[support] Bitwardenrs Bitwarden_rs

[J05u 5]

Hello, i have very weird issue with Bitwarden via my subdomain

When i try to access my bitwarden via my phone lte - can't connect. Once i am turning any vpn, even addblocking like adguard - everything works. What can be wrong?

[blaine07 24]

Posting a pic; evidently BW can’t get certain Favicons; is this stuff in life reason for alarm or?

 

 

[Roxedus 60]

8 hours ago, J05u said:

Hello, i have very weird issue with Bitwarden via my subdomain

When i try to access my bitwarden via my phone lte - can't connect. Once i am turning any vpn, even addblocking like adguard - everything works. What can be wrong?

Are you using the sample in swag?

[J05u 5]

1 minute ago, Roxedus said:

Are you using the sample in swag?

Yes. It's working, but only when any vpn is turned on. Even which one is changing some dns if i am right

[Roxedus 60]

7 hours ago, blaine07 said:

Posting a pic; evidently BW can’t get certain Favicons; is this stuff in life reason for alarm or?

 

 

Im not sure how advanced that feature is, like if it follows the html tag for favicon, or just assumes it lives on /favicon.ico, i have those errors too sometimes, and i havent seen anything bad from it. 

[Roxedus 60]

3 minutes ago, J05u said:

Yes. It's working, but only when any vpn is turned on. Even which one is changing some dns if i am right

And you are sure your app i set to connect to the subdomain?

[J05u 5]

2 minutes ago, Roxedus said:

And you are sure your app i set to connect to the subdomain?

yes, as i said i don't need to be in my local network, any vpn connection on iphone/ipad solves issue, so i am wondering what can be wrong. Why i need to have any vpn turned on to make it working

[Roxedus 60]

Just now, J05u said:

yes, as i said i don't need to be in my local network, any vpn connection on iphone/ipad solves issue, so i am wondering what can be wrong. Why i need to have any vpn turned on to make it working

This just enforces my suspicion of the app using a ip or something

[J05u 5]

16 minutes ago, Roxedus said:

This just enforces my suspicion of the app using a ip or something

it the app i just pointed to the domain name. And plus webpage is not opening also

[Roxedus 60]

1 minute ago, J05u said:

it the app i just pointed to the domain name. And plus webpage is not opening also

And just to be sure, other sites on the same domain work? 

[J05u 5]

2 minutes ago, Roxedus said:

And just to be sure, other sites on the same domain work? 

yes, sonnar is working fine under same domain. i dont need any vpn, nothing

[Abigel 3]

Hi,

why do I not have the Emergency Access option ?

 

[Roxedus 60]

Hi,
why do I not have the Emergency Access option ?
 

It is not implemented in this version.

[blaine07 24]

On 1/25/2021 at 8:06 AM, Roxedus said:

It is not implemented in this version.

Any idea when this will be updated to include their new features and such mate?

[Roxedus 60]

21 minutes ago, blaine07 said:

Any idea when this will be updated to include their new features and such mate?

Follow the bitwarden_rs project. As stated in the post, i do not create these applications. 

[blaine07 24]

Just now, Roxedus said:

Follow the bitwarden_rs project. As stated in the post, i do not create these applications. 

I probably knew that; sigh. Thank you LOL

[tmor2 3]

On 12/18/2020 at 11:49 PM, tmor2 said:

Problem with ATTACHMENTS!

 

I have BW with Letsencrypt. Everything works fine except attachments.

 

When I attach a document (e.g an image to Identity), then try to open it I get following errors:

(1) On iPhone/iPad: "Unable to download File"

(2) On Mac (with BW being standalone app): the spinning wheel appears (as if trying to download a document) - spinning wheel stays for hours. No error message.

 

When I go to UNRAID->appdata (share) - I can clearly see that the images I uploaded are stored in separate directory and hashed.

 

Someone raised similar issue on Github here and here,  but I don't know how to apply solution on UNRAID with letsencrypt

 

Any help?

 

Solved.

 

Problem was in appdata/bitwarden/config.json file.

Second line should have started with "https" and not "http",.

[s449 0]

I got this set up through SWAG for a reverse proxy. All my other containers I run through them work fine and are secure (https). But this one wasn't. Firefox alerted me it wasn't secure. Is there any way to make it secure? I used the CONF sample file from SWAG and tried tweaking the configuration a few ways.

[SimplifyAndAddCoffee 4]

I'm trying to use this with SWAG/nginx and there are 2 problems I'm having trouble solving:

 

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086. 

## Version 2020/12/09
# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

2. I don't want bitwarden exposed to the internet, despite the fact I am also using the reverse proxy to handle internet traffic to other dockers. Is there any way to configure this so that BitwardenRS gets SSL on the LAN but can't be reached from the WAN?

[Roxedus 60]

2 hours ago, SimplifyAndAddCoffee said:

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086. 

Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?
 

 

2 hours ago, SimplifyAndAddCoffee said:

2. I don't want bitwarden exposed to the internet

There is two ways you can tackle this. But which to choose depends on two things, do you use dns validation with swag, and do you have a internal dns server?
If the answer to both is yes, you can just set up the local dns to point to swag on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the lan subnet connect. 

[SimplifyAndAddCoffee 4]

On 2/3/2021 at 2:43 AM, Roxedus said:

Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?

Yes, and I can reach it locally using http://server:8086

Quote

There is two ways you can tackle this. But which to choose depends on two things, do you use dns validation with swag, and do you have a internal dns server?
If the answer to both is yes, you can just set up the local dns to point to swag on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the lan subnet connect. 

I am using http validation, but I could theoretically change that if I have to. My local DNS is managed at the router.

 

For configuring nginx, would that be done in the subdomain.subdomain.conf file? or is there a way to manage specific upstream hosts elsewhere in nginx? Any information on how to do that would be helpful, since I'm new to nginx (and docker in general).

 

EDIT: I got it sorted. Didn't realize the container and app used different ports.

Edited February 4 by SimplifyAndAddCoffee

[Roxedus 60]

3 hours ago, foR said:

unable to open database file

sounds like the database is missing, corrupted or set to read-only

[Miidnight 0]

Hi everybody,

Did anyone already try to setup a full local selfhosted bitwarden (without any Let's Encrypt) and make it working with Android ?

 

I have bitwarde docker running on my Unraid, reachable on all web browser through https://tower:18443/bitwarden (including Web browsers on my phone) thanks to a self signed certificate with self CA. The only thing I can't have working is the bitwarden Android App which throw me a "Trust anchor for certification path not found" error even though i've imported the CA certificate.

 

Here is how I generate my stuff :

# >>>>> CA Key
openssl genrsa -des3 -out towerrootCA.key 4096
# >>>>> CA Cert
openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt

# >>>>> Server Key
openssl genrsa -out tower.key 2048
# >>>>> Server csr
openssl req -new -sha256 -key tower.key -subj "/C=FR/ST=FR/O=MyNas/CN=tower" -extensions v3_req -out tower.csr

# >>>>> Server cert
openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file cat tower.crt towerrootCA.crt > finalcertif.crt

 

With my config.file :

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = FR
L = Local
O = MyNas
OU = MyNas
CN = tower

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = u/alt_names

[alt_names]
DNS.1 = tower
DNS.2 = tower.local
DNS.3 = tower:18443

 

Thank you for help, have a good day,

Edited February 7 by Miidnight

[spants 25]

For folks that want to protect the /admin page from being accessed from outside of the internal network when using SWAG, I think this is a better way.....

 

Note 192.168.1.0 is the LAN network and 10.0.10.0 is a VPN network attaching remotely

 

  location /admin {
    allow 192.168.1.0/24; 
    allow 10.0.10.0/24;
    deny all;
    # enable the next two lines for http auth
    # auth_basic "Restricted";
    # auth_basic_user_file /config/nginx/.htpasswd;
    proxy_pass http://bitwarden;   
  }

 

[jonathanm 1207]

4 minutes ago, spants said:

I think this is a better way..

Why? I currently am using the method recommended with the post at the top of every page, but if you convince me, I'll switch the recommendation, or recommend both posts.

 

I haven't taken the time to look at the differences, so don't be offended, I'm genuinely curious, just not curious enough to do the work myself. 🙂