poeterdebier, posted September 24, 2020:

Hey guys, was wondering if somebody could help me get Fail2Ban working. Got the following:

Added to jail.local:

    [bitwarden]
    enabled = true
    port = http,https
    filter = bitwardenrs
    action = iptables-allports[name=bitwarden]
    logpath = /log/bitwarden.log
    maxretry = 3
    bantime = 14400
    findtime = 14400

bitwardenrs.conf (inside the filter.d folder):

    # Named this way because the one bundled with fail2ban is outdated
    # https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
    # - Set up logging to file > https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
    # - Set logging level to warn or error
    # Logged in bwdata/logs/identity/Identity/log.txt
    [Definition]
    failregex = Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*\.$
    ignoreregex =

Added

    -e LOG_FILE=/log/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true

as extra parameters to bitwardenrs and mapped a folder for the log file. See also attachment. Added the same mapped folder to Let's Encrypt (or Swag).

I can see the failed login attempts in the log of bitwarden, but F2B is not doing anything with them.

gr Piet

cybrnook, posted September 24, 2020 (edited):

10 hours ago, poeterdebier said:
> Hey guys, was wondering if somebody could help me get Fail2Ban working.

Don't forget you need to map that same directory where your bitwarden log file is into your swag container. Then also make sure the path in the bitwarden_rs.conf file for fail2ban has the same "container" path.

This is mine for example:

Bitwarden (I manually created the dir and made it nobody:users 777 since bitwarden seems to be running/setting root for all 🙂 )

Swag:

Swag fail2ban / filter.d / bitwarden_rs.conf file:

    # https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
    # - Set up logging to file > https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
    # - Set logging level to warn or error
    # Logged in /bitwarden-log/bitwarden.log
    [Definition]
    failregex = Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*\.$
    ignoreregex =

Swag / fail2ban / jail.local file entry:

    [bitwarden_rs]
    enabled = true
    port = http,https
    filter = bitwarden_rs
    logpath = /bitwarden-log/bitwarden.log
    bantime = 3600
    findtime = 3600
    maxretry = 3

Edited September 24, 2020 by cybrnook

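A way to check the filter and jail settings from the two posts above against log lines before relying on them. This is an added example, not code from the thread or from fail2ban: the log lines are constructed, and `HOST` is a simplified IPv4-only stand-in for fail2ban's own `<HOST>` expansion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted in both filter files above.
FAILREGEX = r"Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*\.$"
# Assumption: simplified replacement for <HOST>; fail2ban also accepts IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample lines in the shape bitwarden_rs logs with EXTENDED_LOGGING=true.
SAMPLE_LOG = """\
[2020-09-24 08:00:01.100][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.
[2020-09-24 08:00:05.000][bitwarden_rs::api::identity][INFO] User b@example.com logged in successfully. IP: 192.0.2.10
[2020-09-24 08:02:10.200][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.
[2020-09-24 08:05:00.300][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: c@example.com.
[2020-09-24 08:09:30.400][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.
[2020-09-24 09:30:00.500][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: c@example.com.
[2020-09-24 10:45:00.600][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: c@example.com.
"""


def failures(log_text):
    """Yield (timestamp, ip) for every line the failregex matches."""
    for line in log_text.splitlines():
        ts, hit = TIMESTAMP.match(line), PATTERN.search(line)
        if ts and hit:
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
            yield when, hit.group("host")


def banned(log_text, maxretry=3, findtime=3600):
    """Return IPs with at least maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, result = defaultdict(list), set()
    for when, ip in failures(log_text):
        # Drop failures that have aged out of the window, then record this one.
        recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
        if len(recent[ip]) >= maxretry:
            result.add(ip)
    return sorted(result)


if __name__ == "__main__":
    print("findtime=3600 :", banned(SAMPLE_LOG, maxretry=3, findtime=3600))
    print("findtime=14400:", banned(SAMPLE_LOG, maxretry=3, findtime=14400))
```

With the second post's `findtime = 3600` only the burst from one address crosses `maxretry`; with the first post's `findtime = 14400` the slower, spread-out attempts are caught as well. On the real system, `fail2ban-regex` given the log path and the filter file, run inside the swag container, tests the same match against the file fail2ban actually sees.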
WeAreTheDynamite, posted September 28, 2020:

Hey, I know this is a pretty niche problem, but I have my own local exchange server for mail and I can't for the life of me figure out why SMTP isn't working.... I have the receive connector relay set up, and it works totally fine with Ombi. Whenever I try to send a test in the Admin panel I just get SMTP error, which isn't hugely helpful...

Here's an example of the settings. I've obviously modified them for privacy, but the address/usernames are all actually correct. There's really not a lot to go on, so I'm just wondering if anyone has managed to get this working and has any tips?

Roxedus (Author), posted September 28, 2020:

@WeAreTheDynamite I would reach out to the project itself, as I can't see anything obvious either. https://github.com/dani-garcia/bitwarden_rs

Arubial, posted October 9, 2020:

On 4/22/2020 at 5:11 PM, Roxedus said:
> I added the following to my reverse proxy for the admin panel
>
>     location /admin {
>         return 404;
>     }
>
> I only access the panel locally using the direct ip.

I was able to do this and I'm receiving the 404 error whenever I try to browse to the admin section over the web. When I browse to it locally, it asks for the admin token like it should. When I put the admin token in, it reroutes back to the web and I get the 404 error again. So I have no way to log in.

Roxedus (Author), posted October 9, 2020:

Go back to the local address with /admin after entering the token, it did actually auth.

Arubial, posted October 9, 2020:

4 minutes ago, Roxedus said:
> Go back to the local address with /admin after entering the token, it did actually auth.

Thanks, I tried that originally but it kept reverting back to the web version. You helped me fix it though, it was a caching issue.

Konfitüre, posted October 12, 2020:

Hi, I have a question about fail2ban. Do I need it, and if yes, what do I need it for, and is there a way to implement it easily?

Roxedus (Author), posted October 15, 2020:

You do not need fail2ban, it is nice to have though.

pinion, posted November 3, 2020:

Recently I lost all my containers and had to reinstall via "Previous Apps". After getting it set back up it will not allow me to log in, telling me:

    An error has occurred. Username or password is incorrect. Try again

I reset the admin panel token and checked there and there are no users. Strange. So I restored from a CA_Backup file and the same thing. I started using DB Browser for SQLite to look at other old backed up databases and there are no users in any of them. Which makes no sense because it's been working for years with no problem until now. Anyone have a clue where else I can go to troubleshoot? Or is there an issue with how I'm opening the sqlite3 db?

pinion, posted November 3, 2020:

I have no clue what happened. I'm looking at my backups and there are no bitwarden backups before August. Starting in August I just have a weekly backup of a blank database. Luckily, I found a folder where I had manually backed it up 10 months ago. So I've lost 10 months worth of stuff but it's at least working now. Throwing the old files into the appdata directory and restarting worked for me though. I'll keep looking for a backup but I have no idea how this happened or why I didn't have a bitwarden docker for several months according to CA_Backup. Perhaps I pointed the data directory somewhere else?

KungFury84, posted November 20, 2020:

Hello, I'm currently trying to set up bitwarden. I have the reverse proxy working and am now trying to enable SMTP. I want the email address to come from my own domain email and I'm going to use a Microsoft O365 account for SMTP, and I'm not having much success. I'm just wondering if anyone has got an O365 account to work? I know there are other providers but at the moment I had a spare O365 account (was trying not to spend money if I didn't have to etc).

Tolete, posted December 11, 2020 (edited):

I need some help with the bitwarden "bitwarden.subdomain.conf" file. It looks like Swag's last update upgraded its proxy files. I was able to upgrade all other proxy files but for some reason can't figure this one out.

old - bitwarden.subdomain.conf - working

    #BITWARDEN
    # make sure that your domain has dns has a cname or a record set for the subdomain bitwarden
    # This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
    # However the container name is expected to be "bitwardenrs" as it is by default the template as this name is used to resolve.
    # If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7

    resolver 127.0.0.11 valid=30s;
    upstream bitwarden {
        server bitwardenrs:80;
    }

    server {
        listen 443 ssl;
        server_name bitwarden.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 128M;

        location / {
            proxy_pass http://bitwarden;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /notifications/hub {
            proxy_pass http://bitwarden;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /notifications/hub/negotiate {
            proxy_pass http://bitwarden;
        }
    }

new - bitwarden.subdomain.conf.sample - not working

    ## Version 2020/12/09
    # make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
    # make sure your bitwarden container is named "bitwarden"
    # set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name bitwarden.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 128M;

        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;

        # enable for Authelia
        #include /config/nginx/authelia-server.conf;

        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /ldaplogin;

            # enable for Authelia
            #include /config/nginx/authelia-location.conf;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwarden;
            set $upstream_port 80;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /admin {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /ldaplogin;

            # enable for Authelia
            #include /config/nginx/authelia-location.conf;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwarden;
            set $upstream_port 80;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /notifications/hub {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwarden;
            set $upstream_port 3012;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        location /notifications/hub/negotiate {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app bitwarden;
            set $upstream_port 80;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }

Edited December 11, 2020 by Tolete

thespooler, posted December 16, 2020:

I noticed Websockets defaults to off in this template, so that's where I've left it. But curious what's the benefit of enabling it as I see most of the proxy examples are including it.

tmor2, posted December 19, 2020 (edited):

Problem with ATTACHMENTS!

I have BW with Letsencrypt. Everything works fine except attachments. When I attach a document (e.g. an image to Identity), then try to open it, I get the following errors:

(1) On iPhone/iPad: "Unable to download File"
(2) On Mac (with BW being standalone app): the spinning wheel appears (as if trying to download a document) - spinning wheel stays for hours. No error message.

When I go to UNRAID->appdata (share) - I can clearly see that the images I uploaded are stored in a separate directory and hashed. Someone raised a similar issue on Github here and here, but I don't know how to apply the solution on UNRAID with letsencrypt.

Any help?

Edited December 19, 2020 by tmor2

Endy, posted December 19, 2020:

I've been struggling to get Bitwarden to work. The docker is installed and I can access it by IP, but not by reverse proxy. My ISP blocks port 80, but not port 443 so I am using Cloudflare to force 443.

First I followed SpaceInvader's video and was using SWAG. I just get an Error 522 from Cloudflare. (Everything else through SWAG was working just fine.)

Then I switched everything over to using HAProxy in Pfsense. Instead of using the custom network, I gave each of the docker containers their own static IP addresses. Again, I can get everything working, but Bitwarden gets Error 522 from Cloudflare. HAProxy stats shows that Bitwarden is up.

I've searched and searched, but I can not find an answer. Any ideas?

brent3000, posted January 3:

On 12/19/2020 at 3:49 PM, tmor2 said:
> but I don't know how to apply solution on UNRAID with letsencrypt

Are you using swag or letsencrypt? I did some tests with my one and it worked fine. One of the fixes listed on the links you posted suggests there was an issue with the ports not being passed across. I assume via the web etc it's all fine when going directly to the website and downloading the

On 12/20/2020 at 9:33 AM, Endy said:
> but Bitwarden gets Error 522 from Cloudflare

I know it was covered in SI's video but I assume you don't have a port clash and also the config file has loaded correctly into swag?

tmor2, posted January 3 (edited):

13 hours ago, brent3000 said:
> Are you using swag or letsencrypt? I did some tests with my one and it worked fine. One of the fixes listed on the links you posted suggests there was an issue with the ports not being passed across. I assume via the web etc it's all fine when going directly to the website and downloading the

I don't understand what "swag" is. I don't understand how the question on "or letsencrypt" is different from my "I have BW with Letsencrypt"? Are you using letsencrypt in some other context?

Edited January 3 by tmor2

Roxedus (Author), posted January 3:

3 hours ago, tmor2 said:
> I don't understand what "swag" is. I don't understand how the question on "or letsencrypt" is different from my "I have BW with Letsencrypt"? Are you using letsencrypt in some other context?

In what context are you using letsencrypt?

Roxedus (Author), posted January 3:

On 12/19/2020 at 11:33 PM, Endy said:
> HAProxy stats shows that Bitwarden is up.

At least give some config so we can help.

brent3000, posted January 3:

3 hours ago, tmor2 said:
> what "swag" is. I don't understand how the question on "or letsencrypt"

There is a docker container called 'letsencrypt' and then it was replaced by the newer container 'swag' - swag is the new version of the former 'letsencrypt' docker container.

That's the context.

Endy, posted January 9:

On 1/3/2021 at 5:12 PM, Roxedus said:
> At least give some config so we can help.

For the Bitwarden docker container it's using Custom:br0 with its own IP and port 80. I have websockets set to true.

I'm not sure how to concisely describe the HAProxy setup. The backend points to the IP and port of the bitwarden docker container, encrypt ssl and ssl checks are off. Health check method is http. Frontend is set so that if host starts with bitwarden (i.e. bitwarden.mydomain.com), it uses the bitwarden backend.

It is exactly the same as my other docker containers, but it is the only one that doesn't work. Just error 522 from Cloudflare, which apparently means that it's connecting but the request isn't finishing. It seems to be connecting on the local network just fine and I have not made any changes to the configuration inside of Bitwarden.

Roxedus (Author), posted January 9:

51 minutes ago, Endy said:
> The backend points to the IP and port of the bitwarden docker container, encrypt ssl and ssl checks are off.

It's been a while since I used HAProxy, but you need to set it to connect over https, but to not validate the cert, as it is self-signed.

tazire, posted January 15 (edited):

Just looking for a bit of help with the Admin token. It's been a long time since I had to access it so I have no idea what it was. I tried to replace the token in the edit container section... container is back up but the new token doesn't work. What is the correct way to reset/change the admin token?

EDIT: Nevermind... just went to the appdata and config.json and found the set token.

Edited January 15 by tazire

tmor2, posted January 17 (edited):

On 1/3/2021 at 6:11 PM, Roxedus said:
> In what context are you using letsencrypt?

Hi. Letsencrypt (the docker) is used as a reverse proxy. Thus, when Bitwarden is invoked from outside of the local network and via my subdomain bitwarden.mydomain.com, the request is routed to my letsencrypt (reverse proxy), which then routes the request to the Bitwarden docker app.

I am able to upload any attachment to Bitwarden (regardless of whether I am local or on the go). I can see encrypted attachments in UNRAID->appdata->bitwarden->attachments (folder).

However, whenever I use the client on iOS/iPad or a browser plugin (any browser), or the standalone OSX app, I simply cannot download/view that attachment.

I reviewed the log from Docker->Bitwarden... It doesn't show any error messages, not even a request to access the attachment.

Does that help?

Edited January 17 by tmor2