Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[support] Vaultwarden (formerly Bitwarden_rs)

Featured Replies

Hello, i have very weird issue with Bitwarden via my subdomain

When i try to access my bitwarden via my phone lte - can't connect. Once i am turning any vpn, even addblocking like adguard - everything works. What can be wrong?

  • Replies 734
  • Views 277.5k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I added the following to my reverse proxy for the admin panel   location /admin { return 404; } I only access the panel locally using the direct ip.

  • New repository is: vaultwarden/server:latest Change it in docker settings: Stop the container Rename repository to vaultwarden/server Hit Apply and start the container

  • log showing [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure. Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`. See: https://github.com/dani-gar

Posted Images

Posting a pic; evidently BW can’t get certain Favicons; is this stuff in life reason for alarm or?

 

 

5F82FAD2-C040-4135-BECE-0FA3C4B07DB7.jpeg

  • Author
8 hours ago, J05u said:

Hello, i have very weird issue with Bitwarden via my subdomain

When i try to access my bitwarden via my phone lte - can't connect. Once i am turning any vpn, even addblocking like adguard - everything works. What can be wrong?

Are you using the sample in swag?

1 minute ago, Roxedus said:

Are you using the sample in swag?

Yes. It's working, but only when any vpn is turned on. Even which one is changing some dns if i am right

  • Author
7 hours ago, blaine07 said:

Posting a pic; evidently BW can’t get certain Favicons; is this stuff in life reason for alarm or?

 

 

5F82FAD2-C040-4135-BECE-0FA3C4B07DB7.jpeg

Im not sure how advanced that feature is, like if it follows the html tag for favicon, or just assumes it lives on /favicon.ico, i have those errors too sometimes, and i havent seen anything bad from it. 

  • Author
3 minutes ago, J05u said:

Yes. It's working, but only when any vpn is turned on. Even which one is changing some dns if i am right

And you are sure your app i set to connect to the subdomain?

2 minutes ago, Roxedus said:

And you are sure your app i set to connect to the subdomain?

yes, as i said i don't need to be in my local network, any vpn connection on iphone/ipad solves issue, so i am wondering what can be wrong. Why i need to have any vpn turned on to make it working

  • Author
Just now, J05u said:

yes, as i said i don't need to be in my local network, any vpn connection on iphone/ipad solves issue, so i am wondering what can be wrong. Why i need to have any vpn turned on to make it working

This just enforces my suspicion of the app using a ip or something

16 minutes ago, Roxedus said:

This just enforces my suspicion of the app using a ip or something

it the app i just pointed to the domain name. And plus webpage is not opening also

  • Author
1 minute ago, J05u said:

it the app i just pointed to the domain name. And plus webpage is not opening also

And just to be sure, other sites on the same domain work? 

2 minutes ago, Roxedus said:

And just to be sure, other sites on the same domain work? 

yes, sonnar is working fine under same domain. i dont need any vpn, nothing

On 1/25/2021 at 8:06 AM, Roxedus said:


It is not implemented in this version.

Any idea when this will be updated to include their new features and such mate?

  • Author
21 minutes ago, blaine07 said:

Any idea when this will be updated to include their new features and such mate?

Follow the bitwarden_rs project. As stated in the post, i do not create these applications. 

Just now, Roxedus said:

Follow the bitwarden_rs project. As stated in the post, i do not create these applications. 

I probably knew that; sigh. Thank you LOL

On 12/18/2020 at 11:49 PM, tmor2 said:

Problem with ATTACHMENTS!

 

I have BW with Letsencrypt. Everything works fine except attachments.

 

When I attach a document (e.g an image to Identity), then try to open it I get following errors:

(1) On iPhone/iPad: "Unable to download File"

(2) On Mac (with BW being standalone app): the spinning wheel appears (as if trying to download a document) - spinning wheel stays for hours. No error message.

 

When I go to UNRAID->appdata (share) - I can clearly see that the images I uploaded are stored in separate directory and hashed.

 

Someone raised similar issue on Github here and here,  but I don't know how to apply solution on UNRAID with letsencrypt

 

Any help?

 

Solved.

 

Problem was in appdata/bitwarden/config.json file.

Second line should have started with "https" and not "http",.

I got this set up through SWAG for a reverse proxy. All my other containers I run through them work fine and are secure (https). But this one wasn't. Firefox alerted me it wasn't secure. Is there any way to make it secure? I used the CONF sample file from SWAG and tried tweaking the configuration a few ways.

I'm trying to use this with SWAG/nginx and there are 2 problems I'm having trouble solving:

 

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086. 

## Version 2020/12/09
# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

2. I don't want bitwarden exposed to the internet, despite the fact I am also using the reverse proxy to handle internet traffic to other dockers. Is there any way to configure this so that BitwardenRS gets SSL on the LAN but can't be reached from the WAN?

  • Author
2 hours ago, SimplifyAndAddCoffee said:

1. I get a 502 bad gateway using the subdomain to try and hit the bitwardenrs docker on 8086. 


 

Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?
 

 

2 hours ago, SimplifyAndAddCoffee said:

2. I don't want bitwarden exposed to the internet

There is two ways you can tackle this. But which to choose depends on two things, do you use dns validation with swag, and do you have a internal dns server?
If the answer to both is yes, you can just set up the local dns to point to swag on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the lan subnet connect. 

On 2/3/2021 at 2:43 AM, Roxedus said:

Bitwarden_rs runs on port 80 by default, have you changed the app itself to listen to 8086?

Yes, and I can reach it locally using http://server:8086

Quote

There is two ways you can tackle this. But which to choose depends on two things, do you use dns validation with swag, and do you have a internal dns server?
If the answer to both is yes, you can just set up the local dns to point to swag on your subdomain. If it is no on either of those, you can use allow/deny in nginx to only let the lan subnet connect. 

I am using http validation, but I could theoretically change that if I have to. My local DNS is managed at the router.

 

For configuring nginx, would that be done in the subdomain.subdomain.conf file? or is there a way to manage specific upstream hosts elsewhere in nginx? Any information on how to do that would be helpful, since I'm new to nginx (and docker in general).

 

EDIT: I got it sorted. Didn't realize the container and app used different ports.

Edited by SimplifyAndAddCoffee

  • Author
3 hours ago, foR said:

unable to open database file

sounds like the database is missing, corrupted or set to read-only

Hi everybody,

Did anyone already try to setup a full local selfhosted bitwarden (without any Let's Encrypt) and make it working with Android ?

 

I have bitwarde docker running on my Unraid, reachable on all web browser through https://tower:18443/bitwarden (including Web browsers on my phone) thanks to a self signed certificate with self CA. The only thing I can't have working is the bitwarden Android App which throw me a "Trust anchor for certification path not found" error even though i've imported the CA certificate.

 

Here is how I generate my stuff :

# >>>>> CA Key
openssl genrsa -des3 -out towerrootCA.key 4096
# >>>>> CA Cert
openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt

# >>>>> Server Key
openssl genrsa -out tower.key 2048
# >>>>> Server csr
openssl req -new -sha256 -key tower.key -subj "/C=FR/ST=FR/O=MyNas/CN=tower" -extensions v3_req -out tower.csr

# >>>>> Server cert
openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file cat tower.crt towerrootCA.crt > finalcertif.crt

 

With my config.file :

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = FR
L = Local
O = MyNas
OU = MyNas
CN = tower

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = u/alt_names

[alt_names]
DNS.1 = tower
DNS.2 = tower.local
DNS.3 = tower:18443

 

Thank you for help, have a good day,

Edited by Miidnight

For folks that want to protect the /admin page from being accessed from outside of the internal network when using SWAG, I think this is a better way.....

 

Note 192.168.1.0 is the LAN network and 10.0.10.0 is a VPN network attaching remotely

 

  location /admin {
    allow 192.168.1.0/24; 
    allow 10.0.10.0/24;
    deny all;
    # enable the next two lines for http auth
    # auth_basic "Restricted";
    # auth_basic_user_file /config/nginx/.htpasswd;
    proxy_pass http://bitwarden;   
  }

 

4 minutes ago, spants said:

I think this is a better way..

Why? I currently am using the method recommended with the post at the top of every page, but if you convince me, I'll switch the recommendation, or recommend both posts.

 

I haven't taken the time to look at the differences, so don't be offended, I'm genuinely curious, just not curious enough to do the work myself. 🙂

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.