[support] Vaultwarden (formerly Bitwarden_rs)



2 minutes ago, bclinton said:

Greetings folks! New unraid user and recently dropped lastpass and am trying to use bitwarden and swag in a docker container. I am able to run the chrome extension for bitwarden on the PC if I log in to the bitwarden server ahead of time with the browser. Otherwise I received the unable to fetch error. I assume once I get the extension working it will not need attention again. My current problem is getting the app on my phones (android) to connect. I am able to access my server through the browser on the phone but the app continues to refuse the connection. (Exception message: Hostname bitwarden.xxxx.duckdns.org not verified) I followed Spaceinvaders youtube pretty much. Looking for a suggestion to help tackle the phone :)

Did you remember to add your subdomain to the SWAG unraid container config in docker? I often forget this step and get your error

Link to post

Popular Posts

New repository is: vaultwarden/server:latest
Change it in docker settings:
  • Stop the container
  • Rename repository to vaultwarden/server
  • Hit Apply and start the container

I added the following to my reverse proxy for the admin panel:
location /admin { return 404; }
I only access the panel locally using the direct ip.

Thanks for the thorough response. Me and the 10479 people that will ask after me VERY MUCH appreciate it :-)


5 minutes ago, Aceriz said:

Did you remember to add your subdomain to the SWAG unraid container config in docker? I often forget this step and get your error

I believe it is right. I used the one he provided but I kept all of my naming the same as his, thinking that it would be correct. Here is the one I am using. I am using bitwarden.XXXXXXX.duckdns.org to reach the container from the chrome browsers. One thing that is strange is I am getting the Not Secure warning in the browser address line but it lets me in after I click proceed.

#BITWARDEN
# make sure that your domain's DNS has a CNAME or A record set for the subdomain bitwarden
# This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
# However the container name is expected to be "bitwardenrs", as it is by default in the template, because this name is used to resolve.
# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7

resolver 127.0.0.11 valid=30s;
upstream bitwarden {
    server bitwardenrs:80;
}

server {
    listen 443 ssl;
    server_name bitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    # Web vault and API
    location / {
        proxy_pass http://bitwarden;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket notifications: pass the Upgrade request through to the container
    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden;
    }
}

Edited by bclinton
Link to post
5 hours ago, Roxedus said:

regex to catch failed attempts 

I was actually able to get it to work :) with much digging... I found the following https://pieterhollander.nl/post/bitwarden/ with some editing got the following to work

to the jail.local

[bitwarden-admin]
enabled = true
port = http,https
filter = bitwarden-admin
action = iptables-allports[name=bitwarden]
logpath = /log/bitwarden.log
# ban after 2 failed admin logins within findtime
maxretry = 2
# both values are in seconds (14400 s = 4 hours)
bantime = 14400
findtime = 14400

in the filter.d folder added bitwarden-admin.conf

[INCLUDES]
before = common.conf

[Definition]
# <ADDR> is fail2ban's tag for the offending IP address
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =

anything you might suggest to make it better.. I did test it... and it is working

Link to post
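The jail and filter posted above can be reasoned about offline. This is an added example, not code from the thread or from fail2ban: it applies the posted failregex and the maxretry/findtime values to constructed log lines and reports which addresses would reach the ban threshold. The timestamp prefix, the log line layout and the simplified `<ADDR>` expansion are assumptions.

```python
import re
from datetime import datetime, timedelta

# Jail values from the post above.
MAXRETRY = 2
FINDTIME = timedelta(seconds=14400)

# The posted failregex. fail2ban's <ADDR> tag is replaced by a simplified
# IPv4/IPv6 capture group (an assumption; fail2ban's own expansion is stricter).
FAILREGEX = r"^.*Invalid admin token\. IP: <ADDR>.*$"
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)"
PATTERN = re.compile(FAILREGEX.replace("<ADDR>", ADDR))

# Assumed timestamp prefix of the log file: [YYYY-MM-DD HH:MM:SS.mmm]
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
[2021-02-20 10:00:01.120][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 203.0.113.7
[2021-02-20 10:00:05.450][vaultwarden::api::identity][INFO] User a@example.org logged in successfully. IP: 198.51.100.4
[2021-02-20 10:03:12.900][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 203.0.113.7
[2021-02-20 11:00:00.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.9
[2021-02-20 12:15:30.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 2001:db8::1
[2021-02-20 16:30:00.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.9
""".splitlines()

def failures(lines):
    """Yield (time, ip) for every line the failregex matches."""
    for line in lines:
        hit, stamp = PATTERN.match(line), STAMP.match(line)
        if hit and stamp:
            when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
            yield when, hit.group("addr")

def bans(lines):
    """Return {ip: ban time} for IPs with MAXRETRY failures inside FINDTIME."""
    recent, banned = {}, {}
    for now, ip in failures(lines):
        # Keep only this IP's failures that are still inside the findtime window.
        window = [t for t in recent.get(ip, []) if now - t <= FINDTIME] + [now]
        recent[ip] = window
        if len(window) >= MAXRETRY:
            banned.setdefault(ip, now)
    return banned

if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print(f"{when}  ban {ip}")
```

On a live install, `fail2ban-regex <logfile> <filter file>` runs the real filter against the real log and is the authoritative check.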
11 minutes ago, jonathanm said:

You don't own or control duckdns.org

I followed the instructions that were outlined in the youtube video - How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX

Link to post

Another question... I am wondering how I would go about creating a Docker Log rotation for the bitwarden.log used in the fail2ban setup

I have found this attached at the pieter hollander site but am not sure where I would use such a thing within unraid... or if it is even needed.

[attached image: image.png]

Link to post
4 minutes ago, bclinton said:

I followed the instructions that were outlined in the youtube video - How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX

Within the Bitwarden Docker template did you enable websocket? By default it is now set to disabled... with the SWAG nginx .config file need to enable this...

Link to post
6 minutes ago, bclinton said:

I followed the instructions that were outlined in the youtube video - How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX

you could also try using the SWAG .sample config file... but would need to ensure that you either remove the reverse proxy for /admin... as described in the pinned message on the top of this forum... additionally you may want to consider once you're done with the reverse proxy setting up fail2ban which is what I have been working on and just got sorted out (instructions on first page (bottom) of this help thread).

Link to post
2 minutes ago, Aceriz said:

Within the Bitwarden Docker template did you enable websocket? By default it is now set to disabled... with the SWAG nginx .config file need to enable this...

I actually deleted everything and will try again from scratch in the morning. Can you recommend a youtube install video besides spaceinvaders? I have been trying to wrap my head around all of the settings and what I missed all day. I feel drunk :)

Link to post
Just now, bclinton said:

I actually deleted everything and will try again from scratch in the morning. Can you recommend a youtube install video besides spaceinvaders? I have been trying to wrap my head around all of the settings and what I missed all day. I feel drunk :)

honestly Spaceinvaders are the best video that I have found... and use. Then a lot of searching with the forums to find solutions...

this is your first time setting up SWAG right? have you checked the logs... to ensure that you are getting a server ready as per the spaceinvader video... do you have nginx connected with anything else for remote proxy?

Link to post
Just now, Aceriz said:

honestly Spaceinvaders are the best video that I have found... and use. Then a lot of searching with the forums to find solutions...

this is your first time setting up SWAG right? have you checked the logs... to ensure that you are getting a server ready as per the spaceinvader video... do you have nginx connected with anything else for remote proxy?

Yes. I did that first and it all appeared right. The logs showed success verifying the bclinton.duckdns.org host name. I think my problem is with me missing something with the certificates. Like I mentioned. After all was said and done I am able to log into the bitwarden container with bitwarden.bclinton.duckdns.org fine. The only issues I had was not able to get it installed on the phone (android) and I got the "unsafe site" http error in the address bar. I noticed on Spaceinvaders video he did not get that so I have to have missed something. I agree - Spaceinvader is the best. I am only a week with my unraid (came from synology) and have learned so much. 

Link to post
15 minutes ago, bclinton said:

bitwarden.bclinton.duckdns.org

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

again not an expert at all with this.. rather just a troubleshooting step to consider...

Link to post
4 minutes ago, Aceriz said:

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

again not an expert at all with this.. rather just a troubleshooting step to consider...

Will do. Thanks! I think tomorrow I will start fresh with Swag and get up according to SI's video again.

Link to post
9 hours ago, Roxedus said:

the admin panel needs another regex to catch failed attempts

Okay so I have been able to setup another regex... but it is having a weird response...

When I try logging into the reversed proxy multiple times past the "maxretry" amounts I don't get banned... but when I reset the SWAG container then the bans take effect... I am not sure why or even where to go from here... any thoughts would be great

Link to post
15 hours ago, Aceriz said:

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

again not an expert at all with this.. rather just a troubleshooting step to consider...

It looks like you were right. It was tied to my naming of the subdomain. An update though... I found out my domain provider (namecheap) has dynamic DNS included. After changing the dns settings for my domain and not using duckdns Swag works great. My first test container was sonarr and it works perfect. Now on to adding nextcloud. :)

I must say Nextcloud is pretty slick!

Thanks for the suggestions!

Edited by bclinton
Link to post
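A "Hostname ... not verified" error means the client could not match the name it connected to against the names listed in the server certificate. The following added example (not from any poster in this thread) shows the label-by-label matching rule, in which a wildcard covers exactly one label; the two certificate name lists are assumptions, since the thread never shows the actual certificate.

```python
def san_matches(hostname, san):
    """Compare one certificate name (SAN entry) with a hostname, label by label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # "*" stands for exactly one label, never for "a.b"
    if pattern[0] == "*":
        # Wildcard is honoured only as the whole left-most label,
        # and only with at least two fixed labels after it.
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def covering_sans(hostname, sans):
    """Return the SAN entries that cover hostname; an empty list means a mismatch."""
    return [s for s in sans if san_matches(hostname, s)]


# Hostname as written in the thread.
HOST = "bitwarden.bclinton.duckdns.org"

# Assumed certificate contents (hypothetical, for illustration only).
CERT_MAIN_ONLY = ["bclinton.duckdns.org"]
CERT_WITH_WILDCARD = ["bclinton.duckdns.org", "*.bclinton.duckdns.org"]


def report():
    """Summarise which assumed certificate would satisfy a strict client."""
    return {
        "main name only": covering_sans(HOST, CERT_MAIN_ONLY),
        "main + wildcard": covering_sans(HOST, CERT_WITH_WILDCARD),
        "one label deeper": covering_sans("a." + HOST, CERT_WITH_WILDCARD),
    }


if __name__ == "__main__":
    for cert, names in report().items():
        print(f"{cert:18} -> {names or 'hostname not verified'}")
```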
2 hours ago, bclinton said:

It looks like you were right.

So glad that it works for you :)

2 hours ago, bclinton said:

must say Nextcloud is pretty slick!

Yes Nextcloud is great. :)

If you're able to figure out the Fail2ban issues with bitwarden let me know...

Link to post

Bitwarden and swag were set up and working correctly. But my network has changed slightly. For example it used to be:

Cable modem in bridge mode
      \/
PFsense
      \/
Unraid with bitwarden, duckdns and swag dockers

then I had to modify my network to this:

Cable modem in router mode
                    \/
PFsense                PFsense  configured in HA mode
                    \/
Unraid                   Unraid

Note only one Unraid has the original config with bitwarden, duckdns and swag.

now with the new network settings I cannot sync bitwarden or access the vault via ****.duckdns.org

I don't know if it's a setting I'm forgetting or if it's something on the main router that I didn't do. I have the ports forwarded in PFsense and the firewall on the main router is turned off.

any help would be greatly appreciated.

Link to post
On 2/20/2021 at 6:58 PM, JT24 said:

Hi, 

Just set BitWarden up using this container and everything is working perfectly.

My only question is, backups... 
What's the best way to have daily backups of the database?

Could someone please help me with this?

Link to post
On 2/17/2021 at 1:08 PM, Roxedus said:

I just use CA backup, then rclone that archive to the cloud. 

When you are using CA to back up what specifically are you pulling if you mind me asking... Mind posting like a screen shot of your setting.. (then I can and will figure out the rclone part :)

thanks

Link to post
On 2/21/2021 at 2:12 AM, Zidichy said:

Hey guys, I've just made a detailed guide / tutorial for bitwarden_rs with cloudflare & fail2ban integration + admin portal protection :)

Hope this helps someone :)

This was awesomely written!!!

Link to post
  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
