[support] Vaultwarden (formerly Bitwarden_rs)



20 minutes ago, Gragorg said:

 

I added this to my nginx and it blocks the admin as it should. Is there an easy way in the template to have it use the IP instead of the domain for the GUI? Or is everyone manually typing in the IP when they need to access the admin?

 

Just create a bookmark.

Popular Posts

New repository is: vaultwarden/server:latest. Change it in docker settings:

  • Stop the container
  • Rename repository to vaultwarden/server
  • Hit Apply and start the container

I added the following to my reverse proxy for the admin panel:

location /admin { return 404; }

I only access the panel locally using the direct IP.

Thanks for the thorough response. Me and the 10479 people that will ask after me VERY MUCH appreciate it :-)


30 minutes ago, Gragorg said:

 

I added this to my nginx and it blocks the admin as it should. Is there an easy way in the template to have it use the IP instead of the domain for the GUI? Or is everyone manually typing in the IP when they need to access the admin?

 

You should access the admin page only via LAN, so you type the IP/admin and there you go. If you have local DNS then you can access it over a local domain, e.g. home.local/admin.

1 hour ago, ddozen said:

Seems that vaultwarden is not updating after changing the repository to vaultwarden/server... is anyone seeing this? I'm still at version 2.19.0.

I have deleted the old bitwardenrs template to use the new vaultwarden one (but keeping appdata). I'm on 2.19 too. Don't know if it's a bug. After checking https://github.com/dani-garcia/vaultwarden/releases it's normal.


Hello,

 

Vaultwarden has been running perfectly on my machine for a few weeks.

Today I activated Email 2FA.

If I log in to the web vault with the browser, the web vault asks me for the 2FA code after typing in the master password. The 2FA code is then sent via mail. With this 2FA code I can unlock my web vault. Same thing if I want to synchronize the iPhone app or the browser plugin with the web vault: after typing in the credentials (email & password) I receive an email with the 2FA code, and then with this code I unlock the vault and can synchronize the app or browser plugin with the web vault/database.

But after every sent email with the (correct) 2FA code I have this error message in my bitwarden.log:

 

[2021-06-05 16:03:13.603][error][ERROR] 2FA token not provided
[2021-06-05 16:07:19.638][error][ERROR] 2FA token not provided
[2021-06-05 16:08:21.815][error][ERROR] 2FA token not provided
[2021-06-05 16:13:22.129][error][ERROR] 2FA token not provided
[2021-06-05 16:20:09.245][error][ERROR] 2FA token not provided

 

Second Question:

From time to time I have the following message in the bitwarden.log:

 

###########################################################
    '/notifications/hub' should be proxied to the websocket server or notifications won't work.
    Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.
    ###########################################################################################

 

What is meant by that, what is /notifications/hub, and what can I do to solve this?

 

Thank you very much for the help!

 

Christian 


Should we use "Content Security Policy" and "X-xxxxx" protection in the swag setting (bitwarden.subdomain.conf)?

What kind of setting?

I'm getting B+ on https://observatory.mozilla.org/ but A+ on https://www.ssllabs.com/ for my bitwarden server, but on the nextcloud server I have both A+.

So what kind of setting of "Content Security Policy" and some more "X-xxx" do we need to use in bitwarden?

 


Hi everybody.

I'm still using this container through browser extension (it works fine).

I only use it within my LAN, or at most while I'm connected through a VPN. I don't really want (or need) to open any port and expose it to the internet.

I can't, however, access the admin page for managing users and collections: it requires HTTPS.

I've read about using a reverse proxy, but don't know anything about it (since, again, I just use a VPN).

Can somebody make a noob-proof guide for setting it up for local access only?


I will try to answer to the best of my knowledge.

I think you would be able to access Bitwarden via LAN; the problem is a valid certificate in your browser (recognized by the browser's root certificate authorities). This isn't so hard to do but I'm not sure if this would actually work. Didn't try.

The admin page you can access via LAN, and that is the right thing to do: block access via the internet and allow it only via LAN.

Regarding accessing Bitwarden via reverse proxy: it is a very safe procedure, especially if you are using Cloudflare's DNS service. I can write a tutorial for that using Nginx Proxy Manager in a docker container. I suppose you own a domain registered with one of the world's registrars (GoDaddy, Bluehost, Namecheap, Hostgator and similar)?

On 6/14/2021 at 10:19 PM, yogy said:

Regarding accessing Bitwarden via reverse proxy: it is a very safe procedure, especially if you are using Cloudflare's DNS service. I can write a tutorial for that using Nginx Proxy Manager in a docker container. I suppose you own a domain registered with one of the world's registrars (GoDaddy, Bluehost, Namecheap, Hostgator and similar)?

 

Just for my peace of mind, wireguard port is the only one I've opened.

Is it possible to access Bitwarden only within my LAN, without any access from outside?


If you use Nginx Proxy Manager (or any reverse proxy app) the only port to be open is 443, which already is. I have various apps in docker containers and all work with the reverse proxy, no additional ports opened. I didn't experiment with Bitwarden access through LAN and probably will not. Hopefully someone managed to make it work via LAN and could provide further assistance.

On 6/11/2021 at 2:16 PM, Masterwishx said:

Should we use "Content Security Policy" and "X-xxxxx" protection in the swag setting (bitwarden.subdomain.conf)?

What kind of setting?

I'm getting B+ on https://observatory.mozilla.org/ but A+ on https://www.ssllabs.com/ for my bitwarden server, but on the nextcloud server I have both A+.

So what kind of setting of "Content Security Policy" and some more "X-xxx" do we need to use in bitwarden?

 

 

I am also interested in the solution to improving these results.


 

I have followed the instructions of SpaceInvader to no end, trying to combine several aged videos (swag and bitwarden have now changed) with new containers (Let's Encrypt changed to swag), and still I can't get swag, vaultwarden, and cloudflare to work together. I have some questions that might be easy to answer but extremely helpful to me if you would. I purchased a domain, so I'm going the domain route here. @SpaceInvaderOne

1. With the new vaultwarden (rather than bitwarden_rs), is SpaceInvader's tutorial and custom config file for letsencrypt still relevant, and should you use his config with custom networks or go with Swag's config files?

2. If my vaultwarden docker is on custom network 176.17.0.2:80 (proxynet) ---> 192.168.50.191:8086, do I simply open port 8086 and the reverse proxy does the rest? How does my local network talk to proxynet? I'm thinking that is the importance of having the config file correct.

 

Thank you to anyone who can shed light on these 2 questions so far... everything I do lands me at my Unraid homepage from the domain I purchased and I have no idea why the reverse proxies do not kick in at this point.

 

On Cloudflare my domain points to my IP using CF_DDNS. I set up a CNAME for bitwarden.mydomain.

 

 

Via @SpaceInvaderOne, his custom config states: "# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7"

 

7 #resolver 127.0.0.11 valid=30s;

 

Using Swag, the logs require me to comment out line 7 as it complains of a duplicate. It seems the resolver is constantly recreating itself if you remove/rename it when you restart. However, I am using a custom network, so I'm in a bit of a paradox.

 

 

 


I won't be able to answer your question completely because I use Nginx Proxy Manager as a reverse proxy, so I have no clue how to do it with Swag.

To answer your second question (2.): no, you don't open any ports on your router; that's what a reverse proxy is all about. The only port forwarding on the router is for the reverse proxy (in your case Swag, or any other if you choose so). The purchase of your own domain is a great choice, I would recommend it for everyone, since it doesn't really cost much.

So the idea of a reverse proxy is that you will be able to access (on the Internet) your apps via subdomains. If your domain is xywz.com, you will be able to access bitwarden / vaultwarden via vaultwarden.xywz.com without entering a port number at the end. Let's Encrypt will provide you with the necessary certificate for this subdomain, and if you go with Cloudflare DNS you are protecting the access to your apps even more. You can also use their DDNS.

If you decide to switch Swag with Nginx Proxy Manager (NPM) as a reverse proxy with Cloudflare, take a look at this great video.

Check out also a long discussion of NPM on this forum.


@yogy thank you so much for the help here. I actually found this gem of a video, and yeah I did see Geeked's video as well, but it was definitely IBRACORP that did it for me with an Edge cert method, amazing. Again thank you so much for the support, it all started making sense after weeks of hammering away, but of course there is still so much to watch out for and to learn.

 


hi all,

Does anyone know how to remove the /admin page so it isn't accessible at all? I commented out the admin token in the config.json file and restarted the server completely, but it's still there. Thank you for any hints. I would imagine that after you created your own account you'd want to remove this admin page... but then re-enable it, of course, if you need to do something else.

18 minutes ago, Kevin Marchese said:

hi all,

Does anyone know how to remove the /admin page so it isn't accessible at all? I commented out the admin token in the config.json file and restarted the server completely, but it's still there. Thank you for any hints. I would imagine that after you created your own account you'd want to remove this admin page... but then re-enable it, of course, if you need to do something else.

Did you read the recommended post at the top of every page of this thread?

8 hours ago, jonathanm said:

Did you read the recommended post at the top of every page of this thread?

@jonathanm I'm sorry man, I wasn't seeing that as a solution for some reason. Now I just have to figure out where to put that in the reverse proxy; I'm using NPM so I'm just not positive where to add that line. Still trying to remember a whole bunch of stuff. Apologies for the ignorance.

8 hours ago, yogy said:

Exactly, just follow the procedure and your admin page is no longer accessible over the internet, only via local network. 

@yogy thanks again, I'm just gonna research where exactly to put that. Still very rusty on this stuff, been doing all video editing for way too long, and most of this just got completely away from me, apparently.


The easiest way:

  • open Nginx Proxy Manager webUI
  • edit Bitwarden/Vaultwarden Proxy Host
  • go to Advanced tab
  • paste it in Custom Nginx Configuration and click Save 

You can also do it directly to your Bitwarden/Vaultwarden *.conf file (/mnt/user/appdata/NginxProxyManager/nginx/proxy_host)


Expanding on securing the admin panel a little bit: On my setup, I run a split DNS config w/ Pihole so I can access my web services on the LAN with HTTPS certificates still being valid (Router doesn't support NAT Loopback). In my SWAG nginx folder, I created a lan-only.conf file:

allow 192.168.1.0/24;
deny all;

 

Then, in my bitwarden.subdomain.conf file, I added the following to location /admin:

include /config/nginx/lan-only.conf;

 

This way, any non-LAN access through the reverse proxy gets returned a 403 - Forbidden. I also use the same method for several of my other web services that I want LAN access for, but not external access, while still being able to use DNS entries to access them (used to run 2 SWAG containers, one for internal, one for external, but managed to consolidate it all down with the added config).
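As an added example (not the poster's or the Vaultwarden project's own configuration) tying this post's lan-only.conf approach to the '/notifications/hub' websocket warning quoted earlier in the thread: a SWAG-style bitwarden.subdomain.conf that proxies the vault, proxies the websocket endpoint, and restricts /admin to the LAN. The upstream name and the two ports are assumptions, stated in the comments.

```nginx
# Added example, not the poster's or the Vaultwarden project's own file.
# Assumed: the container is reachable as "vaultwarden" on the proxy network,
# the web vault/REST API listens on port 80 and the websocket server on 3012
# (the image defaults at the time of this thread); the LAN is 192.168.1.0/24.
upstream vw_http { server vaultwarden:80; }
upstream vw_ws   { server vaultwarden:3012; }

server {
    listen 443 ssl http2;
    server_name bitwarden.*;
    # TLS certificate and common proxy settings come from SWAG's includes here.

    # Web vault and REST API.
    location / {
        proxy_pass http://vw_http;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The negotiate call is plain HTTP; this longer prefix wins over /notifications/hub.
    location /notifications/hub/negotiate {
        proxy_pass http://vw_http;
    }

    # Live sync notifications need a websocket upgrade to the separate port;
    # without this block the server logs the '/notifications/hub' warning.
    location /notifications/hub {
        proxy_pass http://vw_ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Admin panel: LAN clients only, everyone else gets 403. The post above keeps
    # the two access lines in lan-only.conf and includes that file; they are
    # inlined here. nginx's allow/deny checks the TCP source address, not any
    # client-supplied header, so a spoofed X-Forwarded-For does not bypass it.
    location /admin {
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://vw_http;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allow rule only matches when LAN clients resolve the hostname to the proxy's LAN address (the split DNS the post describes); a request hairpinned through the router's WAN address arrives from outside the range and is denied like any other external client.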

 
