Apache2 Reverse Proxy of Vaultwarden Problems

Parkour_Lama · 27 September 2021 12:22

Hello,
This topic is quite similar to https://dietpi.com/forum/t/confused-reverse-proxy-and-vaultwarden/5762/1 but different problem and web server.

Installation and configuring vaultwarden was a breeze. I now have a fully functioning password manager ready to go. The problem arises when trying to use the app.

I’ve disabled the certificates in the vaultwarden config file, so works on http:.
Now, using the example config. with sub-location shown in the wiki https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples it seemed to be interfering with my nextcloud server.

I’ve realized that I don’t actually need to create a new website for it, simply using the Location part, I’ve added this to my apache2.conf file :

<Location /bitwarden/>
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://localhost:8001/$1 [P,L]
    ProxyPass http://localhost:8001/

    ProxyPreserveHost On
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
</Location>

Two things are different here, I’ve used the port dietpi uses while setting up vaultwarden and, replaced the last line,

ProxyPass http://<SERVER>:80/$sublocation/

with

ProxyPass http://localhost:8001/

as adding bitwarden for sub-location results in a Error 404, Not Found.

Now, with the above config, I can access Bitwarden from

https://[Domain].com/bitwarden/

The final forward slash is necessary as using just

https://[Domain].com/bitwarden

results in a Not Found Error.

Now the conclusion of this story (Apologies for the long winded explanation),
When entering the Server URL of a Self-Hosted Sever in the Bitwarden App, it automatically removes the final forward slash whenever I click save, and thus cannot reach my sever resulting in an error.
What can I do to fix this?

P.S. Following the wiki, I have the websocket proxy module loaded, but, modifying the docker start-up to include the sub-location is beyond me as docker doesn’t even seem to be running?

Parkour_Lama · 27 September 2021 17:47

Alright, I’ve found a hacky solution solution to this simply by adding a backslash to the URL, which seems to later convert into a forward slash.
i.e.

https://[DOMAIN].com/bitwarden\

I’m not going to mark it as a solution just yet, hopefully someone’s got a better method, until then…

Joulinar · 27 September 2021 22:46

basically your configuration is correct.

I guess you did a2enmod proxy_wstunnel and a2enmod proxy_http. As well you set DOMAIN=https://your.ddns.com/vault/ in Vaultwarden configuration.

I did a test using following apache2 config /etc/apache2/sites-enabled/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        DocumentRoot /var/www
        ErrorLog ${APACHE_LOG_DIR}/error.log
        #CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName your.ddns.com
SSLCertificateFile /etc/letsencrypt/live/your.ddns.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your.ddns.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

#vault
    <Location /vault>
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /notifications/hub(.*) ws://192.168.0.17:3012/$1 [P,L]
        ProxyPass http://192.168.0.17:8001/vault/

        ProxyPreserveHost On
#      RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    </Location>

</VirtualHost>
</IfModule>

At least for me it’s needed to disable RequestHeader and I adjusted Location.

Once apache2 has been restarted. I’m able to access Vaultwarden using sub path

https://your.ddns.com/vault