Admin Page on a different port number?

Is there any way to make the Admin page on a different port number? I run Vaultwarden on a Synology NAS and I’d like to put it on a separate port that’s only allowed by certain IPs by the firewall.

Hey!
I’m new to the forum but super excited to jump in and lend a hand where I can. Changing the port for your Admin page on Vaultwarden is possible. You can modify the configuration file to specify a different port number. Just locate the config file, usually named config.toml or similar, and look for the port setting. Update that to your desired port number. As for restricting access, you can indeed use your firewall to limit access to that specific port by allowing only certain IPs. This adds a great layer of security. If you need a hand with the specifics, feel free to ask!!

Thanks for the reply! I know how to set the port number for the main instance using the “domain”: “https://www.example.com:#####”, in the config file. But I don’t see an option to put the admin page on a different port. I’m assuming that’s because it would need a separate web page running to do that. Does anyone know of a better way to separate the admin page in order to firewall it?

Right now I just have the Admin page disabled. I know the standard answer is not to expose Vaultwarden publicly, but with remote users in my family I might as well switch to paid Bitwarden if Vaultwarden shouldn’t be exposed.

Thanks!

Separating the admin page on a different port can indeed be a bit tricky. You’re right; it might require a separate web server. One idea could be using a reverse proxy like NGINX to manage different access points and firewall settings. That way, you could route traffic to specific pages and enhance security without exposing everything publicly. It’s a bit of a workaround, but might help keep things more secure for your remote users.

Synology uses Nginx so you could use something like this:

location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    # auth_basic Private;
    # auth_basic_user_file /path/to/htpasswd_file;

    # Restrict access to only some IP (LAN IP & VPN)
    # allow 192.168.1.0/24;
    allow IP_NET_HERE;
    deny all;

    proxy_http_version 1.1;
    proxy_set_header "Connection" "";

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://IP_AND_PORT_SYNOLOGY/admin;
}

As Synology tends to overwrite the reverse proxy configuration, you can use a task and a script like that one: Synology Bitwarden_rs Websocket setup without SSH · GitHub

Simply paste the code from above after

location /notifications/hub {
...
}

and before >>$LOC_DIR/websocket.locations.vaultwarden

Run that in the task scheduler like the following (as root):

bash Path_To_Script domain_name exposed_port exposed_port

example: bash /volume1/docker/vaultwarden__Enable_Websocket.sh funny_domain.com 1234 1234

The script is running on my NAS every hour.
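
As an added example (not part of the original post, and not Synology's or Vaultwarden's own configuration), the same allow/deny idea can be applied per listener, which gives the admin page its own port as asked in the thread title. The hostname, ports, networks, upstream address and certificate paths are placeholders, and it assumes a plain nginx install where you control the server blocks.

```nginx
# Added example. Hostname, ports, networks, upstream address and
# certificate paths are placeholders, not values from the thread.

# Public listener: the vault is reachable, /admin is not.
server {
    listen 443 ssl;
    server_name vault.example.com;
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Prefix match: covers /admin and every path below it.
    location /admin {
        return 404;
    }

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Admin listener: separate port, allow-listed clients only.
server {
    listen 8443 ssl;
    server_name vault.example.com;
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Rules are checked in order and the first match wins,
    # so every allow line has to come before "deny all".
    allow 192.168.1.0/24;   # LAN (placeholder)
    allow 10.8.0.0/24;      # VPN (placeholder)
    deny  all;

    # Proxy the whole site so the admin page can load its assets.
    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The allow and deny rules match the address that connects to nginx, so if another proxy or NAT sits in front of it, that device's address is what gets checked. A firewall rule on the admin port can be layered on top of the nginx allow list.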

Thank you for the very detailed response! To be honest, I don’t run anything on hardware that I don’t 100% completely understand. For what I’m trying to do, the fix seems a lot harder than the trouble of just disabling the admin token and re-enabling it when I need it. I simply made a backup copy of the config file and then removed the admin token from the active config file. I’ve got DSM access locked down so if somebody gets into my DSM login I’ve got bigger issues. But you’ve definitely given me something to look at and learn from!