Apache Reverse Proxy Problems

Hey Everyone,

We installed a proxy (Apache) for our Bitwarden_rs installation so we could redirect HTTP to HTTPS, which is working just fine.
The proxy is listening on ports 80 and 443 and redirects the traffic to port 5443 (which is disabled in the firewall of the host). I start the Bitwarden server using docker-compose, setting ROCKET_PORT to 443 and using the following port configuration:

ports:
  - 5443:443
  - 3012:3012

Bitwarden is working totally fine when opening it via “https://Bitwarden.domain.de” and “http://bitwarden.domain.de”, with the HTTP version redirecting to HTTPS. If I, however, try to reach “http://IP:5443”, it connects me over an insecure HTTP connection, even though all incoming traffic to port 5443 is set to be dropped on the host.

Also, the proxy and Docker/Bitwarden are running on the same server.

I am pretty sure that I missed something very obvious, but I simply can't find out what it is. Any help will be highly appreciated!

What is IP? The IP of your Docker host? Is it a private IP?

Hey,

IP is the IP of the Docker host, which happens to be a public IP. However, I solved the problem by changing the port-mapping section to the following:

ports:
  - 127.0.0.1:5443:443   # container port matches ROCKET_PORT=443 from the first post
  - 127.0.0.1:3012:3012
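As an added example (not code from the thread), a small Python check that parses docker-compose short-syntax `ports` entries and flags the ones published on all host interfaces. A port published without a host IP is handled by Docker's own iptables rules (nat PREROUTING and the FORWARD/DOCKER chain) before the host's INPUT rules see the packet, which is why binding to 127.0.0.1 closed the hole here; the sample entries below are constructed to mirror the thread.

```python
"""Flag docker-compose 'ports' entries reachable on every host interface."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the first two lines are the original mapping from the
# question, the rest show loopback-bound variants that only the proxy can reach.
SAMPLE_PORTS = [
    "5443:443",                 # all interfaces: answers as http://IP:5443
    "3012:3012",                # all interfaces: websocket notifications port
    "127.0.0.1:5443:443",       # loopback only
    "127.0.0.1:3012:3012/tcp",  # loopback only, explicit protocol
    "[::1]:8080:80",            # IPv6 loopback only
]


class PortMapping(NamedTuple):
    host_ip: Optional[str]       # None means Docker binds 0.0.0.0 and [::]
    host_port: Optional[str]     # None means Docker picks an ephemeral port
    container_port: str
    proto: str


# Short syntax: [host_ip:][host_port:]container_port[/proto]; ranges allowed.
_SPEC = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<ctr>\d+(?:-\d+)?)$"
)


def parse_port(spec: str) -> PortMapping:
    body, _, proto = str(spec).partition("/")
    m = _SPEC.match(body)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortMapping(m.group("ip"), m.group("host"), m.group("ctr"), proto or "tcp")


def is_loopback_only(pm: PortMapping) -> bool:
    ip = pm.host_ip or ""
    return ip == "[::1]" or ip.startswith("127.")


def exposed_mappings(specs: List[str]) -> List[PortMapping]:
    """Return the mappings that bypass host INPUT rules (not loopback-bound)."""
    return [pm for pm in map(parse_port, specs) if not is_loopback_only(pm)]


if __name__ == "__main__":
    for pm in exposed_mappings(SAMPLE_PORTS):
        print(f"EXPOSED: host {pm.host_ip or '0.0.0.0'}:{pm.host_port or '<random>'}"
              f" -> container {pm.container_port}/{pm.proto}")
```

On this thread's configuration the first two entries are reported, the loopback-bound ones are not.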

It is great that you found the solution by binding to localhost; I would just be worried about what you mentioned in your question:

It suggests that your firewalling has a problem. From what I understand, the host is directly exposed to the Internet (the IP is public), so the host firewall (iptables, I guess) is not set up correctly, as it should have blocked port 5443.

Hey,

That worried me as well. I did another port scan and everything looked fine. I will do some further digging into this.

I just saw that someone else had the same problem (Firewall rules, apache proxy and docker) and came to the same solution.

Sorry if this is obvious, but you need to make sure you run the tests from the right network. If your iptables block ingress traffic from the Internet, then of course testing it from within your LAN will show the port as open.

iptables is not simple. I used to use shorewall (https://shorewall.org/); it is a fantastic way to organize your networks in a sensible way and have shorewall ultimately build your iptables configuration.

Hey,

Sorry for getting back to you this late. It has been a quite turbulent time, to say the least. We made sure that iptables was configured correctly. I'll admit that I am no expert on iptables, but my coworkers are, and I had them take a look at it too in order to verify.

In any case, if you can access that port from the Internet as IP:5443 (where the IP is your public IP, and the test is run from the Internet, via, say, a VPN if you do not have any external server), then there is definitely a problem with your firewall.

There may be other ports open. You can check your most typical ports over at https://www.grc.com/shieldsup to make sure there are no surprises, but an nmap run against your IP and port 5443 that shows it as open is really something to worry about (not so much because of Bitwarden, but rather because of a general security misconfiguration).

This is advice from someone working in information security.