Couldn't access vaultwarden after reverse proxy issue

Hi, I have vaultwarden installed as a docker container on unraid and had some issues with my reverse proxy today so couldn’t access vaultwarden through bitwarden app. I tried logging into vaultwarden directly using the IP address for the unraid docker container but it gave me an error saying that the browser needed https. When I added https:// in front of the IP address, firefox threw an SSL error at me. I managed to eventually get the reverse proxy issue sorted and can now log in but for several hours, I couldn’t log into anything (including my unraid server once I rebooted it) since all my passwords are managed by vaultwarden. Is there a way to log in without a reverse proxied domain? For example, can I log directly into vaultwarden using the IP address of the container? TIA

Generally you cannot access a (secure, https) web server with the IP address only, because SSL certificates are issued to domain names, not to IP addresses.

Also, the server (reverse proxy) needs to know which “server” actually handles the connection (see Server Name Indication - Wikipedia for an overview), so unless Vaultwarden is also (configured as) your default server (i.e. when SNI is not present), then it will not work.

For direct access, without a reverse proxy, you would have to somehow make the docker port accessible from the outside, but usually the docker port mapping applies only to localhost, so you need some sort of tunnel (ssh can do this easily, especially in cases of emergency like this one).

What about if I just needed emergency access from inside the LAN rather than outside? Is there another way? I had also heard previously that the passwords were cached locally on clients between syncs but both my firefox extension and Android app immediately logged me out when the reverse proxy went down. Surely there’s an easier way to access passwords when reverse proxy is not working. If not, can you point me in the right direction to find out how to create an SSH tunnel to restore access in the future when this happens? Thanks

Very quickly…

If you need to access something (e.g. docker container) listening on localhost (of server), port 1234, you do, from your client:

$ ssh -L 4321:localhost:1234 username@server

Then (without interrupting the ssh session above, e.g. leaving the window open), open a browser and visit http://localhost:4321. This will access the server, port 1234.

Ok thanks. Just confirming, this won’t have the same issue with needing https and receiving an SSL error in vaultwarden?

With the ssh tunnel you would access the container port directly [*], which presumably will not use SSL (it really depends on how you’ve configured it, but in general it is the reverse proxy (e.g. nginx) which takes care of the “SSL termination”, so the access to the actual container server/port will be unencrypted (http), so that no certificates are needed).

[*] Like if you were sitting directly at the server (with keyboard and mouse) and opened a browser to navigate to http://localhost:1234.

(obviously, the connection from the client to the server will be encrypted, by SSH, but not with SSL on top).

I guess the best is just to try it. Stop your reverse proxy and see if/how you can access your vault.
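
The tunnel procedure from the thread, wrapped as a small emergency script (an added example, not posted by any participant). It binds the forwarded port to the client's loopback only, makes ssh fail if the forward cannot be set up, and checks that the container answers over plain HTTP before you open a browser. The script name `vw-tunnel.sh`, the function names, `username@server` and ports 4321/1234 are placeholders or assumptions.

```shell
#!/bin/sh
# Emergency SSH tunnel to a container port that is only reachable on the
# server's localhost. Host, user and ports are placeholders.

# valid_port PORT: succeeds if PORT is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT REMOTE_PORT: prints the argument for ssh -L.
# The explicit 127.0.0.1 keeps the forwarded port off the client's LAN
# interfaces, so other machines cannot reach the vault through it.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '127.0.0.1:%s:localhost:%s\n' "$1" "$2"
}

# open_tunnel USER@SERVER LOCAL_PORT REMOTE_PORT
open_tunnel() {
    spec=$(forward_spec "$2" "$3") || { echo "invalid port" >&2; return 2; }
    # -f: go to background after authentication; -N: run no remote command.
    # ExitOnForwardFailure makes ssh exit instead of leaving a session
    # open with no working forward.
    ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "$spec" "$1" || return 1
    # Confirm the backend answers over plain HTTP through the tunnel.
    if curl -fsS -o /dev/null --max-time 5 "http://localhost:$2/"; then
        echo "Tunnel up: browse to http://localhost:$2"
    else
        echo "Tunnel opened, but nothing answered on remote port $3" >&2
        return 3
    fi
}

# Runs only when called with three arguments, for example:
#   ./vw-tunnel.sh username@server 4321 1234
if [ "$#" -eq 3 ]; then
    open_tunnel "$@"
fi
```

Browsers treat `http://localhost` as a secure context, so the "browser needs https" error seen with the bare IP address does not appear through the tunnel. The background ssh process stays running until it is killed, so stop it once the reverse proxy is working again.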