Hello!
I’m running latest docker image.
Traffic to server is proxied through nginx. So far-so good!
What I want to do is to disable the web page and use my public domain only with the apps and addons.
I have tried to do this by telling nginx to deny all on / location, but my iOS app has stopped working.
Googled a thing or two for Vaultwarden and Bitwarden, but not many results appear.
Anyone have any idea?
You can disable the web-vault by setting WEB_VAULT_ENABLED=false
Thank you very much for the fast reply!
Can I do this without deleting my docker container and creating it again or by the /admin page?
Also, .env file in root of my datadir does not seem to make sense…
This is a setting which you need to recreate the container for (in order for the environment variable to take effect) and it cannot be set via the /admin page (as it would require at least a restart anyway).
The .env is relative to the working directory of the vaultwarden process (which would be / in the running container). If you don’t provide the environment variables via docker you could mount a file to /.env. Cf. FAQs · dani-garcia/vaultwarden Wiki · GitHub
My original idea with nginx was such that I will be able to use it as an ON/OFF switch - turn it off by default and then turn on when needed. Recreating container every time is time consuming and involves downtime, rather than just reloading nginx.
Please elaborate why do you want to turn off webvault. I guess you want to secure it that way, but turning web vault off is not a security measure. You vaultwarden is still accessible on the same port trough the internet. You will just see 404: Not Found in a browser when you try to visit your web vault. Nonetheless your Vaultwarden is still there. How else could you connect from you iOS if there will be not any? Turning off just a web page IS NOT a security measure. However consider solutions below:
Whitelist on firewall or reverse proxy to allow only trusted IPs, example only from your own country.
Deploy Wireguard VPN and access Vaultwarden from internal network only.
Configure Fail2Ban to prevent access from anyone after X failed login attempts from his IP address.
Use Knock.d - https://linux.die.net/man/1/knockd - you can keep all your ports closed, but knock.d will add dynamically a firewall rule to allow the connection after receiving proper combination of packets you define. It is really an aweosome tool. It allows to access any services only on demand securely.
Configure 2FA for all accounts
Dissallow sign ups
Please also check and read my comment in this post:
Thank you for your reply!
Yes, as a security measure.
Because, without extensive research, it’ll be hard for random users/bots to know what’s behind this address.
Your recommendations seem useful, thank you!
It will not stop bots. Your service is still accessible on the same port. It’s like a child who closes their eyes and yells “I am invisible!”. Bots seeking for vaultwarden instance will very likely look just for rocket webserver and your server will respond even if you see 404 in a browser. Do you even know how your apps can authenticate to your vaultwarden while you can’t see the webvault? It is never a shame to learn, but it is a shame to be ignorant. If instructions I have provided are too complicated I will try to rewrite them step-by-step, but do not admin that hiding webvault will secure anything. It’s for your own good, as exposing password menager to the limitless void of internet can be fatal without proper configuration.
No, your instructions are detailed enough. Some of them are already done.
Thank you for your replies, they were really helpful!
Not really, since the web-vault is static and only communicate with the api, which you need to have open to support all the other clients anyways