How to configure reverse proxy + Basic Auth with Vaultwarden

Hi,

I’m using Vaultwarden (Version 2022.12.0) via Docker container with Apache2 as reverse proxy. I’d like to configure it so that Vaultwarden can be accessed either via VPN or via a Basic Auth prompt.

Accessing via VPN works fine with Bitwarden client apps also. I know that the client apps will not work with Basic Auth, but it doesn’t matter for me.

When logging in after the Basic Auth prompt, Vaultwarden logs me out immediately after login with the message:

Logged out
Your login session has expired

Apache2 log shows error:

[Sun Jan 22 18:33:00.459073 2023] [auth_basic:error] [pid 24293] [client 52.30.199.158:65506] AH01614: client used wrong authentication scheme: /api/sync, referer: https://vw.example.com/

Here’s the Apache config:

<VirtualHost *:443>
    ServerAdmin it@example.com
    ServerName vw.example.com
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    <Proxy *>
        Require all granted
    </Proxy>

    <Location "/">
        AuthType Basic
        AuthName "Internal Only"
        AuthBasicProvider ldap
        AuthLDAPBindDN "CN=web01,OU=ServiceAccounts,OU=Accounts,DC=example,DC=com"
        AuthLDAPBindPassword foobar1
        AuthLDAPURL "ldaps://ldap01.int.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

        <RequireAny>
            <RequireAll>
                Require ldap-group CN=Internal,OU=Accounts,DC=example,DC=com
            </RequireAll>
            # VPN01
            Require ip x.y.z.w
            Require ip x.y.z.w2
            # Vaultwarden IP
            Require ip x.y.z.w3
        </RequireAny>

        # Don't forward authentication information to Vaultwarden app.
        # If this is enabled, then VPN doesn't work, but there's no error about wrong authentication scheme.
        RequestHeader unset Authorization

        ProxyPass           http://vw.int.example.com:80/
        ProxyPassReverse    http://vw.int.example.com:80/
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/vw-error.log
    CustomLog ${APACHE_LOG_DIR}/vw-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/vw.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vw.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Does somebody know how to get Basic Auth working?

I tested with nginx, but the same automatic logout happens also with it.

You can’t use Basic Auth with the web-vault or client API. Only the admin interface can handle that. The other endpoints have conflicting auth mechanisms, which causes the logout.

Also, all other clients can’t handle Basic Auth anyway. So that’s probably not the best way to go. If you want extra security, I suggest enabling 2FA/MFA for your account.


Ok, thank you. I’ve secured a lot of Java/Tomcat applications with additional security layer via reverse proxy.

Is there any other security measure than 2FA/MFA which could be used? Except VPN, which is already in place.

I have read the Hardening Guide.

You might find Authelia useful to you. Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal.

However there are plenty of easier best practices at all layers of deployment.

  1. Firewall - always allow only what is necessary. Block all traffic OUT and IN, then add rules to allow only incoming connections on the HTTP and WEBSOCKET ports from your reverse proxy, plus SSH to manage your Vaultwarden. Next, add rules to allow OUTGOING traffic on ports 80 and 443. If you can, deploy your own internal DNS like AdGuard and allow OUTGOING traffic on port 53 only to your internal DNS. If not, then keep only 80 and 443 allowed and use DNS over HTTPS from Cloudflare or another trusted provider of your choice. If an attacker or malware gets in somehow, they could try to start a connection to a C&C server. Allowing only the ports required for Vaultwarden may stop or slow down attackers.
  2. Reverse proxy - follow best practices and define your security headers properly; pay attention to Content Security Policy (CSP). You might want to redirect bitwarden.yourdomain.tld/admin to error 403 (forbidden).
  3. Run the Docker container without root. After installing Docker, here are instructions on how to do it:
    Linux post-installation steps for Docker Engine | Docker Documentation
  4. Vaultwarden - be sure to configure SMTP. Any events connected with failed logins, unfinished 2FA, or new logins from new locations will go to your mailbox so you can react.
  5. Host - your Docker container must live somewhere, maybe on a VM. Be sure to keep your host OS updated and configured carefully. Be sure that access is secured by hardening SSH: disable root login, maybe disable password login and use public key authentication only. Example: How To Harden OpenSSH on Ubuntu 20.04 | DigitalOcean
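As an added example (not a config from this thread or from the Vaultwarden project), the following Apache layout combines the two replies above: Basic Auth plus the VPN allow-list only on /admin, the security headers from item 2, and the web-vault and client API proxied without any Basic Auth so /api/sync no longer collides with the clients' own Authorization header. Hostnames and placeholder IPs are reused from the original config; the `${LDAP_BIND_PW}` environment variable and the websocket port 3012 are assumptions.

```apache
<VirtualHost *:443>
    ServerName vw.example.com
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    # Item 2: security headers. CSP is left out here on purpose: the web-vault
    # needs a tailored policy, so take that one from the Hardening Guide.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "same-origin"

    <Proxy *>
        Require all granted
    </Proxy>
    # /admin is the only part of Vaultwarden that tolerates Basic Auth. Access
    # needs BOTH a VPN source address (placeholders taken from the original
    # config) AND membership in the LDAP group; anything else is refused.
    <Location "/admin">
        AuthType Basic
        AuthName "Admin Only"
        AuthBasicProvider ldap
        AuthLDAPBindDN "CN=web01,OU=ServiceAccounts,OU=Accounts,DC=example,DC=com"
        # Assumption: the bind password is exported from /etc/apache2/envvars
        # rather than written into the config file.
        AuthLDAPBindPassword "${LDAP_BIND_PW}"
        AuthLDAPURL "ldaps://ldap01.int.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        <RequireAll>
            Require ip x.y.z.w x.y.z.w2
            Require ldap-group CN=Internal,OU=Accounts,DC=example,DC=com
        </RequireAll>
        # The admin page has its own token login; never forward LDAP credentials.
        RequestHeader unset Authorization
    </Location>

    # Everything else (web-vault, /api/sync, client apps) is proxied WITHOUT
    # Basic Auth: a proxy-level Authorization header collides with the Bearer
    # token the clients send and causes the immediate logout from the thread.
    # Assumption: websocket notifications on port 3012 as in the default
    # Docker setup; the specific rules must precede the catch-all.
    ProxyPass        /notifications/hub/negotiate http://vw.int.example.com:80/notifications/hub/negotiate
    ProxyPass        /notifications/hub ws://vw.int.example.com:3012/notifications/hub
    ProxyPass        / http://vw.int.example.com:80/
    ProxyPassReverse / http://vw.int.example.com:80/

    SSLCertificateFile    /etc/letsencrypt/live/vw.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vw.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Requires mod_headers, mod_authnz_ldap, mod_proxy_http and mod_proxy_wstunnel; validate with `apachectl configtest` before reloading.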

Great advice, thanks!