How to configure reverse proxy + Basic Auth with Vaultwarden

Hi,

I’m using Vaultwarden (Version 2022.12.0) via Docker container with Apache2 as reverse proxy. I’d like to configure it so that Vaultwarden can be accessed either via VPN or with a Basic Auth prompt.

Accessing via VPN works fine with Bitwarden client apps also. I know that the client apps will not work with Basic Auth, but it doesn’t matter for me.

When logging in after the Basic Auth prompt, Vaultwarden logs out immediately after login with the message:

Logged out
Your login session has expired

Apache2 log shows error:

[Sun Jan 22 18:33:00.459073 2023] [auth_basic:error] [pid 24293] [client 52.30.199.158:65506] AH01614: client used wrong authentication scheme: /api/sync, referer: https://vw.example.com/

Here’s the Apache config:

<VirtualHost *:443>
    ServerAdmin it@example.com
    ServerName vw.example.com
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    <Proxy *>
        Require all granted
    </Proxy>

    <Location "/">
        AuthType Basic
        AuthName "Internal Only"
        AuthBasicProvider ldap
        AuthLDAPBindDN "CN=web01,OU=ServiceAccounts,OU=Accounts,DC=example,DC=com"
        AuthLDAPBindPassword foobar1
        AuthLDAPURL "ldaps://ldap01.int.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

        <RequireAny>
            <RequireAll>
                Require ldap-group CN=Internal,OU=Accounts,DC=example,DC=com
            </RequireAll>
            # VPN01
            Require ip x.y.z.w
            Require ip x.y.z.w2
            # Vaultwarden IP
            Require ip x.y.z.w3
        </RequireAny>

        # Don't forward authentication information to Vaultwarden app.
        # If this is enabled, then VPN doesn't work, but there's no error about wrong authentication scheme.
        RequestHeader unset Authorization

        ProxyPass           http://vw.int.example.com:80/
        ProxyPassReverse    http://vw.int.example.com:80/
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/vw-error.log
    CustomLog ${APACHE_LOG_DIR}/vw-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/vw.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vw.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Does somebody know how to get Basic Auth working?

I tested with nginx, but the same automatic logout happens also with it.

You can’t use basic auth with the web-vault or client api. Only the admin interface can handle that. The other endpoints conflict with the auth mechanisms, which causes the logout.

Also, all other clients can’t handle basic auth anyway. So that’s probably not the best way to go. If you want extra security, I suggest enabling 2FA/MFA for your account.
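For reference, here is how the posted config can be split so that Basic Auth is applied only to the admin interface (the one path the reply says can handle it) while the web vault and client API stay reachable from the VPN ranges only. This is an added example, not configuration from the thread or the Vaultwarden project; the x.y.z.w addresses, the LDAP values and the backend URL are taken from the posted config as placeholders.

```apache
<VirtualHost *:443>
    ServerName vw.example.com
    ProxyPreserveHost On
    ProxyRequests Off

    # Web vault and client API: no AuthType here. Bitwarden clients send
    # "Authorization: Bearer <token>" on the same header that mod_auth_basic
    # inspects, so a Basic challenge on these paths produces AH01614 and the
    # vault treats the resulting 401 as an expired session. Access is limited
    # to the VPN addresses instead; anything else gets a plain 403.
    <Location "/">
        Require ip x.y.z.w
        Require ip x.y.z.w2
        ProxyPass        http://vw.int.example.com:80/
        ProxyPassReverse http://vw.int.example.com:80/
    </Location>

    # Admin interface: authenticates with its own admin token and a cookie,
    # so a Basic Auth prompt in front of it does not collide with a Bearer
    # header. The more specific <Location> overrides the one for "/".
    <Location "/admin">
        AuthType Basic
        AuthName "Vaultwarden admin"
        AuthBasicProvider ldap
        AuthLDAPBindDN "CN=web01,OU=ServiceAccounts,OU=Accounts,DC=example,DC=com"
        AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
        AuthLDAPURL "ldaps://ldap01.int.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        <RequireAny>
            Require ldap-group CN=Internal,OU=Accounts,DC=example,DC=com
            Require ip x.y.z.w
        </RequireAny>
        # Do not leak the LDAP credentials to the backend.
        RequestHeader unset Authorization
        ProxyPass        http://vw.int.example.com:80/admin
        ProxyPassReverse http://vw.int.example.com:80/admin
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/vw-error.log
    CustomLog ${APACHE_LOG_DIR}/vw-access.log combined
    SSLCertificateFile /etc/letsencrypt/live/vw.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vw.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Validate with `apachectl configtest` before reloading; after the change the AH01614 entries for /api/sync should stop, and non-VPN requests to the vault appear as 403 rather than 401 in vw-access.log.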

Ok, thank you. I’ve secured a lot of Java/Tomcat applications with additional security layer via reverse proxy.

Is there any other security measure than 2FA/MFA which could be used? Except VPN, which is already in place.

I have read the Hardening Guide.