Hi,
I’m using Vaultwarden (Version 2022.12.0) via Docker container with Apache2 as reverse proxy. I’d like to configure that Vaultwarden can be accessed either via VPN or with Basic Auth prompt.
Accessing via VPN works fine with Bitwarden client apps also. I know that the client apps will not work with Basic Auth, but it doesn’t matter for me.
When login in after Basic Auth prompt, Vaultwarden logs out immediately after login with message:
Logged out
Your login session has expired
Apache2 log shows error:
[Sun Jan 22 18:33:00.459073 2023] [auth_basic:error] [pid 24293] [client 52.30.199.158:65506] AH01614: client used wrong authentication scheme: /api/sync, referer: https://vw.example.com/
Here’s the Apache config:
<VirtualHost *:443>
ServerAdmin it@example.com
ServerName vw.example.com
DocumentRoot /var/www/html
ProxyPreserveHost On
ProxyRequests Off
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
<Proxy *>
Require all granted
</Proxy>
<Location "/">
AuthType Basic
AuthName "Internal Only"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=web01,OU=ServiceAccounts,OU=Accounts,DC=example,DC=com"
AuthLDAPBINDPassword foobar1
AuthLDAPURL "ldaps://ldap01.int.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
<RequireAny>
<RequireAll>
Require ldap-group CN=Internal,OU=Accounts,DC=example,DC=com
</RequireAll>
# VPN01
Require ip x.y.z.w
Require ip x.y.z.w2
# Vaultwarden IP
Require ip x.y.z.w3
</RequireAny>
# Don't forward authentication information to Vaultwarden app.
# If this is enabled, then VPN doesn't work, but there's no error about wrong authentication scheme.
RequestHeader unset Authorization
ProxyPass http://vw.int.example.com:80/
ProxyPassReverse http://vw.int.example.com:80/
</Location>
ErrorLog ${APACHE_LOG_DIR}/vw-error.log
CustomLog ${APACHE_LOG_DIR}/vw-access.log combined
SSLCertificateFile /etc/letsencrypt/live/vw.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vw.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Does somebody know how to get Basic Auth working?