How to configure reverse proxy + Basic Auth with Vaultwarden

You might find Authelia useful. Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal.

However, there are plenty of easier best practices at all layers of deployment.

  1. Firewall - always allow only what is necessary. Block all traffic OUT and IN, then add rules to allow only incoming connections on the HTTP and WEBSOCKET ports from your reverse proxy, and SSH to manage your Vaultwarden. Next, add rules to allow OUTGOING traffic on ports 80 and 443. If you can, deploy your own internal DNS like AdGuard and allow OUTGOING traffic on port 53 only to your internal DNS. If not, then keep only 80 and 443 allowed and use DNS over HTTPS from Cloudflare or another trusted provider of your choice. If an attacker or malware gets in somehow, they could try to start a connection to a C&C server. Allowing only the ports required for Vaultwarden may stop or slow down attackers.
  2. Reverse proxy - follow best practices and define your security headers properly, paying attention to Content Security Policy (CSP). You might want to redirect bitwarden.yourdomain.tld/admin to error 403 (forbidden).
  3. Run the Docker container without root. After installing Docker, here is an instruction on how to do it.
    Linux post-installation steps for Docker Engine | Docker Documentation
  4. Vaultwarden - be sure to configure SMTP. Any events connected with failed logins, unfinished 2FA, or new logins from new locations will go to your mailbox so you can react.
  5. Host - your Docker container must live somewhere, maybe on a VM. Be sure to keep your host OS updated and configured carefully. Be sure that access is secured by hardening SSH. Disable root login, maybe disable password login and use public key authentication only. Example: How To Harden OpenSSH on Ubuntu 20.04 | DigitalOcean
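As an added example (not part of the original post, and not code from the Vaultwarden project), the following POSIX shell script puts steps 1 and 5 above into a form you can run and check: `render_nft_ruleset` prints an nftables ruleset with default-drop input/output chains that only admits the reverse proxy and SSH inbound and web plus internal DNS outbound, and `audit_sshd_config` checks an sshd_config for the SSH hardening settings (no root login, no password or keyboard-interactive login, public-key authentication on). The IP addresses, networks and ports at the top are assumptions for the example; the two sshd_config files the script audits are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example for the firewall (step 1) and SSH hardening (step 5) layers.
# Not the original poster's or Vaultwarden's code. Values below are assumptions.

PROXY_IP="${PROXY_IP:-10.0.0.10}"     # assumed: reverse proxy that talks to Vaultwarden
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}" # assumed: where SSH management comes from
DNS_IP="${DNS_IP:-10.0.0.53}"         # assumed: internal resolver (e.g. AdGuard)
VW_PORT="${VW_PORT:-80}"              # assumed: Vaultwarden HTTP port
WS_PORT="${WS_PORT:-3012}"            # assumed: separate websocket port, if you run one

# Step 1: default-drop ruleset. Inbound only from the proxy (HTTP/WS) and the
# admin network (SSH); outbound only web (80/443) and DNS to the internal resolver.
# Caveat: with rootful Docker, published ports are DNAT'ed and never hit the input
# chain (restrict them in the forward chain instead). With rootless Docker (step 3)
# a userland proxy listens on the host, so the input chain below does apply.
render_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr ${PROXY_IP} tcp dport { ${VW_PORT}, ${WS_PORT} } accept
        ip saddr ${ADMIN_NET} tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        ip daddr ${DNS_IP} udp dport 53 accept
        tcp dport { 80, 443 } accept
    }
}
EOF
}

# Step 5 helper: effective value of a keyword in an sshd_config.
# sshd uses the FIRST value given for a keyword, and anything after the first
# "Match" line is conditional, so parsing stops there. "Keyword=value" is accepted.
# $1 = file, $2 = keyword (any case), $3 = OpenSSH default if the keyword is absent.
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " "); $0 = $0 }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Prints each missing hardening setting; returns 0 only if all are in place.
# KbdInteractiveAuthentication matters because PAM password prompts still work
# through it when PasswordAuthentication alone is turned off (upstream default yes).
audit_sshd_config() {
    rc=0
    [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" = "no" ] || { echo "PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] || { echo "PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_effective "$1" KbdInteractiveAuthentication yes)" = "no" ] || { echo "KbdInteractiveAuthentication should be no"; rc=1; }
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ] || { echo "PubkeyAuthentication should be yes"; rc=1; }
    return $rc
}

# Constructed sample configs for the demonstration (not real host files).
write_sample_configs() {
    WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
    cat >"$WEAK_CFG" <<'EOF'
# looks hardened at a glance, but the password line is commented out (default yes)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat >"$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demonstration: audit both constructed configs, then print the ruleset.
write_sample_configs
echo "== weak config =="
if audit_sshd_config "$WEAK_CFG"; then echo "hardened"; else echo "NOT hardened"; fi
echo "== hardened config =="
if audit_sshd_config "$HARDENED_CFG"; then echo "hardened"; else echo "NOT hardened"; fi
echo "== nftables ruleset =="
render_nft_ruleset
rm -f "$WEAK_CFG" "$HARDENED_CFG"
```

On a live host, audit the configuration sshd actually uses rather than one file (Ubuntu's stock config pulls in `/etc/ssh/sshd_config.d/*.conf`, whose values win because they come first): `sudo sshd -T > effective.conf && audit_sshd_config effective.conf` works, since `sshd -T` prints plain `keyword value` lines. Syntax-check the generated ruleset with `nft -c -f` before loading it with `nft -f`, and load it from a console or a session you can afford to lose, because the default-drop output chain also cuts off anything not listed.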