Hi guys, I am new to Vaultwarden and Docker in general, and I just installed it. However, I noticed that the admin page is exposed to the internet, and I'd like to secure it or disable it. I don't know why this doesn't have 2FA, as it's crucial for security reasons. Anyway, if someone can please tell me the steps to either:
1- Disable the page from being accessed. I have tried deleting the admin token, but it doesn't work because it's in the config.json file, which I don't know how to manipulate, and I'm not sure if this refers to the actual admin page.
2- Use nginx rules, which I have no clue how to work with, since, as I mentioned, I am new to Docker.
Please help me set this up, as I like the product; however, having this admin page exposed is NOT GOOD.
If you don't want the /admin page, why did you enable it in the first place?
Make sure you don't set ADMIN_TOKEN in your environment, and it won't be enabled.
(In my case, /admin returns "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it".)
Because using the .env I was not able to get SMTP working, so I needed the admin page to get it working. Now I need to disable it, but taking ADMIN_TOKEN out of the .env is not working; the page is still accessible.
Back up your data and rebuild a new Docker container with the SMTP-related env variables. This is how I deal with this problem.
However, 2FA to access the admin panel would be better.
Do you run the vault behind any kind of reverse proxy? If so, simply block use of the admin page from anyone outside of the local network. I use Caddy, so for example this is the Caddy config to do so:
(vaultwarden-admin) {
    @admin {
        path /admin*
        not remote_ip 192.168.0.0/16
    }
    redir @admin / permanent
}
This takes any path starting with /admin and redirects it to / if the request is not from within 192.168.0.0/16, and this can be done with any reverse proxy.
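The same restriction expressed for nginx, which the original question asked about, as an added example that is not part of the thread or of the Vaultwarden project. It assumes Vaultwarden is reachable from nginx at 127.0.0.1:8080 (adjust to your compose port mapping), that your LAN is 192.168.0.0/16 as in the Caddy example, and that vault.example.com and the TLS settings are placeholders for your own:

```nginx
# Added example: restrict Vaultwarden's /admin page to the local network in nginx.
# Assumptions: upstream 127.0.0.1:8080, LAN 192.168.0.0/16, placeholder hostname.
server {
    listen 443 ssl;
    server_name vault.example.com;
    # ssl_certificate / ssl_certificate_key go here, as in your existing config

    # Vaultwarden attachments can be large; Vaultwarden's own nginx example uses this value.
    client_max_body_size 525M;

    # Prefix match: covers /admin, /admin/, /admin/diagnostics, ... (same as Caddy's /admin*).
    # Requests from outside the allow list get a 403 instead of the Caddy example's redirect.
    location /admin {
        allow 192.168.0.0/16;
        allow 127.0.0.1;
        deny all;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (web vault, API, clients) stays reachable from anywhere.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks before trusting this: `allow`/`deny` act on `$remote_addr`, so if nginx itself runs as a container behind Docker's bridge NAT, or behind another proxy or a Cloudflare tunnel, every client may appear with the same internal address and the allow list silently passes everyone. Look at the client address in nginx's access log from an outside connection first; if it is not the real client IP, you need the real_ip module (`set_real_ip_from` for the trusted upstream and `real_ip_header`) before the allow list means anything. Then run `nginx -t`, reload, and confirm that `curl -I https://vault.example.com/admin` from outside the LAN returns 403 while the vault itself still loads.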
Where is this config file located? I can't find it. I have used this GUIDE to install Vaultwarden.
You may find some good detail, as well as user-contributed guides, on the Vaultwarden Wiki.
Going off the guide you referenced, it appears this is stored in a Docker volume for the Caddy configuration, so you should just be able to access that and make the needed config edits, or simply add them in the docker-compose.yaml.
I have added the code suggested above to the docker-compose.yaml, but it doesn't work, and since the Caddy config file is on a Docker volume, how can I access it? I am a noob to Docker. Thanks for the help.
If you make a config change, you will likely need to run docker-compose up -d or docker-compose restart to have it apply. As with anything, I would always caution and recommend having a recent backup of your vault data.
I haven't messed with Docker and volumes in a while, but this is what I could find that might help locate this on your system.
Well, if you've set ADMIN_TOKEN as an environment variable, remove it or comment it out.
If it's in config.json, you'll need to access the file inside your Docker container and remove the admin_token line. You can use a command like docker exec -it [container_name] nano /config/config.json to edit the file.
Restart your Vaultwarden container for the changes to take effect.
I hope this helps. Also, you can check out some tips at Vaultwarden Docker — Framework Repositories 1.0 documentation.
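Why removing ADMIN_TOKEN from .env alone did not work earlier in the thread: settings saved from the /admin page are written to config.json in Vaultwarden's data directory, and that file takes precedence over environment variables, so an admin_token left there keeps the page enabled. The following Python script is an added example (not code from the thread or from the Vaultwarden project) that checks both places and strips the key from config.json; the file paths, and the sample .env and config.json contents, are constructed for illustration and should be replaced with your own.

```python
"""Check where Vaultwarden's admin token is still configured, and strip it.

Added example, not Vaultwarden's own tooling.  Assumption made explicit:
values saved via the /admin page live in config.json (data directory) and
override the ADMIN_TOKEN environment variable, so both must be clean for
the admin page to report itself disabled after a restart.
"""
import json
import re
from pathlib import Path

# Matches an active (uncommented) ADMIN_TOKEN assignment in a .env file.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?ADMIN_TOKEN\s*=\s*(.*)$')

# Constructed sample inputs (not real deployment files).
SAMPLE_ENV = "DOMAIN=https://vault.example.com\nADMIN_TOKEN=hunter2\nSMTP_HOST=smtp.example.com\n"
SAMPLE_ENV_COMMENTED = "DOMAIN=https://vault.example.com\n# ADMIN_TOKEN=hunter2\nSMTP_HOST=smtp.example.com\n"
SAMPLE_CONFIG = '{"admin_token": "hunter2", "smtp_host": "smtp.example.com", "smtp_port": 587}'


def env_admin_token(env_text: str):
    """Return the value of the last active ADMIN_TOKEN line, or None if there is none.

    Lines starting with '#' are treated as commented out.  Surrounding quotes
    are stripped so that ADMIN_TOKEN="x" and ADMIN_TOKEN=x compare equal.
    """
    value = None
    for line in env_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if match:
            value = match.group(1).strip().strip('"').strip("'")
    return value


def strip_admin_token(config_text: str):
    """Remove the admin_token key from config.json text.

    Returns (new_text, removed).  All other keys (e.g. the SMTP settings the
    original poster configured through the admin page) are preserved.
    """
    cfg = json.loads(config_text) if config_text.strip() else {}
    removed = cfg.pop("admin_token", None) is not None
    return json.dumps(cfg, indent=2) + "\n", removed


def admin_still_configured(env_text: str, config_text: str) -> bool:
    """True if either source still carries an admin token.

    Any active ADMIN_TOKEN line counts, even an empty one: comment it out or
    delete it rather than relying on how an empty value is interpreted.
    """
    cfg = json.loads(config_text) if config_text.strip() else {}
    return "admin_token" in cfg or env_admin_token(env_text) is not None


def disable_admin_page(env_path: str, config_path: str) -> bool:
    """Strip admin_token from config.json on disk and report whether anything remains.

    The .env file is only read, never rewritten: commenting out ADMIN_TOKEN
    there is left to the operator.  Restart the container afterwards.
    """
    env_text = Path(env_path).read_text() if Path(env_path).exists() else ""
    config_file = Path(config_path)
    config_text = config_file.read_text() if config_file.exists() else ""
    new_text, removed = strip_admin_token(config_text)
    if removed:
        config_file.write_text(new_text)
        config_text = new_text
    return admin_still_configured(env_text, config_text)


if __name__ == "__main__":
    # Example paths (assumed): the compose project's .env and the mounted data dir.
    still_set = disable_admin_page("./.env", "./vw-data/config.json")
    print("admin token still present in .env: %s" % still_set)
```

Run it from the compose project directory after stopping the container (or copy config.json out of the volume first, since the data directory is usually a bind mount or named volume rather than a path inside the container). If it reports that the token is still present, the remaining source is the active ADMIN_TOKEN line in .env; after both are clean and the container is restarted, /admin should answer with the "admin panel is disabled" message quoted earlier in the thread.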
For what it's worth, if you are using Cloudflared for access to your Vaultwarden installation, in Cloudflare simply create an application rule for accessing Vaultwarden (make sure to include the URL path /admin when configuring domain access) and apply a policy that requires an access code sent to your email address.
You will need to enter the access code on the Cloudflare Access page that loads first, before you can even get to the /admin page.
If you use Synology and have installed Vaultwarden from Synology Container Manager following this excellent tutorial: Vaultwarden (Bitwarden) in Docker on a Synology NAS, I solved this and restricted web and admin access from the internet by doing three things:
1st: You have to set up a VPN (I'm using a Synology RT2600AC router, which has its own VPN server).
2nd: After the VPN setup, from Synology DSM / Control Panel / Login Portal / Advanced / Reverse Proxy, set up access to Vaultwarden (before this you can also set up free Synology DDNS, or your own domain and SSL certificate if you have them configured).
3rd: You have to configure an ACL rule on the Synology reverse proxy and apply this ACL to the Vaultwarden reverse proxy configuration; in this ACL rule you have to include the VPN range (e.g. 172.21.0.0/24) and AFTER this deny all IPs; then save everything.
Now you can only access Vaultwarden from the web, or the admin configuration, if the VPN is on; otherwise it will not let you access it. Nonetheless, you can use the Bitwarden app without the VPN to access your vault from any of your devices where the Bitwarden app is installed and configured.
Update: sorry for the above post, but it is useless. I did some tests, and if you set an ACL in the Synology reverse proxy config it won't let you access anything except from the selected IP or IP range listed in the ACL... The solution would be to use NGINX PROXY MANAGER installed as a Docker app on the Synology NAS, but it seems that this solution will conflict with Synology's own proxy manager and Synology Web Station. So this is still an issue; I hope D Garcia will come up with a solution.