I usually have the admin panel disabled. This works only if ADMIN_TOKEN is not set. But if the environment variable is set and thus also written to the config, deleting the variable does nothing, because the token remains in the config and must be deleted from there each time to disable the panel again.
It would be better if I could decide via a separate variable whether the panel is activated or not.
What I did to limit access to the admin panel was add a section in my proxy config that denies any connection to the /admin subdirectory from outside specific local IP addresses.
Yes, I have also thought about this, but only as an additional measure for when the panel is active and I might forget to deactivate it again.
Unless you don't trust your internal network, you would not have to turn it on and off; it's just an allow and deny-all definition in nginx, which would look something like this in the same server block as your root / definition:
    # Matches /admin and /bitwarden/admin (the regex is unanchored, as nginx's `~` always is)
    location ~ (/bitwarden)?/admin {
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rules are checked in order and the first match wins, so allow must come before deny all.
        # They are compared against $remote_addr, the TCP peer: if another proxy sits in front of
        # nginx, that is the proxy's address unless the real_ip module is configured.
        # /32 is a single address; use a wider prefix for a range.
        allow iprangeyouwanttoallow/32;
        deny all;
    }
Instead of using deny and allow, I tried a different method to get a 444 error instead of 403, as described here: firewall - Nginx return `444` on deny - Server Fault
    http {
        ...
        # geo maps the client address ($remote_addr here) to a variable: the most
        # specific matching prefix wins and "default" covers everything else.
        geo $remote_addr $allowed_traffic {
            default false;
            192.168.0.0/16 true;
        }
    }
    server {
        ...
        # An "if" with "return" at server level is safe (it is "if" inside a location that
        # is problematic). 444 is nginx's special status: close the connection without a response.
        if ($allowed_traffic = 'false') {
            return 444;
        }
        ...
    }
I also use 444 when someone does not access the main site via a specific URL.
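Both the allow/deny block and the geo map above decide on $remote_addr, the address nginx sees on the TCP connection. That is the right thing when clients reach nginx directly, but as soon as another proxy or load balancer sits in front of it, $remote_addr is that hop's address, and the only way to recover the real client is a header such as X-Forwarded-For, which anyone can set. The following is an added example, not code from this thread, from SWAG or from nginx: a small Python model of the decision the two configurations make, with the client address recovered the way ngx_http_realip_module does it (set_real_ip_from / real_ip_header / real_ip_recursive), beside the naive version that believes the header from anyone. The 10.0.0.0/8 "trusted proxy" range and all sample requests are assumptions constructed for the example.

```python
"""Model of an nginx-style IP allow list for /admin, with the real-IP caveat.

Added example, not code from the thread or from nginx/SWAG. It models
  1. which address counts as the client: $remote_addr, or, when the TCP peer is
     a trusted proxy, the address recovered from X-Forwarded-For (what the
     realip module's set_real_ip_from / real_ip_recursive do), and
  2. the allow/deny or geo-map decision against that address.
All sample requests and the trusted-proxy range are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ADMIN_LOCATION = re.compile(r"(/bitwarden)?/admin")  # the thread's location regex
ADMIN_ALLOWED_NETS = ["192.168.0.0/16"]               # the thread's geo map
TRUSTED_PROXIES = ["10.0.0.0/8"]   # assumption: an internal load balancer in front of nginx


@dataclass
class Request:
    path: str
    remote_addr: str                       # TCP peer address, nginx's $remote_addr
    x_forwarded_for: Optional[str] = None  # raw header value, if any


def _nets(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def client_address(req: Request, trusted_proxies: List[str], recursive: bool = True) -> str:
    """Address the allow list is evaluated against (realip-module semantics).

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy; with
    recursive=True the header is walked right-to-left past every trusted hop.
    A peer that is not trusted is taken as-is, whatever the header claims.
    """
    trusted = _nets(trusted_proxies)
    addr = req.remote_addr
    if not req.x_forwarded_for or not _in_any(addr, trusted):
        return addr
    hops = [h.strip() for h in req.x_forwarded_for.split(",") if h.strip()]
    while hops:
        candidate = hops.pop()          # rightmost hop was appended by the nearest proxy
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return req.remote_addr      # not an IP at all: fall back to the peer address
        addr = candidate
        if not recursive or not _in_any(addr, trusted):
            break
    return addr


def admin_decision(req: Request, allowed_nets=ADMIN_ALLOWED_NETS,
                   trusted_proxies=TRUSTED_PROXIES) -> int:
    """Status nginx would produce: 200 = proxied to vaultwarden, 444 = connection dropped."""
    if not ADMIN_LOCATION.search(req.path):
        return 200                       # other locations are not restricted here
    if _in_any(client_address(req, trusted_proxies), _nets(allowed_nets)):
        return 200
    return 444


def naive_decision(req: Request, allowed_nets=ADMIN_ALLOWED_NETS) -> int:
    """The mistake to avoid: believing the leftmost X-Forwarded-For entry from anyone."""
    if not ADMIN_LOCATION.search(req.path):
        return 200
    claimed = (req.x_forwarded_for or req.remote_addr).split(",")[0].strip()
    return 200 if _in_any(claimed, _nets(allowed_nets)) else 444


# Constructed sample traffic (not captured data).
SAMPLES = {
    "lan_direct":       Request("/admin", "192.168.1.20"),
    "wan_direct":       Request("/admin", "203.0.113.7"),
    "wan_spoofed_xff":  Request("/admin", "203.0.113.7", "192.168.1.20"),
    "lan_via_lb":       Request("/admin", "10.0.0.5", "192.168.1.20"),
    "wan_via_lb":       Request("/admin", "10.0.0.5", "203.0.113.7"),
    "wan_via_lb_spoof": Request("/admin", "10.0.0.5", "192.168.1.20, 203.0.113.7"),
    "vault_page":       Request("/", "203.0.113.7"),
}


def run_samples():
    """(realip-style status, naive status) for every sample request."""
    return {name: (admin_decision(r), naive_decision(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (strict, naive) in run_samples().items():
        print(f"{name:18s} realip-style={strict}  naive-xff={naive}")
```

The two cases worth keeping in mind when you run this: with no proxy declared trusted, a load balancer whose own address falls inside 192.168.0.0/16 makes every external request to /admin look local (the allow list then protects nothing), while a load balancer outside that range locks everyone out with 444. In nginx the equivalent of `client_address` is `set_real_ip_from` plus `real_ip_header X-Forwarded-For` and `real_ip_recursive on` in the server block, after which $remote_addr, and therefore the geo map and the allow/deny rules, see the recovered client address.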
Where is this file located? I need to do this ASAP. Thanks.
It's inside the nginx.conf which I use as a reverse proxy. Depending on your reverse proxy installation, the server part can also be in a separate configuration file. I'm using Swag for this.