Session expired when using basicauth

I’ve managed to get my bitwardenrs instance running and thought it’d be good to provide some layers of protection. Especially after seeing this.

I started looking into fail2ban, but found multiple issues so bailed out of that.

I then tried setting basicauth in caddy, which is fine for my initial url, but as soon as I try to log in, it immediately logs me out, stating:

Logged out
Your login session has expired

I’ve used the * wildcard in the caddy basicauth directive, which I would’ve thought would allow full access everywhere, but I guess that’s not quite right.

Any ideas?

Thanks

Basic auth won’t work well with Bitwarden in general, certainly not with the mobile apps.

Personally I think strict SNI is good enough for most people, and Caddy does that by default. If you really want, putting bitwarden_rs under a secret subdir would have substantially the same effect as basic auth:

Thanks @jjlin and understood.

I realise I’m being over-cautious, but after seeing the shodan.io site having public details of bitwarden instances worldwide it makes me very wary and want to make my instance as strong and secure as possible.

I’ll therefore do as suggested and follow the Hardening Guide.

Cheers!