I have a recurring issue with being signed out when editing existing Vaultwarden entries and the change not being reflected. New entries are successful, but edits or deletes result in being signed out. This occurs both via web browser and the Chrome extension. This is affecting our ability to use it. Has anyone seen this before or have any ideas what might be causing this?
Vaultwarden version: 1.25.2 with Apache reverse proxy for SSL
Vaultwarden database: SQLite 3.35.4
Apache version: 2.5.54
BitWarden extension version: 2022.8.0
What do the logs of Vaultwarden tell you during those moments?
What if you create a new item and edit it directly afterwards?
From the Apache logs, it looks like it’s triggering some ModSecurity rules. It happens for new items that are immediately edited – it’s added and then unmodifiable. Other changes such as account info and master password updates work. Thanks for helping.
Vaultwarden Log:
[vaultwarden::api::identity][INFO] User {email address} logged in successfully. IP: {ip address}
[response][INFO] (login) POST /identity/connect/token => 200 OK
[request][INFO] POST /identity/connect/token
[response][INFO] (login) POST /identity/connect/token => 200 OK
[request][INFO] GET /api/sync?excludeDomains=true
[response][INFO] (sync) GET /api/sync?<data…> => 200 OK
Apache Log:
ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "{hostname}"] [uri "/api/ciphers/{cipher id}"] [unique_id "{id}"], referer: {url}
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "{hostname}"] [uri "/api/ciphers/{cipher id}"] [unique_id "{id}"], referer: {url}
ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "{hostname}"] [uri "/api/ciphers/{cipher id}"] [unique_id "{id}"], referer: {url}
Looks like ModSecurity is blocking some needed HTTP Methods for Bitwarden/Vaultwarden to work.
It needs POST, GET, PUT and DELETE for all API calls to work.
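One way to apply that fix, as an added example that is not from the thread: an Apache vhost fragment that widens the OWASP CRS allowed-methods list only for the vhost proxying Vaultwarden. It assumes mod_security2 with CRS 3.x is already loaded in the server config; the hostname, backend port and rule id 10000 are placeholders.

```apache
# Added example, not from the thread: Apache vhost proxying Vaultwarden with
# the CRS allowed-methods list widened to what the Bitwarden API uses.
# Assumes mod_security2 + OWASP CRS 3.x are loaded at server level.
<VirtualHost *:443>
    # Placeholder hostname
    ServerName vault.example.com

    SSLEngine on
    # (certificate directives omitted)

    # CRS initialises tx.allowed_methods to "GET HEAD POST OPTIONS" (rule
    # 901160 in REQUEST-901-INITIALIZATION.conf, unless rule 900200 in
    # crs-setup.conf has been uncommented). Rule 911100 in REQUEST-911 then
    # scores every PUT or DELETE, and the anomaly threshold in REQUEST-949
    # turns that into the 403 seen in the Apache log above.
    #
    # Vhost-level rules run after the server-level CRS rules of the same
    # phase, so this phase:1 action replaces the list for this vhost only;
    # other vhosts on the server keep the strict default.
    # id 10000 is a placeholder from the user range (1-99999); choose one
    # not already in use.
    SecAction \
        "id:10000,\
        phase:1,\
        nolog,\
        pass,\
        t:none,\
        setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

    # Reverse proxy to Vaultwarden; 127.0.0.1:8000 is a placeholder.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

After `apachectl configtest` and a reload, a PUT to /api/ciphers/... should no longer appear in the error log with rule 911100; if a block persists, the logged [file] and [msg] fields identify which other CRS rule still scores the request.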