[SOLVED] 2nd domain for the admin page

Hey :slight_smile:

Thanks for all your hard work - this project is great. The title is a little misleading but I did not know how to describe it.

I have Vaultwarden set up on two domains (I know that you can only specify one). One for regular usage that blocks access to the /admin path and one that does provide access to the admin panel but is protected by mTLS. This was also the main reason why I needed two domains for this, as you cannot have different TLS configurations for the same domain (btw: the Bitwarden Apps support mTLS which is awesome). I have been using this for quite a while and it works great. However, there is a minor inconvenience when logging in to the admin page. When I log in with the admin key it will correctly log you in and create the session cookie, however the page will redirect you to https://admin which obviously is not a valid URL. I can just enter the page again and I will be logged in and can use the page normally from there on.

So this is probably a very specific request and I can imagine not too important but maybe there could be a second base domain config setting that would just default to the other one if not provided.

I imagine there are more important issues as this is an unsupported use case but I do not know a lot about Rust. I looked into patching it myself but I would appreciate a little guidance on where to start.

I found this: vaultwarden/admin.rs at main · dani-garcia/vaultwarden · GitHub
But I do not fully understand how the config works. Can I just add the entry here vaultwarden/config.rs at 7b742009a180c990c013df51946ab22aa02c7a96 · dani-garcia/vaultwarden · GitHub and it will be available in the admin.rs? I don’t need there to be a setting in the admin panel.

I can understand if this is just not supported and you can not help me. But I figured asking where to start does not hurt. It’s also not the end of the world since you don’t need to log in to the admin panel very often and pressing “back” once is just a bit annoying but nothing major.

Kind regards
Chris

How come it will redirect you to https://admin?
That kinda looks like the Location: header is not working correctly, which by default just uses the same Host: header which is sent. Maybe the reverse proxy isn’t sending the correct headers for Vaultwarden to determine the hostname? Or, the reverse proxy is rewriting the Location header which gets sent?

Since within the code vaultwarden/admin.rs at main · dani-garcia/vaultwarden · GitHub it only uses the path and never the hostname to trigger the redirect. That is what is done automatically by the HTTP Server Library.

Update:
Because I can use the same instance with http://localhost/admin, http://127.0.0.1/admin or http://my.host.tld/admin, all will redirect just fine.

Well… I fixed it. However, my reverse proxy configuration was correct. I am not quite sure what the issue was, but my main domain was https://bitwarden.example.com and the second one I was using was https://admin.bitwarden.example.com/. Switching the admin domain to https://vaultwarden.example.com fixed the issue.

Maybe there is something wrong with how the parsing of the domain works or it just can’t handle subdomains 2 layers deep.

Thanks for your input. Even though the problem seems to be somewhere else and is certainly not really fixed, it led me to find a fix for my issue. :slight_smile:

I just tested it myself, and there seems to be nothing wrong on the server side.
I can use admin.sub.domain.tld just fine. Same goes for admin.secret.sub.domain.tld.

The server sends back the same HOST as it receives during the location redirections.

Hmm, thanks for testing… I don’t really know what changed… I only changed the domain and it started working. I really can’t explain what the issue is. I will try changing it back to the old domain tomorrow to see if the problem is reproducible. Maybe it is a problem with Traefik, which I am using as a reverse proxy.

Thanks a lot for your effort :slight_smile:

To me it looks like it is changing the location header and removes the domain for some reason. But not sure how that works with Traefik.
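
Added example, not part of any post above and not Vaultwarden or Traefik code: a small Python check that resolves a `Location` header value against the request URL the way a browser does and flags redirects that land on a different host. The sample `Location` values are constructed; the thread does not establish which form was actually sent.

```python
from urllib.parse import urljoin, urlsplit


def location_form(location):
    """Classify the syntactic form of a Location header value."""
    parts = urlsplit(location)
    if parts.scheme:
        return "absolute"
    if parts.netloc:
        # Starts with "//": the first label after it is read as a host name.
        return "scheme-relative"
    if location.startswith("/"):
        return "path-absolute"
    return "relative"


def check_redirect(request_url, location):
    """Resolve Location against the request URL and compare host names."""
    target = urljoin(request_url, location)
    return {
        "form": location_form(location),
        "target": target,
        "host_changed": urlsplit(request_url).hostname != urlsplit(target).hostname,
    }


# Constructed inputs: the admin login URL from the thread and four possible
# Location values a server or a rewriting proxy could emit.
REQUEST_URL = "https://admin.bitwarden.example.com/admin"
SAMPLES = [
    "/admin",
    "admin",
    "//admin",
    "https://admin.bitwarden.example.com/admin",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        result = check_redirect(REQUEST_URL, loc)
        flag = "HOST CHANGED" if result["host_changed"] else "ok"
        print(f"{loc!r:50} {result['form']:16} -> {result['target']}  [{flag}]")
```

To use it against a live setup, take the `Location` value from `curl -sI` run once directly against Vaultwarden and once through the reverse proxy, and compare the two results.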