Thanks for following up. The following tests have pushed the issue one step further (hope so!).
I’ll report in detail what I’ve done in case it’s useful to someone else that might suffer this issue:
- I connect the Android device straight away with no adblock/proxy/vpn/firewall.
- Pinging the server from the Android device is fine. It shows a consistent 50ms time and no packet loss.
- The vault loads fine if I log in from the Android browser app.
- I installed Kiwi Browser and the Bitwarden extension. I can log in and sync perfectly through the extension.
- I reinstalled 2 versions of the Android app (v.2.5.6 and v.2.6.1). I downloaded the packages from here: https://github.com/bitwarden/mobile/releases (filename com.x8bit.bitwarden.apk)

On launching the app, I click the top-left icon and set my custom URL, as I do on the PC. Then I proceed to log in and the server allows the connection.
This is how the accepted connection looks from the logs' perspective:
tail -n 10 bitwarden_nginx_access.log
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:42 +0100] "POST /api/accounts/prelogin HTTP/1.1" 200 32 "-" "Bitwarden_Mobile/2.6.1 (Android 8.1.0; SDK 27; Model xxx)"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:44 +0100] "POST /identity/connect/token HTTP/1.1" 200 3254 "-" "Bitwarden_Mobile/2.6.1 (Android 8.1.0; SDK 27; Model xxx)"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:45 +0100] "GET /api/sync HTTP/1.1" 400 226 "-" "-"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:46 +0100] "PUT /api/devices/identifier/80bd067c-f487-4567-b805-c8300fd4aeff/token HTTP/1.1" 400 226 "-" "-"
tail -n 10 bitwarden.log
[2020-10-09 22:03:42.520][request][INFO] POST /api/accounts/prelogin
[2020-10-09 22:03:42.521][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-10-09 22:03:44.562][request][INFO] POST /identity/connect/token
[2020-10-09 22:03:44.878][bitwarden_rs::api::identity][INFO] User xxx@gmail.com logged in successfully. IP: xxx.xxx.xxx.xxx
[2020-10-09 22:03:44.879][response][INFO] POST /identity/connect/token (login) => 200 OK
journalctl -n 10 -u bitwarden.service
Oct 09 22:03:42 hostname bitwarden_rs[313987]: [2020-10-09 22:03:42.520][request][INFO] POST /api/accounts/prelogin
Oct 09 22:03:42 hostname bitwarden_rs[313987]: [2020-10-09 22:03:42.521][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
Oct 09 22:03:44 hostname bitwarden_rs[313987]: [2020-10-09 22:03:44.562][request][INFO] POST /identity/connect/token
Oct 09 22:03:44 hostname bitwarden_rs[313987]: [2020-10-09 22:03:44.878][bitwarden_rs::api::identity][INFO] User xxx@gmail.com logged in successfully. IP: xxx.xxx.xxx.xxx
Oct 09 22:03:44 hostname bitwarden_rs[313987]: [2020-10-09 22:03:44.879][response][INFO] POST /identity/connect/token (login) => 200 OK
Now I’m logged in to the Android app. It doesn’t contain any key, and therefore I go to Settings > Sync and click on the Sync button.
This is how the logs report the failed sync attempt:
tail -n 10 bitwarden_nginx_access.log
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:22:19 +0100] "GET /api/sync HTTP/1.1" 400 226 "-" "-"
tail -n 10 bitwarden.log
Doesn't log anything related to the sync attempt.
journalctl -n 10 -u bitwarden.service
Doesn't log anything related to the sync attempt.
In contrast, this is what gets logged whenever I hit the sync button on the browser plugin (It syncs just fine):
tail -n 10 bitwarden_nginx_access.log
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:26:35 +0100] "GET /api/sync HTTP/2.0" 200 63082 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
tail -n 10 bitwarden.log
[2020-10-09 22:26:35.266][request][INFO] GET /api/sync
[2020-10-09 22:26:35.280][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
journalctl -n 10 -u bitwarden.service
Oct 09 22:26:35 figtree bitwarden_rs[313987]: [2020-10-09 22:26:35.266][request][INFO] GET /api/sync
Oct 09 22:26:35 figtree bitwarden_rs[313987]: [2020-10-09 22:26:35.280][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
Please notice that while Nginx logs both failed and accepted sync attempts, the bitwarden service, in contrast, logs only the accepted attempt.
Then I caught on a little detail:
- The Android app does the connection and syncing using the HTTP1.1 protocol:
GET /api/sync HTTP/1.1
- While the browser plugins/apps are syncing using the HTTP2 protocol:
GET /api/sync HTTP/2.0

The Bitwarden extension on Kiwi browser running under Android also uses the HTTP2 protocol.
That apparently points to the Nginx configuration, doesn’t it?
At first sight, I see two potential candidates to address this issue:
Nginx general configuration file:
cat /etc/nginx/nginx.conf | grep ssl_protocols
ssl_protocols TLSv1.2 TLSv1.3;
Vault vhost file:
cat /etc/nginx/sites-available/vault | grep 'listen 443'
listen 443 ssl http2;
I’m under the impression that here could lie the key to solve the issue.
But I’m not fully sure how to deal with that, because on one hand the server accepts the HTTP1.1 login request from the Android app but denies the HTTP1.1 sync request, while all HTTP2 requests go through without issues.
Any hints?
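
The manual comparison of the two logs in this post can be automated. The following is an added example, not part of the original post or of the bitwarden_rs project: it cross-references the nginx access log with the bitwarden_rs request log and lists requests that nginx answered with an error but the backend never recorded. It assumes both logs use the same local time zone; the function names and the 2-second matching window are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (client IP already redacted there).
NGINX_LOG = """\
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:42 +0100] "POST /api/accounts/prelogin HTTP/1.1" 200 32 "-" "Bitwarden_Mobile/2.6.1 (Android 8.1.0; SDK 27; Model xxx)"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:44 +0100] "POST /identity/connect/token HTTP/1.1" 200 3254 "-" "Bitwarden_Mobile/2.6.1 (Android 8.1.0; SDK 27; Model xxx)"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:03:45 +0100] "GET /api/sync HTTP/1.1" 400 226 "-" "-"
xxx.xxx.xxx.xxx - - [09/Oct/2020:22:26:35 +0100] "GET /api/sync HTTP/2.0" 200 63082 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
"""
BACKEND_LOG = """\
[2020-10-09 22:03:42.520][request][INFO] POST /api/accounts/prelogin
[2020-10-09 22:03:44.562][request][INFO] POST /identity/connect/token
[2020-10-09 22:26:35.266][request][INFO] GET /api/sync
"""

NGINX_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
BACKEND_RE = re.compile(
    r'\[(?P<ts>[\d-]+ [\d:.]+)\]\[request\]\[INFO\] (?P<method>\S+) (?P<path>\S+)')

def backend_requests(text):
    """Return (timestamp, method, path) for every request the backend logged."""
    out = []
    for m in BACKEND_RE.finditer(text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        out.append((ts, m["method"], m["path"].split("?")[0]))
    return out

def correlate(nginx_text, backend_text, window=timedelta(seconds=2)):
    """Tag each nginx entry with whether a matching backend request exists."""
    seen = backend_requests(backend_text)
    rows = []
    for m in NGINX_RE.finditer(nginx_text):
        # Assumption: both logs are written in the same local time zone.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        path = m["path"].split("?")[0]
        reached = any(meth == m["method"] and p == path and abs(t - ts) <= window
                      for t, meth, p in seen)
        rows.append({"path": path, "proto": m["proto"], "status": int(m["status"]),
                     "ua": m["ua"], "reached_backend": reached})
    return rows

def proxy_only_failures(rows):
    """Errors that nginx returned without the backend ever logging the request."""
    return [r for r in rows if r["status"] >= 400 and not r["reached_backend"]]

if __name__ == "__main__":
    print(proxy_only_failures(correlate(NGINX_LOG, BACKEND_LOG)))
```

On the lines from the post it reports only the HTTP/1.1 `GET /api/sync` request, which also arrived with an empty User-Agent field.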