[SOLVED] Websocket setup on Synology

I have installed Bitwarden on my Synology in Docker, and it’s working well. What I want to add is Websocket notification. I have added the new option to the variables, “websocket_enabled=true”, and in the reverse proxy on the NAS I added “websocket” via the “custom header” feature, but it still doesn’t work. I can see the message in Bitwarden’s log: ‘/notifications/hub’ should be proxied to the websocket server or notifications won’t work. Can you please help me to fix this? In Bitwarden’s read-only config list I see: websocket address: 0.0.0.0. Maybe this is the problem? Shouldn’t it be 127.0.0.1? But how to add it if so… Thank you

1 Like

You need to include details on your reverse proxy config…

Oh really? Such information :)
Can you share a secret with me and tell me what I should adjust there (where)? I’d appreciate it very much.
Jan

@honza: I am not sure why you reacted like this to @jjlin’s comment?

Since your traffic goes through a web proxy and you do not know why the ws: fails, it may be because your web proxy setup is incorrect.

It just simplifies the troubleshooting and avoids a back and forth exchange of “do you have this?”, “and what about that” + there may be some configuration which is simply incorrect.

Hi, I still don’t understand what you mean.
I am not a Linux guru, I am not using SSH much, and I don’t want to do setups through it. I was just politely asking if somebody can help with my situation. I have allowed websocket on the Synology NAS reverse proxy because they said it must be on for notifications. I have a running Bitwarden instance inside Synology Docker. I added variables to the Docker Bitwarden instance: websocket_enabled:true and websocket_address: 127.0.0.1 (I don’t know if it’s correct). In the Bitwarden setup I see websocket port 3012. Honestly, I don’t know what to set up and where, and I am asking here, if somebody is willing to advise and doesn’t feel offended by my lack of Linux knowledge. I would like to make it work; I don’t need to know in detail why some setups are the way they are…

The thing is that in order to help you, it is best to provide the configuration file of your reverse proxy (you mention “(…) in reverse proxy on NAS i added to the “custom header” feature “websocket (…)”).

Without this information it is hard to tell which part of the configuration of the reverse proxy is correct and which one is wrong, or missing.

It has nothing to do with your Linux skills; every one of us learns every day.

Ok, I got it, thank you! My reverse proxy record is below. Just so you know, ports in Docker are set this way: local 32776 to the container’s 3012 and local 8123 to Docker’s 80.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bw.mydomain.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/73646661-c0ae-1234-b9cd-1b80c12cd7e2/fullchain.pem;
    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/73646661-c0ae-1234-b9cd-1b80c12cd7e2/privkey.pem;

    location / {
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header        Upgrade            $http_upgrade;
        proxy_set_header        Connection         $connection_upgrade;
        proxy_set_header        Host               $http_host;
        proxy_set_header        X-Real-IP          $remote_addr;
        proxy_set_header        X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto  $scheme;
        proxy_pass http://localhost:8123;
    }
}

Hello

It is working fine on Synology with both Docker containers which I tested: BitwardenRS standard or the mysql edition (with MariaDB on Synology). See below the screen capture of my settings for the reverse proxy with websocket active. Port 32772 is the port of the Docker container. It works with localhost, the IP of your NAS, or 127.0.0.1. All are fine.

I hope it helps,
G

Capture2

1 Like

Thanks, does that mean your live sync through websocket is working? Please, what is your port setup then? Mine is here:

Thank you.

Hello

I am using SSL from Cloudflare (not the one from Synology). I have not tried other configurations (without SSL or with other SSL providers), but it should work.
The email settings can be added later; they are not necessary the first time.
Admin_token is the admin password for the respective access panel, also not necessary the first time.
Network is set up as bridge in Docker.

If you know how to work with docker compose, you can use the following configuration. You need to create the folder “bit” under the corresponding path on the Synology.

version: '3'
services:
  bitwarden:
    image: bitwardenrs/server
    container_name: bitwardenrs-server
    ports:
      - "32771:3012"
      - "32772:80"
    environment:
      ADMIN_TOKEN: "your_ADMIN_pass"
      SMTP_HOST: "your_server"
      SMTP_PORT: 587
      SMTP_FROM: "your_email"
      SMTP_FROM_NAME: "Bitwarden_RS"
      SMTP_USERNAME: "email_user"
      SMTP_PASSWORD: "your_password"
    volumes:
      - /volume1/docker/bit:/data
    network_mode: bridge

Anyway, the Docker configuration for bitwardenrs works straight away from Docker on Synology.

Note: the docker configuration layout is altered by the forum page. I cannot attach txt files, nor zips.

Thank you,
I have found the solution already and it’s working well now… :)
I made all these steps…

Thank you for your willingness to help

Jan

Hello,
Live sync works with this simple configuration?
For me, I had to configure Nginx myself…
Are you sure live sync is enabled on your side?!

Hi everyone,

I had trouble getting Websocket support on my Bitwarden_rs Docker + Reverse Proxy Synology setup to work but in the end was able to build a working solution without having to use SSH.

I’m not sure if my steps will work for everyone but I’ve put them into a note below. Please let me know if you have any feedback or suggestions:

-Norman

1 Like

Hello,
This script makes websocket notifications possible when using the Synology DSM reverse proxy.
Thanks for your work.
I slightly modified the script by setting the IP address instead of localhost to get it working, and added a \ before " for this: "upgrade".
(I also added some comments, and echo to have a trace in the log)

Hello here,

With DSM7, the script isn’t working anymore…

It must be changed.

Only the part where the ws. file is created still works.

The path for the server.ReverseProxy.conf file has changed, and the sed command line isn’t working anymore.

I managed with someone to get a working script. It’s not very elegant, but it works.

I put in some comments; I’m sorry, they are in French, maybe one day I’ll translate them…

Before launching the script, you have to change the IP address used, IP_NAS="192.168.2.200", on line 47.

Then, you have to launch the script with 3 arguments:

  • the first is the domain name

  • the second is the exposed port ROCKET_PORT, the same as the one declared in the reverse proxy

  • the third is the exposed port for the websocket

And now, the script:


#!/bin/bash
##==============================================================================================
##                                                                                            ##
##                       Script vaultwarden__Enable_Websocket-DSM_7.sh                        ##
##                                                                                            ##
##          Source : https://gist.github.com/nstanke/3949ae1c4706854d8f166d1fb3dadc81         ##
##                                                                                            ##
##==============================================================================================
##                                                                                            ##
##   This script sets up the routing that cannot be done with the DSM (Synology)              ##
##   reverse proxy, so that WebSocket notifications work.                                     ##
##   vaultwarden doc:                                                                         ##
##        Route the /notifications/hub endpoint to the WebSocket server, by default           ##
##        at port 3012, making sure to pass the Connection and Upgrade headers.               ##
##        (Note the port can be changed with WEBSOCKET_PORT variable)                         ##
##        https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications    ##
##                                                                                            ##
##==============================================================================================
##                                                                                            ##
##                              How to set up the scheduled task                              ##
##                                                                                            ##
## The script must be run regularly, because any change made in the DSM Reverse Proxy         ##
## graphical interface rewrites the configuration file. The same happens when the NAS         ##
## reboots.                                                                                   ##
##                                                                                            ##
##==============================================================================================
##                                                                                            ##
##        /!\    The IP address on line 47 must be changed to the NAS IP    /!\               ##
##                                                                                            ##
##==============================================================================================
##                                                                                            ##
## Script launch parameters:                                                                  ##
## bash /volume1/docker/bitwarden/enable_ws.sh vault.example.com 5555 5556                    ##
##                                                                                            ##
## -- vault.example.com = vaultwarden domain name (the one in the DSM Reverse Proxy)          ##
## -- 5555 = ROCKET_PORT exposed by Docker (same as in the DSM Reverse Proxy)                 ##
## -- 5556 = WEBSOCKET_PORT exposed by Docker                                                 ##
##                                                                                            ##
##==============================================================================================

LOC_DIR="/etc/nginx"
part1=0
part2=0
MY_DOMAIN=$1
PORT_ACCES=$2
PORT_CONT=$3
IP_NAS="192.168.2.200"

echo -e "\n$(date "+%R:%S - ") Script vaultwarden__Enable_Websocket.sh pour activer les Notifications Websockets"

f_affiche_parametre() {
  echo "          bash /volume1/docker/_Scripts-DOCKER/vaultwarden__Enable_Websocket.sh vault.example.com 5555 5556 "
  echo "                           -- vault.example.com = Nom de domaine de vaultwarden (celui du Reverse Proxy de DSM) "
  echo "                           -- 5555 = Port exposé ROCKET_PORT par Docker (Identique à celui du Reverse Proxy de DSM)"
  echo "                           -- 5556 = Port exposé WEBSOCKET_PORT par Docker"
}

if [ ! $# -eq 3 ]; then
  if [ $# -eq 0 ]; then
    # No parameter was supplied. Show the list of what can be used.
    echo "$(date "+%R:%S - ") Aucun paramètre fourni ! Revoir l'appel du script :"
    f_affiche_parametre
  else
    echo "$(date "+%R:%S - ") Le nombre de paramètres fournis n'est pas correct ! Revoir l'appel du script :"
    f_affiche_parametre
  fi
  echo -e "$(date "+%R:%S - ") ECHEC de lancement du script !!!!!!!!!\n"
  exit 1
fi

echo "$(date "+%R:%S - ") Exécution des commandes..."

#############################################################################################################
## Start of the file creation/modification section
##
if [ -f "$LOC_DIR/websocket.locations.vaultwarden" ]; then
  rm "$LOC_DIR/websocket.locations.vaultwarden"
  part1=1
fi

echo """
location /notifications/hub {
    proxy_pass http://$IP_NAS:$PORT_CONT;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection \"upgrade\";
}
location /notifications/hub/negotiate {
    proxy_pass http://$IP_NAS:$PORT_ACCES;
}
""" >>"$LOC_DIR/websocket.locations.vaultwarden"

# Note: with DSM7, the path of the server.ReverseProxy.conf file has changed
#         DSM6.2  = /etc/nginx/app.d/server.ReverseProxy.conf
#         DSM7    = /etc/nginx/sites-enabled/server.ReverseProxy.conf
if ! grep -q "websocket.locations.vaultwarden" /etc/nginx/sites-enabled/server.ReverseProxy.conf; then
  # Commands that work with DSM6.2.x, but no longer with DSM 7.0 (RC)
  #sed -i "/$1;/ a\ include $LOC_DIR/websocket.locations.vaultwarden;" /etc/nginx/app.d/server.ReverseProxy.conf
  #if nginx -t 2>/dev/null; then synoservicecfg --reload nginx; else exit 1; fi

  # Commands that work with DSM 7 (RC)
  sed -r "s#^([[:blank:]]*server_name[[:blank:]]*${MY_DOMAIN}[[:blank:]]*;[[:blank:]]*)\$#\1\n\n\tinclude ${LOC_DIR}/websocket.locations.vaultwarden;#" /etc/nginx/sites-enabled/server.ReverseProxy.conf > /etc/nginx/sites-enabled/server.ReverseProxy.conf.new
  mv /etc/nginx/sites-enabled/server.ReverseProxy.conf.new /etc/nginx/sites-enabled/server.ReverseProxy.conf
  if nginx -t 2>/dev/null; then synosystemctl reload nginx; else exit 1; fi
  part2=1 # Flag indicating that this section was executed
fi
##
## End of the file creation/modification section
#############################################################################################################

if [ $part1 -eq 1 ]; then
  echo "$(date "+%R:%S - ")    -- Le fichier $LOC_DIR/websocket.locations.vaultwarden existait déjà, il a été supprimé puis recréé."
else
  echo "$(date "+%R:%S - ")    -- Le fichier $LOC_DIR/websocket.locations.vaultwarden n'existait pas, il a été créé."
fi

if [ $part2 -eq 1 ]; then
  echo "$(date "+%R:%S - ")    -- !!!!!! --->  La modification dans le fichier /etc/nginx/sites-enabled/server.ReverseProxy.conf n'existait pas. Elle a été écrite."
  echo "$(date "+%R:%S - ")    -- !!!!!! --->  Le fichier /etc/nginx/sites-enabled/server.ReverseProxy.conf a du être réinitialisé après un reboot ou lors d'une modification du reverse-proxy dans DSM."
else
  echo "$(date "+%R:%S - ")    -- La modification du fichier /etc/nginx/sites-enabled/server.ReverseProxy.conf a déjà été effectuée lors d'une précédente exécution. Aucune modification n'est donc nécessaire."
fi

echo "$(date "+%R:%S - ") Script vaultwarden__Enable_Websocket.sh terminé"

exit

1 Like

Kudos to @MilesTEG1 for the original script, a user has translated and amended and I can confirm this is working perfectly on DSM 7.0

2 Likes

Hello,
@coalfield
I’m wondering if it could be possible to add, with the script, a source IP restriction for the https://vaut.domain.tld/admin page?
My idea is to restrict this page to only LAN IPs like 192.168.0.0/24 and only VPN IPs (VPN Server on DSM or SRM) like 192.168.10.0/24.
But I don’t know if it is possible, and how to do it.
Does any of you have an idea?

Thanks in advance :)

PS: I have posted the same message on the gist :)
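
The include file written by the DSM 7 script and the /admin restriction asked about above can be produced together. The following is an added example, not part of the thread or the gist: the function names are assumptions, the IP, ports and networks are the sample values quoted in the thread, and the arguments are validated before being written into nginx configuration.

```shell
#!/bin/sh
# Added example, not from the thread or the gist. Function names are assumptions.
# Prints the include-file body the script writes, plus an /admin location that
# only trusted source networks may reach. Arguments are validated first because
# they are pasted into nginx configuration that is loaded as root.

valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a.b.c.d/nn (octets 0-255, prefix 0-32); rejects ';', spaces, newlines.
valid_cidr() {
  case $1 in ''|*[!0-9./]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  old_ifs=$IFS; IFS=./
  set -- $1
  IFS=$old_ifs
  [ "$1" -le 255 ] && [ "$2" -le 255 ] && [ "$3" -le 255 ] &&
    [ "$4" -le 255 ] && [ "$5" -le 32 ]
}

# gen_locations NAS_IP HTTP_PORT WS_PORT CIDR [CIDR...]
# Returns 1 and prints nothing if any argument is malformed or no CIDR is given.
gen_locations() {
  [ $# -ge 4 ] || return 1
  ip=$1 http=$2 ws=$3
  shift 3
  valid_cidr "$ip/32" && valid_port "$http" && valid_port "$ws" || return 1
  for net in "$@"; do valid_cidr "$net" || return 1; done
  cat <<EOF
location /notifications/hub {
    proxy_pass http://$ip:$ws;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
    proxy_pass http://$ip:$http;
}
location /admin {
$(printf '    allow %s;\n' "$@")
    deny all;
    proxy_pass http://$ip:$http;
}
EOF
}

# Values taken from the thread: NAS IP and ports from the script, LAN and VPN
# ranges from the question above.
gen_locations 192.168.2.200 5555 5556 192.168.0.0/24 192.168.10.0/24
```

nginx evaluates `allow` and `deny` against the address of the connecting peer, so when Cloudflare or another proxy sits in front of the NAS every client appears as that proxy and the real client address has to be restored first (for example with the realip module and a trusted proxy range). The output would replace the body the script writes to websocket.locations.vaultwarden, followed by the same `nginx -t` check before reloading.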