Hi,
I installed vaultwarden via DEB package as a systemd service. Runs nice and smooth. It is behind a reverse proxy that is running on another server. This is an nginx. which also deals with the certificates.
Now I want to enable fail2ban. In fact it works, but when I connected from the outside (like mobile internet) to my vaultwarden, the nginx get locked or the gateway. It depends if I use X-Real-IP or X-Forwarded-For. But of course I need the ip address from outside. What is my fault?
nginx config:
server {
listen 80;
server_name domain.tld;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name domain.tld;
ssl_certificate /root/.acme.sh/domain.tld/fullchain.cer;
ssl_certificate_key /root/.acme.sh/domain.tld/domain.tld.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
client_max_body_size 128M;
location / {
proxy_pass http://192.168.230.9:80;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub/negotiate {
proxy_pass http://192.168.230.9:80;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://192.168.230.9:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
fail2ban jail:
[vaultwarden]
enabled = true
port = 80,443,8081
banaction = %(banaction_allports)s
backend = systemd
filter = vaultwarden[journalmatch='_SYSTEMD_UNIT=vaultwarden.service']
maxretry = 3
bantime = 14400
findtime = 14400
and config.json:
{
"domain": "https://domain.tld",
"sends_allowed": true,
"incomplete_2fa_time_limit": 3,
"disable_icon_download": false,
"signups_allowed": false,
"signups_verify": true,
"signups_verify_resend_time": 3600,
"signups_verify_resend_limit": 6,
"invitations_allowed": false,
"emergency_access_allowed": true,
"password_iterations": 600000,
"password_hints_allowed": true,
"show_password_hint": false,
"admin_token": "token",
"invitation_org_name": "Vaultwarden",
"ip_header": " X-Real-IP",
"icon_redirect_code": 302,
"icon_cache_ttl": 2592000,
"icon_cache_negttl": 259200,
"icon_download_timeout": 10,
"icon_blacklist_non_global_ips": true,
"disable_2fa_remember": false,
"authenticator_disable_time_drift": false,
"require_device_email": false,
"reload_templates": false,
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"admin_session_lifetime": 20,
"_enable_yubico": true,
"_enable_duo": false,
"_enable_smtp": true,
"use_sendmail": false,
"smtp_host": "smtp.mail.gov",
"smtp_security": "starttls",
"smtp_port": 123,
"smtp_from": "mail",
"smtp_from_name": "Vaultwarden",
"smtp_username": "mail",
"smtp_password": "password",
"smtp_timeout": 15,
"smtp_embed_images": true,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"_enable_email_2fa": false,
"email_token_size": 6,
"email_expiration_time": 600,
"email_attempts_limit": 3
}
In the diagnostics I see also this:
But I can’t see any differences here.