Vault website icons

I am seeing weird behavior relating to a few vault item website icons. For most of the vault the icons work, except for some items. I have a registered domainname.com. I have a reverse proxy going between two different sites to access a NAS, for example nas.domainname.com and nas.otherlocation.domainname.com. Both NAS units are set up relatively the same. I am able to get a website icon on the URI nas.otherlocation.domainname.com, but not on nas.domainname.com. I have two separate vault entries for each of the above. If I change nas.domainname.com to nas.otherlocation.domainname.com the icon appears (even as a second, now duplicate, vault entry), but when I revert the URI back the icon goes away. I’ve tried temporarily turning off all firewalls to rule out a firewall issue. In addition, I run a unifi docker container at the domain name xxx.domainname.com; that website icon comes through to the vault, so it’s definitely not firewall related.

What drives website icons? How does the vault pull it? Why would I see a difference between the two sites?

I was able to finally get the Synology DSM icon for my local setup to appear in the vault by messing around with the icon cache folder. I copied the 2nd location DSM icon, renamed it to my local setup and deleted the .miss file. I also eventually deleted the icon cache folder, so I’m not sure which one of the two fixed that.

But for my bitwarden vault entry I am not seeing an icon come over for that.

The vault icons are fetched by getting the main page of that domain. It then extracts all the favicon tags and uses those.
It uses favicon.ico and a default apple touch icon as fallbacks.

Vaultwarden needs to be able to access the site; if not, it can’t extract the info, of course.

Some NAT rules sometimes prevent loopback if all is internal.

You could try to enable the trace log_level, which gives more detailed info on the icon and DNS requests. You should remove the cached icon for that specific domain.

Which I believe was my initial problem. Locally I had a DNS record for DSM and Bitwarden which resolved to a local IP address instead of going out to the internet and back in. I then realized after reading that there is a setting in the admin settings to prevent local IPs, which prevents scraping of local network items. I’d assume that’s the reason why these two items didn’t work. I disabled the DNS entries for Bitwarden, so now that should be resolving using the public IP. I still haven’t seen an icon cache file for it, or even a .miss file.

At what point would it trigger a lookup?

You can also disable that local IP check of course; it’s there by default to prevent IP scraping.

The icons are also cached by the browser for x amount of days.
One way to force it is to clear the cache, or (not sure if that always works with all browsers) visit the image URL and press Ctrl+F5 to force a refresh.

So, go to https://my.domain.tld/icons/icon.for.my.domain.tld/icon.png

Is there a negative or security implication with disabling this setting?

That depends. It will only return the favicon of that page. Someone could see what kind of sites or tools you have running, and maybe your IP range. But that is about it.

Do you mean if they gain access to the vault and that specific local IP item is listed as a vault entry?

In theory they can, if they measure the time it takes, of course.
But what they could do is, if your internal subnet is 192.168.0.0/24, go to https://vw.domain.tld/icons/192.168.0.1/icon.png, which could maybe return the icon of the router interface. Or any other service or server you have running in that subnet, which they may or may not be able to use somehow.

If everything is tightly locked away, then it’s probably not that big of an issue. Some people do not like that it is possible, and some are not knowledgeable enough to think about the risks. That is why it is blocked by default.
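To make the two mechanisms discussed in this thread concrete (the fetch that scrapes favicon tags with favicon.ico and apple-touch-icon fallbacks, and the local-IP block that the admin setting toggles), here is an added, self-contained example. It is not Vaultwarden’s code: the resolver is injected so it runs offline, the `allow_non_global` flag is a hypothetical stand-in for the admin-page option, and the DNS answers are constructed to mirror the split-horizon setup described above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin

class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"|"shortcut icon"|"apple-touch-icon"> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if a.get("href") and ("icon" in rel or "apple-touch-icon" in rel):
            self.hrefs.append(a["href"])

def candidate_icon_urls(page_url, html):
    """Icons the page declares, in document order, then the two fallbacks the reply mentions."""
    parser = IconLinkParser()
    parser.feed(html)
    urls = [urljoin(page_url, h) for h in parser.hrefs]
    for fallback in ("/favicon.ico", "/apple-touch-icon.png"):
        url = urljoin(page_url, fallback)
        if url not in urls:
            urls.append(url)
    return urls

def is_non_global(ip_text):
    """True for loopback, RFC 1918, link-local and other non-routable addresses."""
    return not ipaddress.ip_address(ip_text).is_global

def icon_fetch_allowed(hostname, resolve, allow_non_global=False):
    """Gate the fetch on what the hostname resolves to, not on how it is spelled.
    resolve(hostname) returns a list of IP strings (injected so this runs offline).
    One non-global answer blocks the whole fetch; allow_non_global is a hypothetical
    stand-in for switching the admin-page local-IP block off."""
    addrs = resolve(hostname)
    if not addrs:
        return False  # unresolvable: nothing to fetch, so nothing gets cached either
    return allow_non_global or not any(is_non_global(a) for a in addrs)

# Constructed split-horizon DNS view: the local override from the thread sends the NAS
# host to a LAN address, while the unifi host resolves publicly (1.1.1.1 is a stand-in).
SAMPLE_DNS = {
    "nas.domainname.com": ["192.168.1.10"],
    "xxx.domainname.com": ["1.1.1.1"],
}
def sample_resolve(hostname):
    return SAMPLE_DNS.get(hostname, [])
```

With the sample view, `icon_fetch_allowed("nas.domainname.com", sample_resolve)` is refused while the unifi host is allowed, which is the asymmetry the original post describes.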

Ok, so I would then think my alternative, instead of allowing local IPs, is to just remove my DNS record pointing my Bitwarden domain to a local IP when on the local network. By removing the domain name it should then resolve through the public net.

Since I already did that, why wouldn’t the Bitwarden icon populate in the vault entry for BW?

Could be browser cache.

I’ve been doing this in the Google Chrome browser on the iPhone. I just opened up the Safari browser and it just generated.

Thank you.