Vaultwarden behind Sophos XGS WAF

Hello everyone,
I’ve been hosting Vaultwarden on Hetzner Cloud for a few months. So far I had directed the traffic to the server via an Nginx reverse proxy and that worked without any problems. Now, for security reasons, I have put Vaultwarden behind a Sophos XGS with web filtering turned on. Everything works so far, but you can’t create entries from mobile devices, and it only works sometimes from the browser. The message “Socket closed” always appears on mobile devices. How does this work exactly? Which paths, URLs or ports are used for this?
Currently port 443 is forwarded from external to port 80 internally.
Thank you in advance!
If you need more information, screenshots or config files feel free to contact me!

Hi there,
you need to manage the forwarding with “path-specific routing” to enable “Web socket passthrough”.

Take a look here on how to test the websocket connection: Enabling WebSocket notifications · dani-garcia/vaultwarden Wiki · GitHub
Sincerely, Markus
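As an added example (not from the thread or the vaultwarden wiki), the following Python probe performs the raw WebSocket upgrade handshake through the WAF and classifies the reply, so that a dropped connection (the client's "Socket closed"), a WAF block, and a successful passthrough can be told apart. It assumes the notification hub is served at `/notifications/hub` on the main HTTPS port, which is the path the wiki documents for recent versions.

```python
# Added example (not from the thread or the wiki): send a raw WebSocket
# upgrade for Vaultwarden's notification hub through the WAF and classify
# the reply. The hub path /notifications/hub is an assumption (see lead-in).
import base64
import os
import socket
import ssl


def build_upgrade_request(host: str, path: str = "/notifications/hub") -> bytes:
    """Minimal RFC 6455 client handshake: the headers a real client sends."""
    key = base64.b64encode(os.urandom(16)).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode()


def classify_response(raw: bytes) -> str:
    """Turn the first bytes read after the handshake into a diagnosis."""
    if not raw:
        # TCP/TLS was accepted but the peer closed without answering: this is
        # what the mobile client shows as "Socket closed".
        return "socket closed before any response"
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ")
    if not parts[0].startswith("HTTP/") or len(parts) < 2:
        return "non-HTTP response"
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in head[1:] if ":" in l)}
    if parts[1] == "101" and headers.get("upgrade", "").lower() == "websocket":
        return "websocket passthrough OK"
    if parts[1].startswith("4"):
        return f"{parts[1]}: upgrade refused; check the WAF policy and that Upgrade/Connection headers reach the backend"
    return f"{parts[1]}: plain HTTP reply; the proxy did not pass the upgrade through"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect over TLS (certificate verified) and run the handshake once."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                tls.sendall(build_upgrade_request(host))
                return classify_response(tls.recv(4096))
    except OSError as exc:  # reset, timeout and TLS errors all land here
        return f"socket closed: {exc}"
```

Run `probe("vault.example.com")` from outside the firewall; a browser tab that works while the probe reports anything other than "websocket passthrough OK" points at the WAF rule rather than at Vaultwarden.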

Thanks Markus,
I’ve already tried that, but that doesn’t work for me either.
How did you configure your rule?

This is the error from my browser:

Thanks and best regards!

This is my Rule:

These are my protection settings:

Hi there,
I guess it’s the “Zusätzliche Optionen” in your FW rule or the protection settings.
In our case I disabled “HTML umschreiben”. “Cookies umschreiben” is not present, which, I guess, is caused by the very loose protection policy.
I suppose that you need to play around with these settings.
Greetings Markus

Thanks Markus,
now I’ve disabled everything that could inspect or analyze the traffic:

It still doesn’t work.

Do you have anything special in your configuration?

My config looks like this:

```json
"domain": "https://.de",
"sends_allowed": true,
"trash_auto_delete_days": 30,
"incomplete_2fa_time_limit": 3,
"disable_icon_download": false,
"signups_allowed": false,
"signups_verify": true,
"signups_verify_resend_time": 3600,
"signups_verify_resend_limit": 6,
"org_creation_users": "
"invitations_allowed": true,
"emergency_access_allowed": true,
"password_iterations": 600000,
"password_hints_allowed": true,
"show_password_hint": false,
"admin_token": "",
"invitation_org_name": "
"ip_header": "X-Real-IP",
"icon_redirect_code": 302,
"icon_cache_ttl": 2592000,
"icon_cache_negttl": 259200,
"icon_download_timeout": 10,
"icon_blacklist_non_global_ips": true,
"disable_2fa_remember": false,
"authenticator_disable_time_drift": false,
"require_device_email": false,
"reload_templates": false,
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"admin_session_lifetime": 20,
"_enable_yubico": true,
"_enable_duo": true,
"_enable_smtp": true,
"use_sendmail": false,
"smtp_host": "",
"smtp_security": "force_tls",
"smtp_port": ,
"smtp_from": "
"smtp_from_name": "Vaultwarden",
"smtp_username": "
"smtp_password": "*******",
"smtp_auth_mechanism": "Login",
"smtp_timeout": 15,
"smtp_embed_images": true,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"_enable_email_2fa": true,
"email_token_size": 6,
"email_expiration_time": 600,
"email_attempts_limit": 3
```

Hello Philip,
nope, don’t guess so

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.5
* Web-vault version: v2024.1.2b
* OS/Arch: linux/x86_64
* Running within a container: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: false (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: MySQL
* Database version: 10.11.7-MariaDB-1:10.11.7+maria~ubu2204
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***********************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 14,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "****************************",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****************************,***************************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "***************,******************,**************,*********",
  "signups_verify": true,
  "signups_verify_resend_limit": 5,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "****************************",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

</details>

But concerning your screenshot of the FW rule:
We have no sticky sessions in the path-specific routing,

but we do have “Pass host header” activated.

Greetings, Markus

Hi Markus,

thanks for your help!
Now Vaultwarden is working behind the Sophos with a lot of security features enabled.
It was a problem with routing. It seems like Sophos has problems if the web server is in a different subnet.

Thanks and best regards!