Hi! Here I am again in the last part of my journey to install vaultwarden with ModSecurity.
I’m trying to setup the websockets but I doesn’t seem to work.
The example proposed on the github (Docker Traefik ModSecurity Setup · dani-garcia/vaultwarden Wiki · GitHub) doesn’t work for me.
I’ve made the websockets work using the following issue (Websocket not working? · Issue #1 · Brettdah/vaultwarden-traefiked · GitHub)
My code which is working, without Modsecurity is as follow:
services:
traefik:
image: traefik:latest
container_name: traefik
networks:
- default
command:
- --log.level=DEBUG
- --providers.docker=true
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/docker/le:/letsencrypt
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
labels:
traefik.enable: true
traefik.docker.network: default
traefik.http.routers.vw-ui-http.rule: Host(`localhost`)
traefik.http.routers.vw-ui-http.entrypoints: web
traefik.http.routers.vw-ui-http.service: vw-ui
traefik.http.services.vw-ui.loadbalancer.server.port: 80
traefik.http.routers.vw-websocket-http.rule: Host(`localhost`) && Path(`/notifications/hub`)
traefik.http.routers.vw-websocket-http.entrypoints: web
traefik.http.routers.vw-websocket-http.service: vw-websocket
traefik.http.services.vw-websocket.loadbalancer.server.port: 3012
networks:
- default
- proxy
environment:
WEBSOCKET_ENABLED: "true"
SENDS_ALLOWED: "true"
PASSWORD_ITERATIONS: 500000
SIGNUPS_ALLOWED: "true"
SIGNUPS_VERIFY: "true"
DOMAIN: "http://localhost"
LOG_FILE: "/data/vaultwarden.log"
LOG_LEVEL: "debug"
EXTENDED_LOGGING: "true"
volumes:
- /opt/docker/vaultwarden:/data
networks:
proxy:
driver: bridge
internal: true
Now, the docker compose with the WAF that doesn’t work is as follow:
services:
traefik:
image: traefik:latest
container_name: traefik
networks:
- default
command:
- --log.level=DEBUG
- --providers.docker=true
- --providers.docker.exposedByDefault=false
- --entrypoints.web.address=:80
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/docker/le:/letsencrypt
waf:
image: owasp/modsecurity-crs:apache
container_name: waf
networks:
- default
- proxy
environment:
PARANOIA: 1
ANOMALY_INBOUND: 10
ANOMALY_OUTBOUND: 5
PROXY: 1
REMOTEIP_INT_PROXY: "172.20.0.1/16"
BACKEND: "http://vaultwarden:80"
BACKEND_WS: "ws://vaultwarden:80/notifications/hub"
ERRORLOG: "/var/log/waf/waf.log"
PROXY_ERROR_OVERRIDE: "off"
volumes:
- /opt/docker/waf:/var/log/waf
- /opt/docker/waf-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
- /opt/docker/waf-rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
labels:
traefik.enable: true
traefik.docker.network: default
traefik.http.routers.vw-ui-http.rule: Host(`localhost`)
traefik.http.routers.vw-ui-http.entrypoints: web
traefik.http.routers.vw-ui-http.service: vw-ui
traefik.http.services.vw-ui.loadbalancer.server.port: 80
traefik.http.routers.vw-websocket-http.rule: Host(`localhost`) && Path(`/notifications/hub`)
traefik.http.routers.vw-websocket-http.entrypoints: web
traefik.http.routers.vw-websocket-http.service: vw-websocket
traefik.http.services.vw-websocket.loadbalancer.server.port: 3012
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
networks:
- proxy
environment:
WEBSOCKET_ENABLED: "true"
SENDS_ALLOWED: "true"
PASSWORD_ITERATIONS: 500000
SIGNUPS_ALLOWED: "true"
SIGNUPS_VERIFY: "true"
DOMAIN: "http://localhost"
LOG_FILE: "/data/vaultwarden.log"
LOG_LEVEL: "debug"
EXTENDED_LOGGING: "true"
volumes:
- /opt/docker/vaultwarden:/data
networks:
proxy:
driver: bridge
internal: true
I have these logs
TRAEFIK
time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" routerName=vw-websocket-http@docker serviceName=vw-websocket middlewareType=Pipelining middlewareName=pipelining entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=vw-websocket-http@docker serviceName=vw-websocket
time="2023-03-08T00:15:26Z" level=debug msg="Creating server 0 http://192.168.80.3:3012" serviceName=vw-websocket entryPointName=web routerName=vw-websocket-http@docker serverName=0
time="2023-03-08T00:15:26Z" level=debug msg="child http://192.168.80.3:3012 now UP"
time="2023-03-08T00:15:26Z" level=debug msg="Propagating new UP status"
time="2023-03-08T00:15:26Z" level=debug msg="Added outgoing tracing middleware vw-websocket" routerName=vw-websocket-http@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" entryPointName=web routerName=vw-ui-http@docker serviceName=vw-ui middlewareName=pipelining middlewareType=Pipelining
time="2023-03-08T00:15:26Z" level=debug msg="Creating load-balancer" serviceName=vw-ui entryPointName=web routerName=vw-ui-http@docker
time="2023-03-08T00:15:26Z" level=debug msg="Creating server 0 http://192.168.80.3:80" routerName=vw-ui-http@docker serviceName=vw-ui serverName=0 entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="child http://192.168.80.3:80 now UP"
time="2023-03-08T00:15:26Z" level=debug msg="Propagating new UP status"
time="2023-03-08T00:15:26Z" level=debug msg="Added outgoing tracing middleware vw-ui" entryPointName=web routerName=vw-ui-http@docker middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-08T00:15:46Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.80.3:3012: connect: connection refused"
time="2023-03-08T00:15:55Z" level=debug msg="Provider event received {Status:health_status: healthy ID:9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d From:vaultwarden/server:latest Type:container Action:health_status: healthy Actor:{ID:9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d Attributes:map[com.docker.compose.config-hash:c68adb2b13f5b4964329469ac98a12d0abc0e4fc1f16f716d9492213cae71285 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:241447ae76e9de0d377a5a2bc9efbb9309286cba1333fedd497010a5b5baae56 com.docker.compose.oneoff:False com.docker.compose.project:me com.docker.compose.project.config_files:/home/me/docker-compose.yml com.docker.compose.project.working_dir:/home/me com.docker.compose.service:vaultwarden com.docker.compose.version:2.16.0 image:vaultwarden/server:latest name:vaultwarden org.opencontainers.image.created:2022-12-24T15:53:16+00:00 org.opencontainers.image.documentation:https://github.com/dani-garcia/vaultwarden/wiki org.opencontainers.image.licenses:GPL-3.0-only org.opencontainers.image.revision:10dadfca068ed449fcd4a74b70ae2cd83990d3d4 org.opencontainers.image.source:https://github.com/dani-garcia/vaultwarden org.opencontainers.image.url:https://hub.docker.com/r/vaultwarden/server org.opencontainers.image.version:1.27.0]} Scope:local Time:1678234555 TimeNano:1678234555789766473}" providerName=docker
time="2023-03-08T00:15:55Z" level=warning msg="Could not find network named 'default' for container '/waf'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." providerName=docker container=waf-me-a9ff607b4d613ee4c0606a277122b4295ef2e70b19a6f8f8760297cd00e9c99c serviceName=vw-websocket
time="2023-03-08T00:15:55Z" level=warning msg="Could not find network named 'default' for container '/waf'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." serviceName=vw-ui providerName=docker container=waf-me-a9ff607b4d613ee4c0606a277122b4295ef2e70b19a6f8f8760297cd00e9c99c
time="2023-03-08T00:15:55Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-me-00587f5b10825e69899edce4f5e3f1b2a580eae443bd600981b457fbaadbb8b7
time="2023-03-08T00:15:55Z" level=debug msg="Filtering disabled container" providerName=docker container=vaultwarden-me-9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d
time="2023-03-08T00:15:55Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"vw-ui-http\":{\"entryPoints\":[\"web\"],\"service\":\"vw-ui\",\"rule\":\"Host(`localhost`)\"},\"vw-websocket-http\":{\"entryPoints\":[\"web\"],\"service\":\"vw-websocket\",\"rule\":\"Host(`localhost`) \\u0026\\u0026 Path(`/notifications/hub`)\"}},\"services\":{\"vw-ui\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.80.3:80\"}],\"passHostHeader\":true}},\"vw-websocket\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.80.3:3012\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-08T00:15:55Z" level=debug msg="Skipping unchanged configuration." providerName=docker
time="2023-03-08T00:16:06Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.80.3:3012: connect: connection refused"
I have tried many different configurations but none seems to work. I require your help because I have no idea how to solve this ! Thanks !