Vaultwarden + ModSecurity websockets 502 Bad Gateway

Hi! Here I am again in the last part of my journey to install vaultwarden with ModSecurity.

I’m trying to set up the websockets, but it doesn’t seem to work.
The example proposed on GitHub (Docker Traefik ModSecurity Setup · dani-garcia/vaultwarden Wiki · GitHub) doesn’t work for me.

I’ve made the websockets work using the following issue (Websocket not working? · Issue #1 · Brettdah/vaultwarden-traefiked · GitHub)

My compose file, which works without ModSecurity, is as follows:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    networks:
      - default
    command:
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/docker/le:/letsencrypt

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    labels:
      traefik.enable: true
      traefik.docker.network: default
      traefik.http.routers.vw-ui-http.rule: Host(`localhost`)
      traefik.http.routers.vw-ui-http.entrypoints: web
      traefik.http.routers.vw-ui-http.service: vw-ui
      traefik.http.services.vw-ui.loadbalancer.server.port: 80
      traefik.http.routers.vw-websocket-http.rule: Host(`localhost`) && Path(`/notifications/hub`)
      traefik.http.routers.vw-websocket-http.entrypoints: web
      traefik.http.routers.vw-websocket-http.service: vw-websocket
      traefik.http.services.vw-websocket.loadbalancer.server.port: 3012
    networks:
      - default
      - proxy
    environment:
      WEBSOCKET_ENABLED: "true"
      SENDS_ALLOWED: "true"
      PASSWORD_ITERATIONS: 500000
      SIGNUPS_ALLOWED: "true"
      SIGNUPS_VERIFY: "true"
      DOMAIN: "http://localhost"
      LOG_FILE: "/data/vaultwarden.log"
      LOG_LEVEL: "debug"
      EXTENDED_LOGGING: "true"
    volumes:
      - /opt/docker/vaultwarden:/data

networks:
  proxy:
    driver: bridge
    internal: true

Now, the docker compose file with the WAF, which doesn’t work, is as follows:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    networks:
      - default
    command:
      - --log.level=DEBUG
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/docker/le:/letsencrypt

  waf:
    image: owasp/modsecurity-crs:apache
    container_name: waf
    networks:
      - default
      - proxy
    environment:
      PARANOIA: 1
      ANOMALY_INBOUND: 10
      ANOMALY_OUTBOUND: 5
      PROXY: 1
      REMOTEIP_INT_PROXY: "172.20.0.1/16"
      BACKEND: "http://vaultwarden:80"
      BACKEND_WS: "ws://vaultwarden:80/notifications/hub"
      ERRORLOG: "/var/log/waf/waf.log"
      PROXY_ERROR_OVERRIDE: "off"
    volumes:
      - /opt/docker/waf:/var/log/waf
      - /opt/docker/waf-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - /opt/docker/waf-rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
    labels:
      traefik.enable: true
      traefik.docker.network: default
      traefik.http.routers.vw-ui-http.rule: Host(`localhost`)
      traefik.http.routers.vw-ui-http.entrypoints: web
      traefik.http.routers.vw-ui-http.service: vw-ui
      traefik.http.services.vw-ui.loadbalancer.server.port: 80
      traefik.http.routers.vw-websocket-http.rule: Host(`localhost`) && Path(`/notifications/hub`)
      traefik.http.routers.vw-websocket-http.entrypoints: web
      traefik.http.routers.vw-websocket-http.service: vw-websocket
      traefik.http.services.vw-websocket.loadbalancer.server.port: 3012

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    networks:
      - proxy
    environment:
      WEBSOCKET_ENABLED: "true"
      SENDS_ALLOWED: "true"
      PASSWORD_ITERATIONS: 500000
      SIGNUPS_ALLOWED: "true"
      SIGNUPS_VERIFY: "true"
      DOMAIN: "http://localhost"
      LOG_FILE: "/data/vaultwarden.log"
      LOG_LEVEL: "debug"
      EXTENDED_LOGGING: "true"
    volumes:
      - /opt/docker/vaultwarden:/data

networks:
  proxy:
    driver: bridge
    internal: true

I have these logs:

TRAEFIK

time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" routerName=vw-websocket-http@docker serviceName=vw-websocket middlewareType=Pipelining middlewareName=pipelining entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=vw-websocket-http@docker serviceName=vw-websocket
time="2023-03-08T00:15:26Z" level=debug msg="Creating server 0 http://192.168.80.3:3012" serviceName=vw-websocket entryPointName=web routerName=vw-websocket-http@docker serverName=0
time="2023-03-08T00:15:26Z" level=debug msg="child http://192.168.80.3:3012 now UP"
time="2023-03-08T00:15:26Z" level=debug msg="Propagating new UP status"
time="2023-03-08T00:15:26Z" level=debug msg="Added outgoing tracing middleware vw-websocket" routerName=vw-websocket-http@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" entryPointName=web routerName=vw-ui-http@docker serviceName=vw-ui middlewareName=pipelining middlewareType=Pipelining
time="2023-03-08T00:15:26Z" level=debug msg="Creating load-balancer" serviceName=vw-ui entryPointName=web routerName=vw-ui-http@docker
time="2023-03-08T00:15:26Z" level=debug msg="Creating server 0 http://192.168.80.3:80" routerName=vw-ui-http@docker serviceName=vw-ui serverName=0 entryPointName=web
time="2023-03-08T00:15:26Z" level=debug msg="child http://192.168.80.3:80 now UP"
time="2023-03-08T00:15:26Z" level=debug msg="Propagating new UP status"
time="2023-03-08T00:15:26Z" level=debug msg="Added outgoing tracing middleware vw-ui" entryPointName=web routerName=vw-ui-http@docker middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-08T00:15:26Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-08T00:15:46Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.80.3:3012: connect: connection refused"
time="2023-03-08T00:15:55Z" level=debug msg="Provider event received {Status:health_status: healthy ID:9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d From:vaultwarden/server:latest Type:container Action:health_status: healthy Actor:{ID:9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d Attributes:map[com.docker.compose.config-hash:c68adb2b13f5b4964329469ac98a12d0abc0e4fc1f16f716d9492213cae71285 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:241447ae76e9de0d377a5a2bc9efbb9309286cba1333fedd497010a5b5baae56 com.docker.compose.oneoff:False com.docker.compose.project:me com.docker.compose.project.config_files:/home/me/docker-compose.yml com.docker.compose.project.working_dir:/home/me com.docker.compose.service:vaultwarden com.docker.compose.version:2.16.0 image:vaultwarden/server:latest name:vaultwarden org.opencontainers.image.created:2022-12-24T15:53:16+00:00 org.opencontainers.image.documentation:https://github.com/dani-garcia/vaultwarden/wiki org.opencontainers.image.licenses:GPL-3.0-only org.opencontainers.image.revision:10dadfca068ed449fcd4a74b70ae2cd83990d3d4 org.opencontainers.image.source:https://github.com/dani-garcia/vaultwarden org.opencontainers.image.url:https://hub.docker.com/r/vaultwarden/server org.opencontainers.image.version:1.27.0]} Scope:local Time:1678234555 TimeNano:1678234555789766473}" providerName=docker
time="2023-03-08T00:15:55Z" level=warning msg="Could not find network named 'default' for container '/waf'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." providerName=docker container=waf-me-a9ff607b4d613ee4c0606a277122b4295ef2e70b19a6f8f8760297cd00e9c99c serviceName=vw-websocket
time="2023-03-08T00:15:55Z" level=warning msg="Could not find network named 'default' for container '/waf'! Maybe you're missing the project's prefix in the label? Defaulting to first available network." serviceName=vw-ui providerName=docker container=waf-me-a9ff607b4d613ee4c0606a277122b4295ef2e70b19a6f8f8760297cd00e9c99c
time="2023-03-08T00:15:55Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-me-00587f5b10825e69899edce4f5e3f1b2a580eae443bd600981b457fbaadbb8b7
time="2023-03-08T00:15:55Z" level=debug msg="Filtering disabled container" providerName=docker container=vaultwarden-me-9c73a725244101ef98130f8b342f957b6d51ce34a89fe73d9e0cfb07e0449d4d
time="2023-03-08T00:15:55Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"vw-ui-http\":{\"entryPoints\":[\"web\"],\"service\":\"vw-ui\",\"rule\":\"Host(`localhost`)\"},\"vw-websocket-http\":{\"entryPoints\":[\"web\"],\"service\":\"vw-websocket\",\"rule\":\"Host(`localhost`) \\u0026\\u0026 Path(`/notifications/hub`)\"}},\"services\":{\"vw-ui\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.80.3:80\"}],\"passHostHeader\":true}},\"vw-websocket\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.80.3:3012\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-08T00:15:55Z" level=debug msg="Skipping unchanged configuration." providerName=docker
time="2023-03-08T00:16:06Z" level=debug msg="'502 Bad Gateway' caused by: dial tcp 192.168.80.3:3012: connect: connection refused"

I have tried many different configurations, but none seem to work. I need your help because I have no idea how to solve this! Thanks!
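Added example, not the original post’s compose file and not the Vaultwarden wiki’s: the `waf` service and the `networks` section rewritten so that each thing the Traefik log above complains about is addressed, with `traefik` and `vaultwarden` left exactly as in the second compose file. It assumes three things that the page does not state outright: that the compose project is named `me` (the container names in the log are `waf-me-…`, `traefik-me-…`), that the `owasp/modsecurity-crs:apache` image forwards requests carrying `Upgrade: websocket` to the address in `BACKEND_WS` rather than `BACKEND`, and that Vaultwarden 1.27.0 (the version in the log) still serves WebSockets on port 3012, which is what the working compose relied on. It also goes a step beyond the log by pinning the `default` network’s subnet so that `REMOTEIP_INT_PROXY` is guaranteed to cover Traefik’s address.

```yaml
# Added example; only the parts that change are shown.
# Assumes compose project name "me" (taken from the container names in the Traefik log).
services:
  waf:
    image: owasp/modsecurity-crs:apache
    container_name: waf
    networks:
      - default
      - proxy
    environment:
      PARANOIA: 1
      ANOMALY_INBOUND: 10
      ANOMALY_OUTBOUND: 5
      PROXY: 1
      # Must cover the address Traefik connects from, or X-Forwarded-For is
      # not trusted and every request is logged with Traefik's IP. The log
      # shows the default network at 192.168.80.x, so the original
      # 172.20.0.1/16 never matched; the subnet is pinned below instead.
      REMOTEIP_INT_PROXY: "172.20.0.0/16"
      # Plain HTTP goes to Vaultwarden's web port.
      BACKEND: "http://vaultwarden:80"
      # Upgraded connections go to the port this Vaultwarden version serves
      # WebSockets on: 3012, the same port the working compose routed
      # /notifications/hub to. The original pointed this at :80, where there
      # is no WebSocket listener.
      # Assumption: the image proxies Upgrade: websocket requests to
      # BACKEND_WS. Whether it appends the request path itself is decided by
      # the image's vhost template, so no path is given here; check the
      # generated httpd-vhosts.conf inside the container before adding one.
      BACKEND_WS: "ws://vaultwarden:3012"
      ERRORLOG: "/var/log/waf/waf.log"
      PROXY_ERROR_OVERRIDE: "off"
    volumes:
      - /opt/docker/waf:/var/log/waf
      - /opt/docker/waf-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - /opt/docker/waf-rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
    labels:
      traefik.enable: true
      # Compose prefixes network names with the project name; this is the
      # "Could not find network named 'default'" warning in the Traefik log.
      traefik.docker.network: me_default
      # A single router is enough. Traefik only ever talks to Apache, and
      # Apache listens on port 80 only; it is Apache, not Traefik, that
      # decides where an upgraded connection goes. The original second router
      # sent /notifications/hub to waf:3012, which is exactly the
      # "dial tcp 192.168.80.3:3012: connect: connection refused" in the log.
      traefik.http.routers.vw-ui-http.rule: Host(`localhost`)
      traefik.http.routers.vw-ui-http.entrypoints: web
      traefik.http.routers.vw-ui-http.service: vw-ui
      traefik.http.services.vw-ui.loadbalancer.server.port: 80

networks:
  default:
    ipam:
      config:
        # Pinned so that REMOTEIP_INT_PROXY above is known to be right.
        - subnet: 172.20.0.0/16
  proxy:
    driver: bridge
    internal: true
```

Two checks are worth doing after bringing this up. First, the Traefik debug log should create exactly one server, `http://<waf-ip>:80`, and the `dial tcp …:3012` line should be gone, because nothing routes to 3012 any more. Second, open the web vault and watch `docker compose logs -f waf`: the `GET /notifications/hub` request should appear in Apache’s access log with a `101` response rather than a `502`; if it shows `404` or a doubled path, the vhost template is appending the request path to `BACKEND_WS` and the value should be adjusted accordingly.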

Have you seen the comment made here not too long ago regarding a similar post for ModSecurity?