Vaultwarden nginx user-agent filter

Hello to all,

I’m posting this topic because I’m having a problem with user-agent filtering in the nginx configuration in front of Vaultwarden.

Here is my current configuration.

####BITWARDEN####

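# Map that sets $user_agent from the client's User-Agent header
# (0 = unknown client, 1 = recognised client). It must be included at
# http level, i.e. outside the server block, which is the case here.
include /etc/nginx/conf/user-agent/user-agent-pwd.domain.tld.conf;

server {
	listen 80;
	listen 443 ssl http2;
	server_name pwd.domain.tld;

	# Force TLS for every request. `return 301` with $request_uri is the
	# form nginx recommends: it keeps the original path and query string
	# and does not go through the rewrite engine. (A dedicated port-80
	# server block would be the cleaner alternative to an `if` here.)
	if ($scheme != "https") {
		return 301 https://$host$request_uri;
	}

	include /etc/nginx/conf/ssl/ssl.conf;
	include /etc/nginx/conf/ssl/domain/cert.domain.tld.conf;
	include /etc/nginx/conf/error-page/error-page.conf;
	charset utf-8;

	# The `$user_agent = 0` checks below reject clients the map does not
	# recognise. The User-Agent header is chosen by the client, so this
	# only filters out clients that do not bother to imitate a known one;
	# it is not an access control. Vaultwarden's own login and 2FA remain
	# the real gate, and the 403s are visible in the access log.
	location / {
		if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# WebSocket endpoint on the notifications port. The Upgrade handshake
	# only works over HTTP/1.1, so proxy_http_version is required; the
	# Host and forwarded headers are added so the backend sees the same
	# client information as for "/".
	location /notifications/hub {
		if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden:3012;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# Longest prefix wins, so the negotiate call goes to the main backend
	# rather than to the WebSocket port above.
	location /notifications/hub/negotiate {
		if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# Admin panel. The original X-Real-IP line was missing the
	# `proxy_set_header` keyword, which nginx rejects as an unknown
	# directive when loading the configuration. Since the UA filter is
	# trivially bypassed, consider restricting this path further by
	# source address (allow/deny) or not exposing it publicly at all.
	location /admin {
		if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}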

user-agent-pwd.domain.fr.conf:

# Maps the client's User-Agent to $user_agent: 1 for a recognised client,
# anything else falls through to the default of 0 and is answered with 403
# by the `if ($user_agent = 0) { return 403; }` checks in the server block.
# The header is entirely client-controlled, so treat this as hygiene
# (keeps casual scanners out), not as access control.
#
# NOTE(review): the server block includes "user-agent-pwd.domain.tld.conf"
# while this listing is labelled "user-agent-pwd.domain.fr.conf" — presumably
# an anonymisation slip, but confirm nginx is reading the file being edited
# (`nginx -T` prints the effective configuration).
#
# NOTE(review): nginx's documentation recommends quoting map regexes that
# contain ';' or '{'. The `\;` escapes used here evidently work for the
# browser patterns, but quoting each regex removes that dependency.
#
# Maintenance caveat: every browser pattern pins versions to (10[0-9]|11[0-9]),
# so any Chrome/Edge/Firefox 120 or newer is rejected as soon as clients
# auto-update; the same applies to new Android/iOS/macOS releases.
map $http_user_agent $user_agent {
        # Fail closed: anything not listed below is rejected.
        default                         0;
        # `\_` is not a regex escape; PCRE treats it as a literal "_", so this
        # is equivalent to "Bitwarden_Mobile". On paper the User-Agent shown in
        # the log, "Bitwarden_Mobile/2023.1.0 (Android 13; SDK 33; Model SM-F926B)",
        # satisfies this pattern — TODO confirm against the live config before
        # assuming the 403 on /api is produced by this map.
        ~Bitwarden\_Mobile\/.*?Android\s(10|11|12|13|14)(\;|\..*?\;)                  1; # Bitwarden Android 10 > 14

        ~Android\s(10|11|12|13|14)(\;|\..*?\;).*?Chrome\/(10[0-9]|11[0-9])\.                                1; # Chrome 100 > 119 : Android 10 > 14
        ~(iPhone|iPad)\;.*?OS\s(12|15|16)(\s|\_.*?\s).*?CriOS\/(10[0-9]|11[0-9])\.                          1; # Chrome 100 > 119 : iPad/iPhone iOS 12,15,16
        ~X11\;\sLinux\s(x86_64|amd64|i686)\).*Chrome\/(10[0-9]|11[0-9])\.                                   1; # Chrome 100 > 119 : Linux
        ~Macintosh\;.*?OS\sX\s(11|12|13)(\s|\_.*?\s).*?Chrome\/(10[0-9]|11[0-9])\.                          1; # Chrome 100 > 119 : Macintosh Mac OS X 11 > 13
        ~Windows\sNT\s(10)(\s|\..*?\s).*?Chrome\/(10[0-9]|11[0-9])\.     	                                1; # Chrome 100 > 119 : Windows 10 > 11

        ~Android\s(10|11|12|13|14)(\;|\..*?\;).*?EdgA\/(10[0-9]|11[0-9])\.          	                    1; # Edge 100 > 119 : Android 10 > 14
        ~(iPhone|iPad)\;.*?OS\s(12|15|16)(\s|\_.*?\s).*?EdgiOS\/(10[0-9]|11[0-9])\.                         1; # Edge 100 > 119 : iPad/iPhone iOS 12,15,16
        ~Macintosh\;.*?OS\sX\s(11|12|13)(\s|\_.*?\s).*?Edg\/(10[0-9]|11[0-9])\.         	                1; # Edge 100 > 119 : Macintosh Mac OS X 11 > 13
        ~Windows\sNT\s(10)(\s|\..*?\s).*?Edg\/(10[0-9]|11[0-9])\. 	                                        1; # Edge 100 > 119 : Windows 10 > 11

        ~Android\s(10|11|12|13|14)(\;|\..*?\;).*?Firefox\/(10[0-9]|11[0-9])\.                               1; # Firefox 100 > 119 : Android 10 > 14
        ~(iPhone|iPad)\;.*?OS\s(12|15|16)(\s|\_.*?\s).*?FxiOS\/(10[0-9]|11[0-9])\.                          1; # Firefox 100 > 119 : iPad/iPhone iOS 12,15,16
        ~X11\;\sLinux\s(x86_64|amd64|i686)\;.*Firefox\/(10[0-9]|11[0-9])\.     	                            1; # Firefox 100 > 119 : Linux
        ~Macintosh\;.*?OS\sX\s(11|12|13)(\s|\_.*?\s).*?Firefox\/(10[0-9]|11[0-9])\.                         1; # Firefox 100 > 119 : Macintosh Mac OS X 11 > 13
        ~Windows\sNT\s(10)(\s|\..*?\s).*?Firefox\/(10[0-9]|11[0-9])\.      	                                1; # Firefox 100 > 119 : Windows 10 > 11

        # The trailing "16." is an unescaped dot, so it matches "16" followed by
        # any character (e.g. "Mobile/16X"), not only "16." — harmless for an
        # allow-list, but `16\.` would state the intent exactly.
        ~(iPhone|iPad)\;.*?OS\s(12|15|16)(\s|\_.*?\s).*Version\/(.*?)\sMobile\/16.                          1; # Safari 16 : iPad/iPhone iOS 12,15,16
        ~Macintosh\;.*?OS\sX\s(11|12|13)(\s|\_.*?\s).*?Version\/16\.        	                            1; # Safari 16 : Macintosh
}

I don’t encounter any problem with the browser extensions or the Windows client.

I encounter the problem only with the Android application.

I checked the filter; the user-agent matching works correctly.

It doesn’t work for the /api or /identity parts of the URL unless I disable the filter there.

		# Fragments meant to sit inside the server block above; they duplicate
		# the proxy settings of "location /" so that the UA check can be
		# disabled for these two prefixes only. (Indentation is uneven —
		# opening at two tabs, closing at one — nginx does not care.)
		#
		# With the check commented out, any User-Agent reaches /api and
		# /identity. The logged 403 was on /api/accounts/prelogin, i.e. the
		# Android client's API traffic lands here, so exempting these paths
		# removes the filter from exactly the endpoints that carry credentials
		# and vault data; what remains filtered is essentially the web UI.
		# That is acceptable only because the filter was never a real access
		# control — Vaultwarden's authentication still applies unchanged.
		location /api {
		# if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

		# Token/login endpoint; same reasoning as for /api above.
		location /identity {
		# if ($user_agent = 0) { return 403; }

		proxy_pass http://vaultwarden;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

nginx error log entry:

[16/Feb/2023:10:57:29 +0100] src=192.168.1.140 dst=10.0.1.2 srcPort=58770 dstPort=443 usrName=- srcBytes=367 dstBytes=3987 serverName=pwd.domain.tld httpHost=pwd.domain.tld UserAgent=Bitwarden_Mobile/2023.1.0 (Android 13; SDK 33; Model SM-F926B) requestMethod=POST /api/accounts/prelogin HTTP/1.1 Status=403 url=https://pwd.domain.tld/api/accounts/prelogin Referer=-

Thank you in advance.