WebSocket not working with Apache Reverse Proxy

Hello everyone,

I have trouble setting up the Bitwarden_rs Websocket feature.
In my configuration the external Webserver is an Apache Server with SSL Encryption. The Request will be forwarded unencrypted to the Bitwarden_RS Docker container.

  • Bitwarden listens on Port 8081
  • Websocket is enabled and listening on Port 3012.
  • Apache is configured to forward the traffic to Port 3012

When I try to open the URL in a web browser https:///notifications/hub I will receive the following error:

"ErrorModel":{"Message":"\n ###########################################################\n '/notifications/hub' should be proxied to the websocket server or notifications won't work.\n Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.\n ###########################################################################################\n","Object":"error"},"Message":"","Object":"error","ValidationErrors":{"":["\n ###########################################################\n '/notifications/hub' should be proxied to the websocket server or notifications won't work.\n Go to the Wiki for more info, or disable WebSockets setting WEBSOCKET_ENABLED=false.\n ###########################################################################################\n"]},"error":"","error_description":""}

Apache Config:
Server version: Apache/2.4.38

<VirtualHost *:443>
ServerName example.com

    # Enables SSL and provides Certificates
    SSLEngine on
    SSLCertificateFile file.pem
    SSLCertificateKeyFile file.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [P,L]
    ProxyPass / http://localhost:8081/

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    RequestHeader setifempty Connection "Upgrade"
    RequestHeader setifempty Upgrade "websocket"

    # Fail2Ban
    LogLevel info ssl:warn
    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    ErrorLog ${APACHE_LOG_DIR}/error-server.log
    CustomLog ${APACHE_LOG_DIR}/access-server.log combined
</VirtualHost>

Bitwarden_RS environment (Generated via diagnostics page)

  • Bitwarden_rs version: v1.20.0
  • Web-vault version: v2.19.0
  • Running within Docker: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.33.0
  • Clients used:
  • Reverse proxy and version:

Does anybody have a clue how to fix this?

Thank you

Hello,
You should try to replace localhost by the ip address of the host of the container.
I’ve got a similar problem, and had it working by replacing localhost by my host’s ip address.

Hi MilesTEG1,

thank you for your reply. Are you also using apache as a reverse proxy?

I tried your suggestion but I still receive the same error. Web Vault works without a problem.

Here are the changes:

RewriteRule /notifications/hub(.*) ws://172.17.0.2:3013/$1 [P,L]
ProxyPass / http://172.17.0.2:8081/

Hello @MXMLN
No, my reverse proxy is Nginx (Synology).
Your host ip is really 172.17.0.2 ? Not like 192.168.x.x ?
It’s not the container IP inside the bridge network you have to set, but it’s your host IP.

Hello @MilesTEG1,

ok I misunderstood that, sorry.
172.1.0.2 is indeed the Docker Container IP.

My Server doesn’t have another RFC1918 private IP interface. The eth0 Interface has a public IP which obviously I won’t post here.
I changed the Apache config to the eth0 interface IP but still receive the same error message…

RewriteRule /notifications/hub(.*) ws://9.10.11.12:3013/$1 [P,L]
ProxyPass / http://9.10.11.12:8081/

Oh, I’m sorry, but I can’t help you anymore on this…
My knowledge is limited… and I don’t know anything about apache reverse proxy…
I was just transposing what I know on your problem.

I hope someone could help you :blush:

Ok, thanks anyway for your help and the try. Have a nice evening

Thank you,
Have a nice evening too.

Visiting /notifications/hub in a browser isn’t going to negotiate a WebSocket connection.

You’re probably missing -p 3012:3012 in your docker run command to publish the WebSocket port.

I know that opening it in a browser isn’t going to negotiate a websocket connection. It’s just for testing purposes.
Other people wrote they receive JSON data in the browser.

But editing or deleting an entry on the desktop client and waiting and looking on another desktop client so it will sync fast and automatically doesn’t work either. Also I couldn’t find a ws connection in a wireshark trace and no entries in the bitwarden log as well.

So which testing method would be appropriate in your opinion?

I’m not missing the port configuration. As mentioned above the server is listening on port 3012 and I used -p 3012:3012 with the docker run command.
If it wasn’t enabled the error message wouldn’t also be displayed like that.

I have an additional question:
Have you configured the Websocket IP-Address (-e WEBSOCKET_ADDRESS=) or left it blank so it is 0.0.0.0?

Thank you

No, I didn’t set this variable in my docker-compose.
So I don’t know what value it gets…

Just wanted to let you know what the issue was:
After various tries of debugging I changed the websocket port in the apache config to 3013. Bitwarden was listening on Port 3012. Changing the apache config solved the problem.

Thanks everyone for your help!

:+1: Good to know that you solved your problem :slight_smile:
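
The mismatch found at the end of this thread (Apache proxying the WebSocket path to port 3013 while Bitwarden_rs listened on 3012) can be checked mechanically. The Python below is an added example, not part of the original posts: it lists every backend a vhost proxies to and flags those with no listener; the function names, the sample vhost and the set of listening ports are constructed for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

PROXY_DIRECTIVES = {"proxypass", "proxypassmatch", "rewriterule"}
BACKEND_URL = re.compile(r"^(?:wss?|https?)://", re.I)
DEFAULT_PORT = {"ws": 80, "http": 80, "wss": 443, "https": 443}

# Constructed sample: the vhost from the thread with the mistyped port.
SAMPLE_VHOST = """\
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /notifications/hub(.*) ws://localhost:3013/$1 [P,L]
ProxyPass / http://localhost:8081/
"""

def proxy_backends(conf_text):
    """Return (line_no, directive, host, port) for each proxied backend."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].lower() not in PROXY_DIRECTIVES:
            continue  # blank line, comment or unrelated directive
        if parts[0].lower() == "rewriterule":
            flags = parts[-1].strip("[]").upper().split(",")
            if "P" not in flags:
                continue  # a rewrite without [P] is not a proxy request
        for arg in parts[1:]:
            if BACKEND_URL.match(arg):
                url = urlsplit(arg)
                port = url.port or DEFAULT_PORT[url.scheme]
                found.append((line_no, parts[0], url.hostname, port))
    return found

def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def dead_backends(conf_text, probe=port_open):
    """Backends from the config on which the probe finds no listener."""
    return [b for b in proxy_backends(conf_text) if not probe(b[2], b[3])]

if __name__ == "__main__":
    listening = {3012, 8081}  # assumed: ports published by the container
    for line_no, directive, host, port in dead_backends(
            SAMPLE_VHOST, lambda h, p: p in listening):
        print(f"line {line_no}: {directive} -> {host}:{port} has no listener")
```

On the proxy host itself, call `dead_backends(open(path).read())` with the default probe to test the real listeners instead of the constructed set.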
