Oh Painful BitWarden_RS...

Hi All

BitWarden was supposed to be easy... It was easy. And then it wasn't.
So, before Christmas, following the advice on these boards, I set up my Bitwarden_RS as per the Rusty guide. It worked and was good. I had a problem with the usual https access, but solved it somehow. However, I did nothing with this container; I couldn't get fail2ban working and this seemed to me to be a necessary step. So I wasted several full days over the last couple of months with the sosandroid pages trying, in vain.

Yesterday I gave up and tried to resurrect my working container from before, except it wouldn't. I can access with my local address and port, but I couldn't log in due to this https thing again. This time I cannot resolve the problem, even using RP, and my day off work is again lost.

Tonight I decided to start again and following the Rusty article I again created a container. On first run I cannot create an account, due to https I guess. So I download an old version of Firefox and then create my account.
Now, using the old Firefox, I can log in with my local address. Using a current version of Firefox it will not work.
My Let's Encrypt is apparently good and chained (comodosslstore.com), although my RP address (bitw.mydomain.com) only gives me the Synology not found page, whether I try from within my network or without.

I am so lost. What am I screwing up??? (I feel such a plonker rewriting what others have written in synoforum and many times elsewhere, but I cannot find my solution in those...)
Thanks.

Attachments: reverse proxy.png, summary.png

From the images it all looks ok. That error would indicate that when you reverse to your https URL, there is nothing there.

The fact that local access works means this has to be an RP problem of some sort.

Try using localhost as a destination address in your reverse proxy.

Also, do you have the correct DOMAIN variable set for the container pointing to your public name?
Check the firewall. Temporarily disable it, does it then work? Also use https:// then your bw domain name
Hi Gerard
Thanks for the thoughts. I had tried the Syn firewall, makes no difference. I have port forward and firewall rules in my USG as attached.
-- post merged: --

From the images it all looks ok. That error would indicate that when you reverse to your https URL, there is nothing there.

The fact that local access works means this has to be an RP problem of some sort.

Try using localhost as a destination address in your reverse proxy.

Also, do you have the correct DOMAIN variable set for the container pointing to your public name?
Hi...
Yes, my money would have been on the RP. Except I have a RP setup for DSM and that was working fine.

The DOMAIN variable is inside, yes. See screenshot. I must have removed it when I took the first screenshot.

Five minutes later... so localhost works??? Why? How? I never use localhost, I always use my local fixed address. So that is not the reason it worked before...
Please... Explain...
I thank you, but explain... (I will not mark it Solved yet...)

Attachments: LAN IN.png, PortForward.png, summary.png, certif.png

Five minutes later... so localhost works??? Why? How? I never use localhost, I always use my local fixed address. So that is not the reason it worked before...
Please... Explain...
The reason is that if you use an IP address the container will start to "look" around your network and then terminate back to your NAS.

If you have docker containers on multiple NAS you would use IP, but if the container runs on the device that is also an RP, localhost works.

The reason the IP does not work all of a sudden could be routing.
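
To see what the reverse proxy actually gets from each possible destination discussed above (localhost, the NAS's LAN address, the container's own Docker address), the backend can be requested directly from the NAS. This is an added example, not part of the thread; the addresses and port 8080 in it are constructed placeholders for your own values.

```python
import http.client
import socket


def probe_backend(host, port, timeout=3.0):
    """Return a short verdict on what a reverse proxy would get from host:port.

    'http <status>'  the backend answered an HTTP request
    'refused'        nothing is listening on that address/port
    'timeout'        packets are dropped or routed nowhere (firewall, routing)
    'not-http'       the port accepts TCP but does not speak HTTP
    'unreachable: …' name resolution or routing failed outright
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return f"http {conn.getresponse().status}"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except http.client.HTTPException:
        return "not-http"
    except OSError as exc:
        return f"unreachable: {exc.strerror or exc}"
    finally:
        conn.close()


def compare_destinations(candidates, port):
    """Probe every candidate destination and return {host: verdict}."""
    return {host: probe_backend(host, port) for host in candidates}


def usable_destinations(results):
    """Hosts that answered HTTP, i.e. values the RP rule could point at."""
    return [host for host, verdict in results.items()
            if verdict.startswith("http ")]


if __name__ == "__main__":
    # Constructed placeholders: replace with the container's published port,
    # the NAS LAN address and the container address from the Docker network tab.
    CANDIDATES = ["localhost", "192.168.1.10", "172.17.0.2"]
    results = compare_destinations(CANDIDATES, 8080)
    for host, verdict in results.items():
        print(f"{host:>15}: {verdict}")
    print("usable as RP destination:", usable_destinations(results))
```

A "refused" verdict points at the port binding, while "timeout" points at firewall rules or routing between the NAS and that address.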
Could be a DNS problem before then DHCP
Ignore that remark of mine, it was nonsense... I had changed the RP back to the local address, then it stopped working again. Surprise.

The reason is that if you use an IP address the container will start to "look" around your network and then terminate back to your NAS.
Yes. That would imply routing as you said. I take your point about containers on multiple NAS (in my case, one NAS is sufficient for Docker! Already in over my head I think.) although that nonetheless suggests that localhost is a workaround that is "sufficient" in my case. I need to think about the routing and how I could screw up a visit to the switch (same vlan) and back. Thanks.
Ignore that remark of mine, it was nonsense... I had changed the RP back to the local address, then it stopped working again. Surprise.


Yes. That would imply routing as you said. I take your point about containers on multiple NAS (in my case, one NAS is sufficient for Docker! Already in over my head I think.) although that nonetheless suggests that localhost is a workaround that is "sufficient" in my case. I need to think about the routing and how I could screw up a visit to the switch (same vlan) and back. Thanks.
Log into your NAS as root and try and run these commands one at a time then restart your NAS

Code:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Could it be due to docker using its own network? When I was going through the setup the container was running off a 172.x.x address rather than my local IP subnet of 192. I use localhost for my RP rules and never had a problem. Peek around the network tab and check the IP subnet of docker/docker container.
Log into your NAS as root and try and run these commands one at a time then restart your NAS
Hi Rusty,
I did this and no great change. I can access Bitwarden inside and outside my network. This would be great, if I could get fail2ban working, although this eludes me still.
What I had before was that I had access inside the network. If I was outside, I could VPN inside and access Bitwarden from there. i.e. not possible to get access without VPN. This must be more secure. Does anyone have this without using Caddy?

Hi Gerard, yes, Docker will supply a 172... by default. I have my own network defined, to help with security a little.
I'm now confused, did I miss something? I thought this whole thread was about bitwarden not working outside of the network?
Partially! In the first post, I had the situation that using my domain address bitw.mydomain.com I couldn't log in, whether inside or outside the network. I CAN do this now. This is a step forward. (Having to have localhost in the RP puzzles me though. The pic that shows the local IP address for one RP and localhost required for the other is plain weird to me. Utterly unimportant I suppose, but weird. This suggests I still haven't got a clue and I don't like that feeling!)
All I need now is someone who has made fail2ban work and I'll be a very happy camper... I do not have IDS/IPS and exposing THE most important database in my life to a potential brute force attack (yes, I have got 2FA) does not make me feel good.

Hope I haven't sown too much additional confusion!

Attachments: ReverseP.png