Tutorial Securing your Vaultwarden install

silverj submitted a new resource:

Securing your Bitwarden_rs install - Following initial install of Bitwarden, suggestions for helping to secure it.

Greetings... Finally, a direct contribution to This Place. I would like to give some hints on making your Bitwarden_RS install a little more secure. I have the view that (a) my password manager is THE most important content in my digital life, and (b) I am by no means an expert in software or digital security, so therefore I have to do what I can to protect My Secret Stuff from nefarious persons.

In the Real World away from forums and the like, I have exactly two friends who have installed...

This looks great! So my question is: how can I do all this, starting from step 3, from the Synology GUI? :) I've already got bitwarden_RS set up with the SSL and Reverse Proxy (Synology's built-in reverse proxy manager) using the GUI, so it's just a matter of tweaking it with Caddy and the rest in a GUI format.
 
Hi Hydraulics,
Welcome to this forum...

Well, I guess you can do it from the GUI. The docker-compose files are essentially just setting up environment variables, so it shouldn't be a problem.
Apart from that, you can create folders in File Station.
Again under File Station, you can mount a folder on your NAS (under the Tools menu) and copy the various files you need over. You can then modify them using Text Editor.

You have Bitwarden_rs already functioning, so you can modify environment variables easily enough. So the setup should be okay for you.

However, having said all that, should you want to manually ban / unban an IP address for example, you will need the command line for that. So I would suggest you do not go too far without familiarising yourself with ssh and the basics of the command line. Otherwise you risk locking yourself out from a given client when you come to test your setup.
I am not a command line hack by any means, but the basics are manageable...
Hello, first of all thank you for the very good tutorial.
However, I have a problem with access to the reverse proxy http page.
When trying to open the page I get the error message "400 Bad Request - Request Header Or Cookie Too Large" from the nginx.
I hope someone can help me with the solution.


Rusty

Hello, first of all thank you for the very good tutorial.
However, I have a problem with access to the reverse proxy http page.
When trying to open the page I get the error message "400 Bad Request - Request Header Or Cookie Too Large" from the nginx.
I hope someone can help me with the solution.

Can you give a bit more detail on your implementation and reverse proxy configuration?
 
However, I have a problem with access to the reverse proxy http page.
Hi king79,
Welcome to this forum... it is a pleasant community here.
As Rusty asked, can you describe in more detail what you are doing? I'm puzzled by this statement above. How far did you get, by the way?

In the end you should be using something like https://bitw.mydomain.com to access your vault.
I'm relieved it seems to work for someone at least, so perhaps there are only some small steps missing for you.
Hello Rusty and silverj,
thank you very much for the quick reply.
I am using a DS1019+ with DSM 6.2.4 and Web Station 2.1.10 with the nginx backend and PHP 7.3.

I was also able to install Vaultwarden exactly according to silverj's instructions without any problems, and everything works.
I also created the two reverse proxies, https and http, according to the instructions. There are no other reverse proxy settings. Accessing via https://bitw.mydomain.com opens the Vaultwarden login page.
When I try to access the page http://bitw.mydomain.com I get the error message "400 Bad Request - Request Header Or Cookie Too Large". I have removed the entry for the http reverse proxy (from step 2).
When I now open the page http://bitw.mydomain.com, the normal homepage appears, which is located in the directory "web" of the DiskStation, and the error message is gone.
Could it be that the reverse proxy for http is not needed? If more information is needed, I will be able to provide it.

Thanks in advance for your help.
Rusty

When I try to access the page http://bitw.mydomain.com I get the error message "400 Bad Request
Try and set up this process via Web Station and configure another reverse host that will then redirect to https.

 
Hi king79...
It is interesting you write that. When I was originally trying to get all this working I couldn't see the reason for this RP so I didn't use it and the system didn't work. It was probably something else wrong at the time and I didn't return to it.
Returning to it now, I removed the http RP and everything works nicely for the moment, from inside and outside the network.
However, I do not run the Synology web station, unlike you perhaps. I also have a general redirect from http to https in DSM.
Hi, looks like the script that would fix the built-in reverse proxy for Vaultwarden no longer works under DSM 7.0. Here was the original script. I am poking around but haven't found a solution yet. Anyone else resolved the websocket issue?

bash /volume1/docker/vaultwarden/enable_ws.sh vaultwarden.somedomain.com 5100 5101

Code:
#!/bin/bash
#
#    enable_ws.sh
#
#    Adds the websocket locations Vaultwarden needs to the DSM reverse proxy
#    nginx config and reloads nginx when the result passes "nginx -t".
#
#    p1 - fqdn of vaultwarden
#    p2 - exposed port for vaultwarden
#    p3 - exposed port for websocket

if [ $# -ne 3 ]; then
    echo "usage: $0 <fqdn> <vaultwarden-port> <websocket-port>" >&2
    exit 1
fi

LOC_DIR="/etc/nginx"
RP_CONF="/etc/nginx/app.d/server.ReverseProxy.conf"

# Write the location snippet once. $2 and $3 expand here; \$http_upgrade is
# escaped so that nginx sees its own $http_upgrade variable.
if [ ! -f "$LOC_DIR/ws.locations" ]; then
    cat > "$LOC_DIR/ws.locations" <<EOF
    location /notifications/hub {
        proxy_pass http://localhost:$3;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://localhost:$2;
    }
EOF
fi

# Include the snippet right after the "server_name <fqdn>;" line, unless the
# include is already there. Keep a backup so a failed "nginx -t" can be undone.
if ! grep -q "ws.locations" "$RP_CONF"; then
    cp "$RP_CONF" "$RP_CONF.bak"
    sed -i "/$1;/ a\ include $LOC_DIR/ws.locations;" "$RP_CONF"
    if nginx -t 2>/dev/null; then
        # DSM 6 reload command; the post above reports this no longer works on DSM 7.0
        synoservicecfg --reload nginx
    else
        cp "$RP_CONF.bak" "$RP_CONF"
        exit 1
    fi
fi
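As an added check (not from the thread and not part of silverj's script), the following shell snippet inspects a reverse proxy nginx config for the two websocket locations the script above is meant to add, so you can tell whether the proxy really forwards the upgrade before blaming the client; the config file names, ports and hostname are constructed sample values:

```shell
#!/bin/sh
# Verify that an nginx config carries the Vaultwarden websocket locations.
# All paths, ports and hostnames below are constructed sample values.

# ws_block CONF PATH: print the "location PATH { ... }" block from CONF.
ws_block() {
    awk -v p="$2" '$1=="location" && $2==p {inb=1} inb {print} inb && /}/ {exit}' "$1"
}

# check_ws_proxy CONF WS_PORT API_PORT: 0 only if the hub location proxies to
# WS_PORT with Upgrade/Connection headers and negotiate proxies to API_PORT.
check_ws_proxy() {
    conf=$1 ws_port=$2 api_port=$3 rc=0
    hub=$(ws_block "$conf" /notifications/hub)
    neg=$(ws_block "$conf" /notifications/hub/negotiate)
    [ -n "$hub" ] || { echo "missing location /notifications/hub"; rc=1; }
    printf '%s\n' "$hub" | grep -q "proxy_pass http://localhost:$ws_port;" \
        || { echo "hub must proxy_pass to the websocket port $ws_port"; rc=1; }
    printf '%s\n' "$hub" | grep -q 'proxy_set_header Upgrade \$http_upgrade;' \
        || { echo "hub is missing the Upgrade header"; rc=1; }
    printf '%s\n' "$hub" | grep -qi 'proxy_set_header Connection "*upgrade"*;' \
        || { echo "hub is missing Connection: upgrade"; rc=1; }
    printf '%s\n' "$neg" | grep -q "proxy_pass http://localhost:$api_port;" \
        || { echo "negotiate must proxy_pass to the API port $api_port"; rc=1; }
    return $rc
}

# Constructed sample configs: one complete, one as the DSM GUI alone writes it.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/complete.conf" <<'EOF'
server {
    server_name bitw.mydomain.com;
    location / { proxy_pass http://localhost:5100; }
    location /notifications/hub {
        proxy_pass http://localhost:5101;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://localhost:5100;
    }
}
EOF
cat > "$SAMPLE_DIR/gui_only.conf" <<'EOF'
server {
    server_name bitw.mydomain.com;
    location / { proxy_pass http://localhost:5100; }
}
EOF
```

Run it against a copy of your own server.ReverseProxy.conf with your real ports; a failing check on the GUI-only config is exactly the state that breaks live sync notifications.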