Author Topic: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)  (Read 10537 times)

RamSense

(SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« on: January 14, 2022, 08:14:36 am »
Hi,

I am running a selfhosted Bitwarden(Vaultwarden) in docker (on Synology NAS).
https://registry.hub.docker.com/r/vaultwarden/server/
I have OPNsense -> nginx as a reverse proxy. The website domain.com is working, with a Let's Encrypt SSL certificate for HTTPS.
I have enabled WebSocket Support in the nginx location.

What else must I do in nginx to get this working? I am trying to get WebSocket enabled for real time updates to Bitwarden/Vaultwarden.

p.s. I am using nginx with the OPNsense GUI; the instructions I can find on the internet for manual nginx settings are:

    location /notifications/hub {
        proxy_pass http://NAS_HOST_IP:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://NAS_HOST_IP:80;
    }

How do I get this done in the GUI?

NB: in the nginx HTTP error log I noticed this:
*20 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 192.168.1.46, server: domain.com, request: "GET /notifications/hub?
« Last Edit: January 15, 2022, 01:15:13 pm by RamSense »

fabian

OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #1 on: January 14, 2022, 01:20:17 pm »
The negotiate endpoint needs no websockets?

RamSense

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #2 on: January 14, 2022, 01:26:25 pm »
When I look at the nginx config file given as an example, I see a port mentioned, 3012
(proxy_pass http://NAS_HOST_IP:3012;)

When I am on OPNsense nginx I only have the option "WebSocket Support" but no port to add. (?)
Is this what is missing? An added location, HTTP server and upstream, all with port 3012?
I have never worked with WebSockets before.

This is from their explanation:
By default, vaultwarden listens on port 80 for web (REST API) traffic and on port 3012 for WebSocket traffic (if WebSocket notifications are enabled). The reverse proxy should be configured to terminate SSL/TLS connections (preferably on port 443, the standard port for HTTPS). The reverse proxy then passes incoming client requests to vaultwarden on port 80 or 3012 as appropriate, and upon receiving a response from vaultwarden, passes that response back to the client.
https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
« Last Edit: January 14, 2022, 01:49:32 pm by RamSense »

Fright

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #3 on: January 14, 2022, 07:46:46 pm »
Quote
when I am on opnsense nginx I have only the option WebSocket support but no port to add. (?)
Is this what is missing? an added location, http server and upstream all with port 3012?
I think you can set the port in the Upstream Server settings, so you need a separate Upstream and Upstream Server for the /notifications/hub location. IMHO this will give you the desired config.

RamSense

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #4 on: January 15, 2022, 08:34:26 am »
OK,
and for those URLs (/notifications/hub/ and /notifications/hub/negotiate) to point to this added upstream server and port, how do I do that?

Do I have to add another [http server] with domain.com/notifications/hub/negotiate as the complete URL, instead of only domain.com? Or is there another correct way to do this?

Like setting a simple URL rewrite of domain.com/notifications/hub/ to NAS_HOST_IP:3012//notifications/hub/?
Or simply put, can you describe, step by step, how I add this in the OPNsense nginx GUI?:

    location /notifications/hub {
        proxy_pass http://NAS_IP_ADDRESS:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://NAS_IP_ADDRESS:80;
    }

Many thanks in advance!
« Last Edit: January 15, 2022, 09:49:36 am by RamSense »

Fright

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #5 on: January 15, 2022, 11:49:53 am »
IMHO something like:
One HTTP Server

Two Upstream Servers: one for tcp/80, the second for tcp/3012

Two Upstreams: one pointing to the tcp/80 Upstream Server, the second pointing to the tcp/3012 Upstream Server

Three Locations: "/" and "/notifications/hub/negotiate" pointing to the tcp/80 Upstream, "/notifications/hub" pointing to the tcp/3012 Upstream with "WebSocket Support" enabled.

In the HTTP Server settings choose all three locations (root ("/"), hub ("/notifications/hub") and hub_nego ("/notifications/hub/negotiate")).
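As an added illustration of the layout Fright describes (this is a hand-written nginx equivalent, not the configuration the OPNsense nginx plugin generates and not from the Vaultwarden project), the same "one HTTP server, two upstreams, three locations" as a plain nginx file. NAS_HOST_IP, the certificate paths and the upstream names are placeholders; the `proxy_http_version` and Upgrade/Connection header lines in the hub location are my assumption of what the plugin's "WebSocket Support" checkbox adds.

```nginx
# Added example: hand-written nginx equivalent of the GUI layout above.
# NAS_HOST_IP, upstream names and certificate paths are placeholders;
# this is not the file the OPNsense plugin writes.

upstream vaultwarden_http {
    # REST API and web vault. The container must be reachable from the
    # firewall host: a service bound to localhost inside the NAS yields
    # "connect() failed (61: Connection refused)" in the error log and a
    # 502 in the access log.
    server NAS_HOST_IP:80;
}

upstream vaultwarden_ws {
    # WebSocket notifications (the container's port 3012).
    server NAS_HOST_IP:3012;
}

# Send "Connection: upgrade" to the backend only when the client itself
# sent an Upgrade header; ordinary requests to the same location are not
# turned into failed upgrade attempts.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name domain.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # Common proxy headers; a location inherits them only if it sets
    # no proxy_set_header of its own.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Prefix locations: nginx takes the longest match, so the negotiate
    # request is served by port 80 even though it also starts with
    # /notifications/hub.
    location / {
        proxy_pass http://vaultwarden_http;
    }

    location /notifications/hub/negotiate {
        # Plain HTTP request, no upgrade needed (fabian's point in Reply #1).
        proxy_pass http://vaultwarden_http;
    }

    location /notifications/hub {
        proxy_pass http://vaultwarden_ws;
        proxy_http_version 1.1;     # the Upgrade mechanism requires HTTP/1.1
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Setting any proxy_set_header here stops inheritance of the
        # server-level headers, so repeat the ones the backend needs.
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # keep the idle notification socket open
    }
}
```

A successful handshake shows up in the access log as status 101 on `GET /notifications/hub?access_token=...`, which is what the thread reports once it works; a 502 on that same request points at the upstream on 3012 not being reachable rather than at the location itself.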

RamSense

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #6 on: January 15, 2022, 12:27:56 pm »
Thanks, that was helpful and I added those steps.

When I look at the HTTP access log I now see a status 502:
GET /notifications/hub?access_token=

I tested in the browser with:
ws://NAS_IP:3012 I get
WebSocket Protocol Error: Unable to parse WebSocket key.

With
ws://domain.com:3012 I get
can not open page

In the HTTP log I see status 101.
« Last Edit: January 15, 2022, 01:08:10 pm by RamSense »

RamSense

Re: WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #7 on: January 15, 2022, 01:14:57 pm »
Yes!!
It works. I had one extra change to make on the Synology Docker. I had localhost as the listening address and somehow I had to change this to 0.0.0.0 to let WebSocket work!

So I hope that other users that are looking for a self hosted password manager (with real time updates from all devices) can use this also.

I really like Bitwarden -> Vaultwarden self hosted in docker.

thank you very much Fright!
« Last Edit: January 15, 2022, 02:33:46 pm by RamSense »

W0nderW0lf

Re: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #8 on: February 03, 2022, 07:30:48 pm »
Hi all,
Well, I am glitching into the same issue, only that I am hosting it on unRAID and I want to use another URL path, so it won't be so obvious (security reasons, you know...).
I already got it running with basically "/" as the root pattern.
But when I want to use "vault.example.com/bitwarden/path" as the root path, I get a 404. I think I have to either configure a URL rewrite for negotiate and hub, to always add bitwarden/path in front, or I do the same with just ".../path/negotiate..".
I also changed the Domain Path for the container, and the path is also shown in the admin settings, so that should be fine.

You guys have an idea?
« Last Edit: February 03, 2022, 07:33:32 pm by W0nderW0lf »

RamSense

Re: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #9 on: February 04, 2022, 07:51:55 am »
Isn't it safe and easy to add an IP ACL in the nginx reverse proxy, with ACL entries for your LAN IP and VPN IP only, and set the
default action to "Deny Access"?

W0nderW0lf

Re: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #10 on: February 04, 2022, 09:55:31 am »
Depends on what you try to achieve. I don't want to use a VPN for sites like this, since I want my wife and me to have access to it without needing to set up a VPN first. I was doing the hardening guide. See the last entry: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide
I found a proxy config at https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples, but at the moment it doesn't work with my setup.
A VPN might be safer, but it's voodoo for my wife.

W0nderW0lf

Re: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #11 on: February 04, 2022, 03:41:46 pm »
Got it working, if you are interested:
Inside the Location "/path/" you have to set the path prefix "/" to make it work.
The 404 is gone.
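An added example for the two follow-ups in this thread, RamSense's IP ACL (Reply #9) and W0nderW0lf's path prefix (Reply #11), written by hand rather than taken from the plugin or the Vaultwarden wiki. It assumes that the plugin's "Path Prefix" field ends up as the URI part of `proxy_pass`, because that is the part of nginx that decides whether the matched location prefix is stripped before the request reaches the backend. The path /bitwarden/path, the LAN and VPN networks, NAS_HOST_IP and the upstream names are placeholders.

```nginx
# Added example: Vaultwarden under a non-obvious path, with an IP ACL in
# front of it. Path, networks, NAS_HOST_IP and upstream names are
# placeholders; this is not the plugin's generated file.

upstream vaultwarden_http { server NAS_HOST_IP:80; }
upstream vaultwarden_ws   { server NAS_HOST_IP:3012; }

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name vault.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # IP ACL, the nginx form of "ACL entries LAN + VPN, default Deny Access".
    # Rules are checked in order and the first match wins; everything else
    # gets a 403. An obscure path hides the vault, this rule controls
    # access to it. Assumes clients connect to nginx directly, so
    # $remote_addr is the real client address.
    allow 192.168.1.0/24;   # LAN (placeholder)
    allow 10.8.0.0/24;      # VPN clients (placeholder)
    deny  all;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # proxy_pass WITH a URI part ("/") replaces the matched location
    # prefix, so /bitwarden/path/api/sync reaches the backend as /api/sync.
    # WITHOUT a URI part the request path is forwarded unchanged, and a
    # backend that does not serve under /bitwarden/path answers 404, the
    # symptom W0nderW0lf saw before setting the prefix to "/".
    location /bitwarden/path/ {
        proxy_pass http://vaultwarden_http/;
    }

    location /bitwarden/path/notifications/hub/negotiate {
        proxy_pass http://vaultwarden_http/notifications/hub/negotiate;
    }

    location /bitwarden/path/notifications/hub {
        # The query string (?access_token=...) is carried over unchanged.
        proxy_pass http://vaultwarden_ws/notifications/hub;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;
    }
}
```

Which of the two `proxy_pass` forms is right depends only on the path the backend expects; the thread reports that the stripping form (prefix "/") is the one that removed the 404. The `allow`/`deny` lines sit at server level so they cover all three locations, including the WebSocket one; a location with its own `allow`/`deny` would override them for that path only.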

RamSense

Re: (SOLVED) WebSocket nginx selfhosted Bitwarden(Vaultwarden)
« Reply #12 on: February 04, 2022, 06:25:19 pm »
Thanks for sharing. I will read your link to see if it adds up to my current setup.
I have a WireGuard VPN set up and installed it for my wife, and let it be always on. That way it works great for her also, skipping the voodoo part :-)
