bitwarden / server

Bitwarden infrastructure/backend (API, database, Docker, etc).
https://bitwarden.com

Bitwarden self-hosted - Impossible to access the Admin Portal https://yourdomain.com/admin #2319

Open nicfab opened 2 years ago

nicfab commented 2 years ago

Steps To Reproduce

After installing Bitwarden, I set /opt/bitwarden/bwdata/config.yml as follows:

#
# Note: After making changes to this file you need to run the `rebuild` or `update`
# command for them to be applied.
#
# Full URL for accessing the installation from a browser. (Required)
url: https://bw.nicfab.eu
#
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
generate_compose_config: true
#
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
generate_nginx_config: true
#
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 8089
#
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 9443
#
# Docker compose file version. Leave empty for default.
# Learn more: https://docs.docker.com/compose/compose-file/compose-versioning/
compose_version:
#
# Configure Nginx for Captcha.
captcha: false
#
# Configure Nginx for SSL.
ssl: false
#
# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions:
#
# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites:
#
# Installation uses a managed Let's Encrypt certificate.
ssl_managed_lets_encrypt: false
#
# The actual certificate. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_certificate_path:
#
# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_key_path:
#
# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_ca_path:
#
# Diffie Hellman ephemeral parameters
# Learn more: https://security.stackexchange.com/q/94390/79072
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_diffie_hellman_path:
#
# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' wss://{0} https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;"
#
# Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile
# app live sync.
push_notifications: true
#
# Use a docker volume (`mssql_data`) instead of a host-mapped volume for the persisted database.
# WARNING: Changing this value will cause you to lose access to the existing persisted database.
# Learn more: https://docs.docker.com/storage/volumes/
database_docker_volume: false
#
# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the
# client IP address.
# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
#
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:
#
# Enable Key Connector (https://bitwarden.com/help/article/deploy-key-connector)
enable_key_connector: false
#
# Enable SCIM
enable_scim: false

Then, I edited the file ./bwdata/env/global.override.env, adding my email address to adminSettings__admins=

Then, I set an NGINX conf file with the following content:

server {

    server_name yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8089;
    }

    client_max_body_size 20G;

    listen [::]:443 ssl http2;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = yourdomain.com) {
        return 301 https://$host$request_uri;
    }

    server_name yourdomain.com;
    listen [::]:80;
    return 404;
}

server {
    if ($host = yourdomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name bw.nicfab.eu;
    listen 80;
    return 404; # managed by Certbot
}

Bitwarden works, but if I try to access the Admin Portal by opening https://yourdomain.com/admin, it redirects to https://127.0.0.1/admin/login?returnUrl=%2Fadmin and it doesn't work.

Expected Result

Access the Admin Portal correctly according to the instruction published here: https://bitwarden.com/help/admin-portal/#access-the-admin-portal

Actual Result

Impossible to access the Admin Portal because the system redirects to https://127.0.0.1/admin/login?returnUrl=%2Fadmin, and it doesn't work.

Screenshots or Videos

No response

Additional Context

No response

Build Version

bitwarden.sh version 2022.9.1
Docker version 20.10.18, build b40c2f6
docker-compose version 1.25.0, build unknown

Environment

Self-Hosted

Environment Details
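A check for the redirect symptom described in this report, written as an added example (not code from the reporter or from the Bitwarden project): it classifies the Location header that /admin returns, flagging a redirect that points at an internal address instead of the public host. It assumes the public host name is yourdomain.com and uses constructed sample headers.

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Assumed public host of the installation (placeholder taken from the report).
PUBLIC_HOST = "yourdomain.com"

# Constructed samples: the Location header the reporter observed, and the
# header a correctly proxied deployment should return for the same request.
SAMPLES = {
    "reported": "https://127.0.0.1/admin/login?returnUrl=%2Fadmin",
    "expected": "https://yourdomain.com/admin/login?returnUrl=%2Fadmin",
}


def is_internal_host(host):
    """True for 'localhost' or a literal loopback/private/link-local IP."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local


def check_redirect(location, public_host):
    """Classify a Location header returned for /admin.

    Returns a list of findings; an empty list means the redirect is sane.
    """
    findings = []
    parts = urlsplit(location)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("scheme-not-https")
    if is_internal_host(host):
        # The app built the redirect from the upstream (proxy-internal)
        # address rather than the host the browser actually used.
        findings.append("internal-host")
    elif host and host != public_host:
        findings.append("host-mismatch")
    # returnUrl should remain a same-site relative path, never an absolute URL.
    return_url = parse_qs(parts.query).get("returnUrl", [""])[0]
    if return_url and urlsplit(return_url).netloc:
        findings.append("absolute-returnUrl")
    return findings


if __name__ == "__main__":
    for name, loc in SAMPLES.items():
        print(name, check_redirect(loc, PUBLIC_HOST))
```

Run it against the Location header from `curl -sI https://yourdomain.com/admin` to confirm whether the proxy change you made actually fixed the redirect.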

nicfab commented 2 years ago

From https://github.com/bitwarden/server/issues/253#issuecomment-378105668 I discovered that I can directly access https://yourdomain.com/admin/login

However, I hope that an update can fix it so that https://yourdomain.com/admin can be accessed directly, according to the instructions published here: https://bitwarden.com/help/admin-portal/#access-the-admin-portal

dbosompem commented 2 years ago

Hi @nicfab, thanks for bringing this to our attention. We will make time and take a look.

mehmetcankamar commented 1 year ago

I think it's an aspnetcore-related bug. The authentication middleware does not redirect correctly. If you remove the [Authorize] attribute you'll see that it works cleanly. Some workarounds are available:

  1. This approach should be managed by a config parameter or something.

     app.Use((context, next) =>
     {
         // Force the scheme the reverse proxy terminated TLS with,
         // so the login redirect is built with https instead of http.
         context.Request.Scheme = "https";
         return next(context);
     });

  2. This is a nasty hack. Instead of using [Authorize], we can deal with it the old-fashioned way. Here is the commit: https://github.com/bitwarden/server/commit/5b6d3dfcbd18bac32b1b8df19c2f890eb652c250