dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

My setup on docker Synology NAS. Is it correct this way? #194

Closed BobWs closed 5 years ago

BobWs commented 5 years ago

So I have installed this image on docker Synology NAS and I have some questions about the setup.

This is my installation/setup for now:

Folders mapped: docker/bw-data/ to /data/

Ports mapped:
- Local port 3012 to container port 3012
- Local port 81 to container port 80 (my local port 80 is in use by a webserver so I had to choose an alternative port)

The container is served behind a reverse proxy (to serve SSL connections outside of the LAN with my own domain).

Reverse proxy setup (set up through the Synology DSM GUI):
- Source: Protocol HTTPS, Hostname vault.mydomain.com, Port 443
- Destination: Protocol HTTP, Hostname localhost, Port 81

When browsing to https://vault.mydomain.com I see the Bitwarden Web UI and I can log in and create credentials etc. (desktop app and mobile apps all work fine). But when I change the proxy destination port to 3012 I'm getting a WebSocket error page. Also when browsing my-ip-address:3012 I'm getting the same error. Browsing my-ip-address:80 I see the Web UI. This setup works fine for me, but I was wondering if this setup that is working for me is the right path, or is it just dumb luck and it isn't necessary to specify port 3012?

Also how do I fix the notification error warning?

error in the log file: ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

mprasil commented 5 years ago

Your setup sounds wrong. You need to proxy just a specific path to the 3012 port; the rest should still be routed to 81 in your case. See documentation. I'm not sure how/if the DSM GUI allows that setup though. Check out PROXY.md for how it is configured in other proxy servers.

Note that the WebSockets configuration is not strictly necessary, it just enables live sync in Vault and browser extensions.

BobWs commented 5 years ago

This is how it looks on the Synology: [four screenshots of the DSM reverse proxy settings, 2018-09-19]

What do I need to change? and where? Thanks!

mprasil commented 5 years ago

From the screenshot of the proxy settings it doesn't look like that supports the required per-path setting. You might need to run another container with some other proxy (say one of the servers we have sample configuration for) and then let Synology proxy that container instead to add HTTPS.

If you want to just use the Synology proxy, then you can't use WebSockets, which honestly isn't really that big a deal unless you update your passwords a couple of times per hour. 😉

fbartels commented 5 years ago

Hi @BobWs ,

the Nginx configuration UI of Synology is not sophisticated enough to manage the extra path for the websocket connection. But luckily you can also manage vhosts for Nginx manually; for this you only have to place the configuration file into /usr/local/etc/nginx/sites-enabled.

BobWs commented 5 years ago

Hi @fbartels Thanks for your help. I've created a proxy file and placed it in /usr/local/etc/nginx/sites-enabled

My file is called "bitwarden_proxy.conf" and looks like this:

```nginx
server {
    include conf.d/ssl/ssl.conf;

    listen 443 ssl http2;
    server_name vault.*;

    location /notifications/hub/negotiate {
        include conf.d/proxy-confs/proxy.conf;
        proxy_pass http://localhost:81;
    }

    location / {
        include conf.d/proxy-confs/proxy.conf;
        proxy_pass http://localhost:81;
    }

    location /notifications/hub {
        proxy_pass http://localhost:3012/api/websocket;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

But I still get the ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

What am I doing wrong?

dani-garcia commented 5 years ago

I can't say that I know my way around nginx, but proxy_pass http://localhost:3012/api/websocket; should probably be just proxy_pass http://localhost:3012;, like in all the other proxy examples. I'm not sure where the /api/websocket part comes from.

BobWs commented 5 years ago

I copied from this link https://github.com/dani-garcia/bitwarden_rs/blob/master/PROXY.md

I will give it a try!

BobWs commented 5 years ago

> I can't say that I know my way around nginx, but proxy_pass http://localhost:3012/api/websocket; should probably be just proxy_pass http://localhost:3012;, like in all the other proxy examples. I'm not sure where the /api/websocket part comes from.

Didn't make any difference. Error still in log.

dani-garcia commented 5 years ago

Is there a chance that it's still using the rule created in the GUI instead of the conf file? Other than that I don't have any idea.

BobWs commented 5 years ago

So do I have to delete the GUI rule?

dani-garcia commented 5 years ago

I'm not sure, but maybe the GUI has precedence over the config file, so it's worth a shot, I think. Maybe reboot after the change just to make sure.

BobWs commented 5 years ago

So I figured out that I was in the wrong place! /usr/local/etc/nginx/sites-enabled is not where the proxy file is.

This is the folder where I found the proxy file of the Synology GUI: /etc/nginx/app.d

And this is the configuration that is inside the proxy file:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name myvault.domain.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/fullchain.pem;
    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/privkey.pem;

    allow 192.168.178.0/24;
    allow 142.176.14.58;
    deny all;

    location / {
        proxy_set_header        Host                $http_host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:81;
    }
}
```

So can you please help me how to edit the file with the right configurations?

dani-garcia commented 5 years ago

Probably something like this:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name myvault.domain.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/fullchain.pem;
    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/64b22df2-8ee8-411d-bc6b-d6dd31c4f4fd/privkey.pem;

    allow 192.168.178.0/24;
    allow 142.176.14.58;
    deny all;

    # Only the negotiate call goes to the normal HTTP port.
    location /notifications/hub/negotiate {
        proxy_pass http://localhost:81;
    }

    # The WebSocket itself goes to port 3012. The Upgrade/Connection headers
    # are only honoured by nginx over HTTP/1.1, so the version is set here too.
    location /notifications/hub {
        proxy_pass http://localhost:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_set_header        Host                $http_host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:81;
    }
}
```

BobWs commented 5 years ago

okay thanks I will give it a try!

fbartels commented 5 years ago

> So I figure out that I was in the wrong place! /usr/local/etc/nginx/sites-enabled is not where the proxy file is.

The file you found was automatically created by the nginx GUI; if you edit it, your changes will likely be overwritten by Synology when you use the nginx GUI to edit another host. While you may use it as a template, the update-safe way would be to move your bitwarden nginx configuration into sites-enabled.

BobWs commented 5 years ago

@fbartels I will give it another try today; changing the proxy file in /etc/nginx/app.d didn't make any difference.

BobWs commented 5 years ago

Well it isn't working. When I create a proxy file in /usr/local/etc/nginx/sites-enabled and restart nginx my synology goes crazy and I get an error message: "DSM cannot start up normally because it ran into a problem. Please contact the Synology support team for help."

Then I remove the proxy conf file and restart nginx again and my Synology acts normal again. So it isn't working for me.

Guess I will have to stick with the version without working notifications.

BobWs commented 5 years ago

So Synology has updated their GUI and there is now a setup preference for WebSocket within the reverse proxy GUI setup. I have again tried to set up notifications, but it's still not working. I keep getting the error message ERROR: '/notifications/hub' should be proxied towards the websocket server, otherwise notifications will not work. Go to the README for more info.

What am I missing?

[four screenshots of the updated DSM reverse proxy / WebSocket settings, 2018-10-10]

mprasil commented 5 years ago

Unless you can configure it to forward this specific path: /notifications/hub to the 3012 port and everything else including /notifications/hub/negotiate to port 80, it won't work. From the screenshots it doesn't look like the GUI supports that level of configuration.
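To make the per-path requirement concrete, here is an added example (not code from this thread or from the project) that parses the location blocks of an nginx vhost and models nginx's prefix-location selection, so you can check offline that `/notifications/hub` lands on 3012 while `/notifications/hub/negotiate` and everything else land on the HTTP port. The sample config is constructed from the locations proposed above; the `proxy_http_version 1.1` line in the WebSocket block is assumed, since nginx needs HTTP/1.1 to pass the Upgrade header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: only the location blocks matter for routing, so the
# ssl/allow/deny lines from the thread's config are left out here.
SAMPLE_CONF = """
location /notifications/hub/negotiate {
    proxy_pass http://localhost:81;
}
location /notifications/hub {
    proxy_pass http://localhost:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
location / {
    proxy_pass http://localhost:81;
}
"""

# Matches "location [=] PREFIX { ... }"; assumes no nested braces inside a block.
LOCATION_RE = re.compile(r"location\s+(=\s*)?(\S+)\s*\{(.*?)\}", re.S)


def parse_locations(conf):
    """Return (is_exact, prefix, upstream_port, websocket_ready) per location."""
    routes = []
    for exact, prefix, body in LOCATION_RE.findall(conf):
        m = re.search(r"proxy_pass\s+(\S+);", body)
        port = urlsplit(m.group(1)).port if m else None
        # A WebSocket location needs HTTP/1.1 plus the Upgrade/Connection headers.
        ws_ready = ("proxy_http_version 1.1" in body
                    and "Upgrade" in body and "Connection" in body)
        routes.append((bool(exact), prefix, port, ws_ready))
    return routes


def resolve(routes, path):
    """Model nginx location selection for exact and prefix locations:
    an '=' exact match wins, otherwise the longest matching prefix wins.
    Order of the blocks in the file does not matter for prefix locations."""
    for exact, prefix, port, ws in routes:
        if exact and path == prefix:
            return port, ws
    best = None
    for exact, prefix, port, ws in routes:
        if not exact and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, port, ws)
    return (best[1], best[2]) if best else (None, False)
```

Running `resolve(parse_locations(SAMPLE_CONF), "/notifications/hub")` gives `(3012, True)`, while the negotiate path and `/api/sync` resolve to port 81, which is exactly the split a GUI that only offers one destination per hostname cannot express.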

dani-garcia commented 5 years ago

This hasn't had activity in some time, so I'm closing it now. If this is still an issue, please reopen it.

Hobbabobba commented 4 years ago

If some users experience problems: remember to change the path to your certs if you can't use the standard cert. You will find all the certs of your DiskStation in /usr/syno/etc/certificate/_archive