Websocket connections not working with recommended apache2 proxy configuration

[Glutamat42]

Subject of the issue

When deploying vaultwarden as docker container and using apache2 as reverseproxy with the configuration recommended here i get NS_ERROR_WEBSOCKET_CONNECTION_REFUSED on Firefox. It works fine when accessing it via ssh proxy and then using http://localhost:50854.

Deployment environment

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.5
• Web-vault version: v2024.1.2b
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

**Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://************************************", "domain_origin": "*****://************************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "DEBUG", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "***********,*************", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "\"wikimove Vaultwarden\"", "smtp_host": "**************************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```

• Install method: docker compose

services: vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden environment:

• LOG_LEVEL=DEBUG
• DOMAIN=
• SIGNUPS_ALLOWED=false
• SIGNUPS_DOMAINS_WHITELIST=
• ADMIN_TOKEN=$ADMIN_TOKEN
• ORG_GROUPS_ENABLED=true
• SMTP_HOST=
• SMTP_PORT=587
• SMTP_SECURITY=starttls
• SMTP_FROM=no-reply@
• SMTP_FROM_NAME="Vaultwarden"
• SMTP_USERNAME=no-reply@
• SMTP_PASSWORD=$SMTP_PASSWORD

  doc: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template

  volumes:

• vw-data:/data ports:
• "127.0.0.1:50584:80" restart: unless-stopped

volumes: vw-data:

* Clients used: web vault (Firefox)

* Reverse proxy and version: apache2 (2.4.38-3+deb10u10)
the proxy modules ( proxy_module (shared),  proxy_http_module (shared),  proxy_wstunnel_module (shared)) are loaded

<VirtualHost *:80> ServerName passwords.

    <ifmodule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </ifmodule>

    ErrorLog /var/log/apache2/vaultwarden_error.log
    CustomLog /var/log/apache2/vaultwarden_access.log common

<VirtualHost *:443> ServerName passwords.

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    ProxyPass / http://localhost:50584/ upgrade=websocket

ProxyPassReverse / http://passwords./

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/passwords.<some domain>/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/passwords.<some domain>/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/passwords.<some domain>/chain.pem

    ErrorLog /var/log/apache2/vaultwarden_error.log
    CustomLog /var/log/apache2/vaultwarden_access.log common

* MySQL/MariaDB or PostgreSQL version: sqlite
* Other relevant details:

### Steps to reproduce
1) deploy vaultwarden as described
2) open web app and have a look on the network requests

### Expected behaviour
Getting 101 as response on the wss:// requests

### Actual behaviour
Getting 404 as response on the wss:// requests

### Troubleshooting data
relevant vaultwarden log:

vaultwarden | [2024-04-11 14:13:18.074][request][INFO] GET /notifications/hub?accesstoken=eyJ0eXAiOiJKV1QiL vaultwarden | [2024-04-11 14:13:18.074][vaultwarden::api::notifications::][WARN] Request guard rocket_ws :: WebSocket is forwarding. vaultwarden | [2024-04-11 14:13:18.074][rocket::response::responder::][WARN] Response was None. vaultwarden | [2024-04-11 14:13:18.074][rocket::server::][WARN] Responding with registered (not_found) 404 catcher. vaultwarden | [2024-04-11 14:13:18.074][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found

relevant apache2 log

- - [11/Apr/2024:13:51:47 +0000] "GET /notifications/hub?access_token= HTTP/1.1" 404 3783 ``` ### Workaround As a workaround i added the following lines to my apache VirtualHost conf # WebSocket proxying RewriteEngine On RewriteCond %{HTTP:Upgrade} =websocket [NC] RewriteRule /notifications/hub(.*) ws://localhost:50584/notifications/hub$1 [P,L]