dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0
36.78k stars 1.79k forks

bitwardenrs/server:raspberry ignoring `DISABLE_ADMIN_TOKEN` #833

Closed rekesz4 closed 4 years ago

rekesz4 commented 4 years ago

Subject of the issue

Using Dockstarter I had an instance running perfectly well. Nextcloud was having issues so I decided to format Rpi and start from scratch, but saved the nginx config files. Now when I try to run bitwarden_rs I keep getting the following error message in portainer:

Error loading config:

`ADMIN_TOKEN` is enabled but has an empty value. To enable the admin page without token, use `DISABLE_ADMIN_TOKEN`

Even though I've set the DISABLE token numerous times. I think this is why I keep getting 502 error when accessing bitwarden.domain.com. I thought it might be related to the server ignoring the SIGNUPS_ALLOWED variable, but I just ran docker-compose and it's still not working.

Your environment

Steps to reproduce

Run bitwarden_rs using Dockstarter.

Expected behaviour

Server should be up and running as before.

Actual behaviour

Server seems to ignore DISABLE_ADMIN_TOKEN.

(screenshot attached: Screenshot_20200130_101735)

Ayitaka commented 4 years ago

ADMIN_TOKEN is enabled but has an empty value. To enable the admin page without token, use DISABLE_ADMIN_TOKEN

That error is because you have ADMIN_TOKEN uncommented but have not set a token (password) after it. If you want the admin page enabled then you should generate a token and place the token after ADMIN_TOKEN=. Run openssl rand -base64 48 on your rpi to generate a random token: ADMIN_TOKEN=df7sg980dg87sdfg6d8s7g6879dsf687s9d

Commenting out ADMIN_TOKEN is what actually disables the admin page, so if you do not need to use the admin page then just comment it out like: #ADMIN_TOKEN=df7sg980dg87sdfg6d8s7g6879dsf687s9d

DISABLE_ADMIN_TOKEN just turns the requirement for the token off (meaning anyone can access the admin page just by visiting it - no password is required!). You pretty much never want to set DISABLE_ADMIN_TOKEN to true because it is very insecure, so set it to false, comment that line out or remove it from your config. #DISABLE_ADMIN_TOKEN=false

Your 502 error code (Bad Gateway) is caused by nginx not being able to connect to bitwarden_rs. So if fixing the admin_token issue doesn't fix the 502 error, then double-check your nginx configuration and make sure it points to the same ports you have bitwarden_rs listening on.
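The three ADMIN_TOKEN / DISABLE_ADMIN_TOKEN states described in the reply above, as an added example that is not part of this thread or of the bitwarden_rs/vaultwarden code: a POSIX shell checker that reads a docker-style env file and says whether /admin will be disabled, protected, open without a password, or fail at startup with the empty-value error from this issue. The env files it writes are constructed samples; the placeholder token is the one quoted in the reply; treating DISABLE_ADMIN_TOKEN=true as "open" even when ADMIN_TOKEN is commented out is this example's own assumption.

```shell
#!/bin/sh
# Added example, not code from bitwarden_rs/vaultwarden: a checker for the
# admin-page settings discussed in this issue. It reads a docker-style env
# file (KEY=value lines, '#' comments) and reports what the combination of
# ADMIN_TOKEN and DISABLE_ADMIN_TOKEN means for /admin, following the rules
# given in the replies above. Treating DISABLE_ADMIN_TOKEN=true as "open" when
# ADMIN_TOKEN is commented out is an assumption made here.

# last_value FILE KEY: value of the last uncommented KEY= line, double quotes
# stripped. Commented lines ('#ADMIN_TOKEN=...') do not match.
last_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/'
}

# admin_state FILE: prints one of
#   open      - DISABLE_ADMIN_TOKEN=true: /admin served with no password at all
#   disabled  - no uncommented ADMIN_TOKEN line: /admin is not served
#   error     - ADMIN_TOKEN= is present but empty: the startup error in this issue
#   protected - ADMIN_TOKEN has a value: /admin asks for that token
admin_state() {
    file=$1
    disable=$(last_value "$file" DISABLE_ADMIN_TOKEN | tr 'A-Z' 'a-z')
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    token_lines=$(grep -cE '^[[:space:]]*ADMIN_TOKEN=' "$file" || true)
    token=$(last_value "$file" ADMIN_TOKEN)

    if [ "$disable" = "true" ]; then
        echo open
    elif [ "$token_lines" -eq 0 ]; then
        echo disabled
    elif [ -z "$token" ]; then
        echo error
    else
        echo protected
    fi
}

# new_admin_token: the generator suggested in the reply (needs openssl).
new_admin_token() {
    openssl rand -base64 48
}

# set_admin_token FILE TOKEN: fill in the value of the uncommented ADMIN_TOKEN=
# line so the empty-value error goes away. '|' is used as the sed delimiter
# because a base64 token may contain '/'; base64 never contains '|' or '&'.
set_admin_token() {
    sed "s|^\([[:space:]]*ADMIN_TOKEN=\).*|\1$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_samples: writes constructed env files for each case into a temp dir and
# prints that directory. These are illustrations, not real deployments.
make_samples() {
    dir=$(mktemp -d)
    # 1. the config from the issue report: uncommented, but nothing after '='
    printf 'ADMIN_TOKEN=\nDISABLE_ADMIN_TOKEN=false\n' > "$dir/empty.env"
    # 2. the "I don't need /admin" fix: line commented out
    printf '#ADMIN_TOKEN=df7sg980dg87sdfg6d8s7g6879dsf687s9d\n' > "$dir/commented.env"
    # 3. the "I want /admin" fix: a real value (placeholder token from the reply)
    printf 'ADMIN_TOKEN=%s\n' 'df7sg980dg87sdfg6d8s7g6879dsf687s9d' > "$dir/token.env"
    # 4. the insecure variant: token requirement switched off entirely
    printf 'ADMIN_TOKEN=\nDISABLE_ADMIN_TOKEN=true\n' > "$dir/open.env"
    echo "$dir"
}

# Usage: show the verdict for each sample, then repair the broken one.
samples=$(make_samples)
for f in empty commented token open; do
    printf '%-14s %s\n' "$f.env" "$(admin_state "$samples/$f.env")"
done
set_admin_token "$samples/empty.env" "$(new_admin_token 2>/dev/null || echo placeholder-token)"
printf '%-14s %s (after set_admin_token)\n' "empty.env" "$(admin_state "$samples/empty.env")"
rm -rf "$samples"
```

Run it against your real env file with admin_state /path/to/bitwarden_rs.env: anything other than "protected" or "disabled" deserves a second look before the container is exposed through nginx.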

dani-garcia commented 4 years ago

Okay this has been changed in https://github.com/dani-garcia/bitwarden_rs/commit/480ba933fa01f2fa09e515fe238784c4cd3c2576, now if the admin token is disabled we won't error if it's set to the empty string.

That said, as @Ayitaka mentions, make sure your server is in a private secure network or behind a proxy that protects the /admin section, like this example: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#nginx-by-shauder