linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

Issue with bitwarden #102

Closed jokerigno closed 2 years ago

jokerigno commented 3 years ago

Expected Behavior

Bitwarden simply works

Current Behavior

Bitwarden reverse proxy does not work.

Steps to Reproduce

  1. setup proxy-confs file
  2. run container

Environment

OS: Unraid
CPU architecture: x86_64/arm32/arm64
How docker service was installed: via community applications

Command used to create docker container (run/create/compose/screenshot)

Docker logs

Hi, I updated the Swag container and now my bitwarden instance is not working anymore. Checking the swag log I found a message asking me to update the nginx conf files, so I updated the conf file inside the nginx folder with the new template, renamed the container from bitwardenrs to bitwarden as requested in that file, and set WEBSOCKET_ENABLED to true in the bitwarden container. Still can't access from outside. Any hint?

Previous conf file

#BITWARDEN
# make sure that your DNS has a CNAME or A record set for the subdomain bitwarden
# This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
# However the container name is expected to be "bitwardenrs" as it is by default in the template, as this name is used to resolve.
# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7

resolver 127.0.0.11 valid=30s;
upstream bitwarden {
    server bitwardenrs:80;
}

server {
    listen 443 ssl;
    server_name bitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    location / {
        proxy_pass http://bitwarden;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # websocket endpoint: needs the Upgrade/Connection headers passed through
    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden;
    }
}

New Conf file

## Version 2020/12/09
# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

github-actions[bot] commented 3 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

aptalca commented 3 years ago

Define not working

jokerigno commented 3 years ago

Sorry.

The container is working as expected. But it is the reverse proxy for the specific instance of Bitwarden that NOW stopped working.

Other proxies (Nextcloud, home assistant) continue working.

That's why I opened this issue.

aptalca commented 3 years ago

I meant, what are you seeing? What error are you getting?

jokerigno commented 3 years ago

I see error 522 (I use Cloudflare)

nemchik commented 3 years ago

> I see error 522 (I use Cloudflare)

https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error

This doesn't look like it's going to have anything to do with the bitwarden proxy. It's possible that a configuration in one of your other proxy config files may be the issue. Can you post your container logs? The container logs should tell you if any of the other config files are not up to date with our latest samples.

jokerigno commented 3 years ago

I have this message in logs:

The following reverse proxy confs have different version dates than the samples that are shipped.

This may be due to user customization or an update to the samples. You should compare them to the samples in the same folder to make sure you have the latest updates.
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/radarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/organizr.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/homeassistant.subdomain.conf
/config/nginx/proxy-confs/freshrss.subdomain.conf

Those services are working btw. I will update those templates and see if the error persists.

In the meantime thank you!
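The warning quoted above is the container comparing the `## Version` date stamp at the top of each enabled proxy-conf with the stamp in the shipped `.sample` next to it. The script below is an added example, not SWAG's own check: it performs that comparison over a constructed temporary directory (file names and dates are made up for the demo) and also reports confs that carry no stamp at all, which is what an old-style template such as the previous bitwarden conf earlier in this thread looks like.

```python
"""Find proxy-confs whose version stamp differs from the shipped sample.

Added example, not SWAG's own script: it reproduces the comparison behind the
"different version dates than the samples" warning over a constructed
directory, and also flags confs that carry no "## Version" stamp at all.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Shipped samples start with a line like "## Version 2020/12/09".
VERSION_RE = re.compile(r"^##\s*Version\s+(\d{4}/\d{2}/\d{2})", re.MULTILINE)


def conf_version(path: Path) -> Optional[str]:
    """Return the YYYY/MM/DD stamp from a conf, or None for an unstamped (old-style) file."""
    m = VERSION_RE.search(path.read_text(encoding="utf-8"))
    return m.group(1) if m else None


def stale_confs(conf_dir: Path) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each enabled conf whose stamp differs from its .sample to (active, sample)."""
    stale = {}
    for sample in sorted(conf_dir.glob("*.conf.sample")):
        active = sample.with_suffix("")  # x.subdomain.conf.sample -> x.subdomain.conf
        if not active.exists():
            continue  # sample never enabled; nothing to compare
        v_active, v_sample = conf_version(active), conf_version(sample)
        if v_active != v_sample:
            stale[active.name] = (v_active, v_sample)
    return stale


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Build a constructed proxy-confs directory (hypothetical dates) and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            # updated to the current sample: not reported
            "bitwarden.subdomain.conf.sample": "## Version 2020/12/09\nserver { }\n",
            "bitwarden.subdomain.conf": "## Version 2020/12/09\nserver { }\n",
            # customized copy left on an older stamp
            "sonarr.subdomain.conf.sample": "## Version 2021/03/20\nserver { }\n",
            "sonarr.subdomain.conf": "## Version 2020/05/31\nserver { }\n",
            # old-style template with no stamp at all
            "radarr.subdomain.conf.sample": "## Version 2021/03/20\nserver { }\n",
            "radarr.subdomain.conf": "#RADARR\nupstream radarr { }\n",
            # sample present but never enabled
            "plex.subdomain.conf.sample": "## Version 2021/01/01\nserver { }\n",
        }
        for name, body in files.items():
            (root / name).write_text(body, encoding="utf-8")
        return stale_confs(root)


if __name__ == "__main__":
    for name, (active, sample) in demo().items():
        print(f"{name}: active={active} sample={sample}")
```

In a real deployment, point `stale_confs` at /config/nginx/proxy-confs instead of the temp dir. An entry whose active stamp is `None` predates the stamped templates and is better rebuilt from the sample than patched line by line, since the newer samples changed the upstream layout (per-location `set $upstream_*` blocks instead of a shared `upstream {}`).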

jokerigno commented 3 years ago

Ok I updated all the conf files and the issue persists. Here's the full log:

-------------------------------------

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=xxxxxxxxxxx.it
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=xxxxxxxxxxxxxxx.it
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of xxxxxxxxxxxx.it will be requested
E-mail address entered: xxxxxxxxxxxx.it
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of xxxxxxxxxxxxx.it will be requested
E-mail address entered: xxxxxxxxxxxxx.it
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

jokerigno commented 3 years ago

any update on it?

j0nnymoe commented 3 years ago

Have you confirmed bitwarden is on the same docker network? What's the actual error you're getting?

jokerigno commented 3 years ago

Yes, bitwarden uses the same docker network as the other containers (called proxynet). The error is 522 (I think maybe specific to Cloudflare?)

I already asked for support in the Cloudflare forum, they linked me to this page https://community.cloudflare.com/t/community-tip-fixing-error-522-connection-timed-out/42325

I'm quite sure that this is not useful in my case because I didn't change any setting in the firewall or container so far, and other containers are using swag without issue (deluge, sonarr, radarr, home assistant)

aptalca commented 3 years ago

Turn off cloudflare proxy

jokerigno commented 3 years ago

That's brutal. Also because, as said before, it worked till 20 days ago and still works for other web apps

nemchik commented 3 years ago

> That's brutal. Also because, as said before, it worked till 20 days ago and still works for other web apps

Turning off the CF proxy may only need to be done temporarily. We want to make sure it works without it.

jokerigno commented 3 years ago

Ok. Just to be sure. Do you want me to remove CF from my registrar DNS, right (I have a domain that I use from outside the LAN)? So I need to change DNS from the one Cloudflare gave me to the regular one. Right?

nemchik commented 3 years ago

> Ok. Just to be sure. Do you want me to remove CF from my registrar DNS, right (I have a domain that I use from outside the LAN)? So I need to change DNS from the one Cloudflare gave me to the regular one. Right?

No.

All you need to do is make sure the CF proxy is disabled for the domain or subdomain you're using to access bitwarden.

[image]

jokerigno commented 3 years ago

Ok, I guess I did the right thing asking....

I made the simple change

[image]

and now :

Same error. Different page

ERR_CONNECTION_TIMED_OUT

[image]

I rebooted container and looked at logs. No message.

nemchik commented 3 years ago

Can you run:

docker exec swag ping bitwarden -c2

And confirm that it does not say bad address?

jokerigno commented 3 years ago

Confirm:

root@Joshua:~# docker exec swag ping bitwarden -c2
PING bitwarden (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.073 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.060 ms

--- bitwarden ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.060/0.066/0.073 ms

jokerigno commented 3 years ago

If it can be useful, mobile apps and the chrome ext (all of them are set up with the external url) are still ok.

Roxedus commented 3 years ago

Everything points to this being an issue with your port forward or DNS setup.

jokerigno commented 3 years ago

> Everything points to this being an issue with your port forward or DNS setup.

But it happens ONLY with this container. Not with all the others.

Roxedus commented 3 years ago

Yet there is not a shred of evidence pointing to the fact that your browser even tries to connect. A faulty proxy-conf would most likely end up with a 502 error. A faulty nginx config would present itself in the docker logs. Are you able to post some nginx logs saying that your browser is reaching it?

jokerigno commented 3 years ago

This is the only error that I found in error.log in nginx:

```
2021/04/23 10:54:36 [error] 476#476: *740 bitwarden could not be resolved (3: Host not found), client: 141.101.104.118, server: bitwarden.*, request: "POST /identity/connect/token HTTP/1.1", host: "bitwarden.casaconcordia.it"
```

It was this morning before disabling proxy in CF

Roxedus commented 3 years ago

So your log agrees with my suspicion of your browser not even connecting.
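The log line quoted two comments up is in the standard nginx error-log format: timestamp, level, `pid#tid`, `*connection`, the message, then the optional `client`, `server`, `request`, `upstream` and `host` fields. The message `bitwarden could not be resolved (3: Host not found)` is nginx's resolver (127.0.0.11, Docker's embedded DNS, per the conf) failing to map the container name at that moment, which is a different failure from a container that is reachable but refuses or times out. The parser below is an added example, not code from SWAG or from anyone in this thread; it splits such lines into fields and buckets them by failure stage so the two cases are not confused. The sample lines are constructed, with the real IPs and hostnames replaced by documentation placeholders.

```python
"""Bucket nginx error-log lines by where a proxied request failed.

Added example (not SWAG's code): parses the standard nginx error-log line
format and classifies upstream failures, so "nginx could not resolve the
container name" is not confused with "container refused/timed out".
SAMPLE_LINES are constructed; addresses and hostnames are placeholders.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# <date> <time> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ...,
# request: "...", upstream: "...", host: "..."   (trailing fields optional, order fixed)
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<msg>.*?)'
    r'(?:, client: (?P<client>[^,]+))?'
    r'(?:, server: (?P<server>[^,]+))?'
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)

# (category, message pattern, next thing to check). First match wins.
CATEGORIES = [
    ("upstream_dns", re.compile(r"could not be resolved"),
     "request reached nginx, but resolver 127.0.0.11 had no record for the name: "
     "check the container name and that both containers share the docker network"),
    ("upstream_refused", re.compile(r"Connection refused"),
     "name resolved, nothing listening on that port: check $upstream_port"),
    ("upstream_timeout", re.compile(r"upstream timed out"),
     "TCP connected but no response in time: check the app itself"),
]


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error-log line into fields plus a 'category'; None if not nginx format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["category"] = next(
        (name for name, pat, _ in CATEGORIES if pat.search(fields["msg"] or "")), "other")
    return fields


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed lines per category; lines not in nginx format are skipped."""
    return dict(Counter(p["category"] for p in map(parse_line, lines) if p))


def hint(category: str) -> str:
    """Suggested next check for a category ('' for 'other')."""
    return next((h for name, _, h in CATEGORIES if name == category), "")


# Constructed sample log (placeholder addresses/hosts); line 1 mirrors the thread's format.
SAMPLE_LINES = [
    '2021/04/23 10:54:36 [error] 476#476: *740 bitwarden could not be resolved (3: Host not found), '
    'client: 203.0.113.10, server: bitwarden.*, request: "POST /identity/connect/token HTTP/1.1", '
    'host: "bitwarden.example.org"',
    '2021/04/23 11:02:01 [error] 476#476: *812 connect() failed (111: Connection refused) while '
    'connecting to upstream, client: 203.0.113.10, server: bitwarden.*, request: "GET / HTTP/2.0", '
    'upstream: "http://172.18.0.2:80/", host: "bitwarden.example.org"',
    '2021/04/23 11:05:44 [error] 476#476: *830 upstream timed out (110: Operation timed out) while '
    'reading response header from upstream, client: 203.0.113.10, server: nextcloud.*, '
    'request: "GET /status.php HTTP/2.0", upstream: "http://172.18.0.5:443/status.php", '
    'host: "nextcloud.example.org"',
    '2021/04/23 11:06:00 [notice] 1#1: signal process started',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_line(line)
        if p:
            print(f"{p['category']:17} client={p['client']} host={p['host']}  {hint(p['category'])}")
    print(summarize(SAMPLE_LINES))
```

Feed it `docker exec swag cat /config/log/nginx/error.log` (or the file under the mounted config dir) and the `upstream_dns` bucket is the one that says the request did arrive at nginx and the name lookup is what failed; a `docker exec swag ping <name> -c2` that succeeds afterwards only shows the name resolves now, not that it resolved when the error was logged.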

nemchik commented 3 years ago

Assuming you are using chrome, can you visit chrome://settings/help and tell us the version you see?

Ex: Version 90.0.4430.85 (Official Build) (64-bit)

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.