[GH-ISSUE #1040] Admin panel login redirect #736

Closed
opened 2026-03-03 02:02:42 +03:00 by kerem · 12 comments

Originally created by @SinTh0r4s on GitHub (Jul 2, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1040

Subject of the issue

Hi,
I am using a Bitwarden_RS instance on my personal host behind an nginx reverse proxy for HTTPS. Let's Encrypt. All that good stuff. Now I am looking into hardening my installation before I go live. As part of that I configured my nginx to block every public access to the /admin/ subdirectory.

  location ~ /admin {
    deny all;
    return 403;
  }

This works as intended. If I try to access https://bitwarden.public.dns/admin I am greeted with a 403 warning. So far so good.

I am still able to access the admin panel locally by accessing https://bitwarden.local/admin. Now I enter my token and press enter. Then I get redirected to https://bitwarden.public.dns/admin and receive a 403. If I change the address to https://bitwarden.local/admin again I can use the admin panel without problems.
The same thing happens when I log out of the admin panel (although it does not bother me in that case).

Is it possible to stop that redirecting to the public DNS after login? After all, it is just for convenience.

Great project! Love it!
SinTh0r4s

My environment

* Bitwarden_rs version: 1.15.1.gitb34d548
* Web version: 2.14.1
* Install method: CentOS Linux release 7.8.2003 (Core)
* From EPEL Repo: https://copr.fedorainfracloud.org/coprs/mrmeee/bitwarden_rs/repo/epel-7/mrmeee-bitwarden_rs-epel-7.repo
* Reverse proxy and version: Nginx 1.14.1
* Version of mysql/postgresql: Ver 15.1 Distrib 10.3.17-MariaDB
* Other relevant information: In bitwarden.conf: DOMAIN=https://bitwarden.public.dns:443
kerem closed this issue 2026-03-03 02:02:42 +03:00

@Mte90 commented on GitHub (Jul 27, 2020):

I have a similar problem.
Domain: https://dev.domain.tld/bitwarden/admin
After entering the password: https://dev.domain/admin


@wcjxixi commented on GitHub (Oct 12, 2020):

Incorrect nginx reverse proxy configuration:

  location ~ /admin {
    deny all;
    return 403;
  }

Replace with:

  location /admin {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:8443; #8443 is the host port your bitwarden_rs container is exposed to
  }

reference https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples Nginx (by shauder)


@Mte90 commented on GitHub (Oct 12, 2020):

I have the issue with Apache, and as I can see in the wiki these parameters for nginx already exist.


@BlackDex commented on GitHub (Oct 12, 2020):

The redirect is done based upon the DOMAIN setting you have configured.
So, in the case where it redirects to a wrong place, that value is configured wrong.
In the other case, I can understand the multi-TLD stuff. I could look into using the actual host for this instead of the configured DOMAIN.

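The two things the thread establishes are that the `location ~ /admin { deny all; }` block stops the request at the proxy, and that the post-login redirect is built from the backend's `DOMAIN` value rather than from the hostname the browser used. The nginx fragment below is an added example, not from the issue, the thread participants or the vaultwarden wiki; it combines the two: the admin panel is proxied but only for a trusted source range, and the `Location` header the backend emits for `DOMAIN` is rewritten to the host the browser actually connected with, so a session started on the local name stays on the local name. Assumed values: public name `bitwarden.public.dns`, local name `bitwarden.local`, trusted LAN `192.168.1.0/24`, backend on `127.0.0.1:8443` (the port used earlier in the thread), and Let's Encrypt certificate paths.

```nginx
# Added example, not from the issue thread or the vaultwarden wiki.
# Assumptions: public name bitwarden.public.dns, LAN name bitwarden.local,
# trusted clients on 192.168.1.0/24, backend on 127.0.0.1:8443, and DOMAIN
# in the backend config set to https://bitwarden.public.dns.
server {
    listen 443 ssl;
    server_name bitwarden.public.dns bitwarden.local;

    ssl_certificate     /etc/letsencrypt/live/bitwarden.public.dns/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitwarden.public.dns/privkey.pem;

    # Proxy headers at server level are inherited by both locations below,
    # because neither location declares its own proxy_set_header.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin panel. "^~" is a prefix match that also wins over regex
    # locations; the thread's "~ /admin" is a regex and would match the
    # string "/admin" anywhere in a URI, not only at the start.
    location ^~ /admin {
        # allow/deny evaluate $remote_addr, the TCP peer address, which a
        # client cannot spoof with X-Forwarded-For (unlike a trusted header).
        allow 192.168.1.0/24;   # assumption: the trusted LAN
        allow 127.0.0.1;        # local curl checks on the proxy host
        deny  all;              # everyone else gets 403 before the backend

        # The backend redirects to DOMAIN after login. Rewrite that
        # absolute Location to the scheme/host the browser used, so a login
        # on https://bitwarden.local/admin is not bounced to the public
        # name, where this same location would answer 403.
        proxy_redirect https://bitwarden.public.dns/ $scheme://$host/;

        proxy_pass http://127.0.0.1:8443;
    }

    location / {
        proxy_pass http://127.0.0.1:8443;
    }
}
```

Two checks before relying on this: the backend port must be bound to `127.0.0.1` (or firewalled) so the nginx `deny` cannot be bypassed by talking to `8443` directly, and if another proxy or CDN sits in front of nginx the `allow`/`deny` lines need the real client address (ngx_http_realip_module with `set_real_ip_from` for that upstream) rather than the upstream's address. After reloading, `curl -sI https://bitwarden.public.dns/admin` from outside the LAN should return 403, and a login POST from a LAN host should show a `Location:` header on `bitwarden.local` rather than on the public name.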

@Mte90 commented on GitHub (Oct 12, 2020):

In my case it is a multihost installation in a subfolder, and the domain is configured right.


@BlackDex commented on GitHub (Oct 12, 2020):

But with multi-host you can only configure one host/domain in the config. And that is where the redirect is pointing you to.


@BlackDex commented on GitHub (Nov 18, 2020):

Closing this ticket because of inactivity.
Feel free to continue this discussion on the forum: https://bitwardenrs.discourse.group/


@Mte90 commented on GitHub (Nov 18, 2020):

I still have the issue, so I don't know how to keep the discussion moving on as the problem persists.


@BlackDex commented on GitHub (Nov 18, 2020):

Well, I have tested this myself just now, and I can't reproduce this issue.
I tested this with nginx and it works without any strange redirect issues.

Also, I saw that there was no example for nginx with a sub-path available at the Proxy Examples, so I added this.
Please see: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples -> Nginx with sub-path (by BlackDex)


@Mte90 commented on GitHub (Nov 19, 2020):

In my case the TLD was missing in the settings, so I fixed it, but the admin panel looks like this:
[Screenshot_20201119_155358: https://user-images.githubusercontent.com/403283/99683143-4d89f780-2a80-11eb-9cb5-aec51d3cc6a2.png]

I am using "Apache in a sub-location" setting.


@BlackDex commented on GitHub (Nov 19, 2020):

@Mte90 did you also add the correct sub-path to the DOMAIN variable? So something like https://my-domain.tld/bitwarden/?


@blackw1ng commented on GitHub (Mar 5, 2021):

Hey, to continue on that one..

I used the apache2 sub-location stencil from the wiki, which does not mention DOMAIN.
In case I do not set this env, I can get /bitwarden/ working :)

However /bitwarden/admin/ does not really work.
First of all, it tries to load resources from /bwrs_static/.

A simple RewriteRule ^/bwrs_static/(.*) /bitwarden/bwrs_static/$1 [R=302,L] fixes at least the layout.

Entering the correct password results first in a POST (with a set token), then a 303, then again a GET on /bitwarden/admin, so no login happens :(
In case an incorrect password is entered, the yellow banner appears, so at least it seems that the token is verified.

Setting DOMAIN="https://xyz/bitwarden/admin" or DOMAIN="https://xyz/bitwarden/admin/" results in a 404 from rocket...
