Protect Admin panel by restricting access to only IP LAN

[MilesTEG1]

Hello,

With the 1.25.1 version of Vaultwarden, my script to enable websocket notifications wasn't working anymore because of some lack of proxy_set_header in my configuration file.
I do some research with the wiki, and I have come to change some proxy_set_header according to the wiki.

Some explanations first

First I have to explain my particular configuration of Vaultwarden.
I installed it in docker, on my Synology NAS.
I use a domain name, with a valid certificate, so in HTTPS in order to use 2FA for login.
I also use the reverse proxy of DSM to serve my services with various domain names like :

• vault.mydomain.tld
• dsm.mydomain.tld
• photos.mydomain.tld
• files.mydomain.tld
• etc ...

The reverse proxy is base on NGINX, but we don't have access to it easily. It needs SSH to the NAS.
In order to get the WebSocket Notifications working, I have to launch a bash script searching in the server.ReverseProxy.conf the server line corresponding to my Vaultwarden domain name, and it adds a line include /etc/nginx/websocket.locations.vaultwarden;.
This websocket.locations.vaultwarden file contain now this :

location /notifications/hub/negotiate {
    proxy_http_version 1.1;
    proxy_set_header "Connection" "";
    
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://192.168.2.200:882;
}

location /notifications/hub {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Forwarded $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://192.168.2.200:3012;
}

location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    # auth_basic Private;
    # auth_basic_user_file /path/to/htpasswd_file;

    # Restrict access to only some IP (LAN IP & VPN)
    allow 192.168.2.0/24;
    allow 192.168.10.0/24;
    allow 192.168.11.0/24;
    deny all;

    proxy_http_version 1.1;
    proxy_set_header "Connection" "";

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://192.168.2.200:882/admin;
}

Restricting the access to admin panel ton IP LAN and VPN

As you can see in the previous websocket.locations.vaultwarden file, all is correct corresponding to the wiki page : proxy-examples, except for the allow / deny lines I add.
I add those lines to allow only the LAN IP & VPN I use, and deny all others.

Note for some like me : restart NGONX service after mofiying the websocket.locations.vaultwarden file 😵

My suggestion

Can you add this to the wiki ? It could be a bonus to the security of the admin panel.

    # Restrict access to only some IP (LAN IP & VPN)
    allow 192.168.2.0/24;
    allow 192.168.10.0/24;
    allow 192.168.11.0/24;
    deny all;

Thanks for reading all the message 😄

PS : if someone want to see the script doing all the modification, I can put it here, but it's in French.

[BobWs]

Why not use Nginx Proxy Manager (NPM)? Then you don’t need a script to make the necessary changes to reverse proxy. https://www.blackvoid.club/nginx-proxy-manager/
See how to setup with NPM https://www.blackvoid.club/bitwarden-livesync-feature/

[MilesTEG1]

Hello @BobWs
I'm not using NPM because it's a bit too complex to get it working on my synology (Docker, in macvlan). But I'm thinking of trying it again maybe.
But, I can't disable the DSM nginx. And I need this one to have the synology's domain name working (I use this one for some app, and an OVH domain for others apps).

I read the two links you gave, and Ok NPM may be more easy than I thought...
For the Websocket Notifications, all he have done with the external .conf put into /usr/local/etc/nginx/sites-enabled is what I have done in the nginx .conf file, but I do more complex than him... yes 😄

My message here was more about adding the following lines into the nginx proxy examples 😀

    # Restrict access to only some IP (LAN IP & VPN)
    allow 192.168.2.0/24;
    allow 192.168.10.0/24;
    allow 192.168.11.0/24;
    deny all;

[Stephan-4711]

Hi Miles,

thanks for your script this is working finde :-)
I have one question about it.
When some comes from outside the nginx is creating a 404 when entering the /admin page.
If someone goes to another side /cheese for example the vaultwarden page creates another 404 which looks very diffrent.
an attacker now sees, there is something behind /admin.
is there away to show the 404 page from the vaultwarden page or rewrite the /admin side from the outside to / so that the user gets the normal login window?

[BlackDex]

You could just redirect it internally to /404, this doesn't exists of course, but will show you the same page.

[stefan0xC]

@BlackDex Well, it will not exist in future versions of Vaultwarden (or if you are using testing) because we don't ship the 404 folder of the web client anymore (since v2023.8.2). With v2023.7.1 (the web-vault version shipped in the current latest release and earlier) /404 will just fail (IIRC).

[Stephan-4711]

could you plese give me help with the code how to redirect to / root path?
Sorry I'm to stupid for scripting :-(