Errors with NGINX reverse proxy #5157

m1raculix opened this issue Dec 16, 2024 · 1 comment
@m1raculix

Steps To Reproduce

I run a self-hosted Bitwarden server on Ubuntu 22.04 with a fresh Docker install.
On some clients I'm unable to log in.
WebAuthn never works; YubiKey never works either.
What works are machines where I'm still logged in, and sometimes the browser login, but I can't do a fresh login on completely logged-out machines.

Tried to disable the reverse proxy and use Bitwarden's own SSL certs, but the errors were still the same.

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name my.domain.com;
  ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot

  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;

  # set max upload size
  root /var/www/bitwarden/;

  #  security settings to reach A+
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  ssl_dhparam /etc/ssl/private/dhparams.pem;
  server_tokens off;

  # Logs
  access_log /var/log/nginx/bitwarden-access.log;
  error_log /var/log/nginx/bitwarden-error.log;

#  limit_req zone=lr_zone burst=5 nodelay;
  client_max_body_size 1G;

  # reverse proxy for letsencrypt
  location =  /.well-known/acme-challenge/ {
     return 301 https://192.168.170.18/.well-known/acme-challenge/;
  }

  location / {

     proxy_pass        http://localhost:9696;
     proxy_redirect    off;
     proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Protocol $scheme;
     proxy_set_header X-Url-Scheme $scheme;
     # 26.07.
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;


  }
}
# we're in the http context here
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
upstream websocket {
     server localhost:4343;
}
#  http to https redirection
server {
    if ($host = my.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name my.domain.com;

    # reverse proxy for letsencrypt
    location =  /.well-known/acme-challenge/ {
        return 301 http://192.168.170.18/.well-known/acme-challenge/;
    }
    return 301 https://$host$request_uri;
}
# reverse proxy for letsencrypt

Expected Result

Login should work as it did for the last two years.

Actual Result

Login fails with many different error messages:

  • incorrect username or password (both are correct and worked on the same machine)
  • no secure connection (on Android), but my domain gets A+ on the SSL check and the cert is valid for three months

Screenshots or Videos

No response

Additional Context

Nginx reverse proxy logs
*86 connect() failed (111: Unknown error) while connecting to upstream, client: ::1, server: my.domain.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:9696/", host: "my.domain.com"

ss -ltn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:9696 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:2812 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:4343 0.0.0.0:*
LISTEN 0 4096 [::]:9696 [::]:*
LISTEN 0 1024 [::]:2812 [::]:*
LISTEN 0 4096 [::]:3000 [::]:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 4096 [::]:4343 [::]:*

Build Version

2024.12.1

Environment

Self-Hosted

Environment Details

Ubuntu 22.04 LTS
all updates installed

docker version
Client: Docker Engine - Community
Version: 27.4.0
API version: 1.47
Go version: go1.22.10
Git commit: bde2b89
Built: Sat Dec 7 10:38:40 2024
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 27.4.0
API version: 1.47 (minimum version 1.24)
Go version: go1.22.10
Git commit: 92a8393
Built: Sat Dec 7 10:38:40 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.24
GitCommit: 88bf19b2105c8b17560993bee28a01ddc2f97182
runc:
Version: 1.2.2
GitCommit: v1.2.2-0-g7cb3632
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@m1raculix m1raculix added the bug label Dec 16, 2024
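The error-log line and the ss -ltn output in the report are the two artefacts to cross-check first when nginx reports connect() failed to an upstream. The following is an added Python example, not code from this issue or from Bitwarden: it parses both (using the quoted lines as constructed sample input) and classifies the failure as no listener on the port, an IPv4/IPv6 family mismatch (the proxy_pass hostname resolving to ::1 while only 0.0.0.0 is bound, or vice versa), or a listener that is bound for that family yet still refuses. Function names and verdict strings are the example's own.

```python
import re
from ipaddress import ip_address

# nginx error-log line quoted in this issue, used here as constructed sample input
SAMPLE_LOG = ('*86 connect() failed (111: Unknown error) while connecting to upstream, client: ::1, '
              'server: my.domain.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:9696/", '
              'host: "my.domain.com"')
# excerpt of the "ss -ltn" output from the issue (constructed sample input)
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:9696 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 [::]:9696 [::]:*"""

FAIL_RE = re.compile(
    r'connect\(\) failed \((?P<errno>\d+): [^)]*\) while connecting to upstream.*?'
    r'upstream: "https?://(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+)/')
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)(?=\s|$)')

def parse_failure(line):
    """Return {errno, host, port, family} for an nginx upstream connect() error line, else None.
    host is the literal address nginx dialled (::1 here, i.e. what "localhost" resolved to)."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    host = m.group("v6") or m.group("v4")
    return {"errno": int(m.group("errno")), "host": host, "port": int(m.group("port")),
            "family": ip_address(host).version}

def parse_listeners(ss_output):
    """Return {(family, address, port)} from 'ss -ltn' text; a bare '*' counts for both families."""
    found = set()
    for row in ss_output.splitlines():
        m = SS_RE.match(row)
        if not m:
            continue
        local, port = m.group("local").strip("[]").split("%")[0], int(m.group("port"))
        if local == "*":
            found |= {(4, "0.0.0.0", port), (6, "::", port)}
        else:
            found.add((ip_address(local).version, local, port))
    return found

def diagnose(failure, listeners):
    """'no-listener', 'family-mismatch' (only the other IP family is bound on the port, the
    classic localhost -> ::1 trap) or 'listener-present' (bound for this family, yet refused)."""
    on_port = {l for l in listeners if l[2] == failure["port"]}
    wildcard = "::" if failure["family"] == 6 else "0.0.0.0"
    if any(l[0] == failure["family"] and l[1] in (wildcard, failure["host"]) for l in on_port):
        return "listener-present"
    return "family-mismatch" if any(l[0] != failure["family"] for l in on_port) else "no-listener"
```

On the reporter's own data the verdict is listener-present: [::]:9696 is bound, so the refused connection points at whatever owns that socket (here Docker's port publishing) rather than at a missing IPv6 listener.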
@m1raculix (Author)

Seems the issue disappeared. I don't know why, but after replacing all certs and restarting everything, including my internet router, it works again. Maybe a DNS caching or IPv4/IPv6 issue.
