-
I have Vaultwarden behind Authelia protection. Everything works fine on desktop and web because I can log in to Authelia and then to the service itself, but the mobile app can't connect. Is there any way to keep these two things running together, or what is the best way to disable Authelia and still have a secure service that is exposed to the world?
-
This is what I have currently:

```yaml
# Password Manager
bitwarden:
  container_name: Bitwarden
  image: vaultwarden/server:alpine
  restart: always
  volumes:
    - $USERDIR/Bitwarden/Data:/data
    - $USERDIR/Bitwarden/SSL:/ssl
    - $USERDIR/Bitwarden/Logs:/logs
    - /etc/localtime:/etc/localtime:ro
  networks:
    pihole:
      ipv4_address: '172.22.0.109'
  user: $PUID:$PGID
  environment:
    - LOG_FILE=/logs/vaultwarden.log
    - LOG_LEVEL=warn
    - ...extra options
  logging:
    driver: "local"
    options:
      max-size: 10m
      max-file: "3"
  labels:
    - autoheal=true
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.bitwarden-rtr.entrypoints=https"
    - "traefik.http.routers.bitwarden-websocket.entrypoints=https"
    - "traefik.http.routers.bitwarden-admin.entrypoints=https"
    - "traefik.http.routers.bitwarden-rtr.rule=Host(`bitwarden.$DOMAINNAME`)"
    - "traefik.http.routers.bitwarden-websocket.rule=Host(`bitwarden.$DOMAINNAME`) && Path(`/notifications/hub`)"
    - "traefik.http.routers.bitwarden-admin.rule=Host(`bitwarden.$DOMAINNAME`) && Path(`/admin`)"
    - "traefik.http.routers.bitwarden-rtr.tls=true"
    - "traefik.http.routers.bitwarden-admin.tls=true"
    - "traefik.http.routers.bitwarden-websocket.tls=true"
    ## Middlewares
    # - "traefik.http.routers.bitwarden-rtr.middlewares=chain-oauth@file"
    # - "traefik.http.routers.bitwarden-rtr.middlewares=chain-authelia@file"
    # - "traefik.http.routers.bitwarden-admin.middlewares=chain-authelia@file" # Authelia for Admin
    # - "traefik.http.routers.bitwarden-rtr.middlewares=chain-no-auth@file" # No auth for dashboard
    # - "traefik.http.routers.bitwarden-websocket.middlewares=chain-no-auth@file" # No auth for websocket
    - "traefik.http.routers.bitwarden-admin.middlewares=chain-authelia@file" # Authelia for Admin
    - "traefik.http.routers.bitwarden-rtr.middlewares=chain-no-auth@file" # No auth for dashboard
    - "traefik.http.routers.bitwarden-websocket.middlewares=chain-no-auth@file" # No auth for websocket
    ## HTTP Services
    - "traefik.http.routers.bitwarden-rtr.service=bitwarden-svc"
    - "traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket-svc"
    - "traefik.http.routers.bitwarden-admin.service=bitwarden-admin-svc"
    - "traefik.http.services.bitwarden-svc.loadbalancer.server.port=8089"
    - "traefik.http.services.bitwarden-admin-svc.loadbalancer.server.port=8089"
    - "traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012"
  depends_on:
    - traefik
  mem_limit: 1000m
  mem_reservation: 100m
```

Then I have the logs piped into CrowdSec with the Authelia and Vaultwarden collections. So the frontend is protected by Vaultwarden's own account protection (2FA, brute-force protection, etc.), and the admin page is protected via Authelia. As far as I know, this is the only way to do it.
-
If anyone gets here trying to do the same with Caddy, this is how I managed to do it:
It's working well enough; if there are any improvements that can be made, leave a reply (b ̄▽ ̄)b
-
Thanks to this and this for sharing. Pinging OP and the answer in case they are vulnerable to this (@rubenmate @modem7). I did notice that I need two different Traefik routers (one for each of the following):

```yaml
- traefik.http.routers.vaultwarden-admin.entrypoints=websecure
- traefik.http.routers.vaultwarden-admin.rule=Host(`domain.com`) && Path(`/vwslug/admin`)
- traefik.http.routers.vaultwarden-admin.tls=true
- traefik.http.routers.vaultwarden-admin.tls.certResolver=le
- traefik.http.routers.vaultwarden-admin.middlewares=authelia-ext@file
- traefik.http.routers.vaultwarden-admin-2.entrypoints=websecure
- traefik.http.routers.vaultwarden-admin-2.rule=Host(`domain.com`) && Path(`/vwslug/admin/`)
- traefik.http.routers.vaultwarden-admin-2.tls=true
- traefik.http.routers.vaultwarden-admin-2.tls.certResolver=le
- traefik.http.routers.vaultwarden-admin-2.middlewares=authelia-ext@file
```

If anyone knows a way around this or a way to combine them, besides adding another middleware to add a trailing slash, let me know.
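The compose labels in the second comment and the two-router workaround in the last one both hinge on the same detail: Traefik's `Path()` matcher is an exact match, so a router whose rule is `Host(...) && Path(`/admin`)` only claims the single path `/admin`; anything else under `/admin/` falls through to the catch-all `Host(...)` router and its no-auth chain. The script below is an added example, not code from this discussion, from Vaultwarden or from Traefik. It models only the rule subset the labels use (`Host`, `Path`, `PathPrefix` joined with `&&`) and Traefik v2's default router priority (the length of the rule string, longest match wins), then replays constructed request paths through the thread's router table twice, once with the posted `Path(`/admin`)` rule and once with `PathPrefix(`/admin`)`. `bitwarden.example.com` stands in for `bitwarden.$DOMAINNAME`; treating `PathPrefix` as a plain string prefix is a simplifying assumption, and the sample paths are constructed (Vaultwarden's admin UI does fetch endpoints such as `/admin/users` and `/admin/diagnostics`, which is why they are included).

```python
"""Replay request paths through the Traefik router tables from this thread.

Added example (not from the discussion, Vaultwarden or Traefik). Models:
  - Host(): exact host match
  - Path(): exact path match
  - PathPrefix(): plain string-prefix match (assumption; Traefik may be
    segment-aware, but over-matching here only sends *more* through Authelia)
  - "&&" conjunction only; anything else is rejected
  - default priority = len(rule), highest wins (Traefik v2 behaviour when no
    explicit priority is configured)
"""
import re
from dataclasses import dataclass
from typing import Optional

MATCHER_RE = re.compile(r"(Host|Path|PathPrefix)\(`([^`]*)`\)")

DOMAIN = "bitwarden.example.com"  # placeholder for bitwarden.$DOMAINNAME
AUTH_MIDDLEWARE = "chain-authelia@file"   # names taken from the compose labels
NO_AUTH_MIDDLEWARE = "chain-no-auth@file"


@dataclass(frozen=True)
class Router:
    name: str
    rule: str
    middleware: str

    @property
    def priority(self) -> int:
        # Traefik v2 default when no router priority is set explicitly.
        return len(self.rule)

    def matches(self, host: str, path: str) -> bool:
        clauses = MATCHER_RE.findall(self.rule)
        # Refuse rules outside the modelled subset (e.g. "||", Headers()).
        leftover = MATCHER_RE.sub("", self.rule).replace("&&", "").strip()
        if not clauses or leftover:
            raise ValueError(f"rule not supported by this model: {self.rule}")
        for kind, arg in clauses:
            if kind == "Host" and host != arg:
                return False
            if kind == "Path" and path != arg:  # exact match, nothing more
                return False
            if kind == "PathPrefix" and not path.startswith(arg):
                return False
        return True


def route(routers: list[Router], host: str, path: str) -> Optional[Router]:
    """Return the router Traefik would select, or None if nothing matches (404)."""
    hits = [r for r in routers if r.matches(host, path)]
    return max(hits, key=lambda r: r.priority) if hits else None


def unprotected_admin_paths(routers: list[Router], paths: list[str]) -> list[str]:
    """Paths under /admin that reach Vaultwarden via a router without the Authelia chain."""
    bad = []
    for p in paths:
        r = route(routers, DOMAIN, p)
        if p.startswith("/admin") and r is not None and r.middleware != AUTH_MIDDLEWARE:
            bad.append(p)
    return bad


def thread_routers(admin_matcher: str) -> list[Router]:
    """The three routers from the compose labels, parameterised on the admin matcher."""
    return [
        Router("bitwarden-rtr", f"Host(`{DOMAIN}`)", NO_AUTH_MIDDLEWARE),
        Router("bitwarden-websocket",
               f"Host(`{DOMAIN}`) && Path(`/notifications/hub`)", NO_AUTH_MIDDLEWARE),
        Router("bitwarden-admin", f"Host(`{DOMAIN}`) && {admin_matcher}", AUTH_MIDDLEWARE),
    ]


EXACT_ADMIN = thread_routers("Path(`/admin`)")         # as posted in the thread
PREFIX_ADMIN = thread_routers("PathPrefix(`/admin`)")  # prefix variant

# Constructed sample requests: ordinary client traffic that must keep working
# without Authelia, plus the admin page and two endpoints its UI calls.
SAMPLE_PATHS = [
    "/", "/api/accounts/prelogin", "/notifications/hub",
    "/admin", "/admin/", "/admin/users", "/admin/diagnostics",
]

if __name__ == "__main__":
    for label, table in (("Path(`/admin`)", EXACT_ADMIN),
                         ("PathPrefix(`/admin`)", PREFIX_ADMIN)):
        print(f"admin router rule: {label}")
        for p in SAMPLE_PATHS:
            r = route(table, DOMAIN, p)
            print(f"  {p:26} -> {r.name:20} {r.middleware}")
        print("  admin paths bypassing Authelia:",
              unprotected_admin_paths(table, SAMPLE_PATHS) or "none")
```

With the posted exact-match rule the replay shows `/admin/`, `/admin/users` and `/admin/diagnostics` landing on `bitwarden-rtr` with the no-auth chain; with the prefix rule every `/admin*` request hits `bitwarden-admin` and the Authelia chain, and `/admin` and `/admin/` are covered by one router, so the second `-admin-2` router is not needed. The model is a simplification: confirm the result against the router list in your Traefik dashboard, and consider setting an explicit `priority` on the admin router rather than relying on rule length.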