Websockets doesn't appear to be working #500

Closed
rcdailey opened this issue Jun 4, 2019 · 2 comments

rcdailey commented Jun 4, 2019

I have websockets enabled. To verify if websockets is working, I perform these steps:

  1. Create an item in my vault via the web application for Bitwarden_rs
  2. Wait a few seconds, check the vault on my Android device using the official Bitwarden app. The item does not appear when I search for it.

If I go to settings and manually sync on the Android Bitwarden app, and then perform the search for the item in the vault I created, I do see it. However, a manual sync should not be required, correct?

Here is my reverse proxy configuration. Note I am using NGINX:

server {
    listen 443 ssl http2;
    server_name bitwarden.example.com;
    client_max_body_size 0;
    resolver 127.0.0.11 valid=30s;

    include /config/nginx/ssl.conf;
    include /config/nginx/proxy.conf;

    set $upstream_bitwarden http://bitwarden;

    location / {
        proxy_pass $upstream_bitwarden:10080;
    }

    location /notifications/hub {
        proxy_pass $upstream_bitwarden:3012;
    }

    location /notifications/hub/negotiate {
        proxy_pass $upstream_bitwarden:10080;
    }
}

Contents of /config/nginx/ssl.conf:

# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;

# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

# protocols
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

Contents of /config/nginx/proxy.conf:

# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Allow websockets on all servers
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Ssl on;

To ensure websockets works across all applications supported by my reverse proxy, I have the following in my http block in NGINX:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

The map above correlates to the proxy.conf file above.

My docker-compose.yml is as follows (for security reasons, some parts are redacted):

version: '3.7'

services:
  app:
    image: mprasil/bitwarden
    restart: unless-stopped
    user: $UID:$GID
    networks:
      reverse_proxy:
        aliases:
        - bitwarden
    volumes:
    - ./data:/data
    - /etc/timezone:/etc/timezone:ro
    environment:
    - TZ=America/Chicago
    - ADMIN_TOKEN=<redacted>
    - ROCKET_PORT=10080
    - LOG_LEVEL=warn
    - DATA_FOLDER=/data
    - DOMAIN=https://bitwarden.example.com
    - YUBICO_CLIENT_ID=<redacted>
    - YUBICO_SECRET_KEY=<redacted>
    - WEBSOCKET_ENABLED=true

networks:
  reverse_proxy:
    external: true
    name: reverse_proxy

I do believe that my nginx configuration is correct here. Is there a bug causing websockets to not work, or is my configuration wrong?

@dani-garcia
Owner

Websockets doesn't apply to the mobile clients, those require push notification support (look at #126 for reasons as to why it isn't implemented).

To check that websocket support works, you'll need to use either the web vault, the desktop client or the browser extensions.

@rcdailey
Author

rcdailey commented Jun 4, 2019

Thanks for explaining. Looks like the issue is that the mobile applications hard code the push notification server URL and you're not able to inject into that system. Do you recommend adding suggestions for solutions to this problem on #246? I'll go ahead and close this one out.
