Nginx Proxy Pass WSS Fails #1091

Closed
opened 2026-02-04 23:53:40 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @StarScream159 on GitHub (Aug 5, 2021).

Nginx Proxy Pass WSS Fails

I have vaultwarden set up with a standard nginx install and am proxying the connection to docker. Everything works except I get a wss error in my browser and nginx log for the websocket. From what I can tell everything is correct. I see the parity_ws process listening on 0.0.0.0:3012 in the vaultwarden log and I see from docker ps that port 2013/tcp is there. I'm pretty sure my nginx config is correct with the upgrade headers. But I still get errors. Any help would be appreciated.

Deployment environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.2
  • Web-vault version: v2.21.1
  • Running within Docker: true
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: false
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used: browser Brave (Version 1.27.109 Chromium: 92.0.4515.115 (Official Build) (64-bit))
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*********",
  "domain_origin": "****://*********",
  "domain_path": "",
  "domain_set": false,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • Other relevant details: nginx version: nginx/1.14.1

What Happens

In my browser after logging in I see my vault. If I open my console I get the following:

WebSocketTransport.js:86 WebSocket connection to 'wss://passwords.example.com/notifications/hub?access_token=LONGTOKENSTRINGHERE' failed: 
(anonymous) @ WebSocketTransport.js:86
... <rest of stack trace here> ...
Utils.js:198 [2021-08-05T17:00:01.938Z] Error: Failed to start the connection: Error: There was an error with the transport.

In my nginx logs I see the following:

2021/08/05 13:00:02 [error] 64657#0: *303 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.99.5, server: passwords.example.com, request: "GET /notifications/hub?access_token=LONGTOKENSTRINGHERE HTTP/1.1", upstream: "http://127.0.0.1:3012/notifications/hub?access_token=LONGTOKENSTRINGHERE

In the vaultwarden log I see that it is opening connections:

/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.22.2                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/

[INFO] No .env file found.

[2021-08-05 16:50:42.593][parity_ws][INFO] Listening for new connections on 0.0.0.0:3012.
[2021-08-05 16:50:42.597][start][INFO] Rocket has launched from http://0.0.0.0:80

And when I try to load/hit the socket URL from within the container I get the expected result, so it is listening:

# docker exec -i -t vaultwarden curl 127.0.0.1:3012
# WebSocket Protocol Error: Unable to parse WebSocket key.

Troubleshooting data

My nginx config:

server {
  listen *:80;
  server_name passwords.example.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://passwords.example.com:443$request_uri;
}
server {
  listen 443 ssl http2;
  server_name passwords.example.com;

  # Specify SSL config if using a shared one.
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://localhost:32080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
  }

  location /notifications/hub/negotiate {
    proxy_pass http://localhost:32080;
  }

}

I'm starting the docker install with:

docker run -d --name vaultwarden -v /opt/bitwarden/:/data/ -p 32080:80 -e WEBSOCKET_ENABLED=true -e LOG_FILE=/data/bitwarden.log -e ADMIN_TOKEN=RANDOMSTRINGHERE vaultwarden/server:latest
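An added diagnostic written for this report (not the poster's code and not part of vaultwarden): it reads the proxy_pass targets from the nginx config above and the -p mappings from the docker run line, then lists loopback upstreams that the container never publishes, which is the pattern behind the `connect() failed (111: Connection refused)` to 127.0.0.1:3012 in the nginx log. It assumes nginx runs on the docker host; the inputs are constructed copies of the config and command from the post.

```python
import re

# Constructed sample inputs, copied from the nginx config and docker run line in this report
# (the docker line is trimmed to the flags that matter for the check).
NGINX_CONF = """
  location / {
    proxy_pass http://localhost:32080;
  }
  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
  location /notifications/hub/negotiate {
    proxy_pass http://localhost:32080;
  }
"""
DOCKER_RUN = ("docker run -d --name vaultwarden -v /opt/bitwarden/:/data/ -p 32080:80 "
              "-e WEBSOCKET_ENABLED=true vaultwarden/server:latest")

# Assumption: nginx runs on the docker host, so a loopback upstream is reachable
# only if the container publishes that host port with -p/--publish.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def upstream_ports(conf):
    """Return a set of (location, host, port) for every proxy_pass with an explicit port."""
    found = set()
    for loc, body in re.findall(r"location\s+(\S+)\s*\{([^}]*)\}", conf):
        for host, port in re.findall(r"proxy_pass\s+https?://([^:/;\s]+):(\d+)", body):
            found.add((loc, host, int(port)))
    return found

def published_ports(cmd):
    """Return the host ports a docker run line publishes (-p [ip:]hostPort:containerPort[/proto])."""
    ports = set()
    for spec in re.findall(r"(?:-p|--publish)[ =](\S+)", cmd):
        parts = spec.split("/")[0].split(":")
        if len(parts) >= 2:  # a bare containerPort gets a random host port, so it cannot be relied on
            ports.add(int(parts[-2]))
    return ports

def unreachable_upstreams(conf, cmd):
    """Loopback upstreams nginx will get 'connection refused' on because no published port matches."""
    published = published_ports(cmd)
    return sorted(u for u in upstream_ports(conf) if u[1] in LOOPBACK and u[2] not in published)

if __name__ == "__main__":
    for loc, host, port in unreachable_upstreams(NGINX_CONF, DOCKER_RUN):
        print(f"{loc}: proxy_pass -> {host}:{port}, but the container does not publish port {port}")
```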
Reference: starred/vaultwarden#1091