TOTP Blocked when use proxy_intercept_errors for code 400 #1359

Closed
opened 2026-02-05 00:42:19 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @webysther on GitHub (Sep 18, 2022).

Subject of the issue

When creating nice error pages I discovered that, after login, the page that requests the TOTP is intercepted by the reverse proxy when an error page for HTTP code 400 is configured.

Deployment environment

Where is the admin page's Generate Support String!?

  • vaultwarden version: 1.25.2
  • Install method: docker
  • Clients used: web vault
  • Reverse proxy and version: Nginx Proxy Manager
  • MySQL/MariaDB or PostgreSQL version: SQLite
  • Other relevant details: Removing `error_page 400 /.../400.html` solves the problem

Steps to reproduce

Create an error page for HTTP 400 and try to log in with a user that has TOTP configured:

```nginx
error_page 400 /error_pages/HTTP400.html;
proxy_intercept_errors on;
```

Expected behaviour

Works with error page 400 configured

Actual behaviour

[screenshot]

Troubleshooting data

```nginx
gzip on;
gzip_vary on;
gzip_min_length 20;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/json;
gzip_disable "MSIE [1-6]\.";

location /authelia {
    internal;
    set $upstream_authelia http://AUTHELIA/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

location / {
    set $upstream_app http://VAULTWARDEN;
    proxy_pass $upstream_app;

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;

    client_max_body_size    10m;
    client_body_buffer_size 128k;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    error_page 401 =302 https://auth.webysther.org/?rd=$target_url;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;
    proxy_buffering         off;
    proxy_request_buffering off;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;

    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_upgrade;
    proxy_redirect   http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.0.0.0/8;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    proxy_set_header Connection "";

    error_page 400 /error_pages/HTTP400.html;
    error_page 402 /error_pages/HTTP402.html;
    error_page 403 /error_pages/HTTP403.html;
    error_page 404 /error_pages/HTTP404.html;
    error_page 500 /error_pages/HTTP500.html;
    error_page 501 /error_pages/HTTP501.html;
    error_page 502 /error_pages/HTTP502.html;
    error_page 503 /error_pages/HTTP503.html;
    proxy_intercept_errors on;
}

location /error_pages/ {
    alias /data/nginx/error_pages/;
    internal;
}
```

@webysther commented on GitHub (Sep 18, 2022):

To fix this problem, maybe the HTTP request for the TOTP page needs to be fixed, as it looks malformed.
For me it doesn't make sense to use HTTP 400 for this; a 302 makes sense, because the user and password are correct and the user simply hasn't given the TOTP yet, which is the second step of the login flow.

[screenshot]
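One way to keep branded error pages without breaking the second-factor step, shown here as an added example that is not part of the issue or of the Vaultwarden project: scope `proxy_intercept_errors` so it stays off for the API and identity endpoints, whose JSON error bodies (including the HTTP 400 the web vault receives during login while the TOTP is still missing) must reach the client unchanged. The upstream name, the `/authelia` `auth_request` target, the redirect URL and the `/error_pages/` alias are reused from the configuration above; the location split itself is an assumption.

```nginx
# Added example (not from the issue): API/identity paths pass upstream errors
# through untouched; only human-facing paths get the static HTML error pages.
location ~ ^/(api|identity|notifications)/ {
    proxy_pass http://VAULTWARDEN;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;        # websocket on /notifications/hub
    proxy_set_header Connection $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Splitting the location must not drop the access check that the original
    # "location /" enforced, so the auth_request is repeated here.
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    error_page 401 =302 https://auth.webysther.org/?rd=$target_url;

    # The clients parse the body of 4xx/5xx answers on these paths (the login
    # call to /identity/connect/token answers 400 with JSON while the second
    # factor is still missing), so nginx must not replace the upstream body.
    # No "error_page 400 ..." directive belongs in this block.
    proxy_intercept_errors off;
}

# Everything else (static web vault, /admin) is viewed by a person, so the
# branded pages are harmless here.
location / {
    proxy_pass http://VAULTWARDEN;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    error_page 401 =302 https://auth.webysther.org/?rd=$target_url;

    proxy_intercept_errors on;
    error_page 400 /error_pages/HTTP400.html;
    error_page 403 /error_pages/HTTP403.html;
    error_page 404 /error_pages/HTTP404.html;
    error_page 500 502 503 /error_pages/HTTP500.html;
}

location /error_pages/ {
    alias /data/nginx/error_pages/;
    internal;
}
```

A quick check after reloading nginx is to POST an invalid grant to `/identity/connect/token` and confirm the response body is still JSON rather than the HTML of `HTTP400.html`.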

Reference: starred/vaultwarden#1359