Feature Request: Authenticated Origin Pulls #1850

Closed
opened 2025-10-09 17:33:00 +03:00 by OVERLORD · 7 comments
Originally created by @Dubz on GitHub.

It would be fantastic if there was a way to enable authenticated origin pulls, including the ability to set a valid certificate for them. This would allow us to secure our installations behind WAFs, like Cloudflare, and ensure nobody is able to get around that.

Apache example:

```apache
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
```

Nginx example:

```nginx
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
```

See for more info: https://support.cloudflare.com/hc/en-us/articles/204899617
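As an added example (not code from the issue or from the vaultwarden project), the Go program below stands up an origin configured the way the Apache/Nginx snippets above configure it, requiring a client certificate that chains to one specific CA, and probes it three ways: with no certificate, with a certificate issued by that CA, and with a certificate issued by an unrelated CA. Every certificate and name in it (origin-pull-ca, edge-proxy, impostor) is constructed in memory for the demonstration; only the second probe gets a response, which is what separates authenticated origin pulls from merely allowing a range of source IPs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// newCert mints a throwaway Ed25519 cert for cn, returned parsed and packed for tls; a nil parent means a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pkey any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored throughout: every input here is constructed
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// originAccepts runs an origin that, like the Apache/Nginx snippets in the issue, admits only clients whose cert chains to originCA; it reports whether a client presenting certs (nil = none) gets a response.
func originAccepts(originCA *x509.Certificate, certs []tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(originCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's own certificate
	client.Transport.(*http.Transport).TLSClientConfig.Certificates = certs
	resp, err := client.Get(srv.URL) // a rejected handshake surfaces here as a tls alert error
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}
// Scenarios probes the origin with no cert, a cert issued by the configured CA, and a cert from an unrelated CA.
func Scenarios() (noCert, trustedCert, foreignCert bool) {
	ca, caKP := newCert("origin-pull-ca", nil, nil)
	otherCA, otherKP := newCert("unrelated-ca", nil, nil)
	_, good := newCert("edge-proxy", ca, caKP.PrivateKey)
	_, bad := newCert("impostor", otherCA, otherKP.PrivateKey)
	return originAccepts(ca, nil), originAccepts(ca, []tls.Certificate{good}), originAccepts(ca, []tls.Certificate{bad})
}
```

The same check translates to a deployed origin: a probe with no certificate or with a certificate from the wrong CA must be refused at the handshake, before any request reaches the application.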


@Dubz commented on GitHub:

Yes, that is their name for it. It's basically just client authentication, which would also be mutual authentication, or mutual TLS as you mentioned. Thanks for the reference as well. I guess I'll just have to keep an eye on it for the time being.


@Dubz commented on GitHub:

In the meantime, I just closed off 443 to the machine and only allowed [Cloudflare's IPs](https://www.cloudflare.com/ips/) to access it via 443. This will also accomplish what I'm aiming for.
Just in case anyone else wants to lock their instance down.


@Dubz commented on GitHub:

> While I am not quite sure if I wanted to route all the web traffic to my password manager through a third party, the examples you have already posted could very likely be used with this project already. Just put either Apache or Nginx in front of your installation.

I can understand not feeling comfortable with routing through it, but considering the data is already being hosted by one (AWS, Azure, GCP), it's not really different for that. I'd personally rather have the system protected with a well known firewall than just out in the open as-is, or trying to manage one on my own. Plus I think I'd trust Cloudflare with my data more than any of the three mentioned cloud providers. They have a decent reputation in my book in regards to security transparency.

As for placing it behind Apache/Nginx, that is an option, however when running it in the cloud on an instance that runs one container, that's not really an option I'm aware of. This is really the only piece of the puzzle to lock and secure the container from the outside world.


@dani-garcia commented on GitHub:

Is Authenticated Origin Pulls Cloudflare's name for Mutual TLS? If so there's an open issue in Rocket for it: https://github.com/SergioBenitez/Rocket/issues/254. There's a PR for it that was closed for inactivity, and the issue doesn't seem very active, so for now using a proxy is the only way.


@fbartels commented on GitHub:

While I am not quite sure if I wanted to route all the web traffic to my password manager through a third party, the examples you have already posted could very likely be used with this project already. Just put either Apache or Nginx in front of your installation.


@yggdrasil-tynor commented on GitHub:

> In the meantime, I just closed off 443 to the machine and only allowed [Cloudflare's IPs](https://www.cloudflare.com/ips/) to access it via 443. This will also accomplish what I'm aiming for.
> Just in case anyone else wants to lock their instance down.

Wouldn't that allow anybody just to open a free Cloudflare account, and proxy requests to your instance? It's not protected without Mutual TLS aka. Authenticated Origin Pulls.


@Dubz commented on GitHub:

> > In the meantime, I just closed off 443 to the machine and only allowed [Cloudflare's IPs](https://www.cloudflare.com/ips/) to access it via 443. This will also accomplish what I'm aiming for.
> > Just in case anyone else wants to lock their instance down.
>
> Wouldn't that allow anybody just to open a free Cloudflare account, and proxy requests to your instance? It's not protected without Mutual TLS aka. Authenticated Origin Pulls.

I have not tested it, but you can see why I posted this request to begin with. I may end up porting the instance to a different server and running more than just a docker image on GCP to take care of this. That way I can have a bit more control over it.
Either way, it works for now and helps mask the system from just anyone.

Reference: starred/vaultwarden#1850