Websocket connections not working with recommended apache2 proxy configuration #1894

Closed
opened 2026-02-05 02:08:25 +03:00 by OVERLORD · 0 comments
Originally created by @SoraMakes on GitHub (Apr 11, 2024).

Subject of the issue

When deploying vaultwarden as a Docker container and using apache2 as a reverse proxy with the configuration recommended here (https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples), I get NS_ERROR_WEBSOCKET_CONNECTION_REFUSED on Firefox. It works fine when accessing it via ssh proxy and then using http://localhost:50854.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************************************",
  "domain_origin": "*****://************************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "DEBUG",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "***********,*************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "\"wikimove Vaultwarden\"",
  "smtp_host": "**************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • Install method: docker compose

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - LOG_LEVEL=DEBUG
      - DOMAIN=<some domain>
      - SIGNUPS_ALLOWED=false
      - SIGNUPS_DOMAINS_WHITELIST=<some domains>
      - ADMIN_TOKEN=$ADMIN_TOKEN
      - ORG_GROUPS_ENABLED=true
      - SMTP_HOST=<some domain>
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_FROM=no-reply@<some domain>
      - SMTP_FROM_NAME="Vaultwarden"
      - SMTP_USERNAME=no-reply@<some domain>
      - SMTP_PASSWORD=$SMTP_PASSWORD
# doc: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
    volumes:
      - vw-data:/data
    ports:
      - "127.0.0.1:50584:80"
    restart: unless-stopped

volumes:
  vw-data:


  • Clients used: web vault (Firefox)

  • Reverse proxy and version: apache2 (2.4.38-3+deb10u10)
    The proxy modules (proxy_module (shared), proxy_http_module (shared), proxy_wstunnel_module (shared)) are loaded.

<VirtualHost *:80>
        ServerName passwords.<some domain>

        <ifmodule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        </ifmodule>

        ErrorLog /var/log/apache2/vaultwarden_error.log
        CustomLog /var/log/apache2/vaultwarden_access.log common
</VirtualHost>
<VirtualHost *:443>
        ServerName passwords.<some domain>

        ProxyRequests Off
        ProxyPreserveHost On
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s


        ProxyPass / http://localhost:50584/ upgrade=websocket
#        ProxyPassReverse / http://passwords.<some domain>/

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/passwords.<some domain>/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/passwords.<some domain>/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/passwords.<some domain>/chain.pem


        ErrorLog /var/log/apache2/vaultwarden_error.log
        CustomLog /var/log/apache2/vaultwarden_access.log common
</VirtualHost>
  • MySQL/MariaDB or PostgreSQL version: sqlite
  • Other relevant details:

Steps to reproduce

  1. Deploy vaultwarden as described.
  2. Open the web app and look at the network requests.

Expected behaviour

Getting 101 as response on the wss:// requests

Actual behaviour

Getting 404 as response on the wss:// requests

Troubleshooting data

relevant vaultwarden log:

vaultwarden  | [2024-04-11 14:13:18.074][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
vaultwarden  | [2024-04-11 14:13:18.074][vaultwarden::api::notifications::_][WARN] Request guard `rocket_ws :: WebSocket` is forwarding.
vaultwarden  | [2024-04-11 14:13:18.074][rocket::response::responder::_][WARN] Response was `None`.
vaultwarden  | [2024-04-11 14:13:18.074][rocket::server::_][WARN] Responding with registered (not_found) 404 catcher.
vaultwarden  | [2024-04-11 14:13:18.074][response][INFO] (web_files) GET /<p..> [10] => 404 Not Found

relevant apache2 log

<ip> - - [11/Apr/2024:13:51:47 +0000] "GET /notifications/hub?access_token=<token> HTTP/1.1" 404 3783

Workaround

As a workaround I added the following lines to my Apache VirtualHost conf:

# WebSocket proxying
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /notifications/hub(.*) ws://localhost:50584/notifications/hub$1 [P,L]
Reference: starred/vaultwarden#1894