starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-02-05 00:29:40 +03:00
Code Issues 32 Packages Projects Releases 10 Wiki Activity

DUO redirection after 2FA does not redirect to the subpath with 1.32.0 #2001

New Issue
Closed
opened 2026-02-05 02:31:23 +03:00 by OVERLORD · 1 comment
OVERLORD commented 2026-02-05 02:31:23 +03:00
Owner
Copy Link

Originally created by @kilaketia on GitHub (Aug 14, 2024).

Subject of the issue

After 2FA verification is done, DUO redirect us to https://fqdn/duo-redirect-connector.html instead of https://fqdn/subpath/duo-redirect-connector.html.

Deployment environment

  • vaultwarden version: 1.32.0

  • Install method: Docker

  • Clients used: web vault

  • Reverse proxy and version: NGINX 1.22.1-9

  • MySQL/MariaDB or PostgreSQL version: MariaDB

  • Other relevant details:

Steps to reproduce

Try to login with DUO 2FA, with Vaultwarden accessible from a sub path only, using the old interface or the universal prompt of DUO.

Expected behaviour

User should be redirected to https://fqdn/subpath/duo-redirect-connector.html after 2FA verification with DUO.

Actual behaviour

User is redirected to https://fqdn/duo-redirect-connector.html and receive a 404 error.

Troubleshooting data

Vaultwarden is configured with domain as "https://fqdn/vault/".

NGINX configuration :

upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8080;
  keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
        listen 443 ssl http2;
        server_name vault.mydomain.com;
        ssl_certificate /etc/ssl/private/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
        client_max_body_size 128M;

        access_log /var/log/nginx/vault.access.log;
        error_log /var/log/nginx/vault.error.log warn;
        add_header X-Robots-Tag "none";

         location /vault/ {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        	proxy_pass http://vaultwarden-default;
        }

        location /vault/admin {
                allow 192.168.1.0/24;
                deny all;

                proxy_http_version 1.1;
                proxy_set_header "Connection" "";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://vaultwarden-default;
        }

        proxy_connect_timeout       777;
        proxy_send_timeout          777;
        proxy_read_timeout          777;
        send_timeout                777;
}

server {
        listen 80;
        server_name vault.mydomain.com;
        return 301 https://$host$request_uri;
}

Temporary fix :

 location / {
                rewrite ^/duo-redirect-connector.html$ /vault/duo-redirect-connector.html?$args permanent;
}
Originally created by @kilaketia on GitHub (Aug 14, 2024). ### Subject of the issue After 2FA verification is done, DUO redirect us to https://fqdn/duo-redirect-connector.html instead of https://fqdn/subpath/duo-redirect-connector.html. ### Deployment environment * vaultwarden version: 1.32.0 * Install method: Docker * Clients used: web vault * Reverse proxy and version: NGINX 1.22.1-9 * MySQL/MariaDB or PostgreSQL version: MariaDB * Other relevant details: ### Steps to reproduce Try to login with DUO 2FA, with Vaultwarden accessible from a sub path only, using the old interface or the universal prompt of DUO. ### Expected behaviour User should be redirected to https://fqdn/subpath/duo-redirect-connector.html after 2FA verification with DUO. ### Actual behaviour User is redirected to https://fqdn/duo-redirect-connector.html and receive a 404 error. ### Troubleshooting data Vaultwarden is configured with domain as "https://fqdn/vault/". NGINX configuration : ``` upstream vaultwarden-default { zone vaultwarden-default 64k; server 127.0.0.1:8080; keepalive 2; } map $http_upgrade $connection_upgrade { default upgrade; '' ""; } server { listen 443 ssl http2; server_name vault.mydomain.com; ssl_certificate /etc/ssl/private/cert.pem; ssl_certificate_key /etc/ssl/private/key.pem; client_max_body_size 128M; access_log /var/log/nginx/vault.access.log; error_log /var/log/nginx/vault.error.log warn; add_header X-Robots-Tag "none"; location /vault/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } location /vault/admin { allow 192.168.1.0/24; deny all; proxy_http_version 1.1; proxy_set_header "Connection" ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } proxy_connect_timeout 777; proxy_send_timeout 777; proxy_read_timeout 777; send_timeout 777; } server { listen 80; server_name vault.mydomain.com; return 301 https://$host$request_uri; } ``` Temporary fix : ``` location / { rewrite ^/duo-redirect-connector.html$ /vault/duo-redirect-connector.html?$args permanent; } ```
OVERLORD added the bug label 2026-02-05 02:31:23 +03:00
OVERLORD commented 2026-02-05 02:32:38 +03:00
Author
Owner
Copy Link

@GeorgeCastanza commented on GitHub (Aug 15, 2024):

I suspect this is my issue too. When I login, the cloudflare tunnel is not redirecting properly (I guess??) and it's forwarding to my router page, not my vw instance.

Edit: login via email code does work.

@GeorgeCastanza commented on GitHub (Aug 15, 2024): I suspect this is my issue too. When I login, the cloudflare tunnel is not redirecting properly (I guess??) and it's forwarding to my router page, not my vw instance. Edit: login via email code **does** work.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
troubleshooting
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#2001
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?