Websockets doesn't appear to be working #2099

Closed
opened 2025-10-09 17:45:34 +03:00 by OVERLORD · 2 comments

Originally created by @rcdailey on GitHub.

I have websockets enabled. To verify if websockets is working, I perform these steps:

  1. Create an item in my vault via the web application for Bitwarden_rs
  2. Wait a few seconds, check the vault on my Android device using the official Bitwarden app. The item does not appear when I search for it.

If I go to settings and manually sync on the Android Bitwarden app, and then perform the search for the item in the vault I created, I do see it. However, a manual sync should not be required, correct?

Here is my reverse proxy configuration. Note I am using NGINX:

```nginx
server {
    listen 443 ssl http2;
    server_name bitwarden.example.com;
    client_max_body_size 0;
    resolver 127.0.0.11 valid=30s;

    include /config/nginx/ssl.conf;
    include /config/nginx/proxy.conf;

    set $upstream_bitwarden http://bitwarden;

    location / {
        proxy_pass $upstream_bitwarden:10080;
    }

    location /notifications/hub {
        proxy_pass $upstream_bitwarden:3012;
    }

    location /notifications/hub/negotiate {
        proxy_pass $upstream_bitwarden:10080;
    }
}
```

Contents of `/config/nginx/ssl.conf`:

```nginx
# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;

# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

# protocols
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
```

Contents of `/config/nginx/proxy.conf`:

```nginx
# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Allow websockets on all servers
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Ssl on;
```

To ensure websockets work across all applications supported by my reverse proxy, I have the following in my `http` block in NGINX:

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
```

The map above correlates to the `proxy.conf` file above.

My `docker-compose.yml` is as follows (for security reasons, some parts are redacted):

```yaml
version: '3.7'

services:
  app:
    image: mprasil/bitwarden
    restart: unless-stopped
    user: $UID:$GID
    networks:
      reverse_proxy:
        aliases:
        - bitwarden
    volumes:
    - ./data:/data
    - /etc/timezone:/etc/timezone:ro
    environment:
    - TZ=America/Chicago
    - ADMIN_TOKEN=<redacted>
    - ROCKET_PORT=10080
    - LOG_LEVEL=warn
    - DATA_FOLDER=/data
    - DOMAIN=https://bitwarden.example.com
    - YUBICO_CLIENT_ID=<redacted>
    - YUBICO_SECRET_KEY=<redacted>
    - WEBSOCKET_ENABLED=true

networks:
  reverse_proxy:
    external: true
    name: reverse_proxy
```

I do believe that my nginx configuration is correct here. Is there a bug causing websockets to not work, or is my configuration wrong?


@rcdailey commented on GitHub:

Thanks for explaining. Looks like the issue is that the mobile applications hard code the push notification server URL and you're not able to inject into that system. Do you recommend adding suggestions for solutions to this problem on #246? I'll go ahead and close this one out.


@dani-garcia commented on GitHub:

Websockets don't apply to the mobile clients; those require push notification support (look at #126 for the reasons why it isn't implemented).

To check that websocket support works, you'll need to use either the web vault, the desktop client or the browser extensions.

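A way to check the proxy half of the setup directly, independent of any client: send a raw WebSocket upgrade request for `/notifications/hub` through nginx and see whether the reply is a proper `101 Switching Protocols` with a `Sec-WebSocket-Accept` that matches the key we sent (RFC 6455 §4.2.2). If nginx is not forwarding `Upgrade`/`Connection` (missing `proxy_http_version 1.1` or the `map` block), the upstream sees a plain GET and answers with an ordinary status code instead of 101. This is an added example written for this thread, not code from vaultwarden or from either commenter; the hostname and the sample responses are constructed, and the script only checks that the upgrade is forwarded, it does not authenticate to the hub.

```python
"""Probe a reverse proxy for a correct WebSocket upgrade on the
vaultwarden notifications hub path (added example, not project code)."""
import base64
import hashlib
import os
import socket
import ssl

# Fixed GUID every WebSocket server concatenates to the client key (RFC 6455).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a conforming server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal HTTP/1.1 upgrade request; these are the headers nginx must forward."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code, {lower-case header name: value}) from a response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose(raw: bytes, key: str) -> str:
    """Classify a proxy reply as 'ok' or a short reason the upgrade did not happen."""
    status, headers = parse_response(raw)
    if status != 101:
        # Typical symptom of nginx dropping Upgrade/Connection: the upstream
        # treats the request as a normal GET and answers 200/400/404.
        return f"no-upgrade (HTTP {status}); check Upgrade/Connection headers and the map block"
    if headers.get("upgrade", "").lower() != "websocket":
        return "101 without 'Upgrade: websocket' header"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad Sec-WebSocket-Accept; the reply did not come from a WebSocket server"
    return "ok"


def probe(host: str, path: str = "/notifications/hub", port: int = 443,
          timeout: float = 5.0) -> str:
    """Send the handshake over TLS to the proxy and diagnose the first reply."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, key))
            raw = tls.recv(4096)
    return diagnose(raw, key)


# Constructed sample replies, using the RFC 6455 example key, so the
# classifier can be exercised offline without a live server.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_OK = (b"HTTP/1.1 101 Switching Protocols\r\n"
             b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
             b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_NO_UPGRADE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("sample ok      ->", diagnose(SAMPLE_OK, SAMPLE_KEY))
    print("sample dropped ->", diagnose(SAMPLE_NO_UPGRADE, SAMPLE_KEY))
    # Against a real deployment (hostname is a placeholder):
    # print(probe("bitwarden.example.com"))
```

Running `probe()` against the proxy host exercises exactly the `location /notifications/hub` block and the `map $http_upgrade $connection_upgrade` in the configuration above; a reply of `ok` means the upgrade was forwarded end to end, while `no-upgrade (HTTP ...)` points at the proxy rather than at the client. As the reply in this thread notes, a passing probe still says nothing about the mobile apps, which never use this path.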

Reference: starred/vaultwarden#2099