Caddy proxy cannot login to vault when caddy heredoc respond is used #289

Closed
opened 2025-10-09 16:20:50 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @Korel on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.7
  • Web-vault version: v2024.6.2c
  • OS/Arch: linux/aarch64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 17.2 (Debian 17.2-1.pgdg120+1) on aarch64-unknown-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
  • Environment settings overridden!: false
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: false
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://***************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*********************",
  "domain_origin": "****://*********",
  "domain_path": "************",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7

Deployment method

Official Container Image

Custom deployment method

I deployed it using docker-compose. Here is a reproducing example (tried to keep it minimal):
compose.yaml

services:
  postgres:
    image: postgres:latest
    restart: unless-stopped
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: password
      POSTGRES_DB: vaultwarden

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    ports: 
      - 8080:80 # to debug
    environment:
      DATABASE_URL: postgresql://user:password@postgres:5432/vaultwarden
      DOMAIN: http://localhost/vaultwarden
      ADMIN_TOKEN: eh9jQgDRClRZKWrDkrMTIIBI62colVJufQTzobU244Br0xg7rZK0Cn9QkIWLl8MP
      I_REALLY_WANT_VOLATILE_STORAGE: true

  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile

Caddyfile

{
	log {
		output stdout
		level INFO
	}
}

# Handle HTTP requests for domains (assuming your domain is korel.ignorelist.com)
http://localhost {
	# Vaultwarden reverse proxy
	route /vaultwarden/* {
		reverse_proxy vaultwarden:80 {
			header_up X-Real-IP {remote_host}
			header_down Cache-Control no-cache
		}
	}

	header Content-Type text/html
	respond /somepath 200 {
		body <<HTML
			<head>
				<title>Links</title>
			</head>
			<body>
				<h1>Links</h1>
				<ul>
					<li><a href='/link1'>link1</a></li>
					<li><a href='/link2'>link2</a></li>
				</ul>
			</body>
			</html>
			HTML
	}
}

Reverse Proxy

caddy 2.8.4

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04

Clients

Web Vault, Browser Extension

Client Version

Firefox Version 133.0.3

Steps To Reproduce

Use the example deployment.
Create an account in vaultwarden
Try to log in

Expected Result

Should be able to log in successfully

Actual Result

Cannot login, response says username or password is wrong.

If you remove the heredoc respond in the Caddyfile, then the reverse proxy can log in this time. So the below Caddyfile (just the vaultwarden proxy part) works:

{
	log {
		output stdout
		level INFO
	}
}

# Handle HTTP requests for domains (assuming your domain is korel.ignorelist.com)
http://localhost {
	# Vaultwarden reverse proxy
	route /vaultwarden/* {
		reverse_proxy vaultwarden:80 {
			header_up X-Real-IP {remote_host}
			header_down Cache-Control no-cache
		}
	}

	# header Content-Type text/html
	# respond /somepath 200 {
	# 	body <<HTML
	# 		<head>
	# 			<title>Links</title>
	# 		</head>
	# 		<body>
	# 			<h1>Links</h1>
	# 			<ul>
	# 				<li><a href='/link1'>link1</a></li>
	# 				<li><a href='/link2'>link2</a></li>
	# 			</ul>
	# 		</body>
	# 		</html>
	# 		HTML
	# }
}

Logs

No response

Screenshots or Videos

No response

Additional Context

Works on Android client for some reason...
I think it's a weird problem and I don't know if it is a caddy or vaultwarden issue. I tried to narrow the problem down from a longer Caddyfile and saw the problem happening after I readded the respond part.

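A scoped variant of the reporter's Caddyfile, added here as an example; it is not part of the original report and not configuration shipped by the Vaultwarden or Caddy projects. It rests on one assumption that the report does not confirm: that the unscoped `header Content-Type text/html` line, not the heredoc itself, is what breaks the login. With no path matcher, `header` applies to every response the site emits, including the proxied JSON replies from Vaultwarden, so the web vault receives a login response labelled as HTML and reports it as a failed login, while a client that ignores the header still works. Putting the static page in its own `handle` block scopes both the header and the heredoc `respond` to `/somepath`, keeping the heredoc and leaving the proxied responses untouched. `/somepath`, `korel.ignorelist.com` and the upstream `vaultwarden:80` are taken from the report; everything else is illustrative.

```caddyfile
{
	log {
		output stdout
		level INFO
	}
}

# Handle HTTP requests for domains (assuming your domain is korel.ignorelist.com)
http://localhost {
	# Vaultwarden reverse proxy: nothing here rewrites the upstream Content-Type,
	# so the JSON replies from /vaultwarden/api/... reach the client unchanged.
	handle /vaultwarden/* {
		reverse_proxy vaultwarden:80 {
			header_up X-Real-IP {remote_host}
			header_down Cache-Control no-cache
		}
	}

	# Static links page: the header directive now lives inside a path-scoped
	# handle block, so only /somepath is served as text/html.
	handle /somepath {
		header Content-Type text/html
		respond 200 {
			body <<HTML
			<html>
			<head>
				<title>Links</title>
			</head>
			<body>
				<h1>Links</h1>
				<ul>
					<li><a href='/link1'>link1</a></li>
					<li><a href='/link2'>link2</a></li>
				</ul>
			</body>
			</html>
			HTML
		}
	}
}
```

To confirm which variant you are running, request a JSON endpoint through the proxy (for example `curl -i http://localhost/vaultwarden/api/config`) and read the `Content-Type` header: with the unscoped directive it comes back as `text/html` (or with a second, conflicting value), with the scoped version it is the `application/json` that Vaultwarden sent. The same check is worth keeping in mind for any site-wide `header` line in front of an API, since the symptom shows up as an authentication error rather than as a proxy error.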
OVERLORD added the bug label 2025-10-09 16:20:50 +03:00

Reference: starred/vaultwarden#289