"SIGNUPS_ALLOWED: false" is not working on raspberry pi #721

Closed
opened 2026-02-04 22:20:52 +03:00 by OVERLORD · 2 comments

Originally created by @FastHogi on GitHub (Jun 9, 2020).

First of all, thank you for this great project. Bitwarden_rs is running perfectly on my Pi2. Keep up your great work. This is my first post here, so please be patient.

Subject of the issue

I wanted to harden my bitwarden_rs on my pi and I followed your Hardening Guide. By the way, thanks for the perfect wiki documentation of all security aspects. I set "signups_allowed" to false in the admin panel and also with the alternative way with the env variable. But both ways do not hide the "Create Account" button in the web vault.

I already have 2 users created successfully. I mention this, because I read in the doc somewhere, that with no users created at first, the button is always visible to be able to create at least 1 user. I want to use bitwarden only for my family and don't need any additional user accounts.

I also installed and set up fail2ban, which I tested successfully. I'm receiving email notifications with customized mail bodies and the banned IP's details from the bitwarden log. So it seems to be (relatively) safe right now.

Your environment

  • Bitwarden_rs version: 1.15.0-52ed8e4d
  • Bitwarden web vault version: 2.14.0
  • Install method: Docker image for the raspberry
  • Browsers used: Firefox and Edge
  • Reverse proxy and version: none
  • Version of mysql/postgresql: none
  • Other relevant information: latest and up-to-date 32-bit raspbian with kernel 5.4.44

Steps to reproduce

My config.json in /data looks like this:

[...]
"domain": "{removed-mydomain-here}",
"disable_icon_download": false,
"signups_allowed": false,
"signups_verify": true,
"signups_verify_resend_time": 3600,
"signups_verify_resend_limit": 6,
"invitations_allowed": false
[...]

I start the docker container like this:

docker run -d --name bitwarden \
  -e ROCKET_TLS='{certs="/ssl/live/{removed-mydomain-here}/fullchain.pem",key="/ssl/live/{removed-mydomain-here}/privkey.pem"}' \
  -e LOG_FILE=/data/bitwarden.log \
  -e TZ="Europe/Berlin" \
  -e SIGNUPS_ALLOWED=false \
  -e INVITATIONS_ALLOWED=false \
  -v /etc/letsencrypt/:/ssl/ \
  -v /bw-data/:/data/ \
  -p 4001:80 bitwardenrs/server:raspberry

Expected behaviour

In my expectation the "Create Account" button should not be visible when you set SIGNUPS_ALLOWED to false:

[Screenshot: grafik]

Relevant logs

"docker logs bitwarden" shows the following:

[WARNING] The following environment variables are being overriden by the config file,
[WARNING] please use the admin panel to make changes to them:
[WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED

But this is clear, because as I said I tried both ways at the same time and so the env variable setting will be overwritten with the setting in the config.json file (with the same "false" value). So, the env variable is recognized correctly, but has no effect. If I only use the config.json setting without the env variable, that warning is of course gone.
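The precedence shown in the log warning above (a key present in config.json wins over its environment variable), as an added example that is not part of the original issue or the project's code. The function names, the defaults (both taken as true) and the boolean parsing are assumptions; the sample config and environment are constructed to show the case that matters for hardening, where the file is weaker than the variable.

```python
import json

# Hardening-relevant keys from the issue. The defaults are assumptions:
# both are taken to be True when neither source sets them.
DEFAULTS = {"signups_allowed": True, "invitations_allowed": True}


def parse_bool(text):
    """Interpret an environment string as a boolean (assumed spelling: 'true')."""
    return text.strip().lower() == "true"


def effective_settings(config_json, env):
    """Resolve each key with the precedence the log warning describes:
    config.json first, then the environment variable, then the default."""
    config = json.loads(config_json)
    report = {}
    for key, default in DEFAULTS.items():
        env_name = key.upper()
        env_value = parse_bool(env[env_name]) if env_name in env else None
        if key in config:
            value, source = config[key], "config.json"
        elif env_value is not None:
            value, source = env_value, "environment"
        else:
            value, source = default, "default"
        from_file = source == "config.json"
        report[key] = {
            "value": value,
            "source": source,
            # The environment variable is set but has no effect.
            "env_overridden": from_file and env_value is not None,
            # Risky case: the operator asked for False, the file says True.
            "weaker_than_env": from_file and env_value is False and value is True,
        }
    return report


# Constructed sample: a config.json written earlier by the admin panel still
# allows signups, while the container is started with SIGNUPS_ALLOWED=false.
SAMPLE_CONFIG = '{"signups_allowed": true, "signups_verify": true}'
SAMPLE_ENV = {"SIGNUPS_ALLOWED": "false", "INVITATIONS_ALLOWED": "false"}

if __name__ == "__main__":
    for key, info in effective_settings(SAMPLE_CONFIG, SAMPLE_ENV).items():
        print(key, info)
```

With the values from this issue (both keys false in config.json and in the environment) every key reports `env_overridden` without `weaker_than_env`, which matches the harmless warning in the log.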


@jjlin commented on GitHub (Jun 9, 2020):

The Create Account button will still be there, but actually attempting to create an account should return an error. This is not something easily fixed since the web vault comes from upstream Bitwarden, and that's not a use case they designed for.


@FastHogi commented on GitHub (Jun 9, 2020):

I've checked it and you are right. I still was able to submit a new user form, but received an error that a new user creation is not allowed.

Same for the password hint. There is a config setting, but you can't hide it really. Confusing for a new beginner like me, but I understood your limited possibilities here.

Thanks for clarifying this.

Reference: starred/vaultwarden#721