This issue was moved to a discussion.

Admin panel login redirect #1040

Closed
SinTh0r4s opened this issue Jul 2, 2020 · 12 comments

@SinTh0r4s

Subject of the issue

Hi,
I am using a Bitwarden_RS instance on my personal host behind an nginx reverse proxy for HTTPS. Let's Encrypt. All that good stuff. Now I am looking into hardening my installation before I go live. As part of that I configured my nginx to block every public access to the /admin/ subdirectory.

  location ~ /admin {
    deny all;
    return 403;
  }

This works as intended. If I try to access https://bitwarden.public.dns/admin I am greeted with a 403 warning. So far so good.

I am still able to access the admin panel locally by accessing https://bitwarden.local/admin. Now I enter my token and press enter. Then I get redirected to https://bitwarden.public.dns/admin and receive a 403. If I change the address to https://bitwarden.local/admin again I can use the admin panel without problems.
The same thing happens when I log out of the admin panel (although it does not bother me in that case).

Is it possible to stop that redirecting to the public DNS after login? After all it is just for convenience.

Great project! Love it!
SinTh0r4s

My environment

@Mte90

Mte90 commented Jul 27, 2020

I have a similar problem.
Domain: https://dev.domain.tld/bitwarden/admin
After entering the password: https://dev.domain/admin

@wcjxixi

wcjxixi commented Oct 12, 2020

Incorrect nginx reverse proxy configuration:

  location ~ /admin {
    deny all;
    return 403;
  }

Replace with:

  location /admin {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:8443; #8443 is the host port your bitwarden_rs container is exposed to
  }

Reference: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples, Nginx (by shauder)
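
Added example, not part of the comment above or of the project's wiki: a variant of that location block that keeps proxying /admin but restricts it by client address instead of blocking it outright, so the same rule applies on every hostname this server block serves. The LAN range 192.168.1.0/24 is an assumption; 127.0.0.1:8443 is the upstream from the comment above.

```nginx
# Added example: /admin stays reachable through the proxy, but only from
# addresses on an assumed trusted range. Adjust 192.168.1.0/24 to your network.

# "^~" stops nginx from checking regex locations once this prefix matches,
# so another "location ~ ..." block cannot take over /admin requests.
location ^~ /admin {
    # Access phase: rules are checked in order, first match wins.
    allow 127.0.0.1;
    allow 192.168.1.0/24;   # assumption: trusted LAN range
    deny  all;              # every other client receives 403

    # No "return 403;" here: "return" runs in the rewrite phase, before
    # allow/deny are evaluated, and would reject the allowed clients too.

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:8443;  # upstream port taken from the comment above
}
```

allow and deny test the address nginx sees for the connection, so a client that arrives through NAT or another proxy is judged by that hop's address, not its own.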

@Mte90

Mte90 commented Oct 12, 2020

I have the issue with Apache, and as I can see in the wiki these parameters for nginx already exist.

@BlackDex
Collaborator

The redirect is done based upon the DOMAIN setting you have configured.
So, in the case where it redirects to a wrong place that value is configured wrong.
In the other case, I can understand the multi-tld stuff. I could look into using the actual host for this instead of the configured DOMAIN.

@Mte90

Mte90 commented Oct 12, 2020

In my case it is a multihost installation in a subfolder and the domain is configured right.

@BlackDex
Collaborator

But with multi host you can only configure one host/domain in the config. And that is where the Redirect is pointing you to.

@BlackDex
Collaborator

Closing this ticket because of inactivity.
Feel free to continue this discussion on the forum: https://bitwardenrs.discourse.group/

@Mte90

Mte90 commented Nov 18, 2020

I still have the issue, so I don't know how to keep the discussion moving on as the problem persists.

@BlackDex
Collaborator

Well, I have tested this myself just now, and I can't reproduce this issue.
I tested this with nginx and it works without any strange redirect issues.

Also, I saw that there was no example for nginx available at the Proxy Examples, so I added this.
Please see: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples -> Nginx with sub-path (by BlackDex)

@Mte90

Mte90 commented Nov 19, 2020

In my case the TLD was missing in the settings so I fixed it but the admin is like this:
[screenshot: Screenshot_20201119_155358]

I am using "Apache in a sub-location" setting.

@BlackDex
Collaborator

@Mte90 did you also add the correct sub-path into the DOMAIN variable? So like https://my-domain.tld/bitwarden/?

@blackw1ng

blackw1ng commented Mar 5, 2021

Hey, to continue on that one..

I used the apache2-sublocation stencil from the wiki - which does not mention DOMAIN.
In case I do not set this env, I can get the /bitwarden/ working :)

However /bitwarden/admin/ does not really work.
First of all, it tries to load resources from /bwrs_static/.

A simple RewriteRule ^/bwrs_static/(.*) /bitwarden/bwrs_static/$1 [R=302,L] fixes at least the layout.

Entering the correct password results in first a POST (with a set token), next a 303, then again a GET on the /bitwarden/admin - so no login happens :(
In case an incorrect password is entered, the yellow banner appears - so at least it seems that the token is verified.

Setting DOMAIN="https://xyz/bitwarden/admin" or DOMAIN="https://xyz/bitwarden/admin/" results in a 404 from rocket...

Repository owner locked and limited conversation to collaborators Mar 6, 2021
