Healthcheck fails if vaultwarden installed in subfolder with domain_path set

[sataris]

Subject of the issue

Using portainer I can see that the healthcheck is failing.

This may be a configuration issue on my end but it doesn't feel like it.

In my scenario I have bitwarden installed in a subfolder (https://domain.com/bitwarden) with yubikey authentication enabled.

The only way I could get the yubikey authentication to work correctly was to ensure that DOMAIN in the config,json contained only the domain eg. "domain": "https://domain.com/" and not the subfolder as noted in #925 and fixed in #927

I was able to work out the health check fails if vaultwarden is hosted on a subfolder, the "domain_path" key is set, and the "domain" key does not contain the subfolder.

This causes the health check to fail as /healthcheck.sh will return http://localhost:80/alive as the healthcheck url

I have gotten around this in my installation by taking the domain_path variable from the config.json so my healthcheck url is http://localhost:80/${domain_path}/alive

I can do a PR if you wish, but the healthcheck script could become a mess with having to deal with paths in both domain and domain_path keys 😄 (and I'm not sure if i'd break anything else)

Deployment environment

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.22.2
• Web-vault version: v2.21.1
• Running within Docker: true
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.35.4
• Clients used:
• Reverse proxy and version: Nginx
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "*****",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "******/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******.***",
  "domain_origin": "*****://******.***",
  "domain_path": "/****",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": false,
  "helo_name": null,
  "hibp_api_key": "*******",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Bitwarden_RS",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "WARN",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "******.***",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*******@******.***",
  "smtp_from_name": "*** ***",
  "smtp_host": "****.******.***",
  "smtp_password": "******",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*******@******.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "67046",
  "yubico_secret_key": "*******",
  "yubico_server": null
}

Steps to reproduce

Install vaultwarden on a subfolder

enable yubikey on an account

set DOMAIN to a FQDN without a subfolder (http://abc.com/)
set DOMAIN_PATH to the subfolder (/bitwarden)

Healthcheck.sh will return http://localhost:80/alive (and fail) and Yubikey will authenticate

I'm raising this because I don't want to choose between yubikey authentication and the healthcheck

Expected behaviour

Healthcheck.sh should build the correct healthcheck url when domain and domain_path are specified in config.json

Actual behaviour

Healthcheck sh returns 404 not found and completely disregards the setting of domain_path.

Troubleshooting data

[jjlin]

You probably need the fix in #1950. It is in the testing images, but hasn't made it into a release yet.

[BlackDex]

@sataris, i see you mentioned that you modified the config.json manually. This is not the recommend way, and this also causes the issue you have. From the output i see that the DOMAIN variable does not have the path configured, which is what you need to do.

Those other values for the domain are auto generated and non-editable. Since you did this manually, it breaks the config, and thus the health check.

Either use env variables, or change the config via the admin interface.

[sataris]

@sataris, i see you mentioned that you modified the config.json manually. This is not the recommend way, and this also causes the issue you have. From the output i see that the DOMAIN variable does not have the path configured, which is what you need to do.

Those other values for the domain are auto generated and non-editable. Since you did this manually, it breaks the config, and thus the health check.

Either use env variables, or change the config via the admin interface.

At the moment I need the webauthn to function more than I need the healthcheck to pass.

I'll wait for the fix in #1950 and then reconfigure bitwarden.

Thanks!

[BlackDex]

Well you need both, and the correct config, and that patch.
You can run the testing image which had that patch already.