NGINX log / 400 error after unlock vault

[alialAGR]

Subject of the issue

After unlocking Vault, NGINX access log shows error 400 token access request like:
10.122.15.177 - - [23/Jun/2022:16:52:48 +0200] "GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJuYmYiOjE2NTU5OTU5NjUsImV4cCI6MTY1NjAwMzE2NSwiaXNzIjoiaHR0cHM6Ly9iaXR3YXJkZW4uc2FuZGV0ZWwuaW50fGxvZ2luIiwic3ViIjoiZTU0NzQ4M2QtOTY4Yy00ZmQ5LWFlMjEtY2FkZmRjNWI2MDEyIiwicHJlbWl1bSI6dHJ1ZSwibmFtZSI6IkFsZWphbmRybyBHb256w6FsZXoiLCJlbWFpbCI6ImFyZWF0aWMuYWRtLnNhbmRldGVsQGp1bnRhZGVhbmRhbHVjaWEuZXMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwib3Jnb3duZXIiOlsiMjhiYTJmYzUtOTI0ZS00OWI0LWFkYTctMTgyZGEwZWRhMDk0IiwiOGUwM2RkYzItNWM2Yi00MTE3LWEzMTgtZGQ1MTZmMzcwN2M4IiwiOTAyYmJjMTQtM2NiMy00OTk5LTg5OTYtNzk2MjM0NDI0ZTUyIiwiZTdkMjc2ODUtM2ZjMy00MjFjLWIwOWMtNWI2NmZjNGFiNTVhIl0sIm9yZ2FkbWluIjpbXSwib3JndXNlciI6W10sIm9yZ21hbmFnZXIiOltdLCJzc3RhbXAiOiIzYjk5N2YzMS1lZGM1LTQ2ODEtOWVhMy02YjFkZDMwYmUwYWQiLCJkZXZpY2UiOiI4ZTZhODZiNS0yMjNhLTRhMDYtYTI0YS00YzYxZWMxNDRkNTgiLCJzY29wZSI6WyJhcGkiLCJvZmZsaW5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljYXRpb24iXX0.3mAOCUqOEwPn7UOo4psWtzLxHe3g5g7MmGpfF7FeV8CGFQNko4TzOVN5fWpmF9yb1anHzejglSAuGIp5Z-I5-O2xDYr-wqVgygkw3uq80WbkoC3tFO5il3xGmUhkXTWKq60DwRSGuoO3YkTmsbEzDtHjMAA6Mamd0S0GG6NfhZwVhto0rwg7UcD9Y3XQaJTsktdMEQQa_assa1NglJ7RYxvkM-i1PQg-E5iIDN6SukMWLK0dhRcmrTtNdoreN5lX1KCMaKVUNDZugKfWL6KoVvqSAEDpz_xarCDGvbLTmB00LFZENJDpnhHS3DoMnfZ2qxQt_iMDGQ2XMKjUJPMOuA HTTP/1.1" 400 2 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"

(token changes everytime you unlock vault))

Deployment environment

• vaultwarden version: 1.25.0 (vault 2.28.1 )

• Install method: Docker in RHEL 8.5

• Clients used: Web: Mozilla / Chrome / Brave (over Ubuntu 22.04)

• Reverse proxy and version: True

• MySQL/MariaDB or PostgreSQL version:
  mysql Ver 15.1 Distrib 10.4.22-MariaDB, for Linux (x86_64) using EditLine wrapper

• Other relevant details: nginx version: nginx/1.16.1

Steps to reproduce

When Vault is locked, after validating master pass, I can work whith Vaultwarden, but I notice that apears token / error 400 in NGINX's access.log

Expected behaviour

I understand that kind of request are errors

Actual behaviour

Troubleshooting data

[BlackDex]

Looks like you didn't configured the reverse proxy correctly.
See: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples

You have websockets enabled, but not configured in the correct way, that causes the 400.

[alialAGR]

Thanks so much. I'll check the config file.

[ShlomiD83]

@BlackDex I started getting the same errors as mentioned above.
I don't quite undterstand what I need to add NPM's advanced config.

can you please give me an example?

[BlackDex]

Examples are in the link of my previous post.

[ShlomiD83]

Examples are in the link of my previous post.

I saw that but I'm using an advanced config with Authelia. didn't know what I should add.
I think I've solved my problem by adding a custom location to the proxy host and mapping WS ports.

[BlackDex]

Authelia could cause issues. But i have no actuall experience my self with it.

[ShlomiD83]

@BlackDex
how about this error? I'm just loading the Admin page and see this error in the logs..

2023-04-03T08:11:21.023220490Z [2023-04-03 11:11:21.022][vaultwarden::api::admin::][WARN] Request guard AdminToken failed: "Unauthorized".
2023-04-03T08:11:21.023255545Z [2023-04-03 11:11:21.023][rocket::server::][WARN] Responding with registered (admin_login) /admin 401 catcher.
2023-04-03T08:11:21.024338780Z [2023-04-03 11:11:21.024][response][INFO] (admin_page) GET /admin/ => 401 Unauthorized

[kpfleming]

When you refer to 'NPM logs' what exactly are you looking at? NPM (the Node package manager) isn't generally used while a service is running.

[stefan0xC]

How does your failregex look? Because fail2ban should only ban actual attempts like

[2023-04-03 11:39:29.882][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.12.34

Either improve that so it's more specific like the example from the wiki page or if that is not possible, maybe you could add an appropriate ignoreregex.

[ShlomiD83]

How does your failregex look? Because fail2ban should only ban actual attempts like

[2023-04-03 11:39:29.882][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 192.168.12.34

Either improve that so it's more specific like the example from the wiki page or if that is not possible, maybe you could add an appropriate ignoreregex.

[INCLUDES]

[Definition]

failregex = ^.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ [Client ] [Length .+] ".+" .+$

that's my Fail2ban filter file.

[ShlomiD83]

When you refer to 'NPM logs' what exactly are you looking at? NPM (the Node package manager) isn't generally used while a service is running.

fail2ban monitors these logs:
logpath = /log/npm/default-host_access.log
/log/npm/proxy-host-_access.log
/log/npm/proxy-host-_error.log

[ShlomiD83]

I've managed to add an "ignoreregex" to ignore 401 warnings in the logs but failed login attempts to the admin page are also logged as 401 while failed login attempts to the web vault are logged as 400.

so I don't get banned but so will everyone who'll try to brute force my admin page (assuming that he'll het through Authelia's 2FA).