Client crashes when trying to use Send with file attachment

[tomashora]

Hello everyone,

we are having an issue when trying to Send a file using any client (dekstop, browser addon, vaultwarden web). Using send with only text works ok. It seems to be somewhere on the path: client - cloudflare proxy - nginx proxy - vaultwarden, because if I try it using different access (client - caddy proxy - vaultwarden) it work as expected.

Could this be related to cloudflare proxy or a mistake in the nginx config? Any hints are highly appretiated!

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}


server {
    listen 80;
    server_name pass.my.domain;
    server_tokens off;

    root /var/www;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log  /var/log/nginx/${host}_access.$logfile_date.log;
    error_log  /var/log/nginx/${host}_error.$logfile_date.log;
}

server {
    listen 443 ssl;
    server_name pass.my.domain;
    server_tokens off;

    root /var/www;

    ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

    ssl_client_certificate /etc/nginx/conf.d/cloudflare/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    set_real_ip_from  0.0.0.0/0;
    set_real_ip_from ::/0;
    real_ip_header CF-Connecting-IP;

    location /admin {
        deny all;
        return 403;
    }

    location / {
        proxy_pass  http://A.B.C.D/;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    Upgrade             $http_upgrade;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Connection          $connection_upgrade;
        proxy_http_version 1.1;
    }

    access_log  /var/log/nginx/${host}_access.ssl.$logfile_date.log;
    error_log  /var/log/nginx/${host}_error.ssl.$logfile_date.log;
}

[stefan0xC]

My guess given that config would be that you need to set client_max_body_size 500M; because that defaults to 1m.

[tomashora]

@stefan0xC thanks for hint! Unfortunately it still behaves the same after adding it both to server a location sections...

[tomashora]

Seems to be related to Cloudflare Proxy or its WAF policies. If skip CF by modifying hosts file (setting the server IP) it works as expected.

[tomashora]

@stefan0xC it was due to the cloudflare waf rule identifying the request as CVE-2020-13443. Needed to create a WAF rule to skip it. Now works ok. Thanks!

[anxo-outeiral]

For those having the same issue:

I tried the suggested Cloudflare WAF rules to skip /api/sends/ and CVE-2020-13443, but it didn't work for me. I'm on Cloudflare Free.

The logs show the classic pattern — the POST to /api/sends/file/v2 returns 200 OK, but then the send is immediately deleted:

vaultwarden | [2026-06-19 11:25:28.312][request][INFO] POST /api/sends/file/v2
vaultwarden | [2026-06-19 11:25:28.327][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK
vaultwarden | [2026-06-19 11:25:29.958][request][INFO] DELETE /api/sends/ed2e239c-4752-4eb1-aae8-08a0bb6b7f2c
vaultwarden | [2026-06-19 11:25:29.973][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK

The second POST (the actual file upload to /api/sends//file/<file_id>) never happens — it gets blocked somewhere before even reaching Vaultwarden.

Even with the available skip options configured, the issue persisted. The only solution that worked was disabling the Cloudflare proxy (orange cloud → grey cloud/DNS Only) on the subdomain.

If anyone has found a working solution that keeps Cloudflare proxy enabled, please share it. Thanks!