Secure Admin URL

[sonoracomm]

I was unable to find a solution by searching (re: Vaultwarden and NPM solutions) and I apologize if I missed something obvious.

I'm using Docker and Nginx Proxy Manager. All seems to be working very well, but I'm trying to increase security after the fact. I'm new to both Docker and NPM, so this is probably my real problem!

I would like to limit access to the /admin (sub) URL by IP address...because that's how I have done things in the past.

In the past, I have used .htaccess files to limit access to subfolders. If this is a good way to secure the Vaultwarden /admin location, can someone please tell me where that should be located?

Nginx Proxy Manager may have the functionality I'm looking for, but my attempts have all failed (proxy host offline).

This is approximately what I'm looking for:

location /admin {
  Allow 192.168.1.0/24;
  Allow 10.0.1.0/24;
  Deny All;
  }

Can someone point me in the right direction?

Thanks in advance,

G

[BlackDex]

See https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples

[sonoracomm]

Thank you very much for that suggestion.

I had already seen that page and tried many things.

Based on you pointing me to the proxy (and simple logic), I just posted a similar question on the (Github) NPM forum as well.

I guess I was hoping there was a way to do this within Vaultwarden.

I also saw your recent implementation of rate limiting. That should help a lot! Maybe enough?

Thank you again, very much.
G

[Masgalor]

Is this still bothering you?

As you noticed yourself, proxying requests to another application (in this case vaultwarden) is fundamentally different from serving content with a webserver. This is why you cant use .htaccess files or similar.

You are right, the best way to achive this is to manage restrictions in your reverse-proxy.
I had to lookup what Nginx Proxy Manager is and if understand correctly, it is some docker shenanigan to have a visual editor for nginx config files. So I do not know if this a problem with that tool but in general nginx can do what you want.

The policies in your example are correct.
However, that location block is not valid as it is, but maybe it has to look like this within your managemant tool.
Is there some error we can work with?

[sonoracomm]

OK, I got this sorted.

What I wanted to do is protect an admin URL while leaving the web app publicly accessible. This should work with most apps.

With apps that have their admin interface on a different port (ex. Webmin on port 10000), I just don't expose the admin interface port in NPM. This example is for an app that just uses /admin (or something like that on port 80 or 443) to access the web admin interface. In general, it's best to never expose admin URLs to the Internet.

This worked for me running Vaultwarden on Docker (in DMZ and no NAT from LAN):

In NPM, starting with a working "proxy host", I added a "custom location" just pointing to port 80 (where the traffic went previously) :

/admin

(Everything should work just as before at this point, if you were to test it.)

Then I clicked the (custom location) gear icon where one enters custom configuration and entered:

allow 192.168.0.0/24;
deny all;

Now, I can access the /admin URL from my LAN, but not from outside.

If the web app is on a public host, you would use your external IP address instead of the (192.168.0.0/24) LAN address for the allow.

I hope that makes sense for anyone that finds this page.

Thanks much for the replies @Masgalor and @BlackDex!

G

[Disorganise]

Thanks @sonoracomm for documenting - I followed it and achieved the same result. 403 Forbidden from external, access granted internally. perfect

[mkopnsrc]

@sonoracomm this is how I'm doing in NPM GUI,

[skarpinis]

only worked with image: jc21/nginx-proxy-manager:github-pr-3478