Reverse Proxy + Rocket SSL #6432
Greetings, I plan to use Vaultwarden for a small company. Is my guess correct that this kind of setup has security issues because the master password is transmitted unencrypted between proxy -> vaultwarden?
Replies: 2 comments 1 reply
The password is never sent unencrypted. It's hashed by the clients before it is sent to the server. Then Vaultwarden stores this hashed password in the database by first hashing it again, currently using PBKDF2 600.000. The only password which is sent unencrypted is the Vaultwarden Admin backend (/admin) password, but any sys-admin can adjust that anyway. If you want to rule out any MITM between the reverse proxy and Vaultwarden, you could add a self-signed cert which lives very long to Vaultwarden, and configure the reverse proxy to accept that cert and connect to Vaultwarden via SSL.

Thanks for your quick reply.
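The answer above says the client hashes the master password before it leaves the device and that the server re-hashes what it receives before storing it. The following is an added illustration of that two-stage scheme, not code from Vaultwarden or the Bitwarden clients: the client-side derivation is modelled on the Bitwarden client (PBKDF2-SHA256 with the e-mail as salt to get a master key, then one more PBKDF2 round over that key with the password as salt), the 600,000 iteration counts on both sides are taken from the discussion and the server-side salting is an assumption. The e-mail and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration counts are assumptions for this illustration (the reply above
# mentions PBKDF2 600.000 on the server side); they are not read from any
# Vaultwarden configuration.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 600_000


def client_master_key(password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Master key derived on the client; it is used to unlock the vault and
    never leaves the device. Salt is the normalised e-mail address."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                               dklen=32)


def client_password_hash(password: str, email: str,
                         iterations: int = CLIENT_ITERATIONS) -> str:
    """The only password-derived value that is transmitted to the server:
    one PBKDF2 round over the master key, salted with the password itself."""
    key = client_master_key(password, email, iterations)
    sent = hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1, dklen=32)
    return base64.b64encode(sent).decode()


def server_store(client_hash: str, salt: Optional[bytes] = None) -> dict:
    """Server side (assumed design): re-hash the received value with a
    per-user random salt so a database leak does not expose login hashes."""
    salt = os.urandom(16) if salt is None else salt
    stored = hashlib.pbkdf2_hmac("sha256", client_hash.encode(), salt,
                                 SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored, "iterations": SERVER_ITERATIONS}


def server_verify(record: dict, client_hash: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash.encode(),
                                    record["salt"], record["iterations"],
                                    dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def wire_contains_password(client_hash: str, password: str) -> bool:
    """The question in the thread: does the transmitted value reveal the
    master password, either as text or inside the decoded bytes?"""
    raw = base64.b64decode(client_hash)
    return password in client_hash or password.encode() in raw


def demo():
    email = "alice@example.com"                 # constructed sample value
    password = "correct horse battery staple"   # constructed sample value
    sent = client_password_hash(password, email)
    record = server_store(sent)
    ok = server_verify(record, sent)
    wrong = server_verify(record, client_password_hash("not it", email))
    return sent, ok, wrong, wire_contains_password(sent, password)


if __name__ == "__main__":
    sent, ok, wrong, leaks = demo()
    print("transmitted:", sent)
    print("login ok:", ok, "| wrong password accepted:", wrong,
          "| password visible on the wire:", leaks)
```

What a proxy (or anyone between proxy and backend) sees is the base64 string returned by `client_password_hash`, which is why TLS termination at the proxy does not expose the master password itself; it does still expose a login credential that can be replayed, which is the remaining reason to encrypt the proxy-to-backend hop as the reply suggests.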
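To close the proxy-to-Vaultwarden gap the reply describes, the backend needs its own (long-lived, self-signed) certificate and the reverse proxy must be told to trust exactly that certificate. The configuration below is an added example, not taken from the Vaultwarden project: the `ROCKET_TLS` variable follows the syntax documented in the Vaultwarden wiki for enabling Rocket's built-in TLS, while the hostnames, ports, file paths and the certificate subject `vaultwarden` are placeholders.

```nginx
# 1. Create the backend's self-signed certificate once (ten-year validity),
#    with a SAN the proxy can verify against (assumed names/paths):
#    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 \
#        -subj "/CN=vaultwarden" -addext "subjectAltName=DNS:vaultwarden" \
#        -keyout vaultwarden.key -out vaultwarden.crt
#
# 2. Start Vaultwarden with Rocket TLS enabled (syntax as in the Vaultwarden
#    wiki; paths assumed), e.g. in the container environment:
#    ROCKET_TLS='{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}'
#    ROCKET_PORT=8443
#
# 3. nginx: terminate public TLS, then re-encrypt to the backend and pin the
#    backend to the self-signed cert instead of accepting any certificate.

upstream vaultwarden_backend {
    server vaultwarden:8443;       # backend now listens with TLS itself
}

server {
    listen 443 ssl;
    server_name vault.example.com;                           # placeholder

    ssl_certificate     /etc/nginx/ssl/vault.example.com.crt; # public-facing cert
    ssl_certificate_key /etc/nginx/ssl/vault.example.com.key;

    location / {
        proxy_pass https://vaultwarden_backend;

        # Trust only the backend's own self-signed certificate.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/vaultwarden.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  1;
        proxy_ssl_server_name   on;
        proxy_ssl_name          vaultwarden;  # must match the cert's CN/SAN
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;

        # Usual forwarding headers plus WebSocket upgrade for notifications.
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
    }
}
```

The important lines are `proxy_ssl_verify on` together with `proxy_ssl_trusted_certificate`: without them nginx will happily connect to any TLS endpoint at that address, which encrypts the hop but does not authenticate it. Check the setup by temporarily pointing `proxy_ssl_trusted_certificate` at a different certificate; the proxy should then log a verification failure and return a 502 instead of passing logins through.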