Hi, I’m working on improving the security of my home server.
I want to use the Bitwarden app and the Chrome/Firefox extensions outside my LAN, but I don’t need Web Vault at all. How do I block access to Web Vault from outside the LAN in the Caddyfile?
pass.my-domain {
    @block_webvault_outside {
        not remote_ip 192.168.1.0/24 10.8.0.0/24
        # What should be there?
        # path /admin* will lock only admin options
    }
    respond @block_webvault_outside 403
    reverse_proxy vaultwarden:80
}
I personally don’t expose services like these to the Internet directly but rather put them behind a Wireguard VPN that I stay connected to while remote to be able to access local network resources and ad-blocking without actually exposing anything in my internal network except the Wireguard port.
That doesn’t work for everyone of course, but I personally would be really nervous exposing a service like Vaultwarden to the Internet without having it behind a VPN.
If you’re deploying Vaultwarden via docker, there’s an ENV to disable web vault
WEB_VAULT_ENABLED=true
Set to false and redeploy.
But that will also block my access to WebVault within the LAN
You’re right.
If you login to Vaultwarden and access the Web vault, is there a path like /admin you can add to your blocked paths config?
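
One way to fill in the matcher from the question, as an added example that is not from any poster in the thread: let outside clients reach only the path prefixes the apps and extensions call, and answer 403 for everything else, which covers the Web Vault pages and /admin. The path list is an assumption about Vaultwarden's client-facing routes; confirm it against your own access log before relying on it.

```caddyfile
pass.my-domain {
    # Matches a request only when BOTH conditions hold:
    #   1. the client is not in the LAN / VPN ranges from the question, and
    #   2. the path is not one of the client API prefixes.
    # Matchers inside one named matcher block are ANDed together.
    @block_webvault_outside {
        not remote_ip 192.168.1.0/24 10.8.0.0/24
        # Assumed prefixes used by the apps and browser extensions.
        # Anything not listed here (/, static Web Vault files, /admin)
        # is refused for outside clients.
        not path /api/* /identity/* /icons/* /notifications/*
    }
    respond @block_webvault_outside 403

    # LAN / VPN clients, and outside clients on the allowed prefixes,
    # are proxied as before.
    reverse_proxy vaultwarden:80
}
```

If Caddy sits behind another proxy or a NAT that rewrites the source address, `remote_ip` sees that hop rather than the real client, so test the 403 from a genuinely external address. The API prefixes stay reachable from the Internet, so this narrows the exposed surface rather than removing it.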


