I can’t log into my user account

[ericxuo]

Hello,

This is a question I've already posted on discourse but as I do not have any answer, I try to get another chance here.
I’ve just installed Vaultwarden on Linux (Mageia 9) without docker after I’ve followed this post :
https://www.bloovis.com/posts/2023-10-06-vaultwarden-without-docker

My config :

I can connect to the admin account and can create a user account but I can’t login using this new created account. I’m immediately disconnected. I’ve seen many topics with the same issue but without any clear explanation on how to solve it.
The error in the vaultwarden log file :
[2024-05-26 17:05:11.518][auth][ERROR] Unauthorized Error: No access token provided
[2024-05-26 17:05:11.518][vaultwarden::api::core::ciphers::_][WARN] Request guard Headers failed: “No access token provided”.

I’m using apache. Here is my vaultwarden.conf file :

<IfModule mod_proxy_http.c>

SSLProxyEngine on
ProxyRequests Off
ProxyPreserveHost On

<Proxy http://127.0.0.1:8000/vaultwarden/>

Order allow,deny
Allow from all
</Proxy>

ProxyPass /vaultwarden/ http://127.0.0.1:8000/vaultwarden/
ProxyPassReverse /vaultwarden/ http://127.0.0.1:8000/vaultwarden/

</IfModule>

Here is my config.json file :

{
"domain": "https://my-domain.fr/vaultwarden",
"sends_allowed": true,
"incomplete_2fa_time_limit": 3,
"disable_icon_download": false,
"signups_allowed": true,
"signups_verify": true,
"signups_verify_resend_time": 3600,
"signups_verify_resend_limit": 6,
"org_creation_users": "[email protected]",
"invitations_allowed": true,
"emergency_access_allowed": true,
"email_change_allowed": true,
"password_iterations": 600000,
"password_hints_allowed": true,
"show_password_hint": true,
"admin_token": "$argon2id$this_is_my_admin_token",
"invitation_org_name": "Vaultwarden",
"ip_header": "X-Forwarded-For",
"icon_redirect_code": 302,
"icon_cache_ttl": 2592000,
"icon_cache_negttl": 259200,
"icon_download_timeout": 10,
"icon_blacklist_non_global_ips": true,
"disable_2fa_remember": false,
"authenticator_disable_time_drift": false,
"require_device_email": false,
"reload_templates": false,
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"admin_session_lifetime": 20,
"_enable_yubico": true,
"_enable_duo": true,
"_enable_smtp": true,
"use_sendmail": false,
"smtp_host": "smtp.gmail.com",
"smtp_security": "starttls",
"smtp_port": 587,
"smtp_from": "[email protected]",
"smtp_from_name": "Vaultwarden",
"smtp_username": "[email protected]",
"smtp_password": "my-password",
"smtp_timeout": 15,
"smtp_embed_images": true,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"_enable_email_2fa": true,
"email_token_size": 6,
"email_expiration_time": 600,
"email_attempts_limit": 3
}

Could you help me to solve this issue ?

Regards.

Xuo.

[BlackDex]

What if you bypass the reserve proxy? Or use a different browser or in incognito/private mode.

The header must be dropped or cut out replaced somewhere before it reaches Vaultwarden.

[ericxuo]

Hello,

Thank you for your reply.
I get the same issue when using chromium-browser or Firefox with a private window.

Here is the main 00_default_ssl_vhost.conf file used by the Apache server :

<VirtualHost *:443>
# general configuration
ServerAdmin [email protected]
ServerName my-domain.fr
ServerAlias *.my-domain.fr

# SSL configuration
SSLEngine on
SSLCertificateFile /etc/certificates/ordi4_server.crt
SSLCertificateKeyFile /etc/certificates/ordi4_server.pem

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

CustomLog logs/ssl_request_log \

"%V %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

DocumentRoot "/var/www/html"
RewriteEngine on
RewriteCond %{HTTP_HOST} ^([^\.]+)\.my-domain\.fr
RewriteCond /var/www/html/%1 -l
RewriteRule ^(.*) /%1/$1 [L]

</VirtualHost>

There is one part above about header but I really don't what it is used for. Should it be changed ?

Regards.

Xuo.

PS :
Here is a message I've received after having tried to connect with Chromium :

[ericxuo]

Hi,

I could make it work after some painful tries.
Here are my different configuration files. Hope this can help.

my vaultwarden .env file :

DOMAIN=https://vaultwarden.my_domain.fr/
ORG_CREATION_USERS=<my_email>
ADMIN_TOKEN='<my_admin_token>'
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.free.fr
SMTP_FROM=<my_smtp_email>
SMTP_FROM_NAME=Vaultwarden
# Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
SMTP_PORT=587
SMTP_SECURITY=starttls
#SMTP_SECURITY=force_tls
# (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
# (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
SMTP_USERNAME=<my_smtp_username>
SMTP_PASSWORD=<my_smtp_password>
SMTP_TIMEOUT=15
LOG_LEVEL=debug
LOG_FILE=data/vaultwarden.log
## Rocket specific settings
## See https://rocket.rs/v0.5/guide/configuration/ for more details.
ROCKET_ADDRESS=192.168.0.14
## The default port is 8000, unless running in a Docker container, in which case it is 80.
ROCKET_PORT=8000

My apache config :

<VirtualHost *:443>

    <IfModule mod_headers.c>
	    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>

    <IfModule mod_proxy_http.c>

 	ServerName	vaultwarden.my_domain.fr

	SSLProxyEngine on
	ProxyPreserveHost On
	ProxyRequests Off

	<Location /> 
	    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
	    RewriteEngine On
	    ProxyPass http://192.168.0.14:8000/ upgrade=websocket
	</Location>
    
    </IfModule>

</VirtualHost>

Note : I'm not using docker. I've followed the installation steps from :
https://www.bloovis.com/posts/2023-10-06-vaultwarden-without-docker

Regards.

Xuo.

[ericxuo]

Marking the topic as closed.