Healthcheck fails if vaultwarden installed in subfolder with domain_path set #4762

Closed
opened 2026-03-07 20:00:07 -06:00 by GiteaMirror · 4 comments
Originally created by @sataris on GitHub (Sep 27, 2021).

Subject of the issue

Using portainer I can see that the healthcheck is failing.

This may be a configuration issue on my end but it doesn't feel like it.

In my scenario I have bitwarden installed in a subfolder (https://domain.com/bitwarden) with yubikey authentication enabled.

The only way I could get the yubikey authentication to work correctly was to ensure that DOMAIN in the config.json contained only the domain, e.g. "domain": "https://domain.com/", and not the subfolder, as noted in #925 and fixed in #927.

I was able to work out the health check fails if vaultwarden is hosted on a subfolder, the "domain_path" key is set, and the "domain" key does not contain the subfolder.

This causes the health check to fail as /healthcheck.sh will return http://localhost:80/alive as the healthcheck url

I have gotten around this in my installation by taking the domain_path variable from the config.json so my healthcheck url is http://localhost:80/${domain_path}/alive

I can do a PR if you wish, but the healthcheck script could become a mess with having to deal with paths in both domain and domain_path keys 😄 (and I'm not sure if I'd break anything else)

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.2
  • Web-vault version: v2.21.1
  • Running within Docker: true
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version: Nginx
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden: SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "*****",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "******/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******.***",
  "domain_origin": "*****://******.***",
  "domain_path": "/****",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": false,
  "helo_name": null,
  "hibp_api_key": "*******",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Bitwarden_RS",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "WARN",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "******.***",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*******@******.***",
  "smtp_from_name": "*** ***",
  "smtp_host": "****.******.***",
  "smtp_password": "******",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*******@******.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "67046",
  "yubico_secret_key": "*******",
  "yubico_server": null
}

Steps to reproduce

Install vaultwarden on a subfolder

enable yubikey on an account

set DOMAIN to a FQDN without a subfolder (http://abc.com/)
set DOMAIN_PATH to the subfolder (/bitwarden)

Healthcheck.sh will return http://localhost:80/alive (and fail) and Yubikey will authenticate

I'm raising this because I don't want to choose between yubikey authentication and the healthcheck

Expected behaviour

Healthcheck.sh should build the correct healthcheck url when domain and domain_path are specified in config.json

Actual behaviour

Healthcheck.sh returns 404 not found and completely disregards the setting of domain_path.

Troubleshooting data


@jjlin commented on GitHub (Sep 27, 2021):

You probably need the fix in #1950. It is in the testing images, but hasn't made it into a release yet.


@BlackDex commented on GitHub (Sep 27, 2021):

@sataris, I see you mentioned that you modified the config.json manually. This is not the recommended way, and this also causes the issue you have. From the output I see that the DOMAIN variable does not have the path configured, which is what you need to do.

Those other values for the domain are auto generated and non-editable. Since you did this manually, it breaks the config, and thus the health check.

Either use env variables, or change the config via the admin interface.


@sataris commented on GitHub (Sep 28, 2021):

> @sataris, I see you mentioned that you modified the config.json manually. This is not the recommended way, and this also causes the issue you have. From the output I see that the DOMAIN variable does not have the path configured, which is what you need to do.
>
> Those other values for the domain are auto generated and non-editable. Since you did this manually, it breaks the config, and thus the health check.
>
> Either use env variables, or change the config via the admin interface.

At the moment I need the webauthn to function more than I need the healthcheck to pass.

I'll wait for the fix in #1950 and then reconfigure bitwarden.

Thanks!


@BlackDex commented on GitHub (Sep 28, 2021):

Well, you need both: the correct config and that patch.
You can run the testing image which had that patch already.
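
Added example, not part of the thread and not vaultwarden's own healthcheck.sh: a POSIX sh sketch of deriving the `/alive` probe URL from the path component of DOMAIN, which shows why a DOMAIN without the subfolder yields `http://localhost:80/alive` and a 404 behind a base path. The function names `base_path` and `healthcheck_url` and the port argument are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and the port argument are assumptions,
# not taken from vaultwarden's healthcheck.sh.

# Print the path component of a URL without trailing slashes.
#   https://domain.com/bitwarden/ -> /bitwarden
#   https://domain.com/           -> (empty)
base_path() {
    url=$1
    rest=${url#*://}                  # drop the scheme, if any
    case $rest in
        */*) path=/${rest#*/} ;;      # everything after host[:port]
        *)   path= ;;                 # no path at all
    esac
    path=${path%%\?*}                 # drop a query string
    path=${path%%\#*}                 # drop a fragment
    while [ "${path%/}" != "$path" ]; do
        path=${path%/}                # strip trailing slashes
    done
    printf '%s' "$path"
}

# Build the local probe URL: http://localhost:<port><base path>/alive
healthcheck_url() {
    domain=$1
    port=${2:-80}
    printf 'http://localhost:%s%s/alive' "$port" "$(base_path "$domain")"
}

# Constructed inputs matching the two configurations discussed in the thread.
echo "DOMAIN with subfolder:    $(healthcheck_url 'https://domain.com/bitwarden')"
echo "DOMAIN without subfolder: $(healthcheck_url 'https://domain.com/')"
```
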

Reference: github-starred/vaultwarden#4762