Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Synology Bitwarden_rs Websocket setup without SSH
#!/bin/bash
LOC_DIR="/etc/nginx"
if [ ! -f $LOC_DIR/ws.locations ]; then
echo """
location /notifications/hub {
proxy_pass http://localhost:$3;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://localhost:$2;
}
""" >> $LOC_DIR/ws.locations
fi
if ! grep -q "ws.locations" /etc/nginx/app.d/server.ReverseProxy.conf; then
sed -i "/$1;/ a\ include $LOC_DIR/ws.locations;" /etc/nginx/app.d/server.ReverseProxy.conf
if nginx -t 2>/dev/null; then synoservicecfg --reload nginx; else exit 1; fi
fi

Synology Bitwarden_rs Websocket Setup

Below steps allow you to setup Websocket support for your Bitwarden_rs installation running on Synology Diskstation. You can do all steps using the GUI so there is no SSH Access needed.

Prerequisites

  • Working HTTPS Reverse proxy Setup (Control Panel -> Application Portal -> Reverse Proxy)
  • Set Enviourment Variable WEBSOCKET_ENABLED=true in your Bitwarden container and expose the container port 3012 to a local port, in my case 5556.

Upload script

  1. Download enable_ws.sh
  2. Upload the script "enable_ws.sh" onto your Diskstation. I would recommand putting it in your Bitwarden directory. In my case /volume1/docker/bitwarden

Create scheduled Task

Control Panel -> Task Scheduler -> Create -> Scheduled Task -> User-defined Script

Make sure to amend the command according to your setup.

  • /volume1/docker/bitwarden/enable_ws.sh = Full path to previously uploaded script
  • vault.example.com = Hostname of your Bitwarden_rs as configured in the Reverse Proxy
  • 5555 = Exposed ROCKET_PORT by Docker (The same as in your Reverse Proxy setup)
  • 5556 = Exposed WEBSOCKET_PORT by Docker

Run Command (My example):

bash /volume1/docker/bitwarden/enable_ws.sh vault.example.com 5555 5556

  General Settings
      Task -> Enable BW WS
      User -> root
      Enabled -> Tick
  Schedule
      Run on the following days -> Daily
      Frequency -> Every hour
  Task Settings:
      (Optional) Enable Notifications
      Run Command: <Paste Command Crafted Above> 

Save and run the new task by selecting Run. Login into your Webvault and confirm in your web browsers developer console that the connection to wss:// succeded.

@Autonomous120
Copy link

Autonomous120 commented May 11, 2022

Issue report:
Upgraded to DSM 7.1-42661 Update 1, the script doesn't work.

@MilesTEG1
Copy link

MilesTEG1 commented May 11, 2022

Issue report: Upgraded to DSM 7.1-42661 Update 1, the script doesn't work.

Witch one ?
Mine (or the translated version by @RonV42), or the one from @ClusterDuckster ?

The original script from @nstanke didn't work since DSM7.

@Autonomous120
Copy link

Autonomous120 commented May 12, 2022

I checked and confirm the script is translated version by @RonV42

The error message in Bitwarden.app (by pressing F12) shows that:

WebSocket connection to 'wss://vault.xxxx.com:8001/notifications/hub?access_token=xxxx' failed: Error during WebSocket handshake: Unexpected response code: 504
WebSocketTransport.js:99
Utils.js:218 [2022-05-12T12:08:52.520Z] Error: Failed to start the connection: Error: There was an error with the transport.
e.log @ Utils.js:218
zone.js:3083 20:08:52.536 › Error: There was an error with the transport.
    at WebSocket.o.onerror [as __zone_symbol__ON_PROPERTYerror] (vendor.js:2)
    at WebSocket.T (vendor.js:2)
    at e.invokeTask (vendor.js:2)
    at Object.onInvokeTask (vendor.js:2)
    at e.invokeTask (vendor.js:2)
    at t.runTask (vendor.js:2)
    at t.invokeTask [as invoke] (vendor.js:2)
    at b (vendor.js:2)
    at WebSocket.v (vendor.js:2)
i.<computed> @ zone.js:3083

websocket.locations.vaultwarden:


location /notifications/hub {
    proxy_pass http://192.168.11.11:8002;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
    proxy_pass http://192.168.11.11:8000;
}


docker-compose_vaultwarden.yml:

#---
#Docker-compose file for Vaultwarden
#--- 
version: '3'
services:
  vaultwarden:
    container_name: vaultwarden
    restart: always
    image: vaultwarden/server:latest
    environment: 
    - TZ=Asia/Hong_Kong
    - LOG_FILE=/maintenance/vaultwarden.log
    - WEBSOCKET_ENABLED=true

    volumes:
    - /volume1/docker/Public/Vaultwarden/data:/data
    - /volume1/docker/Public/Vaultwarden/maintenance:/maintenance
    
    ports:
    - 8000:80
    - 8002:3012
    
    network_mode: "bridge"

Reverse proxy setting for vaultwarden:
Source: https://vault.xxxx.com:8001
Destination: http://localhost:8000

Running script parameters:
bash /volume1/docker/Public/Vaultwarden/websocket/enable_ws.sh vault.xxxx.com 8000 8002

I just recollected what I have done in recent days:

  1. Upgraded to DSM 7.1-42661 Update 1
  2. Enabled IPv6 in DSM, automatic mode, while enabled DHCPv6 stateless on my router.
  3. Switched network mode of docker container - AdguardHome from macvlan mode to host mode, and confirm that no port conflicting.

Wish those information could help.

@MilesTEG1
Copy link

MilesTEG1 commented May 12, 2022

Hello @Autonomous120
I just check on my Bitwarden .app, it seems the websocket works :
image

Maybe your problem is with IPv6 ?
I don't have my NAS in IPv6...
I have AdGuard Home too, in macvlan.
In AdGH, I've got a rewriting of my vaultwarden url to the LAN IP NAS.

@Autonomous120
Copy link

Autonomous120 commented May 13, 2022

@MilesTEG1
Good news! The script back to work again!
Here is my solution:

  1. Enter the DSM control panel.
  2. Navigate to Network → General → Advanced Settings
  3. Make sure the ‘Enable Multiple Gateways’ unchecked.

@MilesTEG1
Copy link

MilesTEG1 commented May 13, 2022

👍

@nstanke
Copy link
Author

nstanke commented May 13, 2022

@MilesTEG1
Copy link

MilesTEG1 commented Jul 17, 2022

Hello,
I'll may do a fork when I'll have some time 😃

But for now, I had to investigate why my setup doesn't work anymore with the last version (1.25.1) of VaultWarden. I had errors saying that WebSocket connection to xxxxxxxxxxxxxxxxxxx (anonymous) @ WebSocketTransport.js:99 when 1.25.0 works fine...

I had to add some things in the websocket.locations.vaultwarden file.
Here what I have now :

if [ -f $LOC_DIR/websocket.locations.vaultwarden ]; then
  rm $LOC_DIR/websocket.locations.vaultwarden
  part1=1
fi
echo """
location /notifications/hub/negotiate {
    proxy_http_version 1.1;
    proxy_set_header \"Connection\" \"\";
    
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://$IP_NAS:$PORT_ACCES;
}

location /notifications/hub {
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection \"upgrade\";

    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header Forwarded \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://$IP_NAS:$PORT_CONT;
}

""" >>$LOC_DIR/websocket.locations.vaultwarden

And I had to remove entries for the websocket for the location / (in DSM, remove the two lines in the reverse proxy configuration to have only this :
image

And now, WebSockets Notifications works again ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment