Using an alternate base dir
Traditionally, Bitwarden is limited to residing at the root of a subdomain, e.g. https://bitwarden.example.com.
This limitation originates in the backend and web vault, which haven't been designed to accommodate alternate base dirs (see bitwarden/server#277). The mobile/desktop apps and browser extensions actually have no issues using a base URL with a path.
In bitwarden_rs, with the changes in PR#868, you can configure the backend server to work properly with an alternate base dir. With a bit more work, it's also possible to modify the web vault to work properly, resulting in a fully functional installation.
Simply configure your domain URL to include the base dir. For example, suppose you want to access your installation at https://bitwarden.example.com/secret-dir.
- Stop bitwarden_rs.
- If you normally configure bitwarden_rs using the admin page, edit your config.json to look as follows:
  { "domain": "https://bitwarden.example.com/secret-dir", // ... other values ... }
- If you normally configure bitwarden_rs via environment variables, update your config files/scripts to set the DOMAIN environment variable to the base URL. For example:
  docker run -e DOMAIN="https://bitwarden.example.com/secret-dir" ...
- Restart bitwarden_rs.
- You should now be able to access the web vault (assuming it has been modified appropriately; see the next section) at https://bitwarden.example.com/secret-dir/ (note the trailing slash). For reasons not entirely clear, you may run into issues if you use https://bitwarden.example.com/secret-dir (without the trailing slash).
- Configure your apps or browser extensions to use https://bitwarden.example.com/secret-dir. If you add a trailing slash, the apps and extensions will automatically remove it before saving.
The issue with the web vault is there's no simple way to configure it for a specific base URL. Instead, the code generally just assumes the web vault URL is given by window.location.origin, which always represents the root of the subdomain. This is true of both the upstream web vault and the patched version used in bitwarden_rs:
- https://github.com/bitwarden/web/blob/f7f7040/src/app/services/services.module.ts#L137-L144
- https://github.com/dani-garcia/bw_web_builds/blob/5c9de1a/patches/v2.11.0.patch#L17-L29
Here are some approaches you could take to modify the web vault to work at a different base dir.
Modify the upstream code and/or bitwarden_rs patches and rebuild the web vault. (Someone else can document this if they're interested.)
- Enter a shell in the bitwarden_rs container:
docker exec -it <container-name> /bin/sh
- Patch the web vault:
sed -i "s|window\.location\.origin|window.location.origin+'/secret-dir'|g" /web-vault/app/main*.js
(Of course, replace /secret-dir with your actual base dir.)
Pros:
- It works just fine for normal purposes.
- This approach could be easily automated on container start.
Cons:
- It's a brittle solution, although it's probably not too likely window.location.origin would be used for anything else.
- It will probably break the source map, but this won't matter unless you're doing development or need to troubleshoot with a developer.
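
The automation mentioned under Pros, as an added example that is not part of the original wiki page or the bitwarden_rs project: a POSIX shell script for container start that derives the base dir from DOMAIN and applies the same substitution from a pristine copy, so a restart does not patch twice. The function names and the .orig backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki): repeatable form of the sed patch above.

# Print the path part of a DOMAIN value without a trailing slash, e.g.
# "https://bitwarden.example.com/secret-dir/" -> "/secret-dir" (empty for root).
base_dir_from_domain() {
    rest=${1#*://}                       # drop the scheme
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path= ;;
    esac
    printf '%s\n' "${path%/}"
}

# Patch every main*.js in directory $1 so the web vault prepends base dir $2.
patch_web_vault() {
    dir=$1
    base=$2
    [ -n "$base" ] || return 0           # installed at the root: nothing to do
    # $base is spliced into a sed replacement and a JavaScript string literal,
    # so accept only plain path characters (no quotes, |, & or backslashes).
    case $base in
        /*) ;;
        *)  echo "base dir must start with /: $base" >&2; return 1 ;;
    esac
    case $base in
        *[!A-Za-z0-9/_-]*) echo "unsafe base dir: $base" >&2; return 1 ;;
    esac
    for f in "$dir"/main*.js; do
        [ -f "$f" ] || { echo "no main*.js found in $dir" >&2; return 1; }
        # Keep a pristine copy and always patch from it. A container that is
        # restarted (not recreated) keeps its patched files, and running the
        # original sed -i twice would append the base dir twice.
        [ -f "$f.orig" ] || cp "$f" "$f.orig"
        sed "s|window\.location\.origin|window.location.origin+'$base'|g" \
            "$f.orig" > "$f"
    done
}

# At container start: act only when DOMAIN is set (assumption: the
# environment-variable setup described above; /web-vault/app is the path
# used in the sed command on this page).
if [ -n "${DOMAIN:-}" ]; then
    patch_web_vault /web-vault/app "$(base_dir_from_domain "$DOMAIN")"
fi
```

Base dirs containing characters outside letters, digits, `/`, `_` and `-` are rejected by design; widen the allowed set only if you also escape the value for both sed and JavaScript.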