TLS mutual authentication #2267
-
I do not think we will implement this for several reasons.
If you still want something like this, I suggest using a reverse proxy which has this functionality, like Caddy, Nginx, HAProxy, Traefik, etc.
-
I was looking into this myself, but for very different reasons. I agree with @BlackDex - if this breaks the clients, then there's no point in implementing this. Your best bet is to use the owasp/modsecurity-crs:nginx image to front vaultwarden so you can have a WAF protecting your public-facing install. Or just keep your vaultwarden behind a VPN.
-
One solution to improve security could be to use VPN on demand (on iOS). It is possible with Tailscale, though not perfect.
-
@gtaws I think that there would actually be a point in implementing it. I'm running a simple Azure Container App (ACA) without VNET integration. A custom domain is used via Cloudflare; however, the Vaultwarden installation is also still available via the standard https://*.azurecontainerapps.io. If we were to have mTLS we could do something similar to this: Authenticated Origin Pulls. This would help secure Vaultwarden installations behind Cloudflare, by making sure only Cloudflare can access the Vaultwarden instance before making it accessible to the internet.
-
It's dangerous to deploy vaultwarden on the internet. Although it supports TLS, it is unilateral authentication; everyone could click the 'continue' button in the browser to pass the HTTPS errors to attack vaultwarden (such as a brute force attack).
If vaultwarden could support TLS mutual authentication, then only someone who has the client certificate in the browser or other clients could access vaultwarden on the internet, and it would be more and more secure.
So, is there a plan to support TLS mutual authentication?
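
The reverse-proxy approach suggested in the replies, as an added example that is not part of the thread or the Vaultwarden project: an nginx server block that requires a client certificate before proxying any request to the backend. The hostname, file paths and the upstream address `127.0.0.1:8080` are assumptions.

```nginx
# Added example; hostname, certificate paths and upstream address are assumptions.
server {
    listen 443 ssl;
    server_name vault.example.com;

    # Server identity, as in any one-way TLS setup.
    ssl_certificate     /etc/nginx/tls/vault.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/vault.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the CA that issued the permitted client certificates.
    # Behind Cloudflare Authenticated Origin Pulls this would be the
    # origin-pull CA certificate instead of a private client CA.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;

    # "on" makes nginx answer 400 to any request that arrives without a
    # certificate chaining to the CA above, so it never reaches the backend.
    # "optional" only requests a certificate and lets the request through
    # unless $ssl_client_verify is checked explicitly.
    ssl_verify_client on;
    ssl_verify_depth  2;

    # Revocation list for lost or retired client certificates (optional).
    # ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        # The backend must listen on loopback only; if it is also reachable
        # directly, the client-certificate check can simply be bypassed.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```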