Caddy proxy cannot login to vault when caddy heredoc respond is used

[Korel]

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.7
• Web-vault version: v2024.6.2c
• OS/Arch: linux/aarch64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 17.2 (Debian 17.2-1.pgdg120+1) on aarch64-unknown-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
• Environment settings overridden!: false
• Uses a reverse proxy: false
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: false
• HTTPS Check: false
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://***************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*********************",
  "domain_origin": "****://*********",
  "domain_path": "************",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7

Deployment method

Official Container Image

Custom deployment method

I deployed it using docker-compose. Here is a reproducing example (tried to keep it minimal):
compose.yaml

services:
  postgres:
    image: postgres:latest
    restart: unless-stopped
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: password
      POSTGRES_DB: vaultwarden

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    ports: 
      - 8080:80 # to debug
    environment:
      DATABASE_URL: postgresql://user:password@postgres:5432/vaultwarden
      DOMAIN: http://localhost/vaultwarden
      ADMIN_TOKEN: eh9jQgDRClRZKWrDkrMTIIBI62colVJufQTzobU244Br0xg7rZK0Cn9QkIWLl8MP
      I_REALLY_WANT_VOLATILE_STORAGE: true

  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile

Caddyfile

{
	log {
		output stdout
		level INFO
	}
}

# Handle HTTP requests for domains (assuming your domain is korel.ignorelist.com)
http://localhost {
	# Vaultwarden reverse proxy
	route /vaultwarden/* {
		reverse_proxy vaultwarden:80 {
			header_up X-Real-IP {remote_host}
			header_down Cache-Control no-cache
		}
	}

	header Content-Type text/html
	respond /somepath 200 {
		body <<HTML
			<head>
				<title>Links</title>
			</head>
			<body>
				<h1>Links</h1>
				<ul>
					<li><a href='/link1'>link1</a></li>
					<li><a href='/link2'>link2</a></li>
				</ul>
			</body>
			</html>
			HTML
	}
}

Reverse Proxy

caddy 2.8.4

Host/Server Operating System

Linux

Operating System Version

Ubuntu 24.04

Clients

Web Vault, Browser Extension

Client Version

Firefox Version 133.0.3

Steps To Reproduce

Use the example deployment.
Create an account in vaultwarden
Try to login

Expected Result

Should be able to login succesfully

Actual Result

Cannot login, response says username or password is wrong.

If you remove the heredoc respond in Caddyfile, then reverse proxy can login this time. So below Caddyfile (just the vaultwarden proxy part) works:

{
	log {
		output stdout
		level INFO
	}
}

# Handle HTTP requests for domains (assuming your domain is korel.ignorelist.com)
http://localhost {
	# Vaultwarden reverse proxy
	route /vaultwarden/* {
		reverse_proxy vaultwarden:80 {
			header_up X-Real-IP {remote_host}
			header_down Cache-Control no-cache
		}
	}

	# header Content-Type text/html
	# respond /somepath 200 {
	# 	body <<HTML
	# 		<head>
	# 			<title>Links</title>
	# 		</head>
	# 		<body>
	# 			<h1>Links</h1>
	# 			<ul>
	# 				<li><a href='/link1'>link1</a></li>
	# 				<li><a href='/link2'>link2</a></li>
	# 			</ul>
	# 		</body>
	# 		</html>
	# 		HTML
	# }
}

Logs

No response

Screenshots or Videos

No response

Additional Context

Works on Android client for some reason...
I think it's a weird problem and I don't know if it is a caddy or vaultwarden issue. I tried to narrow the problem down from a longer Caddyfile and saw the problem happening after I readded the respond part.

[BlackDex]

The heredoc response seems like it is overwriting the index.html i think. That is probably not wise. Not sure why you do this though.

But modifying the vault or the response is in your own risk.

[Korel]

Hmm, maybe I'm using the respond method in a wrong way. My idea was to route everything vaultwarden related to it's own path (in this case vaultwarden) and use other routes for other applications. Meanwhile I wanted to create a path that will make a list of hrefs to the reverse proxied routes and just used the heredoc method to have something quick and easy. I didn't expect an unrelated path would clash with it, because the main vaultwarden login and admin pages load and I can see the requests go to the vaultwarden backend, but the login fails.

I don't know if it's related with this setup, sometimes the vaultwarden page also doesn't load correctly ("Just returns vaultwarden text as body and other js items do not load with ns_error_corrupted_content"), but when I reload with ctrl+shift+r it works.

[BlackDex]

Probably a caddy config issue.
Maybe caddy doesn't route /vaultwarden correctly but does /vaultwarden/ note the trailing /

Not sure how caddy works though.

[Korel]

Oh I saw the warning about the trailing / and actually created a redir rule for /vaultwarden to /vaultwarden/ in the actual config. I wanted to reduce the things for the example. Maybe I'm using the caddy config in a wrong way... Especially since the error doesn't happen when connected directly. Thanks for the responses :)

[Korel]

@BlackDex You were right! I thought header Content-Type text/html line would only effect the respond /somepath 200 {... part but it actually modified the response from vaultwarden too...

The correct way to use header was to add the path to it too...: header /somepath Content-Type text/html