Web UI works, desktop clients & Android clients do not

Using the web UI, everything works fine; the browser plugin also works great.

The Windows desktop app gives this error on login:

The Android app gives:

“An error has occurred. Exception message: Cannot access a closed Stream.”

Interactions with the web UI generate normal log activity from the container; the desktop/Android apps produce no log activity at all.

Proxied via Traefik v2 with the following config:

      # TRAEFIK CONFIG #
      # NOTE(review): docker-compose `labels` consumed by the Traefik v2 Docker
      # provider. The `admin` middleware attached to the main router below is
      # referenced but not defined in this snippet — presumably the OAuth
      # middleware mentioned later in the thread; confirm.
      
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        
      # ROUTER AND SERVICE DEFINITION #
      # Only `admin` is attached to this router. The `pass` headers middleware
      # declared under HTTPS HEADERS below is not referenced by any router in
      # this snippet, so its HSTS/nosniff/frameDeny headers are not applied;
      # attaching both (`middlewares=admin,pass`) would apply them.
        
        - "traefik.http.routers.pass.rule=Host(`pass.mydomain.net`)"
        - "traefik.http.routers.pass.entrypoints=websecure"
        - "traefik.http.routers.pass.tls=true"
        - "traefik.http.routers.pass.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.pass.service=pass"        
        - "traefik.http.services.pass.loadbalancer.server.port=80"
        - "traefik.http.routers.pass.middlewares=admin"
        
      # WEBSOCKET ROUTER AND SERVICE DEFINITION
      # This router has no middlewares, so requests matching /notifications/hub
      # bypass whatever `admin` enforces on the main router and receive none of
      # the security headers either. Document whether that bypass is intended;
      # otherwise attach the same middleware list here.
        
        - "traefik.http.routers.pass-websocket.entrypoints=websecure"
        - "traefik.http.routers.pass-websocket.rule=Host(`pass.mydomain.net`) && Path(`/notifications/hub`)"
        - "traefik.http.routers.pass-websocket.service=pass-websocket"
        - "traefik.http.services.pass-websocket.loadbalancer.server.port=3012"
        - "traefik.http.routers.pass-websocket.tls=true"       
        - "traefik.http.routers.pass-websocket.tls.certresolver=letsencryptresolver"
    
      # HTTPS HEADERS #
      # Declared as middleware `pass` but not attached to any router above.
      # SSLRedirect appears redundant here: both routers only listen on the
      # `websecure` entrypoint, so plain-HTTP requests never reach this
      # middleware unless a router on an HTTP entrypoint also uses it.
    
        - "traefik.http.middlewares.pass.headers.SSLRedirect=true"
        - "traefik.http.middlewares.pass.headers.STSSeconds=315360000"
        - "traefik.http.middlewares.pass.headers.browserXSSFilter=true"
        - "traefik.http.middlewares.pass.headers.contentTypeNosniff=true"
        - "traefik.http.middlewares.pass.headers.forceSTSHeader=true"
        - "traefik.http.middlewares.pass.headers.STSIncludeSubdomains=true"
        - "traefik.http.middlewares.pass.headers.STSPreload=true"
        - "traefik.http.middlewares.pass.headers.frameDeny=true"

support file:

* Bitwarden_rs version: v1.19.0
* Web-vault version: v2.18.1
* Running within Docker: true
* Internet access: true
* Uses a proxy: false
* DNS Check: true
* Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****.************.***",
  "domain_origin": "*****://****.************.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Bitwarden_RS",
  "invitations_allowed": true,
  "ip_header": "X-Real-Ip",
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*****@************.***",
  "templates_folder": "data/templates",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

I front the domain with Cloudflare. By toggling between "DNS + Proxy" and "DNS only", either the Cloudflare certificate is served, or (on DNS only) the Let's Encrypt certificate fetched by Traefik is served. Both setups pass SSL Labs inspection, but both show the same issue.

On SSL Labs I get the full chain, with chain issues: none, regardless of whether the Cloudflare cert or the LE cert is served.

sigh.

Just me being dumb. I am using OAuth middleware… obviously this breaks the apps because they can't perform the redirect to/from the auth provider.

Taking the OAuth middleware out solves all issues.