Spyke
homelab · Homelab · by LinusTor

How do I block Vaultwarden's Web UI from outside my LAN via Caddy?

Hi, I'm working on improving the security of my home server.
I want to use the Bitwarden app and the Chrome/Firefox extensions outside my LAN, but I don't need Web Vault at all. How do I block access to Web Vault from outside the LAN in the Caddyfile?

pass.my-domain {
    @block_webvault_outside {
        not remote_ip 192.168.1.0/24 10.8.0.0/24
        
        # What should be there?
        # path /admin* will lock only admin options
    }

    respond @block_webvault_outside 403
    reverse_proxy vaultwarden:80
}
View original on feddit.org

I personally don't expose services like these to the Internet directly but rather put them behind a Wireguard VPN that I stay connected to while remote to be able to access local network resources and ad-blocking without actually exposing anything in my internal network except the Wireguard port.

That doesn't work for everyone of course, but I personally would be really nervous exposing a service like Vaultwarden to the Internet without having it behind a VPN.

4
sh.itjust.works

If you're deploying Vaultwarden via docker, there's an ENV to disable web vault

WEB_VAULT_ENABLED=true

Set to false and redeploy.

3
LinusTor
feddit.org

But that will also block my access to WebVault within the LAN

1

You're right.

If you log in to Vaultwarden and access the Web vault, is there a path like /admin you can add to your blocked paths config?

1
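
The path-based approach the thread ends on, written as a default-deny Caddyfile. This is an added example, not part of any post above. The site name, upstream and IP ranges are the ones from the question; the list of API path prefixes is an assumption about which Vaultwarden routes the apps and extensions call, so check it against your own access log before relying on it.

```caddyfile
pass.my-domain {
    # Assumed prefixes used by the Bitwarden apps and browser extensions.
    # Everything not listed here (web vault UI, /admin, static assets)
    # is treated as "web UI" and is LAN/VPN only.
    @client_api path /api/* /identity/* /icons/* /notifications/* /events/* /attachments/*

    # Ranges taken from the original question: LAN and VPN subnet.
    @lan remote_ip 192.168.1.0/24 10.8.0.0/24

    # handle blocks are mutually exclusive; the first one that matches wins.

    # 1. API traffic is proxied for every client, inside or outside.
    handle @client_api {
        reverse_proxy vaultwarden:80
    }

    # 2. LAN and VPN clients get everything else, including the web vault.
    handle @lan {
        reverse_proxy vaultwarden:80
    }

    # 3. Anything left is a non-API request from outside: refuse it.
    handle {
        respond 403
    }
}
```

remote_ip matches the address of the immediate TCP peer, so if another proxy or a CDN sits in front of Caddy every request appears to come from that proxy and the @lan rule needs to be reworked around the real client address.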
