Hi I run my own self-hosted Bitwarden_rs installation. It works really well.
I’ve been running it locally within the LAN and it seems to perform very well. It sits behind an nginx reverse proxy and I use SSL termination at the reverse proxy and then re-encrypt to the backend/upstream SSL bitwarden VM. The admin interface is protected via a http password and an authenticator program (known as Authelia - that requires two-factor authentication to access the admin portal - https://github.com/authelia/authelia). Access to the admin portal is also limited to local IP addresses.
If wanting to expose the bitwarden server to the outside world, what security measures are recommended? Most of the clients would be using phones or computers and it would really be hard to restrict by IP address. I’m thinking of some combination of iptables modifications coupled with fail2ban but just wondering if any other measures would seem reasonable (other than putting reverse proxy/bitwarden_rs in DMZ).
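As an added illustration of the proxy layout the post describes (TLS termination at nginx, re-encryption to the upstream VM, and a LAN-only `/admin` path), here is an nginx server block with a per-IP rate limit on the password-login endpoint added as one of the measures asked about. This is example configuration, not the poster's own or the bitwarden_rs project's; the hostname `vault.example.com`, the upstream address `10.0.0.5`, the LAN range `192.168.1.0/24`, the certificate and CA paths and the upstream certificate name are all placeholders.

```nginx
# Added example: nginx in front of bitwarden_rs. Every address, hostname
# and file path below is a placeholder, not a value from the original post.

# Rate limit for the password-login endpoint, keyed by client IP
# (10 requests per minute). Must sit in the http context, e.g. in a file
# under conf.d/.
limit_req_zone $binary_remote_addr zone=bw_login:10m rate=10r/m;

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name vault.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name vault.example.com;          # placeholder hostname

    # TLS termination at the proxy (placeholder certificate paths).
    ssl_certificate     /etc/nginx/tls/vault.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/vault.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 128M;   # room for attachment uploads

    # Re-encrypt to the upstream VM and verify its certificate against the
    # internal CA that issued it (placeholder CA path and certificate name).
    proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
    proxy_ssl_verify        on;
    proxy_ssl_verify_depth  2;
    proxy_ssl_server_name   on;
    proxy_ssl_name          bitwarden.internal;   # placeholder: name on the upstream cert

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin portal: LAN clients only; anyone else is refused at the proxy
    # before the request reaches bitwarden_rs. An Authelia auth_request
    # step would sit in this location as well.
    location /admin {
        allow 192.168.1.0/24;   # placeholder LAN range
        deny  all;
        proxy_pass https://10.0.0.5:443;   # placeholder upstream
    }

    # Password-login endpoint: throttle repeated attempts per client IP.
    location = /identity/connect/token {
        limit_req zone=bw_login burst=5 nodelay;
        proxy_pass https://10.0.0.5:443;
    }

    # Everything else goes straight to the upstream.
    location / {
        proxy_pass https://10.0.0.5:443;
    }
}
```

Check the file with `nginx -t` before reloading. The `allow`/`deny` pair on `/admin` keeps the existing LAN restriction intact once the rest of the service is exposed, and the `limit_req` block gives fail2ban or iptables something to complement rather than replace: nginx slows guessing at the proxy, while the upstream's own failed-login log lines remain the signal for banning.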