Hi, I run my own self-hosted Bitwarden_rs installation. It works really well.
I’ve been running it locally within the LAN and it seems to perform very well. It sits behind an nginx reverse proxy and I use SSL termination at the reverse proxy and then re-encrypt to the backend/upstream SSL bitwarden VM. The admin interface is protected via an HTTP password and an authenticator program (known as Authelia, which requires two-factor authentication to access the admin portal - https://github.com/authelia/authelia). Access to the admin portal is also limited to local IP addresses.
If wanting to expose the bitwarden server to the outside world, what security measures are recommended? Most of the clients would be using phones or computers and it would really be hard to restrict by IP address. I’m thinking of some combination of iptables modifications coupled with fail2ban but just wondering if any other measures would seem reasonable (other than putting reverse proxy/bitwarden_rs in DMZ).
You could look into restricting access based on self-signed certificates and distribute them to user devices that need them. This would require anyone that wants access to your site to have a copy of the certificate installed on their device. I’m pretty sure nginx supports this.
@FredFerrell I’ve made client certificates before and set them up in between nginx proxies and even Chrome/FF browsers and nginx servers but I’ve yet to try on mobile platforms. Do you know if the process of creating the p12 file and importing that into the mobile space is similar?
You should be able to use the browser on the device and download the cert through that. There is usually a process that you then have to go through to have it trusted. Another common method is to use an MDM solution.
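The client-certificate approach discussed in this thread, as an added example that is not code from any of the posters: a private CA, one per-device certificate restricted to client authentication, and the `.p12` bundle a phone or browser imports. On the proxy, nginx's `ssl_client_certificate` (pointed at `ca.crt`) and `ssl_verify_client on` enforce the check. The CA name, lifetimes, file layout and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA, one client certificate, and a .p12 for device import.
# CA name, lifetimes, file layout and passphrases are constructed placeholders.
set -eu

# make_client_bundle DIR DEVICE_NAME P12_PASSPHRASE
make_client_bundle() {
  dir=$1; user=$2; p12_pass=$3
  mkdir -p "$dir" && chmod 700 "$dir"
  # Explicit extensions so the result does not depend on the system openssl.cnf.
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # 1. Private CA, created once and reused. ca.key never leaves this machine.
  if [ ! -f "$dir/ca.crt" ]; then
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
      -days 1825 -subj "/CN=Example Vault Client CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  fi
  # 2. Per-device key and CSR: one certificate per device, not one shared by all.
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user" -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
  # 3. Sign it as a client-auth-only leaf with a shorter lifetime than the CA.
  openssl x509 -req -sha256 -days 365 -in "$dir/$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions client_ext -out "$dir/$user.crt" 2>/dev/null
  # 4. Passphrase-protected bundle for import (pass: is visible in the process list).
  openssl pkcs12 -export -name "$user" -inkey "$dir/$user.key" \
    -in "$dir/$user.crt" -certfile "$dir/ca.crt" \
    -passout "pass:$p12_pass" -out "$dir/$user.p12"
  # The private key now lives only inside the .p12; drop the plaintext copy.
  rm -f "$dir/$user.key" "$dir/$user.csr"
}

# The same chain and purpose check the proxy applies to a presented certificate.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

Some older mobile OS versions cannot import the PKCS#12 encryption that OpenSSL 3 uses by default; its `-legacy` option on `openssl pkcs12 -export` selects the older algorithms.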