DUO redirection after 2FA does not redirect to the subpath with 1.32.0 #989

New Issue

MrUnknownDE · 2026-04-06T01:31:31+02:00

MrUnknownDE commented

2026-04-06 01:31:31 +02:00

Originally created by @kilaketia on 8/14/2024

Subject of the issue

After 2FA verification is done, DUO redirect us to https://fqdn/duo-redirect-connector.html instead of https://fqdn/subpath/duo-redirect-connector.html.

Deployment environment

vaultwarden version: 1.32.0
Install method: Docker
Clients used: web vault
Reverse proxy and version: NGINX 1.22.1-9
MySQL/MariaDB or PostgreSQL version: MariaDB
Other relevant details:

Steps to reproduce

Try to login with DUO 2FA, with Vaultwarden accessible from a sub path only, using the old interface or the universal prompt of DUO.

Expected behaviour

User should be redirected to https://fqdn/subpath/duo-redirect-connector.html after 2FA verification with DUO.

Actual behaviour

User is redirected to https://fqdn/duo-redirect-connector.html and receive a 404 error.

Troubleshooting data

Vaultwarden is configured with domain as "https://fqdn/vault/".

NGINX configuration :

upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8080;
  keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
        listen 443 ssl http2;
        server_name vault.mydomain.com;
        ssl_certificate /etc/ssl/private/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
        client_max_body_size 128M;

        access_log /var/log/nginx/vault.access.log;
        error_log /var/log/nginx/vault.error.log warn;
        add_header X-Robots-Tag "none";

         location /vault/ {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        	proxy_pass http://vaultwarden-default;
        }

        location /vault/admin {
                allow 192.168.1.0/24;
                deny all;

                proxy_http_version 1.1;
                proxy_set_header "Connection" "";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://vaultwarden-default;
        }

        proxy_connect_timeout       777;
        proxy_send_timeout          777;
        proxy_read_timeout          777;
        send_timeout                777;
}

server {
        listen 80;
        server_name vault.mydomain.com;
        return 301 https://$host$request_uri;
}

Temporary fix :

 location / {
                rewrite ^/duo-redirect-connector.html$ /vault/duo-redirect-connector.html?$args permanent;
}

*Originally created by @kilaketia on 8/14/2024* ### Subject of the issue After 2FA verification is done, DUO redirect us to https://fqdn/duo-redirect-connector.html instead of https://fqdn/subpath/duo-redirect-connector.html. ### Deployment environment * vaultwarden version: 1.32.0 * Install method: Docker * Clients used: web vault * Reverse proxy and version: NGINX 1.22.1-9 * MySQL/MariaDB or PostgreSQL version: MariaDB * Other relevant details: ### Steps to reproduce Try to login with DUO 2FA, with Vaultwarden accessible from a sub path only, using the old interface or the universal prompt of DUO. ### Expected behaviour User should be redirected to https://fqdn/subpath/duo-redirect-connector.html after 2FA verification with DUO. ### Actual behaviour User is redirected to https://fqdn/duo-redirect-connector.html and receive a 404 error. ### Troubleshooting data Vaultwarden is configured with domain as "https://fqdn/vault/". NGINX configuration : ``` upstream vaultwarden-default { zone vaultwarden-default 64k; server 127.0.0.1:8080; keepalive 2; } map $http_upgrade $connection_upgrade { default upgrade; '' ""; } server { listen 443 ssl http2; server_name vault.mydomain.com; ssl_certificate /etc/ssl/private/cert.pem; ssl_certificate_key /etc/ssl/private/key.pem; client_max_body_size 128M; access_log /var/log/nginx/vault.access.log; error_log /var/log/nginx/vault.error.log warn; add_header X-Robots-Tag "none"; location /vault/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } location /vault/admin { allow 192.168.1.0/24; deny all; proxy_http_version 1.1; proxy_set_header "Connection" ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://vaultwarden-default; } proxy_connect_timeout 777; proxy_send_timeout 777; proxy_read_timeout 777; send_timeout 777; } server { listen 80; server_name vault.mydomain.com; return 301 https://$host$request_uri; } ``` Temporary fix : ``` location / { rewrite ^/duo-redirect-connector.html$ /vault/duo-redirect-connector.html?$args permanent; } ```

MrUnknownDE closed this issue

2026-04-06 01:31:31 +02:00

Sign in to join this conversation.

No Label bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#989