Restrict Vaultwarden /admin to trusted networks (Tailscale + LAN)

Audit 2026-06-23 (P1): /admin was publicly reachable (200). Add a higher-priority Traefik router scoped to PathPrefix(/admin) with an ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24); the main router stays native for browser and mobile clients. Documented in docs/DECISIONS.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:03:26 +02:00
parent 81151d8af4
commit 23a6975a67
2 changed files with 44 additions and 0 deletions
@@ -52,6 +52,17 @@ services:
      - traefik.http.routers.vaultwarden.tls=true
      - traefik.http.routers.vaultwarden.tls.certresolver=le
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
+      # Audit 2026-06-23 (P1): /admin war public mit 200 erreichbar. Zweiter, hoeher
+      # priorisierter Router scoped auf /admin und laesst nur Tailnet + LAN durch (sonst 403).
+      # Hauptrouter oben bleibt nativ, damit Browser-/Mobile-Clients von ueberall funktionieren.
+      - traefik.http.routers.vaultwarden-admin.rule=Host(`vault.kaleschke.info`) && PathPrefix(`/admin`)
+      - traefik.http.routers.vaultwarden-admin.entrypoints=websecure
+      - traefik.http.routers.vaultwarden-admin.tls=true
+      - traefik.http.routers.vaultwarden-admin.tls.certresolver=le
+      - traefik.http.routers.vaultwarden-admin.service=vaultwarden
+      - traefik.http.routers.vaultwarden-admin.priority=100
+      - traefik.http.routers.vaultwarden-admin.middlewares=vaultwarden-admin-allowlist@docker
+      - traefik.http.middlewares.vaultwarden-admin-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24
      
 networks:
  frontend_net: