I selected Bitwarden among other password managers for self-hosting as it proved to be a feature-rich and actively developed projects. And while playing around with it, I noticed that some places in Nginx config can be improved.
There are these lines in Nginx default.conf for self-hosted docker images:
resolver 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 valid=300s;
The thing is that “resolver” directive is configured in such a way that can be exploited with cache poisoning attacks. You can check it here
That was discovered a few years ago but it seems it’s still not fixed.
I suggest to remove “resolver” directive completely and leave just “ssl_trusted_certificate”. That will allow Nginx to take advantage of OCSP stapling and, at the same time, avoid insecure technique.
With such configuration Nginx does produce warnings (not errors) like this:
[warn] 29302#29302: no resolver defined to resolve ocsp.int-x3.letsencrypt. org while requesting certificate status…
But they do not prevent it from stapling responses because of the “ssl_trusted_certificate” directive → https:// nginx. org /en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate (added spaces to the link as new user cannot add more than two links to a post… )
If Bitwarden team doesn’t want to remove it, I suggest at least changing IPs of Google/OpenDNS resolvers to CloudFlare: 18.104.22.168 and 22.214.171.124 for the sake of privacy, security and speed.
CloudFlare’s resolver is far more fast and has several security features that others don’t. Also, they claim to not track DNS queries like Google does. More details over this link
Thank you for your work, Bitwarden guys! Your project is awesome!