I’m hosting a Vaultwarden instance and was looking into a way to harden the admin interface, since my instance is public. I was already using a very strong admin token, hashed with Argon2, but I wanted to take it a step further.

Why leave the admin page exposed to the internet in the first place? It doesn’t matter if I have fail2ban and all sorts of other security measures. There is simply no reason to want the admin panel accessible to the World Wide Web.

But how?

It’s actually pretty simple. All there is to do is add the following in the advanced section of the NGINX-Proxy-Manager entry.

location /admin { return 404; }

That’s it! As you can probably figure out, browsing https://myvault.domain.tld/admin will simply return a 404 error.

How do I access the admin panel then?

I created a new DNS record and NGINX entry for https://admin.myvault.domain.tld that points to my VPN IP address. The admin panel is now only accessible from devices with VPN access to my server and I still retain the SSL requirement for Vaultwarden’s admin panel.
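To confirm that the public hostname really hides the panel after the change, the check below requests a few paths under /admin and reports any that do not answer 404. It is an added example, not part of the original setup: the function names and sample sub-paths are my own, and it assumes the web vault is still served at /.

```python
import sys
import urllib.error
import urllib.request

# Constructed sample paths; `location /admin` is a prefix match, so any sub-path should be caught.
ADMIN_PATHS = ["/admin", "/admin/", "/admin/users/overview"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as-is, so a redirect to a login page is not mistaken for a block."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url, timeout=5):
    """Return the HTTP status code for a GET on url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, fetch=http_status):
    """Return a list of findings; an empty list means the /admin block behaves as intended."""
    base = base_url.rstrip("/")
    findings = []
    for path in ADMIN_PATHS:
        status = fetch(base + path)
        if status != 404:
            findings.append(f"{path} answered {status}, expected 404")
    # Assumption: the web vault lives at /, so a 404 there means the rule matches too much.
    if fetch(base + "/") == 404:
        findings.append("/ answered 404: the block is matching more than /admin")
    return findings

if __name__ == "__main__":
    problems = audit(sys.argv[1])  # e.g. https://myvault.domain.tld
    print("\n".join(problems) or "admin panel is not reachable on this hostname")
    sys.exit(1 if problems else 0)
```

Run it against the public hostname after every proxy or Vaultwarden update; the non-zero exit code makes it easy to wire into a cron job or monitoring check.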