Wrong IP is banned with docker and nginx #2047

New Issue

OVERLORD · 2025-10-09T17:43:06+03:00

OVERLORD commented

2025-10-09 17:43:06 +03:00

Originally created by @timaschew on GitHub.

I'm using dokku (docker + nginx) and bitwarden_rs is showing the internal IP which is used to ban. But the real IP is not shown in the bitwarden logs. Instead the nginx contains the IP (access_log), but the context is missing (if it was an successful login or not). There is only the timestamp which could be used, but both have a different format and is it possible at all to substitute the IP from another log file filtered by a converted timestamp?

nginx/bitwardn-access.log:

89.145.194.0 - - [10/Aug/2019:23:05:28 +0200] "GET /admin HTTP/2.0" 200 1830 "https://bitwardn.awspace.de/admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

bitwarden.log

[2019-08-10 20:58:54][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 172.17.0.1

BTW: I tried both: with chain=FORWARD and without

Originally created by @timaschew on GitHub. I'm using dokku (docker + nginx) and bitwarden_rs is showing the internal IP which is used to ban. But the real IP is not shown in the bitwarden logs. Instead the nginx contains the IP (access_log), but the context is missing (if it was an successful login or not). There is only the timestamp which could be used, but both have a different format and is it possible at all to substitute the IP from another log file filtered by a converted timestamp? nginx/bitwardn-access.log: ``` 89.145.194.0 - - [10/Aug/2019:23:05:28 +0200] "GET /admin HTTP/2.0" 200 1830 "https://bitwardn.awspace.de/admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 ``` bitwarden.log ``` [2019-08-10 20:58:54][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 172.17.0.1 ``` BTW: I tried both: with `chain=FORWARD` and without

OVERLORD closed this issue

2025-10-09 17:43:07 +03:00

OVERLORD commented

2025-10-09 17:43:09 +03:00

@timaschew commented on GitHub:

Why bitwarden_rs is not using X-Forwarded-For which seems to be quite common?

Anyway, it works using X-Real-IP, thanks!

@timaschew commented on GitHub: Why bitwarden_rs is not using `X-Forwarded-For` which seems to be quite common? Anyway, it works using `X-Real-IP`, thanks!

OVERLORD commented

2025-10-09 17:43:10 +03:00

@dani-garcia commented on GitHub:

You need to make sure that the proxy is sending the X-Real-IP Header, otherwise it won't work correctly. Look at the example in the wiki: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#nginx-by-shauder

@dani-garcia commented on GitHub: You need to make sure that the proxy is sending the X-Real-IP Header, otherwise it won't work correctly. Look at the example in the wiki: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#nginx-by-shauder

OVERLORD commented

2025-10-09 17:43:10 +03:00

@BlackDex commented on GitHub:

@timaschew I have it setup the same as the link @dani-garcia posted.
I get for both the default login and /admin login the correct IP in both the bitwarden log and my nginx log.
The only thing which is a bit strange/out-of-standards is that the default login page returns a HTTP 400 and the admin token login returns a 303. Which i think should be 401 Unauthorized.

@BlackDex commented on GitHub: @timaschew I have it setup the same as the link @dani-garcia posted. I get for both the default login and /admin login the correct IP in both the bitwarden log and my nginx log. The only thing which is a bit strange/out-of-standards is that the default login page returns a HTTP 400 and the admin token login returns a 303. Which i think should be 401 Unauthorized.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#2047