ignoring X-Forwarded-For headers? #2254

Closed
opened 2025-10-09 17:53:34 +03:00 by OVERLORD · 5 comments
Owner

Originally created by @tycho on GitHub.

I notice that when using a reverse proxy, bitwarden_rs logs the wrong IP address:

[2018-12-17][09:47:45][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 127.0.0.1. Username: ...

This is especially sloppy looking since that error message gets surfaced to the user on the web vault.

My reverse proxy is setting the X-Forwarded-For header, but it seems that bitwarden_rs doesn't pay attention to that when determining the client IP?

Author
Owner

@tycho commented on GitHub:

Seems reasonable to me!

Author
Owner

@tycho commented on GitHub:

Oh, maybe the PROXY.md should make mention of the X-Real-IP thing. Here's what I did for nginx:

```
proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
```
Author
Owner

@tycho commented on GitHub:

Yep, I switched to X-Real-IP and that works! Thanks!

Author
Owner

@dani-garcia commented on GitHub:

Rocket uses X-Real-IP for retrieving the client's IP address, instead of X-Forwarded-For.

The error message comes from a time where we didn't have any decent logging in place, but it could be changed now to hide that info from the user.

Author
Owner

@dani-garcia commented on GitHub:

True, I use Caddy which does this by default, so I didn't know. What do you think of adding these (to be equivalent with what Caddy sends)?

```
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```
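The client-address lookup this thread is about, as an added Python example (not vaultwarden's, Rocket's or nginx's own code): it honours X-Real-IP and X-Forwarded-For only when the request arrived from a trusted proxy, so a direct client cannot pick the address that ends up in the log. The loopback-only trusted-proxy list and the sample addresses are constructed assumptions.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed assumption: only the reverse proxy on loopback may set
# client-IP headers (the layout in this thread, where the app saw 127.0.0.1).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _valid_ip(addr: str) -> Optional[str]:
    """Normalise one address; None if it is not a single valid IP."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Address to log or rate-limit for a request.

    remote_addr is the TCP peer. Headers are honoured only when that peer is
    a trusted proxy; a direct client can put anything in them.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    lower = {k.lower(): v for k, v in headers.items()}
    # X-Real-IP is what Rocket reads; nginx should set it to $remote_addr.
    # Setting it to $proxy_add_x_forwarded_for (as in the earlier nginx line
    # in this thread) yields "a, b" when an upstream already sent
    # X-Forwarded-For, which is not a single address, so validate it.
    real_ip = _valid_ip(lower.get("x-real-ip", ""))
    if real_ip:
        return real_ip
    # X-Forwarded-For is a client-first chain; each proxy appends the peer it
    # saw. Walk from the right, skipping trusted hops, to the first address
    # a trusted proxy actually observed.
    chain = [p for p in lower.get("x-forwarded-for", "").split(",") if p.strip()]
    for hop in reversed(chain):
        hop_ip = _valid_ip(hop)
        if hop_ip and not _is_trusted_proxy(hop_ip):
            return hop_ip
    return remote_addr
```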
Reference: starred/vaultwarden#2254