[GH-ISSUE #303] ignoring X-Forwarded-For headers? #163

Closed
opened 2026-03-03 01:26:12 +03:00 by kerem · 5 comments

Originally created by @tycho on GitHub (Dec 17, 2018).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/303

I notice that when using a reverse proxy, bitwarden_rs logs the wrong IP address:

`[2018-12-17][09:47:45][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 127.0.0.1. Username: ...`

This is especially sloppy looking since that error message gets surfaced to the user on the web vault.

My reverse proxy is setting the X-Forwarded-For header, but it seems that bitwarden_rs doesn't pay attention to that when determining the client IP?

kerem closed this issue 2026-03-03 01:26:13 +03:00

@dani-garcia commented on GitHub (Dec 17, 2018):

Rocket uses `X-Real-IP` for retrieving the client's IP address, instead of `X-Forwarded-For`.

The error message comes from a time where we didn't have any decent logging in place, but it could be changed now to hide that info from the user.


@tycho commented on GitHub (Dec 17, 2018):

Yep, I switched to X-Real-IP and that works! Thanks!


@tycho commented on GitHub (Dec 17, 2018):

Oh, maybe the PROXY.md should make mention of the X-Real-IP thing. Here's what I did for nginx:

```
proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
```

@dani-garcia commented on GitHub (Dec 17, 2018):

True, I use Caddy which does this by default, so I didn't know. What do you think of adding these (to be equivalent with what Caddy sends)?

```
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```

@tycho commented on GitHub (Dec 17, 2018):

Seems reasonable to me!
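
An added illustration, not part of the thread or the project's code: a Rust model of what nginx places in `X-Real-IP` under the two settings quoted above, and which address a backend would then log. The backend fallback rule, the function names and the sample addresses are assumptions constructed for this example.

```rust
use std::net::IpAddr;

/// The two X-Real-IP settings quoted in the thread.
#[derive(Clone, Copy)]
enum RealIpSource {
    ProxyAddXForwardedFor, // proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
    RemoteAddr,            // proxy_set_header X-Real-IP $remote_addr;
}

/// nginx's $proxy_add_x_forwarded_for: the client's X-Forwarded-For with
/// $remote_addr appended, or just $remote_addr when the client sent none.
fn proxy_add_x_forwarded_for(client_xff: Option<&str>, remote_addr: IpAddr) -> String {
    match client_xff {
        Some(v) if !v.trim().is_empty() => format!("{}, {}", v, remote_addr),
        _ => remote_addr.to_string(),
    }
}

/// Value nginx forwards in X-Real-IP for the given setting.
fn x_real_ip_header(src: RealIpSource, client_xff: Option<&str>, remote_addr: IpAddr) -> String {
    match src {
        RealIpSource::ProxyAddXForwardedFor => proxy_add_x_forwarded_for(client_xff, remote_addr),
        RealIpSource::RemoteAddr => remote_addr.to_string(),
    }
}

/// Assumed backend model: use X-Real-IP when it parses as one IP address,
/// otherwise fall back to the socket peer (the proxy itself).
fn backend_client_ip(x_real_ip: &str, socket_peer: IpAddr) -> IpAddr {
    x_real_ip.trim().parse().unwrap_or(socket_peer)
}

fn main() {
    let proxy: IpAddr = "127.0.0.1".parse().unwrap(); // backend's socket peer
    let client: IpAddr = "203.0.113.7".parse().unwrap(); // constructed: nginx $remote_addr
    // Constructed requests: one without X-Forwarded-For, one that arrives with it set.
    for xff in [None, Some("198.51.100.99")] {
        for (name, src) in [
            ("$proxy_add_x_forwarded_for", RealIpSource::ProxyAddXForwardedFor),
            ("$remote_addr", RealIpSource::RemoteAddr),
        ] {
            let hdr = x_real_ip_header(src, xff, client);
            let logged = backend_client_ip(&hdr, proxy);
            println!("client XFF={:?}, X-Real-IP from {} = {:?}, logged IP = {}", xff, name, hdr, logged);
        }
    }
}
```

With `$proxy_add_x_forwarded_for`, a request that already carries `X-Forwarded-For` produces a comma-separated list in `X-Real-IP`, which does not parse as a single address, so the modelled backend logs the proxy's `127.0.0.1` again. `$remote_addr` always carries the address nginx saw on the connection.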
