starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 01:35:54 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #551] "New Device Logged In" shows wrong IP #355

New issue
Closed
opened 2026-03-03 01:28:19 +03:00 by kerem · 2 comments
kerem commented 2026-03-03 01:28:19 +03:00
Owner
Copy link

Originally created by @tycho on GitHub (Aug 1, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/551

The "New Device Logged In" email gave me this:

Date: Thursday, August 1, 2019 at 10:19
IP Address: 127.0.0.1
Device Type: Chrome

My nginx config is setting the X-Real-IP and X-Forwarded-For headers for the reverse proxy. Am I missing some other one that would make it recognize what the real client IP is? Or is bitwarden_rs just ignoring those headers for some reason?

Originally created by @tycho on GitHub (Aug 1, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/551 The "New Device Logged In" email gave me this: ``` Date: Thursday, August 1, 2019 at 10:19 IP Address: 127.0.0.1 Device Type: Chrome ``` My nginx config is setting the `X-Real-IP` and `X-Forwarded-For` headers for the reverse proxy. Am I missing some other one that would make it recognize what the real client IP is? Or is bitwarden_rs just ignoring those headers for some reason?
kerem closed this issue 2026-03-03 01:28:19 +03:00
kerem commented 2026-03-03 01:28:19 +03:00
Author
Owner
Copy link

@janost commented on GitHub (Aug 1, 2019):

Are you sure you are properly setting X-Real-IP?

I was able to reproduce the issue without that header, however adding it back fixed the issue.

<!-- gh-comment-id:517280406 --> @janost commented on GitHub (Aug 1, 2019): Are you sure you are properly setting `X-Real-IP`? I was able to reproduce the issue without that header, however adding it back fixed the issue.
kerem commented 2026-03-03 01:28:20 +03:00
Author
Owner
Copy link

@tycho commented on GitHub (Aug 1, 2019):

I just figured it out. nginx seems to violate the "principle of least astonishment" for me rather frequently.

Here's basically what I had (removed the unimportant stuff to focus on the issue itself):

upstream bitwarden {
        server 127.0.0.1:8378;
        keepalive 16;
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        [...]

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        location / {
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_pass http://bitwarden;
        }

        location /notifications/hub {
                proxy_pass http://127.0.0.1:3012;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }

        location /notifications/hub/negotiate {
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_pass http://bitwarden;
                access_log off;
        }
}

The problem was that apparently the proxy_set_headers in the server{} scope don't propagate to child location ... {} scopes. When I do this, it works as intended:

upstream bitwarden {
        server 127.0.0.1:8378;
        keepalive 16;
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        [...]


        location / {
                proxy_http_version 1.1;
                proxy_set_header Connection "";

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass http://bitwarden;
        }

        location /notifications/hub {
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass http://127.0.0.1:3012;
        }

        location /notifications/hub/negotiate {
                proxy_http_version 1.1;
                proxy_set_header Connection "";

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass http://bitwarden;
                access_log off;
        }
}

I feel like I should just write a tool that generates my nginx configs at this point. They are uncomfortably verbose and I end up doing a lot of duplication to get things to behave.

<!-- gh-comment-id:517287371 --> @tycho commented on GitHub (Aug 1, 2019): I just figured it out. nginx seems to violate the "principle of least astonishment" for me rather frequently. Here's basically what I had (removed the unimportant stuff to focus on the issue itself): ``` upstream bitwarden { server 127.0.0.1:8378; keepalive 16; } server { listen 443 ssl http2; listen [::]:443 ssl http2; [...] proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; location / { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_pass http://bitwarden; } location /notifications/hub { proxy_pass http://127.0.0.1:3012; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /notifications/hub/negotiate { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_pass http://bitwarden; access_log off; } } ``` The problem was that apparently the `proxy_set_header`s in the `server{}` scope don't propagate to child `location ... {}` scopes. When I do this, it works as intended: ``` upstream bitwarden { server 127.0.0.1:8378; keepalive 16; } server { listen 443 ssl http2; listen [::]:443 ssl http2; [...] location / { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://bitwarden; } location /notifications/hub { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:3012; } location /notifications/hub/negotiate { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://bitwarden; access_log off; } } ``` I feel like I should just write a tool that generates my nginx configs at this point. They are uncomfortably verbose and I end up doing a *lot* of duplication to get things to behave.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#355
No description provided.