[GH-ISSUE #566] Wrong IP is banned with docker and nginx #369

New issue

Closed

opened 2026-03-03 01:28:27 +03:00 by kerem · 3 comments

kerem commented 2026-03-03 01:28:27 +03:00

Owner

Copy link

Originally created by @timaschew on GitHub (Aug 10, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/566

I'm using dokku (docker + nginx) and bitwarden_rs is showing the internal IP which is used to ban. But the real IP is not shown in the bitwarden logs. Instead the nginx contains the IP (access_log), but the context is missing (if it was an successful login or not). There is only the timestamp which could be used, but both have a different format and is it possible at all to substitute the IP from another log file filtered by a converted timestamp?

nginx/bitwardn-access.log:

89.145.194.0 - - [10/Aug/2019:23:05:28 +0200] "GET /admin HTTP/2.0" 200 1830 "https://bitwardn.awspace.de/admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

bitwarden.log

[2019-08-10 20:58:54][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 172.17.0.1

BTW: I tried both: with chain=FORWARD and without

Originally created by @timaschew on GitHub (Aug 10, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/566 I'm using dokku (docker + nginx) and bitwarden_rs is showing the internal IP which is used to ban. But the real IP is not shown in the bitwarden logs. Instead the nginx contains the IP (access_log), but the context is missing (if it was an successful login or not). There is only the timestamp which could be used, but both have a different format and is it possible at all to substitute the IP from another log file filtered by a converted timestamp? nginx/bitwardn-access.log: ``` 89.145.194.0 - - [10/Aug/2019:23:05:28 +0200] "GET /admin HTTP/2.0" 200 1830 "https://bitwardn.awspace.de/admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 ``` bitwarden.log ``` [2019-08-10 20:58:54][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 172.17.0.1 ``` BTW: I tried both: with `chain=FORWARD` and without

kerem closed this issue 2026-03-03 01:28:27 +03:00

kerem commented 2026-03-03 01:28:28 +03:00

Author

Owner

Copy link

@dani-garcia commented on GitHub (Aug 10, 2019):

You need to make sure that the proxy is sending the X-Real-IP Header, otherwise it won't work correctly. Look at the example in the wiki: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#nginx-by-shauder

<!-- gh-comment-id:520181616 --> @dani-garcia commented on GitHub (Aug 10, 2019): You need to make sure that the proxy is sending the X-Real-IP Header, otherwise it won't work correctly. Look at the example in the wiki: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#nginx-by-shauder

kerem commented 2026-03-03 01:28:28 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Aug 13, 2019):

@timaschew I have it setup the same as the link @dani-garcia posted.
I get for both the default login and /admin login the correct IP in both the bitwarden log and my nginx log.
The only thing which is a bit strange/out-of-standards is that the default login page returns a HTTP 400 and the admin token login returns a 303. Which i think should be 401 Unauthorized.

<!-- gh-comment-id:520776310 --> @BlackDex commented on GitHub (Aug 13, 2019): @timaschew I have it setup the same as the link @dani-garcia posted. I get for both the default login and /admin login the correct IP in both the bitwarden log and my nginx log. The only thing which is a bit strange/out-of-standards is that the default login page returns a HTTP 400 and the admin token login returns a 303. Which i think should be 401 Unauthorized.

kerem commented 2026-03-03 01:28:28 +03:00

Author

Owner

Copy link

@timaschew commented on GitHub (Aug 24, 2019):

Why bitwarden_rs is not using X-Forwarded-For which seems to be quite common?

Anyway, it works using X-Real-IP, thanks!

<!-- gh-comment-id:524580155 --> @timaschew commented on GitHub (Aug 24, 2019): Why bitwarden_rs is not using `X-Forwarded-For` which seems to be quite common? Anyway, it works using `X-Real-IP`, thanks!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#369

No description provided.