Configure Bitwarden Unified server behind a proxy, i.e. nginx proxy manager. Configure SMTP settings appropriately.
Create a new user in Bitwarden and log in for the first time to generate the ‘New device Logged In’ email.
Open the email; the IP being logged is the proxy host IP address.
Additionally identity logs in /var/log/bitwarden are also logging internal proxy host IP and not expected WAN IP.
There have been similar issues logged historically similar to this and real ip from config.yml needed to be updated with ip address of proxy host. Couldn’t find where this needs to be set in Unified deployment.
Expected Result
IP logged should be WAN IP
Actual Result
IP logged is the internal IP of the Proxy host.
The proxy in front of Bitwarden unified is logging the real WAN IP via client [121.x.x.x]. I can see so in the access log.
[04/Jan/2023:15:14:14 +1100] - 200 200 - POST https mybitwardenserver.tld "/identity/accounts/prelogin" [Client 121.x.x.x] [Length 47] [Gzip -] [Sent-to 10.0.0.3] "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1" "https://mybitwardenserver.tld/"
The internal nginx proxy in the docker Bitwarden unified image, logs the remote IP incorrectly as the fronted proxy host server internal IP in /var/log/nginx/access.log. [10.0.0.24]
10.0.0.24 - - [04/Jan/2023:15:14:14 +1100] "POST /identity/accounts/prelogin HTTP/1.1" 200 58 "https://mybitwardenserver.tld/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1" "121.x.x.x, 121.x.x.x"
Also WAN IP is not logged correctly in /var/log/bitwarden/identity.log, which is logging the host IP of the internal fronted proxy server which Bitwarden sits behind, and it seems this IP is being used when sending new device login emails.
Failed login attempt, 2FA invalid. 10.0.0.24
Screenshots or Videos
Additional Context
Nginx proxy manager advanced config of the fronted proxy server which bitwarden sits behind:
I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
seanob86 changed the title from "Proxy IP being logged when behind proxy" to "Internal Proxy IP being logged instead of remote WAN IP when behind proxy" on Jan 4, 2023
I managed to work around this issue by copying proxy.conf to the host and modifying it, adding 1 line per below. Then I mapped proxy.conf in the docker-compose.yml.
set_real_ip_from [my proxy ip];
Now nginx inside the image is logging with WAN IP - 121.x.x.x
121.x.x.x - - [04/Jan/2023:18:49:10 +1100] "GET /70501c97b33df95adb32.json HTTP/1.1" 304 0 "https://mybitwardenserver.tld/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1" "121.x.x.x, 121.x.x.x.x"
In identity.log and entering incorrect credentials, WAN IP is now being logged correctly.
Failed login attempt, 2FA invalid. 121.x.x.x
I am by no means an expert so for now this will get me by. Perhaps there is an environment variable which can be added to specify the IP/IP’s.
EDIT: Closing this. There is indeed an environment variable which I wasn’t aware of in the first place BW_REAL_IPS
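The behaviour reported above, as an added example that is not code from the issue or from Bitwarden: a simplified Python model of how nginx's realip module picks the address it logs, showing why `set_real_ip_from` should list only the fronting proxy. It assumes the forwarded header is X-Forwarded-For; `resolve_client_ip` is a hypothetical helper, and 203.0.113.7 and 198.51.100.99 are constructed stand-ins for the redacted WAN address and a client-supplied header entry.

```python
from ipaddress import ip_address, ip_network


def resolve_client_ip(remote_addr, forwarded_for, trusted, recursive=False):
    """Simplified model of nginx realip: return the address that gets logged.

    remote_addr   -- peer address of the TCP connection (the fronting proxy)
    forwarded_for -- raw X-Forwarded-For header value (assumed header name)
    trusted       -- addresses/CIDRs listed in set_real_ip_from
    recursive     -- models real_ip_recursive on/off
    """
    nets = [ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(ip_address(addr) in net for net in nets)

    # The header is only honoured when the peer itself is a trusted proxy.
    if not forwarded_for or not is_trusted(remote_addr):
        return remote_addr

    chosen = remote_addr
    # Walk the header right to left: the rightmost entry was appended by
    # the nearest proxy; entries further left may be client-supplied.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep what we have so far
        chosen = hop
        if not recursive or not is_trusted(hop):
            break
    return chosen


PROXY = "10.0.0.24"    # fronting proxy address from the issue
WAN = "203.0.113.7"    # constructed stand-in for the redacted 121.x.x.x
CLIENT_SUPPLIED = "198.51.100.99, " + WAN  # constructed: header arrived pre-filled

if __name__ == "__main__":
    # No set_real_ip_from: the proxy address is logged (the reported result).
    print(resolve_client_ip(PROXY, WAN, []))
    # set_real_ip_from 10.0.0.24: the WAN address is logged (the workaround).
    print(resolve_client_ip(PROXY, WAN, [PROXY]))
    # Narrow trust ignores the client-supplied leftmost entry.
    print(resolve_client_ip(PROXY, CLIENT_SUPPLIED, [PROXY], recursive=True))
    # Over-broad trust lets a client-supplied entry end up in the logs.
    print(resolve_client_ip(PROXY, CLIENT_SUPPLIED, ["0.0.0.0/0"], recursive=True))
```

The same trust list is what the login emails and identity.log depend on, so an over-broad range affects audit data as well as access logs.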
Nginx.conf logs per this
Githash Version
455d62e-dirty
Environment Details
Database Image
postgres:14
Issue-Link
#2480
Issue Tracking Info