Howto forward the client IP when self hosting using Apache-Proxy


tl;dr: My problem:
Occasionally I get an E-Mail from my bitwarden instance, that someone accessed my vault. The problem is, that the client ip listed in the E-Mail is the private IP from my reverse proxy. That is not quite helpful as i don’t know from where the remote client was accessing it.

I have set up bitwarden on my proxmox server within a Virtual Machine (ubuntu 18.04 LTS) using the install script ( and docker. As a reverse proxy i’m using Apache, which also maintains certificates from let’s encrypt. I setup bitwarden to use self-signed certificates, therefore i need to use the SSLProxyCheck* directives.

How can i forward the correct client IP to bitwarden? Do i have to make a config change in the reverse proxy config, or do i have to change it in the bitwarden docker-compose.yml?

My config from /etc/apache2/sites-enabled/ is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
 ProxyPreserveHost On
 ProxyPass /.well-known !
 ProxyPass /
 ProxyPassReverse /
 RewriteEngine on

 SSLProxyEngine On
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off

 ErrorLog ${APACHE_LOG_DIR}/bitwarden.mydomain.com_error.log
 CustomLog ${APACHE_LOG_DIR}/bitwarden.mydomain.com_access.log combined

 # Some rewrite rules in this file were disabled on your HTTPS site,
 # because they have the potential to create redirection loops.

 # RewriteCond %{SERVER_NAME}
 # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

 SSLCertificateFile /etc/letsencrypt/live/
 SSLCertificateKeyFile /etc/letsencrypt/live/
 Include /etc/letsencrypt/options-ssl-apache.conf

Thanks in advance,



Just in case someone lands also here. This was my solution.

open bwdata/config.yml on the bitwarden host and enter the IP address of the reverse proxy in the real_ips section.

# this is the private IP of my reverse proxy

afterwards i had to update the configurations with

./ updateconf

and restart bitwarden with

./ restart

Afterwards i got the correct IP addresses in the notification E-Mails.