How to forward the client IP when self-hosting using an Apache proxy

Hi,

tl;dr: My problem:
Occasionally I get an e-mail from my Bitwarden instance saying that someone accessed my vault. The problem is that the client IP listed in the e-mail is the private IP of my reverse proxy. That is not very helpful, as I don't know where the remote client was accessing it from.

I have set up Bitwarden on my Proxmox server within a virtual machine (Ubuntu 18.04 LTS) using the install script (bitwarden.sh) and Docker. As a reverse proxy I'm using Apache, which also maintains certificates from Let's Encrypt. I set up Bitwarden to use self-signed certificates, therefore I need to use the SSLProxyCheck* directives.

How can I forward the correct client IP to Bitwarden? Do I have to make a config change in the reverse proxy config, or do I have to change it in the Bitwarden docker-compose.yml?

My config from /etc/apache2/sites-enabled/ is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
 ServerName bitwarden.mydomain.com
 ProxyPreserveHost On
 ProxyPass /.well-known !
 ProxyPass / https://192.168.2.40:443/
 ProxyPassReverse / https://192.168.2.40:443/
 RewriteEngine on

 SSLProxyEngine On
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off

 ErrorLog ${APACHE_LOG_DIR}/bitwarden.mydomain.com_error.log
 CustomLog ${APACHE_LOG_DIR}/bitwarden.mydomain.com_access.log combined

 # Some rewrite rules in this file were disabled on your HTTPS site,
 # because they have the potential to create redirection loops.

 # RewriteCond %{SERVER_NAME} =bitwarden.mydomain.com
 # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

 SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Thanks in advance,

BR,

Michael

Just in case someone else also lands here, this was my solution.

Open bwdata/config.yml on the Bitwarden host and enter the IP address of the reverse proxy in the real_ips section.

real_ips:
# this is the private IP of my reverse proxy
- 192.168.2.4

Afterwards I had to update the configurations with

./bitwarden.sh updateconf

and restart Bitwarden with

./bitwarden.sh restart

Afterwards I got the correct IP addresses in the notification e-mails.

Thanks,

BR,

Michael
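
Added example (not part of the original posts and not Bitwarden's own code): a Python sketch of the trusted-proxy rule that a setting like real_ips expresses, showing why the backend logged the proxy address until the proxy was listed. It generalizes to multi-hop X-Forwarded-For headers. Assumptions: the function name resolve_client_ip is hypothetical, the header is X-Forwarded-For as added by Apache mod_proxy, and the client address 203.0.113.7 is a constructed sample.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Pick the address a backend should log as the client.

    peer_ip         -- source address of the connection the backend sees
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- IPs/CIDRs allowed to supply the header (the role
                       real_ips plays in config.yml)
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    if not xff_header or not is_trusted(current):
        # A header sent by an untrusted peer is client-controlled: ignore it.
        return str(current)

    # Each proxy appends the address it received from, so walk right to left
    # and stop at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could parse
        if not is_trusted(current):
            break
    return str(current)

if __name__ == "__main__":
    PROXY = "192.168.2.4"    # reverse proxy address from the post
    CLIENT = "203.0.113.7"   # constructed sample client (documentation range)
    # Before the fix: proxy not trusted, so the proxy itself is logged.
    print(resolve_client_ip(PROXY, CLIENT, []))
    # After the fix: proxy listed, so the forwarded client is logged.
    print(resolve_client_ip(PROXY, CLIENT, [PROXY]))
    # Client-supplied entry ahead of the proxy's own is not believed.
    print(resolve_client_ip(PROXY, "10.9.9.9, " + CLIENT, [PROXY]))
```

Listing a whole subnet instead of the single proxy address would let any host in that range set the logged IP, so keep the trusted list as narrow as the deployment allows.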