I'm stuck getting Bitwarden working behind the nginx plugin on OPNsense, using the SSL ACME client on OPNsense.

I have followed these instructions

and am unable to get the SSL to work and unable to use the mobile device.

Where it states real_ip: what should the IP address be? Is it the OPNsense IP address where the nginx plugin is installed?

Yes - real_ips should list any proxies that are responsible for passing the traffic onto the Bitwarden server:

However, the effect of mis-configuring real_ips will simply be that Bitwarden reports the wrong IP address of external users. It will not affect SSL.

I’d recommend looking through the SSL setup documentation here:

and checking that your setup respects this part of the docs:

I’m sure it’s just a typo in this post, but just FYI the actual variable is “BW_REAL_IPS”, not REAL_IP. Or perhaps you aren’t talking about the Bitwarden Container variable but the nginx variable?

So I will have to put my OPNsense IP address for the nginx proxy plugin?

The following section of /bwdata/config.yml should point to your opnsense reverse proxy, yes:

#
# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forw>
# client IP address.
# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
#
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:

This is as described here:

So, for example: 192.168.1.0/24 or 192.168.1.1? Right?

There are examples of valid values for real_ips, including values for individual IPs and dictionaries of IPs, in the linked article. Please refer to the article when setting values that work for your installation!

This is where I get confused!

Can you give me some examples? Please and thank you

There are examples contained within the guide here if you want to set multiple IPs, and here for a single IP.

You likely have a single IP, so you should:

  • edit config.yml
  • set the real_ips part to match your opnsense IP, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:
- 192.168.25.15/32

if your OPNsense IP is 192.168.25.15

  • run the rebuild command
  • run the restart command
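An added example, not from this thread or from Bitwarden's own code, that models what the real_ips entry actually does once it reaches nginx: the realip module only believes an X-Forwarded-For header from a peer listed as trusted, which is why a wrong value changes the client IP Bitwarden reports but never touches SSL. It assumes the proxy is configured with real_ip_header X-Forwarded-For and real_ip_recursive on; all addresses are constructed sample values.

```python
import ipaddress

def trusted_networks(real_ips):
    """Parse config.yml-style real_ips entries into networks. A bare address
    such as '192.168.25.15' is accepted and treated as a /32 (or /128)."""
    return [ipaddress.ip_network(v, strict=False) for v in real_ips]

def is_trusted(addr, nets):
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    return any(ip in n for n in nets)

def real_client_ip(remote_addr, x_forwarded_for, real_ips):
    """Model of ngx_http_realip_module with real_ip_header X-Forwarded-For and
    real_ip_recursive on (assumed settings). remote_addr is the TCP peer (the
    OPNsense proxy in this thread), x_forwarded_for the header it forwarded.
    Trusted hops are skipped from the right; the first untrusted hop is the
    client. An untrusted peer cannot rewrite its own address: its header is
    ignored, so an empty real_ips makes every user look like the proxy."""
    nets = trusted_networks(real_ips)
    if not is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            untrusted = not is_trusted(hop, nets)
        except ValueError:      # malformed hop: nginx leaves the address alone
            return remote_addr
        if untrusted:
            return hop
    # every hop was a trusted proxy: the leftmost one is all that is left
    return hops[0] if hops else remote_addr

def nginx_realip_directives(real_ips):
    """The directives a real_ips list corresponds to (one set_real_ip_from per
    entry). Illustration only: check the generated /bwdata/nginx config for
    what your Bitwarden version actually emits."""
    lines = [f"set_real_ip_from {n};" for n in trusted_networks(real_ips)]
    return lines + ["real_ip_header X-Forwarded-For;", "real_ip_recursive on;"]
```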

So if my OPNsense is on 192.168.1.1, I will have to put 192.168.1.1/32?

I have put my real IP, 192.168.1.1/32. It is still not working for nginx and the ACME client in my OPNsense, but I am still allowed to use my own domain to access Bitwarden. SSL is not working.

As we discussed previously, the real_ips setting is not related to SSL handling:

However, the effect of mis-configuring real_ips will simply be that Bitwarden reports the wrong IP address of external users. It will not affect SSL.

I think that what would be best at this stage would be that you:

  • look into the error logs being reported. The relevant sources of logs are your browser, Bitwarden’s /logs/nginx/access and /logs/nginx/error logs (the access in particular will tell you whether traffic is actually making it to Bitwarden), and the equivalent logs at the nginx reverse proxy on OPNsense (accessible via the GUI as indicated in the Guide)
  • start again, taking what you’ve learned from this attempt and looking out for specific areas related to your issues. E.g., in the reverse-proxy settings between the OPNsense nginx instance and Bitwarden’s nginx container there are settings related specifically to the TLS certificate presented by the Bitwarden nginx container. Have you set these correctly?

Using a combination of these 2 approaches you should be able to get things going. If you need more help, then be sure to bring your own diagnosis & supporting error-logs along so that the community can help you!

Error.log

2026/05/04 15:23:01 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 15:23:01 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 15:29:30 [warn] 36#36: *19 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/00/0000000001 while reading>
2026/05/04 15:29:30 [warn] 36#36: *19 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/2/00/0000000002 while reading>
2026/05/04 15:29:31 [warn] 36#36: *19 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/3/00/0000000003 while reading>
2026/05/04 19:30:29 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 19:30:29 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.>
2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.>
2026/05/04 19:30:57 [warn] 38#38: *14 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/00/0000000001 while rea>
2026/05/04 19:30:58 [warn] 38#38: *14 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/2/00/0000000002 while reading>
2026/05/04 19:30:59 [warn] 38#38: *14 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/3/00/0000000003 while reading>
2026/05/04 20:09:12 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 20:09:12 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:>
2026/05/04 20:10:11 [warn] 36#36: *5 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/00/0000000001 while reading >
2026/05/04 20:10:11 [warn] 36#36: *5 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/2/00/0000000002 while reading >
2026/05/04 20:10:12 [warn] 36#36: *5 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/3/00/0000000003 while reading >

Access.log

[04/May/2026:00:00:04 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:00:34 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:01:04 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:01:34 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:02:04 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:02:34 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:03:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:03:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:04:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:04:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:05:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:05:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:06:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:06:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:07:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:07:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:08:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:08:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:09:05 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:09:35 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:10:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:10:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:11:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:11:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:12:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:12:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:13:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:13:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:14:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:14:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:15:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:15:36 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:16:06 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:16:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:17:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:17:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:18:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:18:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:19:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:19:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:20:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:20:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:21:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:21:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:22:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:22:37 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:23:07 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:23:38 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:24:08 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:24:38 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"
::1 - - [04/May/2026:00:25:08 +0000] "GET /alive HTTP/2.0" 200 5 "-" "curl/8.17.0" "-"

These are the logs from the Bitwarden-provided nginx container? You’ll need to provide all logs, as detailed in the previous post.

This access log shows that no external clients are hitting it.

The error log has a couple of interesting lines. What happens in the access log at 2026/05/04 19:30:54? You can tail all logs while attempting an external connection to see which ones actually matter. What do those IPs refer to? You can use docker container inspect to check.

It looks like you’re missing logs from the other layers of this stack - you’ll need to look at those to troubleshoot effectively.

To my OPNsense 192.168.1.1 nginx plugin

Do you mean inspect the Nginx docker or Bitwarden?

You should use docker container inspect to identify what is responsible for:

2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.>
2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.>

That command will show a lot of information about the containers, including the IP they’ve been assigned for the current instantiation. You can use that information to understand what is the client and what is the server.

Regardless of this, the real troubleshooting will be performed by understanding the end-to-end flow, and tailing the logs (at all points - especially the OPNsense nginx instance), seeing where the errors occur.
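An added example (not from this thread) of the triage the reply above describes: it parses nginx error-log lines of the shape posted earlier, counts the "connecting to upstream" failures per upstream address, and lists every client/server/upstream address so each one can be mapped to a container with docker container inspect or to the OPNsense proxy. The sample log is constructed to resemble the posted lines; the request, upstream and host fields after the cut-off are invented to show the full format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample modelled on the truncated lines posted in the thread.
SAMPLE_ERROR_LOG = """\
2026/05/04 19:30:29 [warn] 1#1: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:5
2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.2, request: "GET /api/config HTTP/1.1", upstream: "http://10.50.0.5:5000/api/config", host: "vault.example.test"
2026/05/04 19:30:54 [error] 38#38: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.0.81, server: 10.50.0.2, request: "GET /api/config HTTP/1.1", upstream: "http://10.50.0.6:5000/api/config", host: "vault.example.test"
2026/05/04 19:30:57 [warn] 38#38: *14 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/00/0000000001 while reading upstream, client: 10.100.0.81, server: 10.50.0.2, request: "GET /app/main.js HTTP/1.1", upstream: "http://10.50.0.7:5000/app/main.js", host: "vault.example.test"
"""

# "<date> <time> [<level>] <pid>#<tid>: [*<conn>] <message>, key: value, ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: "
                     r"(?:\*(?P<conn>\d+) )?(?P<rest>.*)$")
FIELD_RE = re.compile(r', (client|server|request|upstream|host): ("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_error_log(text):
    """Split each nginx error-log line into its header, the free-text message
    and the trailing key/value context fields (client, server, upstream, ...)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        rest = entry.pop("rest")
        entry["message"] = FIELD_RE.split(rest, maxsplit=1)[0]
        entry.update((k, v.strip('"')) for k, v in FIELD_RE.findall(rest))
        entries.append(entry)
    return entries

def upstream_failures(entries):
    """Count 'connecting to upstream' errors per upstream URL. A 111 here means
    nothing was listening at that address:port when the proxy tried it."""
    return Counter(e.get("upstream", "?") for e in entries
                   if e["level"] == "error" and "connecting to upstream" in e["message"])

def addresses_to_identify(entries):
    """Every client/server/upstream address in the log: the set to map back to
    containers (docker container inspect) or to the OPNsense proxy."""
    found = set()
    for e in entries:
        found.update(e[k] for k in ("client", "server") if k in e)
        if "upstream" in e:
            found.add(urlsplit(e["upstream"]).hostname)
    return sorted(found)
```

Feed it the real file with parse_error_log(open("/bwdata/logs/nginx/error.log").read()) and compare the addresses against the container IPs from docker container inspect.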

Do I need to remove the SSL cert location, because when I set up my Bitwarden it's signed on there? In config.yml, the SSL directory.