Real client IP address

Hello to all,

In my self-hosted instance, when the admin receives an email (on new connection or other topics), the IP (of the client) listed is the Docker bridge IP and not the real end-user IP.
Is there any way to get the real IP address?
Thanks for any clue.
And thanks for the Bitwarden software: it rocks!

Sabamimi

What you are looking for is ngx_http_realip_module:
http://nginx.org/en/docs/http/ngx_http_realip_module.html

There is a “real_ips” option in Bitwarden’s config.yml where you can add the IPs of trusted forwarders, e.g. a proxy server.

It simply adds blocks like this to bwdata/nginx/default.conf:
set_real_ip_from 172.22.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

2 Likes
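Added example (not part of the thread, and not Bitwarden's or nginx's own code): a simplified Python model of how the three directives above select the client address, showing why only the actual forwarder belongs in the trusted list. The function name and all addresses other than 172.22.0.1 are constructed for illustration; it assumes bare IP entries in the header (no ports).

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted, recursive=True):
    """Model of client-address selection with real_ip_header X-Forwarded-For.

    peer      -- address of the TCP connection as nginx sees it
    xff       -- value of the X-Forwarded-For header
    trusted   -- the set_real_ip_from entries (addresses or CIDR ranges)
    recursive -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    addr = peer
    # Walk the header right to left; an entry is only believed while the
    # address that reported it is in the trusted list.
    for hop in reversed(hops):
        if not is_trusted(addr):
            break
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = hop
        if not recursive:
            break  # real_ip_recursive off: only the last entry is used
    return addr


# 172.22.0.1 is the forwarder from the thread; every other address is a
# constructed sample value.
PROXY = "172.22.0.1"
CASES = {
    "proxy trusted": resolve_client_ip(PROXY, "203.0.113.7", [PROXY]),
    "client-supplied entry ignored": resolve_client_ip(
        PROXY, "10.9.9.9, 203.0.113.7", [PROXY]),
    "over-broad trust believes it": resolve_client_ip(
        PROXY, "10.9.9.9, 203.0.113.7", ["0.0.0.0/0"]),
    "untrusted peer, header ignored": resolve_client_ip(
        "198.51.100.20", "10.9.9.9", [PROXY]),
}

if __name__ == "__main__":
    for name, ip in CASES.items():
        print(f"{name:32} -> {ip}")
```

With a trusted list limited to the forwarder, the address logged is the one the forwarder itself observed; a catch-all range makes the logged address whatever the client put in the header.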

Thanks, that’s exactly what I was looking for.

1 Like

Hi accolon,

All my attempts to specify an IP address (like) “real_ips: 172.22.0.1” in config.yml result in a crash during the update process…
Do you actually use this option? Can you spell out the syntax you use in config.yml?
Thanks

PS: worst case, I will add the block in bwdata/nginx/default.conf (but I would have to do it after each update…)

Yes, I’m using the option on my installation. The IPs are required as a YAML list, so it should look like this (even when there is only one item):

real_ips:
- 172.22.0.1

I’m not sure whether this is documented anywhere, I remember looking at the source code…

1 Like

accolon,

Thanks a bunch!
(I should have known, since I am using a YAML config file in HomeAssistant…)
Thanks again for taking the time to help, appreciated!

Hello @accolon

I am using the Bitwarden self-hosted version and I have the same issue.
I checked all settings mentioned by @sabamimi and tried to use your solution by adding the reverse proxy IP to the real_ips entry in config.yml,
but I failed to get it to work. I should mention the difference between my installation and sabamimi's installation:
my installation uses [::1] as the IP for the reverse proxy in the nginx config file, so should I add the following to real_ips?
- 127.0.0.1
- ::1

or
- 127.0.0.1
- [::1]

Or do I need to bind to a specific IP other than the loopback to be able to do so?

Thanks in advance,