Real IP of Client With BW Self Host and Nginx Proxy Manager in a Container?

I have Bitwarden Unified in a Container running on a Synology NAS. I use Nginx Proxy Manager as a reverse proxy. In the Bitwarden logs it looks like all clients are coming from the Nginx Proxy Manager container IP. I have found half a dozen ‘solutions’ to pass the real IP of the client to Bitwarden, however not a single one I have found has worked so far. Has anyone found a working solution to this? I’d love some help, spent probably 10 hours on this so far with no success.

The existence of carrier-grade-NAT makes source-address filtering an unsustainable solution unless you are renting a public IP from your ISP and avoiding mobile devices.

Much more sustainable are mTLS (which the Bitwarden client does not yet support – vote for it), communicating over a client-to-site VPN, or using a strong Master Password and trusting Bitwarden’s encryption.

All good recommendations, just none which address my issue. In the end I’ll probably give up and just close the WAN door and VPN in. Feels like defeat, but more secure than having the door open in the first place of course.

Even having a public IP doesn’t solve this issue. The likely culprit is that the bitwarden-nginx container receives incoming connections through Docker’s NAT, which masks the real client IP.

Has anyone managed to resolve this?

I redeployed the Bitwarden Container with the REAL_IPS flag set to the Nginx container IP and Bitwarden now reports the actual connecting client IP. In the end the fix was much simpler than I’ve found online saying I had to edit Nginx configs and set advanced settings in the proxy. It just works now and I haven’t done any of those other recommendations.

Where is the REAL_IPS flag actually defined?
I tried modifying ./bwdata/config.yml (no effect), and also tried setting it via the uid.override.env file (didn’t work either).

Even using the entire Docker subnet (172.16.0.0/12) produced no result.

Note, following the example in precompiled config.yml made Bitwarden automatically rewrite config.yml:

I’ll write

real_ips: ['10.10.0.0/24', '172.16.0.0/16']

After the first run I found:

real_ips:
- 10.10.0.0/24
- 172.16.0.0/12
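
Added illustration (not part of the thread, and not Bitwarden's or Nginx Proxy Manager's code): a Python model of conventional trusted-proxy resolution, showing why the logs record the proxy container's address until that address is listed as trusted, and why the list should stay narrow. It assumes a REAL_IPS-style list acts as the set of peers allowed to supply X-Forwarded-For, and walks the header recursively from right to left; `resolve_client_ip` and all addresses are constructed for the example.

```python
import ipaddress

def resolve_client_ip(peer, x_forwarded_for, trusted_proxies):
    """Return the address a backend should log as the client.

    peer            -- source address of the TCP connection the backend sees
    x_forwarded_for -- raw header value, or None/"" when absent
    trusted_proxies -- addresses/CIDRs allowed to supply the header
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer)
    # A header from an untrusted peer is ignored: anyone can send one.
    if not trusted(current) or not x_forwarded_for:
        return str(current)
    # Walk right to left; a hop is believed only because the hop that
    # reported it was trusted. Stop at the first untrusted address.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = candidate
        if not trusted(current):
            break
    return str(current)

# Constructed sample addresses (documentation and private ranges).
PROXY = "172.18.0.5"     # hypothetical reverse-proxy container
OTHER = "172.18.0.9"     # hypothetical unrelated container on the same bridge
CLIENT = "203.0.113.7"   # real client as seen by the proxy

if __name__ == "__main__":
    # Symptom in the thread: proxy not trusted, so the proxy IP is logged.
    print(resolve_client_ip(PROXY, CLIENT, []))
    # Proxy trusted: the forwarded client address is logged.
    print(resolve_client_ip(PROXY, CLIENT, [PROXY]))
    # Client-supplied header entry is skipped; the proxy's own entry wins.
    print(resolve_client_ip(PROXY, "198.51.100.9, " + CLIENT, [PROXY]))
    # Whole Docker range trusted: any container there can assert an address.
    print(resolve_client_ip(OTHER, "10.1.1.1", ["172.16.0.0/12"]))
    # Narrow list: the same request is logged under its true source.
    print(resolve_client_ip(OTHER, "10.1.1.1", [PROXY]))
```
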
