
Docker gateway IP in new Device email

Open kyberorg opened this issue 2 years ago • 3 comments

Steps To Reproduce

  1. Install self-hosted Bitwarden
  2. Change the http port to another one like 12345 and disable the https port
  3. Apply the email server configuration
  4. Install Nginx Proxy Manager or Nginx as a docker-compose stack on the same host
  5. Create a vhost which does SSL termination and proxies everything to bitwarden-nginx (http://host:12345)
  6. Access Bitwarden and log in
  7. Wait for the email (new device logged in)

Expected Result

Your Bitwarden account was just logged into from a new device.
Date: Tuesday, September 6, 2022 at 10:38 AM UTC
IP Address: 1.2.3.4 (external IP)
Device Type: Firefox

Actual Result

Your Bitwarden account was just logged into from a new device.
Date: Tuesday, September 6, 2022 at 10:38 AM UTC
IP Address: 172.27.0.1
Device Type: Firefox

Screenshots or Videos

Email: image

Bitwarden-nginx container networks: image

Additional Context

My bwdata/config.yaml is:

real_ips:
- 192.168.5.1
- 192.168.5.0/30

192.168.5.1 is my nginx (npm) address.

which results in the following nginx config in bwdata/nginx/default.conf:

set_real_ip_from 192.168.5.1;
set_real_ip_from 192.168.5.0/30;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

X-Forwarded-For is forwarded for sure, because in the logs I see:

172.27.0.1 - - [06/Sep/2022:10:57:06 +0000] "GET / HTTP/1.1" 200 617 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0" "90.191.77.225"
172.27.0.1 - - [06/Sep/2022:10:57:07 +0000] "GET /theme_head.5f24ba8d7aa944e6f52b.js HTTP/1.1" 200 330 "https://bw.domain.tld/" "Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0" "90.191.77.225"

So 90.191.77.225 is $http_x_forwarded_for.

This might not be a bug but a pure configuration issue.

Build Version

2022.8.4

Environment

Self-Hosted

Environment Details

  • OS: ArchLinux
  • Env: Docker Swarm (docker engine version 20.10.17)
  • Hardware: VM (16 CPU/8 GB RAM)

kyberorg avatar Sep 06 '22 11:09 kyberorg

The solution from https://github.com/bitwarden/server/issues/509 doesn't help.

kyberorg avatar Sep 06 '22 11:09 kyberorg

Hi @kyberorg thank you for raising this issue. Since this issue appears to be a support request, it would be better if handled by our Customer Success team. Kindly connect with our official support team for further investigation.

dbosompem avatar Sep 06 '22 11:09 dbosompem

@dbosompem support ain't helped much.

What I discovered by myself:

Nginx configuration has:

real_ip_header X-Forwarded-For;

Here the application (bitwarden-web) reads the X-Real-IP header:
https://github.com/bitwarden/server/blob/7f5f010e1eea400300c47f776604ecf46c4b4f2d/src/Core/Utilities/CoreHelpers.cs#L589

kyberorg avatar Sep 08 '22 07:09 kyberorg

Hi @kyberorg,

Sorry to hear you're running into this problem. I was able to find your support ticket with our awesome integration engineer and it sounds like the configuration issue here is that either:

  1. X-Real-IP should be used everywhere in the path, including being set by NPM, while not setting XFF (this is how my reverse proxy Caddy works), or,
  2. More subnets need to be added to real_ips because the XFF dict isn't getting parsed enough by ServiceCollectionExtensions to leave it with only a single IP address in the header, that of the client IP

This issue will now be closed, but please reach back out to us via that email thread if you need any further assistance. You can add a link to this issue for reference. Thanks!

Larry-Sussman avatar Oct 26 '22 01:10 Larry-Sussman
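To see why the email ends up with the Docker gateway address, here is an added Python model (not Bitwarden's or nginx's code) of how nginx's realip module chooses the client address with `real_ip_header X-Forwarded-For` and `real_ip_recursive on`: the connecting address must itself match a `set_real_ip_from` entry before the header is consulted at all. It runs over a log line constructed in the format quoted in the issue; the `172.27.0.0/16` range used in the second lookup is an assumed Docker network, not a value from the thread.

```python
import ipaddress
import re

# Constructed log line in the same layout as the ones quoted in the issue:
# remote address first, X-Forwarded-For in the last quoted field.
SAMPLE_LOG = (
    '172.27.0.1 - - [06/Sep/2022:10:57:06 +0000] "GET / HTTP/1.1" 200 617 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0" '
    '"90.191.77.225"'
)

LOG_RE = re.compile(r'^(?P<remote>\S+) .*"(?P<xff>[^"]*)"$')


def parse_log_line(line):
    """Return (remote_addr, xff) from an access-log line; '-' means no header."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    xff = m.group("xff")
    return m.group("remote"), ("" if xff == "-" else xff)


def resolve_client_ip(remote_addr, xff, trusted, recursive=True):
    """Model of ngx_http_realip_module: which address becomes $remote_addr."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(ip):
        return any(ip in n for n in nets)

    # The peer must match set_real_ip_from, otherwise the header is ignored.
    if not is_trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = remote_addr
    # Walk the header right to left, skipping trusted proxies (recursive mode).
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # nginx stops at an unparseable element and keeps what it had
        client = str(hop_ip)
        if not recursive or not is_trusted(hop_ip):
            break
    return client


if __name__ == "__main__":
    remote, xff = parse_log_line(SAMPLE_LOG)
    # real_ips from the issue: the Docker gateway 172.27.0.1 is not in them.
    print(resolve_client_ip(remote, xff, ["192.168.5.1", "192.168.5.0/30"]))
    # Assumed Docker network added to real_ips: the external address wins.
    print(resolve_client_ip(remote, xff, ["192.168.5.0/30", "172.27.0.0/16"]))
```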