I notice that when using a reverse proxy, bitwarden_rs logs the wrong IP address:
[2018-12-17][09:47:45][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 127.0.0.1. Username: ...
This is especially sloppy looking since that error message gets surfaced to the user on the web vault.
My reverse proxy is setting the X-Forwarded-For header, but it seems that bitwarden_rs doesn't pay attention to that when determining the client IP?
Rocket uses X-Real-IP for retrieving the clients IP address, instead of X-Forwarded-For.
The error message comes from a time where we didn't have any decent logging in place, but it could be changed now to hide that info from the user.
Yep, I switched to X-Real-IP and that works! Thanks!
Oh, maybe the PROXY.md should make mention of the X-Real-IP thing. Here's what I did for nginx:
proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
True, I use Caddy which does this by default, so I didn't know. What do you think of adding these (to be equivalent with what Caddy sends)?
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
Seems reasonable to me!