Bitwarden_rs: ignoring X-Forwarded-For headers?

Created on 17 Dec 2018  路  5Comments  路  Source: dani-garcia/bitwarden_rs

I notice that when using a reverse proxy, bitwarden_rs logs the wrong IP address:

[2018-12-17][09:47:45][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 127.0.0.1. Username: ...

This is especially sloppy looking since that error message gets surfaced to the user on the web vault.

My reverse proxy is setting the X-Forwarded-For header, but it seems that bitwarden_rs doesn't pay attention to that when determining the client IP?

All 5 comments

Rocket uses X-Real-IP for retrieving the clients IP address, instead of X-Forwarded-For.

The error message comes from a time where we didn't have any decent logging in place, but it could be changed now to hide that info from the user.

Yep, I switched to X-Real-IP and that works! Thanks!

Oh, maybe the PROXY.md should make mention of the X-Real-IP thing. Here's what I did for nginx:

proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;

True, I use Caddy which does this by default, so I didn't know. What do you think of adding these (to be equivalent with what Caddy sends)?

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Seems reasonable to me!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

mprasil picture mprasil  路  4Comments

jjlin picture jjlin  路  5Comments

Jungack picture Jungack  路  3Comments

mikkelnl picture mikkelnl  路  3Comments

newkind picture newkind  路  4Comments