bitwarden / self-host

Bitwarden's self-hosted release repository
GNU General Public License v3.0

real_ips no longer forwards the real client IP address for integration with fail2ban #104

Closed vinnyperella closed 1 year ago

vinnyperella commented 1 year ago

I don't know when this stopped working. I know for a fact it worked at some point, but I had just noticed recently that the container IP address is shown in the identity logs rather than the real client IP address. The container IP address is also prepended with "::ffff:", which appears to be "an IPv4 address placed inside an IPv6 space" according to what I've found online. This is not my post, but it closely describes the problem I am seeing: https://community.bitwarden.com/t/identity-log-still-showing-container-ip-instead-of-real-ip/12836

I've configured the real_ips parameter in config.yml correctly (has not changed since it stopped working).

real_ips:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

I've verified they are added to the nginx default.conf and that the header "X-Forwarded-For" is set (I assume this is done when you perform a rebuild).

root@bitwarden:/opt/bitwarden/bwdata/nginx# grep real_ip default.conf 
  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
root@bitwarden:/opt/bitwarden/bwdata/nginx#

172.16.0.0/12 should cover any IP address the container gets assigned (172.16.0.0 - 172.31.255.255).

When I trigger a failed login this is what I see in the identity logs.

2023-05-16 12:06:45.345 -04:00 [Warning] Failed login attempt. ::ffff:172.20.0.9

And this is what I see in the nginx access.log which shows the real IPv4 address of the client.

169.150.197.121 - - [16/May/2023:16:23:37 +0000] "POST /identity/accounts/prelogin HTTP/2.0" 200 72 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0" "-"
169.150.197.121 - - [16/May/2023:16:23:41 +0000] "POST /identity/connect/token HTTP/2.0" 400 166 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0" "-"

I have a hunch this is due to the "::ffff:" prefix; I'm not sure if that was present when I first set up fail2ban. I have IPv6 disabled on the host that's running Bitwarden. I've tried commenting out the IPv6 listeners in the nginx config, but I still get the same result.

Looking for some guidance. I've tried to investigate this myself for the past couple of weeks and have not made any progress. Perhaps there's some config parameter I can change to get the real IP address again. I found an email generated by fail2ban back in November 2022 banning an IP for a Bitwarden failed login, so I know this worked, and I have not changed anything on my end, so I assume something with Bitwarden/docker/etc. changed.
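Editor's note, added example (not part of the issue above and not Bitwarden's code): the symptom described, fail2ban seeing a container address instead of the client, can be checked mechanically from the identity log before touching nginx. The script below parses "Failed login attempt." lines in the format quoted above, unwraps IPv4-mapped IPv6 addresses (the "::ffff:a.b.c.d" form) to plain IPv4 with the standard library's ipaddress module, and reports which logged addresses fall inside the configured real_ips ranges. Any failed-login entry whose address is inside those ranges is the proxy or container, not a client, so a ban on it would be useless; if every entry is internal, the set_real_ip_from / X-Forwarded-For chain is not taking effect. The log lines and the 203.0.113.45 client address are constructed for the example; the 172.20.0.9 address and the real_ips list are taken from the issue.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the identity log format quoted in
# the issue. 203.0.113.45 is an RFC 5737 documentation address standing in for
# a real client; 172.20.0.9 is the container address from the report.
SAMPLE_IDENTITY_LOG = """\
2023-05-16 12:06:45.345 -04:00 [Warning] Failed login attempt. ::ffff:172.20.0.9
2023-05-16 12:07:02.118 -04:00 [Warning] Failed login attempt. ::ffff:172.20.0.9
2023-05-16 12:09:30.001 -04:00 [Warning] Failed login attempt. 203.0.113.45
2023-05-16 12:10:11.512 -04:00 [Information] Unrelated message, must be ignored
"""

# The real_ips entries from config.yml, i.e. the networks nginx is told to
# trust via set_real_ip_from. A client address should never be in here.
REAL_IPS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Timestamp (date, time, UTC offset), level, message, address at end of line.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[Warning\] Failed login attempt\. (?P<addr>\S+)$"
)


def normalize_address(raw):
    """Parse an address as logged.

    '::ffff:172.20.0.9' is an IPv4-mapped IPv6 address; return the embedded
    IPv4 address so it can be compared against IPv4 ranges and fed to an
    IPv4 banning tool. Any other address is returned unchanged.
    """
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_internal(addr, trusted_nets):
    """True if addr lies inside one of the real_ips (proxy/container) ranges."""
    return any(addr in net for net in trusted_nets)


def audit_failed_logins(log_text, real_ips):
    """Return one record per failed-login line with the normalized address
    and whether it is an internal (proxy/container) address."""
    trusted = [ipaddress.ip_network(n) for n in real_ips]
    records = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue
        raw = m.group("addr")
        addr = normalize_address(raw)
        records.append({
            "timestamp": m.group("ts"),
            "raw": raw,
            "address": str(addr),
            "ipv4_mapped": raw != str(addr),
            "internal": is_internal(addr, trusted),
        })
    return records


def internal_addresses(records):
    """Distinct logged addresses that belong to the proxy/container ranges.
    A non-empty result means the real-IP chain is not reaching the identity
    service for those requests."""
    return sorted({r["address"] for r in records if r["internal"]})


def real_ip_forwarding_works(records):
    """False if any failed login was attributed to an internal address."""
    return bool(records) and not any(r["internal"] for r in records)


if __name__ == "__main__":
    recs = audit_failed_logins(SAMPLE_IDENTITY_LOG, REAL_IPS)
    for r in recs:
        flag = "PROXY/CONTAINER" if r["internal"] else "client"
        print(f"{r['timestamp']}  {r['raw']:>20} -> {r['address']:<15} {flag}")
    print("internal addresses seen:", internal_addresses(recs))
    print("real IP forwarding effective:", real_ip_forwarding_works(recs))
```

Run it against the actual identity log (for example the output of `docker logs bitwarden-identity`) with the real_ips list from bwdata/config.yml; every line flagged PROXY/CONTAINER is a login attempt whose source was lost before it reached the identity service, which is exactly what breaks fail2ban here. The same normalization (strip the IPv4-mapped prefix before matching against ranges) is what any banning filter needs to apply when the log carries "::ffff:" addresses.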

MarsCandyBars commented 1 year ago

Hi there!

Thank you for your report, it seems like it is a duplicate of this one: https://github.com/bitwarden/server/issues/2908

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time in there - our engineering team will be happy to review these.

This issue will now be closed.

Thanks!