dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

Client IP not logging correctly in logs #893

Closed karrots closed 4 years ago

karrots commented 4 years ago

While attempting to validate the fail2ban setup, I noticed that real IP addresses are not being shown correctly in the log files. I do have the transparent directive in the Caddyfile for each proxy entry. My config.json specifies X-Forwarded-For and X-Real-IP; both had the same outcome.

Your environment

Steps to reproduce

Setup per instructions at link https://github.com/dani-garcia/bitwarden_rs/wiki/Using-Docker-Compose

Expected behavior

Should show actual client IP addresses as listed in the X-Real-IP or X-Forwarded-For headers.

Actual behavior

Shows internal Docker IP addresses.

Relevant logs

[error][ERROR] Username or password is incorrect. Try again. IP: 192.168.32.1. Username: example@example.com

BlackDex commented 4 years ago

What does the log file of caddy tell you where the connection is coming from? Try to enable logging for caddy if it is not already.

BlackDex commented 4 years ago

Also for a short while, try to increase the log_level of bitwarden_rs to trace. This should show all the headers received during the request.

jjlin commented 4 years ago

I don't think this is a bitwarden_rs issue. You probably need https://caddyserver.com/v1/docs/http.realip.

karrots commented 4 years ago

@jjlin your suggestion would be correct if I were running another proxy in front of Caddy and using Caddy as an HTTP server. I'm using Caddy as a reverse proxy to bitwarden_rs; there is no other proxy in front of Caddy to add the X-Forwarded-For header in.

@BlackDex using trace level I am seeing the X-Real-Ip header with the docker private IP addresses. So it seems the issue is with the docker networking when using docker-compose. I'll have to see if I can find anything on this elsewhere.

Sample from log file. "X-Real-Ip"=[49, 57, 50, 46, 49, 54, 56, 46, 51, 50, 46, 49]

karrots commented 4 years ago

Fix is to specify host mode for the exposed ports.

https://github.com/moby/moby/issues/25526#issuecomment-463668116

In my docker-compose.yml I did it like this. If you have a newer docker-compose that supports the extended format mentioned in the link above you may not need to specify the host IP.

    ports:
      - "<HOSTIP>:80:80/tcp"
      - "<HOSTIP>:443:443/tcp"
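
A way to check for the symptom discussed in this thread, as an added example that is not part of the original discussion or of bitwarden_rs: it decodes the trace-level header byte list and flags any logged client address that falls in a private, loopback or link-local range, which is the address fail2ban would otherwise act on. The two log line shapes come from the posts above; the regexes, function names and the 203.0.113.7 line are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the two line shapes quoted in this thread, plus one
# login failure carrying a documentation-range public address for contrast.
SAMPLE_LOG = """\
[error][ERROR] Username or password is incorrect. Try again. IP: 192.168.32.1. Username: example@example.com
"X-Real-Ip"=[49, 57, 50, 46, 49, 54, 56, 46, 51, 50, 46, 49]
[error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: example@example.com
"""

LOGIN_RE = re.compile(r"IP: (\S+)\. Username:")
HEADER_RE = re.compile(r'"(X-Real-Ip|X-Forwarded-For)"=\[([\d, ]+)\]', re.I)

# Ranges that cannot identify a remote client: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def decode_header_bytes(byte_list):
    """Decode a trace-level byte list ('49, 57, ...') into the header text."""
    return bytes(int(b) for b in byte_list.split(",")).decode("ascii", "replace")

def is_internal(ip_text):
    """True if the address is internal, or unparsable (equally useless to ban)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)

def audit(log_text):
    """Return (line_no, source, ip, internal) for every client address found."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = HEADER_RE.search(line)
        if m:
            # X-Forwarded-For may hold a list; the leftmost entry is the claimed client.
            ip = decode_header_bytes(m.group(2)).split(",")[0].strip()
            findings.append((no, m.group(1), ip, is_internal(ip)))
            continue
        m = LOGIN_RE.search(line)
        if m:
            findings.append((no, "login-failure", m.group(1), is_internal(m.group(1))))
    return findings

if __name__ == "__main__":
    for no, source, ip, internal in audit(SAMPLE_LOG):
        print(f"line {no}: {source} -> {ip} {'INTERNAL' if internal else 'ok'}")
```

Any line flagged INTERNAL means the proxy itself is receiving a rewritten source address, so a fail2ban jail keyed on that log would ban the Docker gateway rather than the client.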