Sample configurations for running Bitwarden behind popular reverse proxies
A guide for an example deployment can be found on the Bitwarden Community Forums
A guide for an example deployment can also be found on the Bitwarden Community Forums
When proxying to Bitwarden, there are a few features of Bitwarden where the end-user IP address should be passed through to the Bitwarden server. These include:
- nginx access and error logs (/bwdata/logs/nginx)
- ‘New Device Logged in emails’
- Event Logs
When Bitwarden is directly accessed (i.e., connections from the Internet / an internal network directly hit the Bitwarden nginx container), the correct IPv4/v6 of the end-user will be passed through.
If Bitwarden is not directly accessed (i.e., access is first made to a reverse proxy server, which then proxies the connection on to the Bitwarden nginx container), then without special configuration the IP address of the proxy will be logged instead of the end-user's. In nginx, ngx_http_realip_module should be used to pass through the real IPs.
This module is not included by default in the nginx builds shipped by many package managers, including apt as used in Debian / Ubuntu. Unless the module is specifically installed, real IPs cannot be passed through, so this is an essential first configuration step.
Instructions for building nginx from source can be found here
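The following is an added example, not configuration taken from Bitwarden's own files: it shows the two halves of a real-IP setup using ngx_http_realip_module, with the front proxy setting the forwarding headers and the nginx in front of Bitwarden trusting them only from that proxy. The addresses (192.0.2.10 for the proxy, 192.0.2.20 for the Bitwarden nginx container), the hostname and the certificate paths are placeholders, and where the second fragment is placed in a given Bitwarden install is an assumption to adapt.

```nginx
# Check first that the module is compiled in: the output of `nginx -V`
# must list --with-http_realip_module, otherwise the directives in
# fragment 2 are rejected as unknown when nginx loads the configuration.

# ---- Fragment 1: front reverse proxy (http context) ----
server {
    listen 443 ssl;
    server_name bitwarden.example.com;                     # placeholder
    ssl_certificate     /etc/ssl/example/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;      # placeholder

    location / {
        proxy_pass http://192.0.2.20:80;                   # placeholder: Bitwarden nginx
        proxy_set_header Host              $host;
        # Address of the client as seen by this proxy.
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends the client address to any X-Forwarded-For the client sent.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ---- Fragment 2: nginx in front of Bitwarden (http or server context) ----
# Trust forwarding headers only when the connection comes from the proxy.
set_real_ip_from  192.0.2.10;          # placeholder: the reverse proxy's address
real_ip_header    X-Forwarded-For;
# Walk the header right to left and stop at the first address that is not
# a trusted proxy, so a value the client prepended itself is ignored.
real_ip_recursive on;

# Weak setting, shown for contrast and left commented out:
#   set_real_ip_from 0.0.0.0/0;
# This trusts the header from every source. Anything that can reach the
# container directly could then choose the address that is written to the
# nginx logs, the Event Logs and the new-device emails.
```

After reloading, a request made through the proxy should appear in /bwdata/logs/nginx with the end-user's address rather than the proxy's.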