If you proxy your Vaultwarden server through the Cloudflare CDN, or you run Vaultwarden in Docker, the server cannot see the real IP address of the client on a new login. As a result, plugins that depend on the client IP, such as fail2ban, cannot work properly.

Cause
The web server Vaultwarden uses is Rocket. Because Rocket does not support the X-Forwarded-For header, which HTTP proxies commonly use to identify the original client IP address, the client IP comes out wrong when you put Vaultwarden behind a reverse proxy. See the following explanation for details:
Client IP address is wrong when server is behind proxy · Issue #600 · dani-garcia/vaultwarden (github.com)
sercand commented on Sep 3, 2019:
Bitwarden uses rocket's client_id function of request which doesn't use X-Forwarded-For header to determine the client IP address. Proxies like Envoy and AWS Elastic Load Balancing use X-Forwarded-For header instead of X-Real-IP for forwarding client IP addresses.
Solution
By putting Vaultwarden behind a web server that supports the X-Real-IP and X-Forwarded-For headers, such as Nginx, Apache or Caddy, we can forward the client's IP address to Vaultwarden. Below I use Nginx for the demonstration:
- cd to the Nginx configuration directory (e.g. Debian, Ubuntu: /etc/nginx)
- In Nginx's sites-enabled folder, create a configuration file named vaultwarden.conf
- Type nano sites-enabled/vaultwarden.conf, then copy and paste the code below
server {
    listen 80 default_server;
    server_name your.vaultwarden.com;
    set_real_ip_from 172.16.0.0/12; # This IP range may differ depending on your environment; change it to match your actual setup.
    real_ip_header X-Forwarded-For;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://192.168.12.3:10001; # Vaultwarden's IP address
    }
}
After pressing Control X (^X) to save the configuration file, be sure to run service nginx restart so that the configuration takes effect.
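The two directives that do the work above are set_real_ip_from and real_ip_header: nginx only believes the X-Forwarded-For header when the TCP peer falls inside the trusted range, and it then rewrites $remote_addr, which is what the X-Real-IP header sent to Vaultwarden carries. The following is an added Python model of that resolution, not code from the original post or from nginx or Vaultwarden. All addresses (a Docker bridge proxy at 172.18.0.2, an end user at 203.0.113.7, an untrusted peer at 198.51.100.9) are constructed for the example, and the recursive option models nginx's real_ip_recursive directive, which the post's config does not set. It shows why the trusted range must be kept narrow: with 0.0.0.0/0 any client could choose the address Vaultwarden logs and fail2ban acts on.

```python
import ipaddress

# Constructed sample values (not from the original post): a Docker bridge
# address for the trusted proxy hop, and documentation-range addresses for
# the end user and for an untrusted peer that connects to nginx directly.
TRUSTED_PROXIES = ["172.16.0.0/12"]   # mirrors set_real_ip_from 172.16.0.0/12
DOCKER_PROXY = "172.18.0.2"           # hypothetical proxy inside the Docker network
END_USER = "203.0.113.7"              # hypothetical real client
UNTRUSTED_PEER = "198.51.100.9"       # hypothetical host talking to nginx directly


def _is_trusted(addr, trusted):
    """True when addr falls inside one of the set_real_ip_from ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_networks, recursive=False):
    """Simplified model of nginx's realip module with real_ip_header X-Forwarded-For.

    remote_addr      : the address nginx saw on the TCP connection
    x_forwarded_for  : the raw X-Forwarded-For header value, or None
    trusted_networks : the set_real_ip_from ranges
    recursive        : real_ip_recursive on/off

    Returns the value $remote_addr takes after the module runs, which is also
    the X-Real-IP header the post's config forwards to Vaultwarden.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    # The header is only believed when the direct peer is a trusted proxy;
    # anything an untrusted peer puts in X-Forwarded-For is ignored.
    if not x_forwarded_for or not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    try:
        for h in hops:
            ipaddress.ip_address(h)  # a malformed entry leaves $remote_addr unchanged
    except ValueError:
        return remote_addr

    if not recursive:
        # real_ip_recursive off (the default): take the last address in the header.
        return hops[-1]

    # real_ip_recursive on: walk right to left, skipping every trusted proxy,
    # and stop at the first address that is not one of our own proxies.
    for h in reversed(hops):
        if not _is_trusted(h, trusted):
            return h
    return hops[0]


def demo():
    """Return (description, resolved address) pairs for the cases that matter."""
    two_hops = f"{END_USER}, 172.18.0.5"  # end user, then a second internal proxy
    return [
        ("single trusted hop, header honoured",
         resolve_client_ip(DOCKER_PROXY, END_USER, TRUSTED_PROXIES)),
        ("untrusted peer, spoofed header ignored",
         resolve_client_ip(UNTRUSTED_PEER, "10.0.0.1", TRUSTED_PROXIES)),
        ("two hops, recursive off picks the inner proxy",
         resolve_client_ip(DOCKER_PROXY, two_hops, TRUSTED_PROXIES)),
        ("two hops, recursive on recovers the end user",
         resolve_client_ip(DOCKER_PROXY, two_hops, TRUSTED_PROXIES, recursive=True)),
        ("set_real_ip_from 0.0.0.0/0: anyone can spoof",
         resolve_client_ip(UNTRUSTED_PEER, "10.0.0.1", ["0.0.0.0/0"])),
    ]


if __name__ == "__main__":
    for label, ip in demo():
        print(f"{label:48s} -> {ip}")
```

The third and fourth cases are the ones to check in your own deployment: if there is more than one proxy hop between the client and nginx (for example a tunnel container in front of nginx), the default non-recursive behaviour hands Vaultwarden the address of the inner proxy, and the Diagnostics page will not show Match until the trusted range and recursion setting describe the real chain.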
Result
Open https://<your vaultwarden domain>/admin, enter the admin token, then open Diagnostics. If the IP header shows Match, the configuration has succeeded.
