https_proxy only works when specified as IP:Port, not Hostname:Port #391

New Issue

MrUnknownDE · 2026-04-05T21:07:08+02:00

MrUnknownDE commented

2026-04-05 21:07:08 +02:00

Originally created by @silentcreek on 8/23/2025

Prerequisites

I have searched the existing Closed AND Open Issues AND Discussions
I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.34.3
Web-vault version: v2025.7.0
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: SQLite
Database version: 3.50.2
Uses config.json: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: true
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: n/a
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "https://icons.bitwarden.net/",
  "_icon_service_url": "https://icons.bitwarden.net/{}/icon.png",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************",
  "domain_origin": "*****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": "***************",
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "bitwarden",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 90,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Caddy 2.10.0

Host/Server Operating System

Linux

Operating System Version

Debian 12.11

Clients

Android

Client Version

2025.8.0 (20577)

Steps To Reproduce

Run the Vaultwarden container with the environment variable https_proxy pointing to a server with a DNS name, e.g. https_proxy=http://myproxy.mydomain.tld:8443/
Attempt to login to your Vault using the Android app

Expected Result

Successful login and access to Vault

Actual Result

Login fails with the error message:
Error getting push token from bitwarden server: error sending request for url

The login via the Web interface works, however.

I also found the solution, which is to replace the hostname of the proxy with its IP address in the environment variable, then it works - see "Additional Context" for more info.

Logs

[2025-08-23 22:28:59.713][reqwest::connect][DEBUG] starting new connection: https://identity.bitwarden.eu/
[2025-08-23 22:28:59.713][reqwest::connect][DEBUG] proxy(http://myproxy.mydomain.net:8443/) intercepts 'https://identity.bitwarden.eu/'
[2025-08-23 22:28:59.714][hickory_proto::xfer::dns_handle][DEBUG] querying: myproxy.mydomain.net. A
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 192.168.139.1:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 10.0.2.3:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 8509:QUERY:RD:NoError:QUERY:0/0/0
; query
;; myproxy.mydomain.net. IN A

[2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 35618:QUERY:RD:NoError:QUERY:0/0/0
; query
;; myproxy.mydomain.net. IN A

[2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-08-23 22:28:59.715][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 35618
[2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0
; query
;; myproxy.mydomain.net. IN A
; answers 1
myproxy.mydomain.net. 218 IN A 192.168.139.1
; nameservers 0
; additionals 0

[2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0
; query
;; myproxy.mydomain.net. IN A
; answers 1
myproxy.mydomain.net. 218 IN A 192.168.139.1
; nameservers 0
; additionals 0

[2025-08-23 22:28:59.715][vaultwarden::api::push][ERROR] Error getting push token from bitwarden server: error sending request for url (https://identity.bitwarden.eu/connect/token)
[2025-08-23 22:28:59.715][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

[Note: I removed the real hostname of my Vaultwarden server from the logs.)

Screenshots or Videos

No response

Additional Context

I have a Vaultwarden instance that I've been using for more than a year. It's set up behind a reverse proxy as well as a web proxy for http(s) access. It used to work just fine until I recently got logged out of the Bitwarden app on my phone and wanted to log in again. Then I first received the error message, that the push token from the Bitwarden server could not be received. I first suspected a routing or firewall issue, but it turned out to be something else. If I replace the hostname of the proxy server with its IP address, everything works again.

What puzzels me is this:

I have specified the proxy by name since I first set up Vaultwarden more than a year ago and never had any issues logging in. That leads me to believe that either something in the Vaultwarden code or the Android app has changed at some point. Also, none of my other containers have any issue using the proxy defined by it's hostname or DNS name.
When I look at the debug logs, it seems to me that Vaultwarden correctly resolves the hostname of the proxy server before sending the request (so it's not a DNS issue), but then the request still fails with the message "400 Bad Request".

Please note:
Before I replaced the hostname of the proxy with the IP address, the diagnostics page of the Admin panel world show that Internet Access doesn't work, but all the other tests (including DNS) pass. I think that was not the case when I initially set up aultwarden.

*Originally created by @silentcreek on 8/23/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3 * Web-vault version: v2025.7.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: SQLite * Database version: 3.50.2 * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: true * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "https://icons.bitwarden.net/", "_icon_service_url": "https://icons.bitwarden.net/{}/icon.png", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***************", "domain_origin": "*****://***************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": "***************", "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "bitwarden", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***************", "smtp_from_name": "Vaultwarden", "smtp_host": "**********************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 90, "smtp_username": "********", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Caddy 2.10.0 ### Host/Server Operating System Linux ### Operating System Version Debian 12.11 ### Clients Android ### Client Version 2025.8.0 (20577) ### Steps To Reproduce 1. Run the Vaultwarden container with the environment variable https_proxy pointing to a server with a DNS name, e.g. https_proxy=http://myproxy.mydomain.tld:8443/ 2. Attempt to login to your Vault using the Android app ### Expected Result Successful login and access to Vault ### Actual Result Login fails with the error message: Error getting push token from bitwarden server: error sending request for url The login via the Web interface works, however. I also found the solution, which is to replace the hostname of the proxy with its IP address in the environment variable, then it works - see "Additional Context" for more info. ### Logs ```text [2025-08-23 22:28:59.713][reqwest::connect][DEBUG] starting new connection: https://identity.bitwarden.eu/ [2025-08-23 22:28:59.713][reqwest::connect][DEBUG] proxy(http://myproxy.mydomain.net:8443/) intercepts 'https://identity.bitwarden.eu/' [2025-08-23 22:28:59.714][hickory_proto::xfer::dns_handle][DEBUG] querying: myproxy.mydomain.net. A [2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }] [2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 192.168.139.1:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None } [2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }] [2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 10.0.2.3:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None } [2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }] [2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 8509:QUERY:RD:NoError:QUERY:0/0/0 ; query ;; myproxy.mydomain.net. IN A [2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 35618:QUERY:RD:NoError:QUERY:0/0/0 ; query ;; myproxy.mydomain.net. IN A [2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully [2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully [2025-08-23 22:28:59.715][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 35618 [2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0 ; query ;; myproxy.mydomain.net. IN A ; answers 1 myproxy.mydomain.net. 218 IN A 192.168.139.1 ; nameservers 0 ; additionals 0 [2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0 ; query ;; myproxy.mydomain.net. IN A ; answers 1 myproxy.mydomain.net. 218 IN A 192.168.139.1 ; nameservers 0 ; additionals 0 [2025-08-23 22:28:59.715][vaultwarden::api::push][ERROR] Error getting push token from bitwarden server: error sending request for url (https://identity.bitwarden.eu/connect/token) [2025-08-23 22:28:59.715][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [Note: I removed the real hostname of my Vaultwarden server from the logs.) ``` ### Screenshots or Videos _No response_ ### Additional Context I have a Vaultwarden instance that I've been using for more than a year. It's set up behind a reverse proxy as well as a web proxy for http(s) access. It used to work just fine until I recently got logged out of the Bitwarden app on my phone and wanted to log in again. Then I first received the error message, that the push token from the Bitwarden server could not be received. I first suspected a routing or firewall issue, but it turned out to be something else. If I replace the hostname of the proxy server with its IP address, everything works again. What puzzels me is this: 1. I have specified the proxy by name since I first set up Vaultwarden more than a year ago and never had any issues logging in. That leads me to believe that either something in the Vaultwarden code or the Android app has changed at some point. Also, none of my other containers have any issue using the proxy defined by it's hostname or DNS name. 2. When I look at the debug logs, it seems to me that Vaultwarden correctly resolves the hostname of the proxy server before sending the request (so it's not a DNS issue), but then the request still fails with the message "400 Bad Request". Please note: Before I replaced the hostname of the proxy with the IP address, the diagnostics page of the Admin panel world show that Internet Access doesn't work, but all the other tests (including DNS) pass. I think that was not the case when I initially set up aultwarden.

MrUnknownDE closed this issue

2026-04-05 21:07:08 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#391