From 87b183066b0061bb39f1d34e4e9963d585229116 Mon Sep 17 00:00:00 2001 From: Micaiah Martin Date: Mon, 29 Jun 2026 13:34:21 -0600 Subject: [PATCH 1/3] [SHOT-97] fix: target container names instead of bare service hostnames nginx proxy_pass and the internal identity service URI used bare Docker service names, which can resolve to the wrong container when another container sharing the network answers to that name, returning 502s and misrouting auth traffic. Point them at the unique bitwarden-* container names. - NginxConfig.hbs: all proxy_pass upstreams use bitwarden-* names - EnvironmentFileBuilder.cs: pin internalIdentity and the Key Connector identityServerUri to http://bitwarden-identity:5000 --- util/Setup/EnvironmentFileBuilder.cs | 3 ++- util/Setup/Templates/NginxConfig.hbs | 36 ++++++++++++++-------------- 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/util/Setup/EnvironmentFileBuilder.cs b/util/Setup/EnvironmentFileBuilder.cs index e3166cd57b8b..55dbad2a75d0 100644 --- a/util/Setup/EnvironmentFileBuilder.cs +++ b/util/Setup/EnvironmentFileBuilder.cs @@ -83,6 +83,7 @@ private void Init() { ["globalSettings__baseServiceUri__vault"] = _context.Config.Url, ["globalSettings__baseServiceUri__cloudRegion"] = _context.Install?.CloudRegion.ToString(), + ["globalSettings__baseServiceUri__internalIdentity"] = "http://bitwarden-identity:5000", ["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString.Replace("\"", "\\\"")}\"", ["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword, ["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" : @@ -120,7 +121,7 @@ private void Init() _keyConnectorOverrideValues = new Dictionary { ["keyConnectorSettings__webVaultUri"] = _context.Config.Url, - ["keyConnectorSettings__identityServerUri"] = "http://identity:5000", + ["keyConnectorSettings__identityServerUri"] = "http://bitwarden-identity:5000", ["keyConnectorSettings__database__provider"] = "json", ["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json", ["keyConnectorSettings__rsaKey__provider"] = "certificate", diff --git a/util/Setup/Templates/NginxConfig.hbs b/util/Setup/Templates/NginxConfig.hbs index 3c42a3058cc0..731398d4621e 100644 --- a/util/Setup/Templates/NginxConfig.hbs +++ b/util/Setup/Templates/NginxConfig.hbs @@ -62,7 +62,7 @@ server { {{/if}} location / { - proxy_pass http://web:5000/; + proxy_pass http://bitwarden-web:5000/; {{#if Ssl}} include /etc/nginx/security-headers-ssl.conf; {{/if}} @@ -78,7 +78,7 @@ server { } location = /app-id.json { - proxy_pass http://web:5000/app-id.json; + proxy_pass http://bitwarden-web:5000/app-id.json; {{#if Ssl}} include /etc/nginx/security-headers-ssl.conf; {{/if}} @@ -88,55 +88,55 @@ server { } location = /duo-connector.html { - proxy_pass http://web:5000/duo-connector.html; + proxy_pass http://bitwarden-web:5000/duo-connector.html; } location = /webauthn-connector.html { - proxy_pass http://web:5000/webauthn-connector.html; + proxy_pass http://bitwarden-web:5000/webauthn-connector.html; } location = /webauthn-fallback-connector.html { - proxy_pass http://web:5000/webauthn-fallback-connector.html; + proxy_pass http://bitwarden-web:5000/webauthn-fallback-connector.html; } location = /sso-connector.html { - proxy_pass http://web:5000/sso-connector.html; + proxy_pass http://bitwarden-web:5000/sso-connector.html; } location /attachments/ { - proxy_pass http://attachments:5000/; + proxy_pass http://bitwarden-attachments:5000/; } location /api/ { - proxy_pass http://api:5000/; + proxy_pass http://bitwarden-api:5000/; } location /icons/ { - proxy_pass http://icons:5000/; + proxy_pass http://bitwarden-icons:5000/; } location /notifications/ { - proxy_pass http://notifications:5000/; + proxy_pass http://bitwarden-notifications:5000/; } location /notifications/hub { - proxy_pass http://notifications:5000/hub; + proxy_pass http://bitwarden-notifications:5000/hub; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } location /notifications/anonymous-hub { - proxy_pass http://notifications:5000/anonymous-hub; + proxy_pass http://bitwarden-notifications:5000/anonymous-hub; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } location /events/ { - proxy_pass http://events:5000/; + proxy_pass http://bitwarden-events:5000/; } location /sso { - proxy_pass http://sso:5000; + proxy_pass http://bitwarden-sso:5000; {{#if Ssl}} include /etc/nginx/security-headers-ssl.conf; {{/if}} @@ -145,7 +145,7 @@ server { } location /identity { - proxy_pass http://identity:5000; + proxy_pass http://bitwarden-identity:5000; {{#if Ssl}} include /etc/nginx/security-headers-ssl.conf; {{/if}} @@ -154,7 +154,7 @@ server { } location /admin { - proxy_pass http://admin:5000; + proxy_pass http://bitwarden-admin:5000; {{#if Ssl}} include /etc/nginx/security-headers-ssl.conf; {{/if}} @@ -164,13 +164,13 @@ server { {{#if EnableKeyConnector}} location /key-connector/ { - proxy_pass http://key-connector:5000/; + proxy_pass http://bitwarden-key-connector:5000/; } {{/if}} {{#if EnableScim}} location /scim/ { - proxy_pass http://scim:5000/; + proxy_pass http://bitwarden-scim:5000/; } {{/if}} From 0fb9440c5348947ea0982d4b575d9a342d99616c Mon Sep 17 00:00:00 2001 From: Micaiah Martin Date: Tue, 30 Jun 2026 08:38:08 -0600 Subject: [PATCH 2/3] Pin remaining internal service URIs to container names --- util/Setup/EnvironmentFileBuilder.cs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/util/Setup/EnvironmentFileBuilder.cs b/util/Setup/EnvironmentFileBuilder.cs index 55dbad2a75d0..2616221f1d40 100644 --- a/util/Setup/EnvironmentFileBuilder.cs +++ b/util/Setup/EnvironmentFileBuilder.cs @@ -84,6 +84,12 @@ private void Init() ["globalSettings__baseServiceUri__vault"] = _context.Config.Url, ["globalSettings__baseServiceUri__cloudRegion"] = _context.Install?.CloudRegion.ToString(), ["globalSettings__baseServiceUri__internalIdentity"] = "http://bitwarden-identity:5000", + ["globalSettings__baseServiceUri__internalApi"] = "http://bitwarden-api:5000", + ["globalSettings__baseServiceUri__internalNotifications"] = "http://bitwarden-notifications:5000", + ["globalSettings__baseServiceUri__internalSso"] = "http://bitwarden-sso:5000", + ["globalSettings__baseServiceUri__internalAdmin"] = "http://bitwarden-admin:5000", + ["globalSettings__baseServiceUri__internalVault"] = "http://bitwarden-web:5000", + ["globalSettings__baseServiceUri__internalScim"] = "http://bitwarden-scim:5000", ["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString.Replace("\"", "\\\"")}\"", ["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword, ["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" : From f05fadd20199149b4f563feebce3de6d189fa15d Mon Sep 17 00:00:00 2001 From: Micaiah Martin Date: Tue, 30 Jun 2026 09:09:43 -0600 Subject: [PATCH 3/3] Remove inert internalScim override --- util/Setup/EnvironmentFileBuilder.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/util/Setup/EnvironmentFileBuilder.cs b/util/Setup/EnvironmentFileBuilder.cs index 4f5eb3f84b0c..00b4e42d6a5b 100644 --- a/util/Setup/EnvironmentFileBuilder.cs +++ b/util/Setup/EnvironmentFileBuilder.cs @@ -89,7 +89,6 @@ private void Init() ["globalSettings__baseServiceUri__internalSso"] = "http://bitwarden-sso:5000", ["globalSettings__baseServiceUri__internalAdmin"] = "http://bitwarden-admin:5000", ["globalSettings__baseServiceUri__internalVault"] = "http://bitwarden-web:5000", - ["globalSettings__baseServiceUri__internalScim"] = "http://bitwarden-scim:5000", ["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString.Replace("\"", "\\\"")}\"", ["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword, ["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" :