Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion util/Setup/EnvironmentFileBuilder.cs
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,12 @@ private void Init()
{
["globalSettings__baseServiceUri__vault"] = _context.Config.Url,
["globalSettings__baseServiceUri__cloudRegion"] = _context.Install?.CloudRegion.ToString(),
["globalSettings__baseServiceUri__internalIdentity"] = "http://bitwarden-identity:5000",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❓ QUESTION: Are the other internal service URIs intentionally left on bare service names?

Details

This pins internalIdentity to http://bitwarden-identity:5000, but the other internal URIs still fall through to BuildInternalUri's default, which produces bare service names (http://identity:5000 style). For example, InternalNotifications resolves to http://notifications:5000 and is actively consumed by NotificationsApiPushEngine (src/Core/Platform/Push/Engines/NotificationsApiPushEngine.cs:28), so it shares the exact same cross-container hostname-collision failure mode this PR is fixing for identity.

If SHOT-97 is scoped only to auth traffic that's fine β€” just confirming whether InternalNotifications/InternalApi/InternalVault/InternalSso (and the mssql DataSource = "tcp:mssql,1433" at line 71) were deliberately left out of this change.

["globalSettings__baseServiceUri__internalApi"] = "http://bitwarden-api:5000",
["globalSettings__baseServiceUri__internalNotifications"] = "http://bitwarden-notifications:5000",
["globalSettings__baseServiceUri__internalSso"] = "http://bitwarden-sso:5000",
["globalSettings__baseServiceUri__internalAdmin"] = "http://bitwarden-admin:5000",
["globalSettings__baseServiceUri__internalVault"] = "http://bitwarden-web:5000",
["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString.Replace("\"", "\\\"")}\"",
["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword,
["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" :
Expand Down Expand Up @@ -120,7 +126,7 @@ private void Init()
_keyConnectorOverrideValues = new Dictionary<string, string>
{
["keyConnectorSettings__webVaultUri"] = _context.Config.Url,
["keyConnectorSettings__identityServerUri"] = "http://identity:5000",
["keyConnectorSettings__identityServerUri"] = "http://bitwarden-identity:5000",
["keyConnectorSettings__database__provider"] = "json",
["keyConnectorSettings__database__jsonFilePath"] = "/etc/bitwarden/key-connector/data.json",
["keyConnectorSettings__rsaKey__provider"] = "certificate",
Expand Down
36 changes: 18 additions & 18 deletions util/Setup/Templates/NginxConfig.hbs
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ server {
{{/if}}

location / {
proxy_pass http://web:5000/;
proxy_pass http://bitwarden-web:5000/;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
Expand All @@ -79,7 +79,7 @@ server {
}

location = /app-id.json {
proxy_pass http://web:5000/app-id.json;
proxy_pass http://bitwarden-web:5000/app-id.json;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
Expand All @@ -89,55 +89,55 @@ server {
}

location = /duo-connector.html {
proxy_pass http://web:5000/duo-connector.html;
proxy_pass http://bitwarden-web:5000/duo-connector.html;
}

location = /webauthn-connector.html {
proxy_pass http://web:5000/webauthn-connector.html;
proxy_pass http://bitwarden-web:5000/webauthn-connector.html;
}

location = /webauthn-fallback-connector.html {
proxy_pass http://web:5000/webauthn-fallback-connector.html;
proxy_pass http://bitwarden-web:5000/webauthn-fallback-connector.html;
}

location = /sso-connector.html {
proxy_pass http://web:5000/sso-connector.html;
proxy_pass http://bitwarden-web:5000/sso-connector.html;
}

location /attachments/ {
proxy_pass http://attachments:5000/;
proxy_pass http://bitwarden-attachments:5000/;
}

location /api/ {
proxy_pass http://api:5000/;
proxy_pass http://bitwarden-api:5000/;
}

location /icons/ {
proxy_pass http://icons:5000/;
proxy_pass http://bitwarden-icons:5000/;
}

location /notifications/ {
proxy_pass http://notifications:5000/;
proxy_pass http://bitwarden-notifications:5000/;
}

location /notifications/hub {
proxy_pass http://notifications:5000/hub;
proxy_pass http://bitwarden-notifications:5000/hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}

location /notifications/anonymous-hub {
proxy_pass http://notifications:5000/anonymous-hub;
proxy_pass http://bitwarden-notifications:5000/anonymous-hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}

location /events/ {
proxy_pass http://events:5000/;
proxy_pass http://bitwarden-events:5000/;
}

location /sso {
proxy_pass http://sso:5000;
proxy_pass http://bitwarden-sso:5000;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
Expand All @@ -146,7 +146,7 @@ server {
}

location /identity {
proxy_pass http://identity:5000;
proxy_pass http://bitwarden-identity:5000;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
Expand All @@ -155,7 +155,7 @@ server {
}

location /admin {
proxy_pass http://admin:5000;
proxy_pass http://bitwarden-admin:5000;
{{#if Ssl}}
include /etc/nginx/security-headers-ssl.conf;
{{/if}}
Expand All @@ -165,13 +165,13 @@ server {

{{#if EnableKeyConnector}}
location /key-connector/ {
proxy_pass http://key-connector:5000/;
proxy_pass http://bitwarden-key-connector:5000/;
}
{{/if}}
{{#if EnableScim}}

location /scim/ {
proxy_pass http://scim:5000/;
proxy_pass http://bitwarden-scim:5000/;
}
{{/if}}

Expand Down
Loading