https_proxy only works when specified as IP:Port, not Hostname:Port

[silentcreek]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: true
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "https://icons.bitwarden.net/",
  "_icon_service_url": "https://icons.bitwarden.net/{}/icon.png",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************",
  "domain_origin": "*****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": "***************",
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "bitwarden",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 90,
  "smtp_username": "********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Caddy 2.10.0

Host/Server Operating System

Linux

Operating System Version

Debian 12.11

Clients

Android

Client Version

2025.8.0 (20577)

Steps To Reproduce

1. Run the Vaultwarden container with the environment variable https_proxy pointing to a server with a DNS name, e.g. https_proxy=http://myproxy.mydomain.tld:8443/
2. Attempt to login to your Vault using the Android app

Expected Result

Successful login and access to Vault

Actual Result

Login fails with the error message:
Error getting push token from bitwarden server: error sending request for url

The login via the Web interface works, however.

I also found the solution, which is to replace the hostname of the proxy with its IP address in the environment variable, then it works - see "Additional Context" for more info.

Logs

[2025-08-23 22:28:59.713][reqwest::connect][DEBUG] starting new connection: https://identity.bitwarden.eu/
[2025-08-23 22:28:59.713][reqwest::connect][DEBUG] proxy(http://myproxy.mydomain.net:8443/) intercepts 'https://identity.bitwarden.eu/'
[2025-08-23 22:28:59.714][hickory_proto::xfer::dns_handle][DEBUG] querying: myproxy.mydomain.net. A
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 192.168.139.1:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 10.0.2.3:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-08-23 22:28:59.714][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("myproxy.mydomain.net."), query_type: A, query_class: IN }]
[2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 8509:QUERY:RD:NoError:QUERY:0/0/0
; query
;; myproxy.mydomain.net. IN A

[2025-08-23 22:28:59.714][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 35618:QUERY:RD:NoError:QUERY:0/0/0
; query
;; myproxy.mydomain.net. IN A

[2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-08-23 22:28:59.714][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-08-23 22:28:59.715][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 35618
[2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0
; query
;; myproxy.mydomain.net. IN A
; answers 1
myproxy.mydomain.net. 218 IN A 192.168.139.1
; nameservers 0
; additionals 0

[2025-08-23 22:28:59.715][hickory_proto::error][DEBUG] response: ; header 35618:RESPONSE:RD,RA:NoError:QUERY:1/0/0
; query
;; myproxy.mydomain.net. IN A
; answers 1
myproxy.mydomain.net. 218 IN A 192.168.139.1
; nameservers 0
; additionals 0

[2025-08-23 22:28:59.715][vaultwarden::api::push][ERROR] Error getting push token from bitwarden server: error sending request for url (https://identity.bitwarden.eu/connect/token)
[2025-08-23 22:28:59.715][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

[Note: I removed the real hostname of my Vaultwarden server from the logs.)

Screenshots or Videos

No response

Additional Context

I have a Vaultwarden instance that I've been using for more than a year. It's set up behind a reverse proxy as well as a web proxy for http(s) access. It used to work just fine until I recently got logged out of the Bitwarden app on my phone and wanted to log in again. Then I first received the error message, that the push token from the Bitwarden server could not be received. I first suspected a routing or firewall issue, but it turned out to be something else. If I replace the hostname of the proxy server with its IP address, everything works again.

What puzzels me is this:

1. I have specified the proxy by name since I first set up Vaultwarden more than a year ago and never had any issues logging in. That leads me to believe that either something in the Vaultwarden code or the Android app has changed at some point. Also, none of my other containers have any issue using the proxy defined by it's hostname or DNS name.
2. When I look at the debug logs, it seems to me that Vaultwarden correctly resolves the hostname of the proxy server before sending the request (so it's not a DNS issue), but then the request still fails with the message "400 Bad Request".

Please note:
Before I replaced the hostname of the proxy with the IP address, the diagnostics page of the Admin panel world show that Internet Access doesn't work, but all the other tests (including DNS) pass. I think that was not the case when I initially set up aultwarden.

[BlackDex]

The strange thing is that according to the logs it should work, the resolving of your proxy domain seems to be ok.

It only has an issue with reaching the Bitwarden hosts.
Is there anything useful on the proxy server logs? Or what do you see with tcpdump or some other networking tool if the connections are made or not.

A diagnostics output of a not working environment would also be nice.

Also, try to set the proxy env via ALL_PROXY and remove the HTTP(S)_PROXY env and see what that does.

You might also try the current testing tagged container images. But keep in mind that those change the WebauthN stored data, and rolling back too and older version of Vaultwarden will cause issues.
So, maybe test it via a new deployment.

[silentcreek]

And did you enabled the same features as Vaultwarden? Else it's not really a good comparison.

vaultwarden/Cargo.toml

Line 145 in a2ad1dc

reqwest = { version = "0.12.23", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}

I did not initially, but I did now. And it's the same result. It's probably still not a fair comparison since 1) it's a GET request instead of a POST request and 2) the rest of the code is still quite different as well. But I wanted to try it at least to see if this is a general problem with the library or crate.

I'm attaching the code I used.
_
simple_request.zip
_

[silentcreek]

Ok... One moment.... The IP of the hostname, is that a local/internal ip? Like 192., 10. Whatever???

Yes, it's a private IPv4 address within the 192.168.0.0/16 range.

[BlackDex]

Could you try to set HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=false and see what happens?

[silentcreek]

Could you try to set HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=false and see what happens?

Bingo. That works (in my "production" container with the latest stable release). But why is it not blocked when the proxy is set directly to its IP address?

[BlackDex]

Because we only block resolved IP's during lookup.
For the icons we still block manual provided IP's though.

Hmmm... Not sure how we can fix this in a decent way though.