I could not, for the love of me, find this in any of the open/closed discussions/bugs/wiki. I now know how easy it was to fix; I just had to look at the tooltip of the deprecated env variable. For the next me, it would be great to have this page describing this specific scenario, which I think is pretty common when homelabbing. I will also suggest a modification to the sidebar + Main wiki page to have direct hyperlinks to this page. Thanks for taking the time to read this! Hope you all have a great day.

Luciano Godoy 2026-05-19 16:08:22 -03:00
parent be50984de7
commit ce786eed88

@ -0,0 +1,78 @@
# Allowing Vaultwarden to Fetch Icons from Internal Services
This configuration applies to self-hosted environments where Vaultwarden needs to fetch icons from services hosted on internal/private networks, for example:
- A NAS or server hosting multiple self-hosted applications
- Services accessed through a local network
- Services exposed only through VPNs such as Tailscale
- Reverse proxy setups using internal IPs or split DNS
By default, Vaultwarden blocks requests to non-global/private IP addresses as a security measure. Because of this, icons may fail to load for services that resolve to:
- LAN IPs (`192.168.x.x`, `10.x.x.x`, etc.)
- Tailscale/CGNAT ranges (`100.x.x.x`)
- Other internal-only addresses
## Configuration
Set the following environment variable:
```env
HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=false
```
Depending on the Vaultwarden version, you may also need to set:
```env
ICON_BLACKLIST_NON_GLOBAL_IPS=false
```
However, `ICON_BLACKLIST_NON_GLOBAL_IPS` is deprecated and newer versions use `HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS`.
Then restart/redeploy Vaultwarden.
## TrueNAS SCALE Important Note
When running Vaultwarden as a TrueNAS SCALE App, setting the environment variable alone may not be enough.
TrueNAS can override some Vaultwarden settings internally through the application configuration interface.
You must also:
1. Open the Vaultwarden Admin Panel
2. Go to `Advanced Settings`
3. Locate `Block non global IPs`
4. Set it to `false` / disabled
5. Save and restart the app
If this setting remains enabled, Vaultwarden will continue blocking icon downloads from internal IP ranges even if the environment variable is already present.
## Security Considerations
Disabling `HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS` reduces protection against SSRF (Server-Side Request Forgery) attacks.
With this setting disabled, Vaultwarden is allowed to make HTTP requests to internal/private IP ranges. This is required for environments where self-hosted services are intentionally exposed only through internal networking, VPNs, or private DNS.
Only disable this setting if:
- You trust the users who can create/edit vault entries
- Your Vaultwarden instance is private and properly secured
- You understand that Vaultwarden will be able to access internal network resources
For most self-hosted homelab or internal infrastructure setups, this tradeoff is acceptable and required for proper icon fetching functionality.
## Symptoms
Vaultwarden logs may contain warnings similar to:
```text
IP 100.x.x.x for domain 'service.example.com' is not a global IP!
```
or:
```text
IP 192.168.x.x for domain 'service.example.com' is not a global IP!
```
After disabling the restriction, icons for internal/self-hosted services should begin working normally.
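Review bot: In the Security Considerations section, the closing sentence "For most self-hosted homelab or internal infrastructure setups, this tradeoff is acceptable" reads as a blanket recommendation to switch off an SSRF protection, which undercuts the conditions listed just above it. Suggest dropping or softening that sentence. The section should also say plainly that, once the setting is disabled, the server will make requests to internal addresses on behalf of any user who can create or edit vault entries, not only for the services the admin had in mind. In the Configuration section, "you may also need to set" followed by "is deprecated" leaves it unclear whether both variables should be set or only one; state which variable applies to older versions and which to newer ones. Consider moving Symptoms above Configuration so that readers who arrive from the log message "is not a global IP!" find the match before the fix.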