Caddy real IP not showing

Hi,

I have a problem with the logging of the IP address.
In the logs (and also in the login notification emails) only the local IP address of the Docker container appears instead of the IP address of the device used for login.

For the configuration I used the examples from the wiki.

docker-compose.yml:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - DOMAIN=https://sub.domain.tld
      - LOG_FILE=/Data/vaultwarden.log
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=https://sub.domain.tld  # Your domain, prefixed with http or https.
      - EMAIL=myemail@domain.tld       # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log

My Caddyfile:

sub.domain.tld:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
  tls myemail@domain.tld

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:80 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}

Partial output of docker logs vaultwarden:

Error: Username or password is incorrect. Try again. IP: 172.31.0.1. Username: wrongemail@domain.tld.

Where am I making a mistake?

Thank you for your answers

Should be

{$DOMAIN}:443 {

and

Should be changed back to

tls {$EMAIL}

These should use the environment variables set in your docker-compose file to match the subdomain and email set under the caddy service.

Those are the only main differences I can see compared to my setup; everything else looks good.
I would try to make those changes to your Caddyfile, then stop and restart your docker-compose.
Hopefully that helps and will work to pass the proper IP from Caddy into the Vaultwarden logs.

@cksapp
Thanks for your answer.

Unfortunately, these changes do not change the problem with the IP address. The IP address is still the local one of the Docker container.
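
A way to check from the Vaultwarden log whether the proxy is passing the client address through, added here as an example and not part of any post in this thread: it parses failed-login lines in the format quoted above and reports source IPs in private, loopback or link-local ranges, which a fail2ban rule should never be acting on. The sample lines, the 203.0.113.7 address and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges that can never be a remote client's address (RFC 1918, loopback,
# link-local, IPv6 ULA). Docker bridge networks use addresses from these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Message format taken from the log line quoted in the thread.
FAILED_LOGIN = re.compile(
    r"Username or password is incorrect\. Try again\. "
    r"IP: (?P<ip>[0-9A-Fa-f:.]+)\. Username: (?P<user>\S+?)\.?$")

# Constructed sample lines; only the first address appears in the thread.
SAMPLE_LOG = [
    "Error: Username or password is incorrect. Try again. IP: 172.31.0.1. Username: wrongemail@domain.tld.",
    "Error: Username or password is incorrect. Try again. IP: 172.31.0.1. Username: other@domain.tld.",
    "Error: Username or password is incorrect. Try again. IP: 203.0.113.7. Username: wrongemail@domain.tld.",
    "Some unrelated log line",
]

def classify(ip_text):
    """Return 'internal', 'public' or 'invalid' for a logged source address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "public"

def audit(lines):
    """Count failed logins per (classification, ip) pair."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line.strip())
        if m:
            counts[(classify(m.group("ip")), m.group("ip"))] += 1
    return counts

def internal_sources(lines):
    """Logged source IPs that belong to the proxy or Docker network, not a client."""
    return sorted(ip for (kind, ip) in audit(lines) if kind == "internal")

if __name__ == "__main__":
    for (kind, ip), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{ip:15} {kind:8} failed_logins={n}")
```

Any address listed by `internal_sources` means the logged IP is the proxy or Docker gateway rather than the device that attempted the login.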