Preface
I used to rely mainly on LastPass. Today only its browser use is free, everything else costs money, and having my passwords sit on someone else's server never felt reassuring.
So the plan is to self-host vaultwarden and keep using the regular Bitwarden clients against it. vaultwarden is chosen over the official Bitwarden server because it is far lighter and uses very few resources.
Deployment
Environment preparation
Server requirements: a Tencent Cloud server (1 vCPU, 2 GB RAM, Ubuntu/Debian).
Open ports: 80 (HTTP) and 443 (HTTPS), configured in the instance's security group in the Tencent Cloud console.
Note:
If you already have a public IP at home, or only want to try this locally, no public server is needed at all. My public server is short on resources, so it only forwards traffic; the actual service runs on a machine on my home LAN, and the public server reaches it through a ZeroTier tunnel. Only the nginx on the public server should be reachable from the internet; the intranet nginx is addressed over the ZeroTier interface and must not be opened on the home router.
Intranet machine deployment
To keep forwarding from the cloud server simple, put an nginx in front of vaultwarden and serve it under a prefix such as /bitwarden. Otherwise the forwarding rules on the cloud nginx become messy.
```yaml
services:
  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy
    ports:
      - "8000:80"    # HTTP, only redirects to HTTPS
      - "8443:443"   # HTTPS; this is the port the public ECS nginx forwards to
    volumes:
      # paths match the directory tree below; the stock nginx.conf already
      # includes conf.d/*.conf, so only conf.d and ssl need to be mounted
      - ./volumes/nginx/conf.d:/etc/nginx/conf.d:ro
      - ./volumes/nginx/ssl:/etc/nginx/ssl:ro
    networks:
      - vaultwarden-net
    depends_on:
      - vaultwarden

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    # environment:
    #   - DOMAIN=https://<public host>/bitwarden   # vaultwarden builds absolute links (e-mails, invites) from DOMAIN
    #   - SIGNUPS_ALLOWED=false                    # turn off once your own account exists
    networks:
      - vaultwarden-net
    volumes:
      - ./volumes/vw-data/:/data/
    expose:
      - "80"
      - "3012"   # legacy WebSocket port; recent vaultwarden releases serve /notifications/hub on port 80

networks:
  vaultwarden-net:
    driver: bridge
```
The mounted directory layout is as follows
```
vaultwarden/
├── docker-compose.yaml
└── volumes
    ├── nginx
    │   ├── conf.d
    │   │   └── default.conf
    │   ├── ssl
    │   │   ├── certificate.crt
    │   │   └── private.key
    │   └── uwsgi_params
    └── vw-data
```
conf.d/default.conf configuration
The default nginx.conf in the image includes every conf.d/*.conf, so this file is picked up without touching nginx.conf.
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name localhost;

    # Redirect everything to HTTPS. $host carries no port, so on the
    # port-mapped compose setup (8000/8443) the redirect lands on host
    # port 443; just open the https://...:8443 URL directly.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name localhost;

    ssl_certificate     /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }

    # vaultwarden under the /bitwarden/ prefix; the trailing slash on
    # proxy_pass strips the prefix before the request reaches vaultwarden
    location /bitwarden/ {
        proxy_pass http://vaultwarden/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

        # Rewrite absolute links in the web vault to the prefixed path.
        # sub_filter only works on uncompressed bodies, so ask the upstream
        # for no gzip.
        proxy_set_header Accept-Encoding "";
        sub_filter_once off;
        sub_filter_types *;
        sub_filter 'href="/' 'href="/bitwarden/';
        sub_filter 'src="/'  'src="/bitwarden/';
    }

    # WebSocket notifications (separate port 3012 on older vaultwarden releases).
    # proxy_pass must carry the target path, otherwise the /bitwarden prefix
    # would be passed through to vaultwarden unchanged.
    location /bitwarden/notifications/hub {
        proxy_pass http://vaultwarden:3012/notifications/hub;
        proxy_http_version 1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```
Configure a self-signed certificate
```bash
# -addext puts the server address into subjectAltName; clients that validate
# certificates (and curl) ignore the CN alone. Replace the IP with the
# ZeroTier address of your intranet machine.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=vaultwarden" \
  -addext "subjectAltName=IP:10.241.189.234" \
  -keyout ./volumes/nginx/ssl/private.key \
  -out ./volumes/nginx/ssl/certificate.crt
```
Start the service (run docker compose up -d in the vaultwarden/ directory)
Test access
Open the URL below in a browser (the ZeroTier address of the intranet machine and the 8443 port mapped in the compose file). The browser will warn about the self-signed certificate; accept it for this test.
```
https://10.241.189.234:8443/bitwarden
```
Public ECS nginx configuration (no domain)
```nginx
# /etc/nginx/conf.d/234-proxy-443.conf on the public ECS host

# map the client's Upgrade header to a Connection header so the
# notifications WebSocket also works through this hop
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name your-public-domain-or-ip;   # replace with your public domain or IP

    ssl_certificate     /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # HSTS: useful once this is served from a real domain; "preload" and
    # "includeSubDomains" mean nothing for a bare IP.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # Forward the whole /bitwarden path unchanged to the intranet nginx
    # (reached over its ZeroTier address), which serves it under the same prefix.
    location /bitwarden {
        proxy_pass https://10.241.189.234:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The intranet nginx presents a self-signed certificate, so verification
        # is off here. To pin it instead, copy certificate.crt to this host and use:
        #   proxy_ssl_trusted_certificate /etc/nginx/ssl/intranet-certificate.crt;
        #   proxy_ssl_verify on;
        proxy_ssl_verify off;
    }
}
```
Check the configuration and reload:
```bash
nginx -t && nginx -s reload
```
Test
```
https://<ECS public IP>/bitwarden
```
Public ECS nginx configuration (with a domain)
Taking Tencent ECS as an example
Domain configuration
Follow the provider's instructions to point the domain at the ECS instance
Complete the ICP filing (备案) for the domain
Adjust the nginx configuration
Obtain a free or paid SSL certificate for the domain, download it, and replace the certificate paths in the nginx configuration
```nginx
ssl_certificate     /etc/nginx/ssl/your-domain.crt;
ssl_certificate_key /etc/nginx/ssl/your-domain.key;
```
Client configuration
- Download and install the Bitwarden clients you need (mobile apps, browser extensions, desktop app)
- In each client choose "self-hosted", enter the server URL (https://your-domain/bitwarden), then log in with the account you created
Backup
Back up the mounted volumes directory somewhere you consider safe, for example a NAS, a cloud drive or a USB stick. The vault items themselves are encrypted client-side, but the data directory also holds the server's RSA key pair and the users' password hashes, so encrypt the backup before it leaves your machine.
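The script below is an added example, not part of the original post: it snapshots a vaultwarden /data directory (the ./volumes/vw-data mount above) into a single checksummed tarball and verifies it. The file names inside the data directory (db.sqlite3, rsa_key.pem, rsa_key.pub.pem, config.json, attachments/, sends/) are vaultwarden's; the data and output paths, and the sqlite3 fallback behaviour, are this example's own assumptions.

```shell
#!/bin/sh
# Added example: consistent backup of a vaultwarden data directory.
# Usage: ./backup.sh ./volumes/vw-data /path/to/backups
set -eu

# sha256sum on Linux, shasum on macOS/BSD; both accept the same arguments here
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# backup_vaultwarden DATA_DIR OUT_DIR -> prints the path of the archive written
backup_vaultwarden() {
    data_dir=$1
    out_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$out_dir"

    # Copy the SQLite database through the online backup API when sqlite3 is
    # available, so a write in progress cannot leave the copy inconsistent.
    # Without sqlite3 fall back to a plain copy (stop the container first).
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$data_dir/db.sqlite3" ".backup '$work/db.sqlite3'"
    else
        cp "$data_dir/db.sqlite3" "$work/db.sqlite3"
    fi

    # Everything else is plain files. The RSA key pair signs client sessions
    # (losing it logs every client out), attachments and sends are user data.
    for f in rsa_key.pem rsa_key.pub.pem config.json attachments sends; do
        [ -e "$data_dir/$f" ] && cp -R "$data_dir/$f" "$work/"
    done

    archive="$out_dir/vaultwarden-$stamp.tar.gz"
    tar -C "$work" -czf "$archive" .
    (cd "$out_dir" && _sha256 "$(basename "$archive")" > "$(basename "$archive").sha256")
    rm -rf "$work"
    echo "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the archive holds the database
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && _sha256 -c "$(basename "$archive").sha256" >/dev/null)
    tar -tzf "$archive" | grep -q '^\./db\.sqlite3$'
}

if [ $# -ge 2 ]; then
    archive=$(backup_vaultwarden "$1" "$2")
    verify_backup "$archive"
    echo "backup written and verified: $archive"
fi
```

The archive is plaintext apart from the vault items, which Bitwarden already encrypts on the client, so encrypt it (for example with gpg -c or age) before copying it to a cloud drive, and keep the checksum file next to it so a silently corrupted copy is noticed at restore time rather than after a disk failure.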
Troubleshooting
```
console-log.service.ts:53 Unhandled error in angular Error: Could not instantiate WebCryptoFunctionService. Could not locate Subtle crypto.
```
Analysis and fix
The web vault must be opened over HTTPS. Browsers expose the Web Crypto API (crypto.subtle) only in a secure context, i.e. https:// or http://localhost, and the Bitwarden client refuses to start without it.
The Android client cannot connect and reports that it cannot verify the server certificate
Analysis and fix
The Android app rejects certificates it cannot chain to a trusted CA, so for phones you really do need a domain with a certificate from a public CA, as in the "with a domain" section above.