前言
之前主要使用lastpass,目前是浏览器端免费,其它都要收费,而且密码存在别人服务器总是不放心。
所以我们要本地部署vaultwarden并且可以在各种Bitwarden正常使用。这里使用vaultwarden是因为相比原生更加轻量,占用资源极少。
部署
环境准备
服务器要求:腾讯云服务器(1核2GB内存,Ubuntu/Debian系统)。
开放端口:80(HTTP)、443(HTTPS),通过腾讯云控制台配置安全组
注:
如果家里本身就有公网ip,或者只是本地玩玩,是不需要公网服务器的。我这里公网服务器资源紧张,用来做转发,实际服务部署到内网机,所以公网和内网交互需要内网穿透,我这里使用的是zerotier。
内网机部署
为了方便从云服务器转发到内网,所以通过nginx包一层,给vaultwarden套一个前缀,比如:/bitwarden。否则云服务nginx转发会很乱
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| services:
nginx-proxy:
image: nginx:alpine
container_name: nginx-proxy
ports:
- "8000:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./ssl:/etc/nginx/ssl
networks:
- vaultwarden-net
depends_on:
- vaultwarden
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
networks:
- vaultwarden-net
volumes:
- ./vw-data/:/data/
expose:
- "80"
- "3012"
networks:
vaultwarden-net:
driver: bridge
|
挂载目录结构如下
1
2
3
4
5
6
7
8
9
10
11
| vaultwarden/
├── docker-compose.yaml
└── volumes
├── nginx
│ ├── conf.d
│ │ └── default.conf
│ ├── ssl
│ │ ├── certificate.crt
│ │ └── private.key
│ └── uwsgi_params
└── vw-data
|
conf.d/default.conf配置
这里nginx.conf会默认引入所有conf.d/*.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
| server {
listen 80;
listen [::]:80;
server_name localhost;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name localhost;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /bitwarden/ {
proxy_pass http://vaultwarden/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
sub_filter_once off;
sub_filter_types *;
sub_filter 'href="/' 'href="/bitwarden/';
sub_filter 'src="/' 'src="/bitwarden/';
}
location /bitwarden/notifications/hub {
proxy_pass http://vaultwarden:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
|
配置自签名证书
1
2
3
4
|
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout ./volumes/nginx/ssl/private.key \
-out ./volumes/nginx/ssl/certificate.crt
|
服务启动
测试访问
1
| https://10.241.189.234:8443/bitwarden
|
公网ECS配置nginx(无域名)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| cd /etc/nginx/conf.d
[root@VM-8-12-centos conf.d]# cat 234-proxy-443.conf
server {
listen 443 ssl;
server_name 替换为你的公网域名或IP;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
location /bitwarden {
proxy_pass https://10.241.189.234:8443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
}
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}
|
nginx -s reload
测试
1
2
3
| https://ECS公网IP/bitwarden
|
公网ECS配置nginx(有域名)
以腾讯ECS为例
域名配置
根据官方提示,将域名绑定到ECS机器
进行域名备案
调整nginx配置
使用免费或者付费的ssl证书,下载后替换nginx中配置的证书信息
1
2
3
|
ssl_certificate /etc/nginx/ssl/自己的域名.crt;
ssl_certificate_key /etc/nginx/ssl/自己的域名.xyz.key;
|
客户端配置
- 下载安装bitwarden相关客户端,包括app端,浏览器插件等
- 配置为自托管,然后按照自己设置的用户密码登录即可
备份
找一个自己觉得安全的地方备份自己的挂载(volumes目录),比如NAS或者网盘,U盘等
问题处理
console-log.service.ts:53 Unhandled error in angular Error: Could not instantiate WebCryptoFunctionService. Could not locate Subtle crypto.
分析处理
必须使用https访问,否则报错
安卓客户端无法访问,提示无法验证服务器证书
分析处理
这个真得有域名了。