There was news again recently that Chaoxing Xuexitong's database had been dumped, exposing 160 million personal records: yet another mass password leak. So I started thinking about using a password manager.
1Password is paid and not cheap, so I wanted to try Bitwarden, which can be self-hosted. But when I saw the official Docker deployment, my head nearly exploded:
The official Docker stack is, let's say, very comprehensive, which is why its minimum requirement is 2 GB of RAM; an ordinary user has no use for all of that.
Then, while wandering around GitHub, I spotted a project called Vaultwarden. It describes itself as a rewrite of the Bitwarden server API in Rust (the official server is written in C#), which cuts memory use dramatically and ships as a much leaner image, ideal for a personal self-hosted deployment. The documentation is also really thorough (deployment, database backup and restoring from a backup all have complete docs). So let's get started!
Install Docker
Use the official install script with Aliyun as the package mirror; it installs the latest release by default. Piping a remote script straight into bash runs code you have not seen as root, so if this is a machine you care about, download the script to a file, read it, and then run it.
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
Pull and deploy the image
Deploy with a single docker command
# -v: data directory on the host; -p: host port 3011 -> container port 80 (write
# 127.0.0.1:3011:80 if only a local NGINX should reach it); ADMIN_TOKEN: the admin
# page secret, see the parameter notes below. WEBSOCKET_ENABLED is no longer
# needed from 1.29.0 (see the notes below) and is kept here only for older images.
docker run -d --restart=always --name vaultwarden \
  -v /vw-data/:/data/ \
  -p 3011:80 \
  -e ADMIN_TOKEN=some_random_token_as_per_above_explanation \
  -e WEBSOCKET_ENABLED=true \
  vaultwarden/server:latest
Docker Compose deployment (with Rclone automatic backup)
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports:
      - 3011:80   # use 127.0.0.1:3011:80 when only the local NGINX should reach the container
    environment:
      - PUSH_ENABLED=true
      - PUSH_INSTALLATION_ID=xxxxx
      - PUSH_INSTALLATION_KEY=xxxxxxx
    volumes:
      - /data/vaultwarden/:/data/
  backup:
    # backup service
    image: ttionya/vaultwarden-backup:latest
    restart: always
    environment:
      RCLONE_REMOTE_NAME: 'rwk'
      RCLONE_REMOTE_DIR: '/BitwardenBackup/'
      # RCLONE_GLOBAL_FLAG: ''
      CRON: '30 * * * *'
      ZIP_ENABLE: 'TRUE'
      ZIP_PASSWORD: 'xxxxxxx'
      ZIP_TYPE: 'zip'
      BACKUP_FILE_SUFFIX: '%Y%m%d'
      BACKUP_KEEP_DAYS: 7
      # PING_URL: ''
      MAIL_SMTP_ENABLE: 'TRUE'
      # one line, without backslashes: inside a YAML single-quoted string a "\" stays
      # a literal backslash and would be handed to the mail client as a bogus argument
      MAIL_SMTP_VARIABLES: '-S smtp-use-starttls -S smtp=smtp://smtp.office365.com:587 -S smtp-auth=login -S smtp-auth-user=your-email-address -S smtp-auth-password=xxxxxxxxxxxxxx -S from=your-email-address(Vaultwarden_Backup)'
      MAIL_TO: 'your-email-address'
      MAIL_WHEN_SUCCESS: 'FALSE'
      MAIL_WHEN_FAILURE: 'TRUE'
      TIMEZONE: 'Asia/Shanghai'
      DATA_DIR: '/data'
    volumes:
      - /data/vaultwarden/:/data/
      - vaultwarden-rclone-data:/config/
      # - /path/to/env:/.env
volumes:
  # vaultwarden-data:
  #   Specify the name of the volume where you save the vaultwarden data,
  #   use vaultwarden-data for new users
  #   and bitwardenrs-data for migrated users
  #   name: vaultwarden-data
  #   name: bitwardenrs-data
  vaultwarden-rclone-data:
    external: true
    # Specify the name of the volume where you save the rclone configuration,
    # use vaultwarden-rclone-data for new users
    # and bitwardenrs-rclone-data for migrated users
    name: vaultwarden-rclone-data
    # name: bitwardenrs-rclone-data
Parameter notes:
- /vw-data/: where the data is stored; replace it with a directory of your choice.
- ADMIN_TOKEN: the secret for logging in to the admin page. Generate a random string with openssl rand -base64 48.
- PUSH_ENABLED: push notifications to mobile devices; requires PUSH_INSTALLATION_ID and PUSH_INSTALLATION_KEY as well. The push credentials are obtained from Bitwarden: Requesting Hosting Installation ID & Key | Bitwarden
- -p: port mapping. If NGINX on the same host acts as the reverse proxy, map container port 80 to some other host port (and bind it to 127.0.0.1 so that only the proxy can reach it).
Notes:
- From 1.29.0 WebSocket no longer needs a separate port; it is served on port 80 by default, and 1.29.0 also enables WebSocket by default, so the WebSocket-related settings are left out of the compose file here.
- From 1.29.0 Vaultwarden supports the official apps' push service (Android FCM / iOS APNs), provided the push credentials are configured. They are issued free of charge from Bitwarden's site; you only need to supply the server administrator's e-mail address. The US and EU push-server regions are currently supported. With this enabled the apps no longer need a manual sync: a change made on any device is pushed to all mobile devices through the Bitwarden Push API.
- Because Bitwarden fronts its push service with Cloudflare CDN, deployments in mainland China may see Push API requests fail. You can route them through a self-hosted HTTP/HTTPS proxy (for example squid) by setting the HTTP_PROXY / HTTPS_PROXY environment variables in the Docker Compose file.
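As an added example (not from the original post or from the Vaultwarden project), here is a small shell helper for handling ADMIN_TOKEN: generate it, check it, and escape it for docker-compose. Recent Vaultwarden releases (1.28.0 and later) also accept an Argon2 PHC string produced by the built-in `vaultwarden hash` subcommand instead of the plaintext token; such a string is full of `$` characters, which docker-compose treats as variable interpolation unless each is written as `$$`. The placeholder name from the docker run example and the 32-character minimum used by the check are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: generating, checking and escaping ADMIN_TOKEN for Vaultwarden.
# Not part of the original post or of Vaultwarden itself.
set -eu

# 48 random bytes, base64 encoded (64 characters): same result as the post's
# `openssl rand -base64 48`, without depending on openssl.
gen_admin_token() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Interactive: asks for the token and prints an Argon2id PHC string that can be
# used as ADMIN_TOKEN instead of the plaintext value (Vaultwarden's built-in
# `hash` subcommand). Needs Docker, so the offline checks below do not call it.
hash_admin_token() {
  docker run --rm -it vaultwarden/server:latest /vaultwarden hash
}

# Reject an empty token or the untouched placeholder from the docker run
# example; accept an Argon2 PHC string or a plaintext token of at least
# 32 characters (32 is an assumed minimum for this demo, not a Vaultwarden rule).
validate_admin_token() {
  tok="$1"
  case "$tok" in
    ''|some_random_token_as_per_above_explanation) return 1 ;;
    '$argon2id$'*|'$argon2i$'*|'$argon2d$'*) return 0 ;;
  esac
  [ "${#tok}" -ge 32 ]
}

# docker-compose interpolates `$VAR`; a PHC string such as `$argon2id$v=19$...`
# would be mangled unless every `$` is written as `$$`.
escape_for_compose() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# The `environment:` entry to paste into docker-compose.yml.
compose_env_line() {
  printf -- '      - ADMIN_TOKEN=%s\n' "$(escape_for_compose "$1")"
}

# Stand-alone usage: `sh token.sh demo` prints a fresh token and its compose line.
if [ "${1:-}" = "demo" ]; then
  tok="$(gen_admin_token)"
  validate_admin_token "$tok"
  echo "ADMIN_TOKEN=$tok"
  compose_env_line "$tok"
fi
```

The `$$` escaping only applies to values written into the compose file; with `docker run -e` the shell's single quotes are enough to keep the `$` characters intact.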
NGINX reverse proxy (example)
# WebSocket upgrade support
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# http: redirect everything to https
server {
    listen 80;
    listen [::]:80;
    server_name bitwarden.example.com;

    ## keep search engines out (the trailing ^$ also rejects clients that send no User-Agent)
    if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|^$") {
        return 404;
    }

    location / {
        ## if you are behind Cloudflare, use 302 instead; keep host and path so deep links survive
        return 301 https://$host$request_uri;
    }
}

# https
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bitwarden.example.com;

    if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|^$") {
        return 404;
    }

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate /path/to/ssl/cert;
    ssl_certificate_key /path/to/cert/key;
    keepalive_timeout 70;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ## resolver used for the OCSP lookups; put your own DNS server here
    resolver 8.8.8.8;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); do not offer them
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # the host port you mapped container port 80 to (3011 in the examples above)
        proxy_pass http://localhost:xxxx;
    }
}
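To confirm that a vhost actually carries the settings above, here is an added example (not from the original post) that lints an NGINX config file for four things: no TLS 1.0/1.1 in ssl_protocols, an HSTS header sent with `always`, the WebSocket upgrade headers forwarded over HTTP/1.1, and a `proxy_pass` target on loopback. The two sample configs inside the block are constructed for the demo, not real files.

```shell
#!/bin/sh
# Added example: lint an NGINX vhost for the settings that matter in front of
# Vaultwarden. Not part of the original post. Each check greps the config file
# passed as $1; the two sample configs at the bottom are constructed for the demo.

# 1. Legacy TLS: matches "TLSv1", "TLSv1.0" or "TLSv1.1" inside ssl_protocols,
#    but not TLSv1.2 / TLSv1.3.
has_legacy_tls() {
  grep -Eq 'ssl_protocols[^;]*TLSv1(\.[01])?([[:space:]]|;)' "$1"
}

# 2. HSTS with a max-age, sent on every response ("always").
has_hsts() {
  grep -Eq 'add_header[[:space:]]+Strict-Transport-Security.*max-age=[0-9]+.*always' "$1"
}

# 3. WebSocket upgrade forwarded over HTTP/1.1 (live sync since 1.29.0).
has_ws_upgrade() {
  grep -Eq 'proxy_set_header[[:space:]]+Upgrade[[:space:]]+\$http_upgrade' "$1" &&
    grep -Eq 'proxy_http_version[[:space:]]+1\.1' "$1"
}

# 4. The upstream is loopback, i.e. the container port is only reachable
#    through the proxy.
upstream_is_loopback() {
  grep -Eq 'proxy_pass[[:space:]]+http://(localhost|127\.0\.0\.1)(:[0-9]+)?[[:space:]]*;' "$1"
}

# Run all checks; one line per finding; "OK" and exit 0 only if all pass.
lint_vhost() {
  rc=0
  if has_legacy_tls "$1"; then echo "FAIL ssl_protocols allows TLS 1.0/1.1"; rc=1; fi
  has_hsts "$1" || { echo "FAIL no HSTS header sent with always"; rc=1; }
  has_ws_upgrade "$1" || { echo "FAIL WebSocket upgrade not forwarded"; rc=1; }
  upstream_is_loopback "$1" || { echo "FAIL proxy_pass target is not loopback"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK"
  return "$rc"
}

# Constructed sample: the weak variant (TLS 1.1 allowed, no HSTS, no upgrade
# headers, upstream reachable on all interfaces).
weak_sample() {
  cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://0.0.0.0:3011;
    }
}
EOF
}

# Constructed sample: the corrected variant.
fixed_sample() {
  cat <<'EOF'
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://localhost:3011;
    }
}
EOF
}

# Stand-alone usage: `sh lint.sh /etc/nginx/sites-enabled/bitwarden.conf`
if [ -n "${1:-}" ]; then
  lint_vhost "$1"
fi
```

Run it against the file you actually deploy, then `nginx -t` and reload; the grep checks catch the settings, not syntax errors.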
Backup
This uses the vaultwarden-backup project.
Configure Rclone
docker run --rm -it \
  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
  ttionya/vaultwarden-backup:latest \
  rclone config
Check the Rclone configuration
docker run --rm -it \
  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
  ttionya/vaultwarden-backup:latest \
  rclone config show
# Microsoft OneDrive example
# [YouRemoteName]
# type = onedrive
# token = {"access_token":"access token","token_type":"token type","refresh_token":"refresh token","expiry":"expiry time"}
# drive_id = driveid
# drive_type = personal
Configure automatic backup and e-mail notification
# Mind the space before every trailing backslash: "TRUE"\ with no space would glue
# the next -e onto the value. */60 in the minute field means minute 0 of every hour.
docker run -d \
  --restart=always \
  --name vaultwarden_backup \
  --volumes-from=vaultwarden \
  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
  -e RCLONE_REMOTE_NAME="YouRemoteName" \
  -e DATA_DIR="/data" \
  -e ZIP_ENABLE="TRUE" \
  -e ZIP_PASSWORD="your-zip-password" \
  -e BACKUP_KEEP_DAYS="7" \
  -e CRON="*/60 * * * *" \
  -e TIMEZONE="Asia/Shanghai" \
  -e MAIL_SMTP_ENABLE="TRUE" \
  -e MAIL_SMTP_VARIABLES="
    -S smtp-use-starttls \
    -S smtp=smtp://smtp.office365.com:587 \
    -S smtp-auth=login \
    -S smtp-auth-user=your-email-address \
    -S smtp-auth-password=Your_APP_Password \
    -S from=your-email-address(your-email-name)" \
  -e MAIL_TO="your-email-address" \
  ttionya/vaultwarden-backup:latest
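A backup you have never restored is a hope, not a backup. The following added example (not from the original post or from the vaultwarden-backup project) is a restore drill for an archive that the backup job produces: it extracts the archive with the ZIP_PASSWORD, runs SQLite's integrity check on db.sqlite3 and counts users and ciphers, failing on a wrong password, a corrupt file or a damaged database. The archive layout (db.sqlite3 at the top level next to config.json, rsa_key*, attachments/ and sends/) is my understanding of the project's README; the `unzip` (or `7z`) and `sqlite3` command-line tools must be installed on the host running the drill.

```shell
#!/bin/sh
# Added example: restore drill for an archive produced by vaultwarden-backup.
# Not part of the original post or of the vaultwarden-backup project.
# Assumed archive layout (from my reading of the project's README): db.sqlite3 at
# the top level, plus optional config.json, rsa_key*, attachments/ and sends/.
# Needs `unzip` (ZIP_TYPE=zip) or `7z` (ZIP_TYPE=7z) and the `sqlite3` CLI.

# Extract the archive into a scratch directory and print that directory.
# A wrong password or a corrupt file makes the extractor fail -> return 1.
extract_backup() {
  archive="$1"; password="$2"
  work="$(mktemp -d)" || return 1
  case "$archive" in
    *.7z) 7z x -y -p"$password" -o"$work" "$archive" >/dev/null 2>&1 ;;
    *)    unzip -q -P "$password" "$archive" -d "$work" >/dev/null 2>&1 ;;
  esac || { rm -rf "$work"; return 1; }
  echo "$work"
}

# Sanity-check the extracted database: integrity_check must print "ok" and the
# two tables a restore depends on most must be readable. Prints "users=N ciphers=M".
check_db() {
  db="$1"
  [ -f "$db" ] || { echo "missing db.sqlite3" >&2; return 1; }
  [ "$(sqlite3 "$db" 'PRAGMA integrity_check;' 2>/dev/null)" = "ok" ] \
    || { echo "integrity_check failed" >&2; return 1; }
  users="$(sqlite3 "$db" 'SELECT count(*) FROM users;' 2>/dev/null)" || return 1
  ciphers="$(sqlite3 "$db" 'SELECT count(*) FROM ciphers;' 2>/dev/null)" || return 1
  echo "users=$users ciphers=$ciphers"
}

# Full drill: extract, check, clean up. Non-zero on wrong password, corrupt
# archive, missing or damaged database.
verify_backup() {
  work="$(extract_backup "$1" "$2")" \
    || { echo "extract failed (wrong ZIP_PASSWORD or corrupt archive)" >&2; return 1; }
  if result="$(check_db "$work/db.sqlite3")"; then rc=0; else rc=1; fi
  rm -rf "$work"
  [ "$rc" -eq 0 ] && echo "$result"
  return "$rc"
}

# Stand-alone usage: `sh drill.sh backup.20240101.zip "$ZIP_PASSWORD"`
if [ "$#" -eq 2 ]; then
  verify_backup "$1" "$2"
fi
```

Run it on a copy pulled back from the rclone remote rather than on the local file, so the drill also proves the upload worked.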
The backup container above runs with the timezone Asia/Shanghai, makes a compressed backup every hour, and sends an e-mail to the MAIL_TO address once the backup has completed. The SMTP example is for Outlook; replace your-email-address, your-email-name and Your_APP_Password with your own e-mail address, sender name and app password. One caveat on the archive: ZIP_TYPE 'zip' uses Info-ZIP's traditional PKZIP (ZipCrypto) encryption, which is weak, so if the remote is a third-party cloud, prefer ZIP_TYPE '7z', which encrypts with AES-256. The vault entries inside the database are already encrypted client-side with each user's master key, but the database also holds account e-mails and other metadata worth protecting.

Fixing FIDO2 authentication stuck on "Loading" in the Windows desktop client after setup
According to Windows 10 Desktop app FIDO2 Webauthn stuck on “Loading” · Discussion #2111 · dani-garcia/vaultwarden, this is a known behaviour rather than a bug in the FIDO2 flow itself: the anti-framing response headers Vaultwarden sends (Content-Security-Policy frame-ancestors and X-Frame-Options) stop the Windows desktop client, which embeds the server's WebAuthn page from a file:// origin, from loading it. The maintainer considers this easy to fix outside the program, so it is not changed in Vaultwarden itself.
Fix 1:
Have the reverse proxy strip the two response headers. Note that this removes the clickjacking protection for the whole web vault, not just for the desktop client, so fix 2 is the better choice.
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
Fix 2:
In Admin > Settings > Advanced Settings > Allowed iframe ancestors, add
file://*
or pass the environment variable when starting the container:
ALLOWED_IFRAME_ANCESTORS="file://*"
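As an added example (not from the original post), the check below reads the response headers of the page the desktop client embeds and tells the two fixes apart: after fix 2 the Content-Security-Policy still exists and its frame-ancestors directive lists file://*, after fix 1 there is no anti-framing header at all, and with neither fix the client stays blocked. The header blocks in the code are constructed samples, and the path /webauthn-connector.html used by fetch_headers is an assumption; replace it with whatever page your client actually loads.

```shell
#!/bin/sh
# Added example: read the response headers of the WebAuthn page the desktop
# client embeds and tell fix 1 (headers stripped) from fix 2 (file://* allowed).
# Not part of the original post. The header samples below are constructed.

# Live fetch (needs network; the offline checks do not call it). The path is an
# assumption: replace it with whatever page your client actually loads.
fetch_headers() {
  curl -sI "https://$1/webauthn-connector.html"
}

# Print the value of one header (name matched case-insensitively) from a header
# block on stdin; the CR of CRLF line endings is stripped.
header_value() {
  want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  awk -v want="$want" '
    index($0, ":") && tolower(substr($0, 1, index($0, ":") - 1)) == want {
      v = substr($0, index($0, ":") + 1)
      sub(/^[ \t]+/, "", v); sub(/\r$/, "", v)
      print v; exit
    }'
}

# Classify a header block passed as $1:
#   allowed  (exit 0): CSP frame-ancestors includes file://*        -> fix 2
#   stripped (exit 1): neither CSP nor X-Frame-Options present      -> fix 1, clickjacking protection gone
#   blocked  (exit 2): anti-framing headers present, file://* missing -> desktop client still stuck
classify() {
  csp="$(printf '%s\n' "$1" | header_value Content-Security-Policy)"
  xfo="$(printf '%s\n' "$1" | header_value X-Frame-Options)"
  case "$csp" in
    *frame-ancestors*file://\**) echo "allowed"; return 0 ;;
  esac
  if [ -z "$csp" ] && [ -z "$xfo" ]; then
    echo "stripped"; return 1
  fi
  echo "blocked"; return 2
}

# Constructed samples (CRLF, as curl -I prints them).
sample_default() {
  printf '%s\r\n' 'HTTP/2 200' \
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'" \
    'X-Frame-Options: SAMEORIGIN' ''
}
sample_fix1() {
  printf '%s\r\n' 'HTTP/2 200' 'Content-Type: text/html' ''
}
sample_fix2() {
  printf '%s\r\n' 'HTTP/2 200' \
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' file://*" ''
}

# Stand-alone usage: `sh check.sh bitwarden.example.com`
if [ -n "${1:-}" ]; then
  classify "$(fetch_headers "$1")"
fi
```

If the live result is "stripped" while you believe you applied fix 2, the proxy_hide_header lines are probably still in the vhost; remove them so the web vault keeps its frame-ancestors policy.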