bitwarden密码管理平台部署

参考:

https://blog.csdn.net/qq_41587397/article/details/106683873 (此处主要为自建SSL证书)

一. 执行部署

0.镜像可选

# Image choices: the first line is the official upstream image on Docker Hub, the second a
# personal mirror on an Aliyun private registry.
# NOTE(review): a mirror is republished by a third party, not by the vaultwarden project; if it is
# used for pull speed, pin a digest and compare it with the official tag so the deployed bits are
# the ones upstream actually published.
vaultwarden/server
registry.cn-hangzhou.aliyuncs.com/zznn/mycentos:vaultwarden
1. docker-compose.yml文件
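version: "3"
services:
  bitwarden:
    image: vaultwarden/server
    container_name: vaultwarden
    restart: always
    ports:
      # Host port 90 -> container port 80 (HTTP API and web vault). The service is therefore reached
      # at http://<host>:90 from the outside; :80 is only the container-side port.
      - "90:80"
      # Websocket notification port (same number on both sides).
      - "3012:3012"
    volumes:
      # All persistent state (database, attachments, RSA keys) lives in this directory — back it up
      # and protect it like the vault itself.
      - ./bw-data:/data
    environment:
      # Vaultwarden looks these variables up by exact (uppercase) name; the lowercase spellings used
      # previously are not recognised and silently fall back to the built-in defaults.
      WEBSOCKET_ENABLED: "true"      # enable websocket notifications
      SIGNUPS_ALLOWED: "true"        # open registration; set to "false" once your own account exists
      WEB_VAULT_ENABLED: "true"      # serve the web vault UI
      # Admin panel is disabled unless ADMIN_TOKEN is set. Generate a strong value with
      # `openssl rand -base64 48`; the placeholder below is not a usable token.
      #ADMIN_TOKEN: "<generated-admin-token>"
      # DOMAIN should be set to the public URL (scheme + host) when the service sits behind the
      # HTTPS reverse proxy configured below — TODO confirm the exact value for your deployment.
      #DOMAIN: "https://<your-host>"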
2. 部署
# Deploy: start the vaultwarden service in the background using the docker-compose.yml above.
# Run it from the directory that holds docker-compose.yml (the later transcripts show /opt/bitwarden).
docker-compose up -d

这样就可以使用ip:80访问Bitwarden服务器了,但是还无法使用,会提示启用https,如下图所示

image-20230829153336701

二. 设置SSL证书 (此处为自签名证书,浏览器默认不信任,对外服务建议购买或使用受信任CA签发的证书)

1.安装openssl并创建证书

# Install openssl
apt install openssl -y
# Generate a self-signed TLS certificate in three steps: private key -> CSR -> self-signed cert.
# 1. Private key. -des3 encrypts it with the passphrase prompted for below.
openssl genrsa -des3 -out ssl.key 2048
# NOTE(review): the command asks for a 2048-bit key, but the transcript below reports 1024 bits —
# the output appears to come from an earlier run; 2048 bits is the minimum to use today.
// 返回
Generating RSA private key, 1024 bit long modulus (2 primes)
....+++++
......+++++
e is 65537 (0x010001)
Enter pass phrase for ssl.key: # enter a passphrase
Verifying - Enter pass phrase for ssl.key: # enter the same passphrase again
root@zznn:/opt/bitwarden# ls
bw-data docker-compose.yml ssl.key
# 2. Strip the passphrase so nginx can load the key unattended (otherwise every reload prompts for it).
# ssl_nopass.key is the unencrypted private key: anyone who can read it can impersonate the server,
# so keep it readable only by root/the nginx user (e.g. mode 600) and out of backups and version control.
openssl rsa -in ssl.key -out ssl_nopass.key
// 返回
Enter pass phrase for ssl.key: # the passphrase chosen above
writing RSA key
# Two files now exist: "ssl.key ssl_nopass.key"
root@zznn:/opt/bitwarden# ls
ssl.key ssl_nopass.key
# 3. Certificate signing request (CSR) for the unencrypted key
openssl req -new -key ssl_nopass.key -out ssl.csr
// 返回
Cant load /root/.rnd into RNG
140349062406592:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
# The two lines above are an OpenSSL seed-file warning; the request is still written (ssl.csr appears below).
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0 # original advice: enter the server address or 0.0.0.0, leave every other field at its default
# NOTE(review): the Common Name should be the hostname or IP that clients actually type; 0.0.0.0 is
# never what a client dials, so the certificate will not match the URL even after it is imported as
# trusted. Current browsers also ignore CN and require a subjectAltName — on OpenSSL 1.1.1 and later
# this can be added with the -addext "subjectAltName=..." option of openssl req (confirm for your version).
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ssl.csr is now present
root@zznn:/opt/bitwarden# ls
ssl.csr ssl.key ssl_nopass.key
# 4. Self-sign the CSR with the same key. -days sets the validity; the original note says it can be
# made longer, but very long lifetimes are rejected by some clients, so about a year plus renewal is safer.
root@zznn:/opt/bitwarden# openssl x509 -req -days 365 -in ssl.csr -signkey ssl_nopass.key -out ssl.crt
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 0.0.0.0
Getting Private key
# ssl.crt is the certificate nginx will serve
root@zznn:/opt/bitwarden# ls
bw-data docker-compose.yml ssl.crt ssl.csr ssl.key ssl_nopass.key

image-20230829153747377

三. 配置nginx nginx安装传送门 修改nginx.conf配置文件

NOTE: 此处nginx为编译安装配置文件位于/usr/local/nginx/conf/nginx.conf

1.参考文件(按照此配置未成功)

# Reference HTTPS server block (the page notes this variant did not work as-is).
# NOTE(review): /etc/nginx/key/... and /etc/nginx/default.d/*.conf are the paths of a package-installed
# nginx; the build used on this page keeps its files under /usr/local/nginx, so the include and
# certificate paths would have to be adjusted — plausibly why this variant failed.
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
#
ssl_certificate "/etc/nginx/key/ssl.crt"; # put the real paths of your ssl.crt and ssl_nopass.key here
ssl_certificate_key "/etc/nginx/key/ssl_nopass.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;# ssl_prefer_server_ciphers on;
# ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

# NOTE(review): the backend here (10.0.0.90:8888) differs from the 10.0.0.10:90 used by the final
# config, and there are no proxy_set_header lines, so the backend would see the proxy's address
# instead of the client's.
location / {
proxy_pass http://10.0.0.90:8888;
}

# Note: error_page points at /404.html but the location below serves /40x.html, so it never matches.
error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

2.参考花猪nginx ssl证书配置文档

# Reference HTTPS server block from the linked blog (serves a static site, not a proxy).
server {
listen 443 ssl; # listen on 443
server_name cnhuazhu.top; # domain name
root /var/www/blog-LeadPage; # site root
index index.html index.htm;
ssl_certificate cert/www.cnhuazhu.top.pem; # certificate file (check the path)
ssl_certificate_key cert/www.cnhuazhu.top.key; # private key file (check the path)
ssl_session_timeout 5m;
# NOTE(review): this list mixes strong AEAD suites with broad aliases (ECDHE, ECDH, AES, HIGH); once
# only TLS 1.2/1.3 are enabled, nginx's default cipher list is usually preferable to a hand-written one.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and refused by current browsers; a new
# deployment should list only TLSv1.2 TLSv1.3.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

location / {
index index.html index.htm;
}
}

# Plain-HTTP listener that only redirects to the HTTPS server above.
server{
listen 80; # listen on 80
server_name cnhuazhu.top; # domain name
rewrite ^/(.*)$ https://cnhuazhu.top:443/$1 permanent; # permanent (301) redirect of every request to the HTTPS port
}

2.自配置/usr/local/nginx/conf/nginx.conf

# ------------------------------------ separator: start of /usr/local/nginx/conf/nginx.conf ------------------------------------
# Worker processes run as the compiled-in default user while "user" stays commented out; only the
# master process needs root to bind port 443.
#user nobody;
worker_processes 1;

# error_log is disabled here; enabling it (e.g. at notice level) helps diagnose TLS handshake and
# upstream connection failures.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
worker_connections 1024;
}


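http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Plain-HTTP listener. It still serves the default static page; to force HTTPS, replace the
    # "location /" body with `return 301 https://$host$request_uri;`.
    server {
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;

    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;

    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;

    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS front end for vaultwarden. The docker-compose file publishes the container's port 80
    # on host port 90, which is the backend proxied below.
    server {
        listen 443 ssl;                                   # listen on 443
        server_name localhost;                            # use the name clients connect with; it must match the certificate
        root /usr/local/nginx/html;                       # document root for the static error pages below
        index index.html index.htm;
        ssl_certificate /usr/local/nginx/key/ssl.crt;             # self-signed certificate from section 2 (check the path)
        ssl_certificate_key /usr/local/nginx/key/ssl_nopass.key;  # unencrypted key: readable only by root/the nginx user
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # Only TLS 1.2/1.3: TLS 1.0/1.1 are deprecated (RFC 8996) and current clients refuse them.
        ssl_protocols TLSv1.2 TLSv1.3;
        #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;   # left at the nginx default
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://10.0.0.10:90;
            # Pass the real client address and scheme to the backend. Vaultwarden takes the client
            # IP from X-Real-IP (its IP_HEADER default) for login rate limiting and admin-panel
            # logging; without these headers every client is seen as the proxy's own address.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Live-sync websocket notifications (port 3012 in the compose file) are not proxied by this
        # block; if they are needed, add a dedicated location with Upgrade/Connection headers per
        # vaultwarden's reverse-proxy examples.

        error_page 404 /404.html;
        location = /404.html {    # was /40x.html, which never matched the error_page above
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }


}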
# ------------------------------------分割线 ------------------------------------

3.解析(只需要在https模块添加如下配置即可)

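# HTTPS front end for vaultwarden — the only block that needs to be added to the http {} section.
# The docker-compose file publishes the container's port 80 on host port 90, which is proxied below.
server {
    listen 443 ssl;                                   # listen on 443
    server_name localhost;                            # use the name clients connect with; it must match the certificate
    root /usr/local/nginx/html;                       # document root for the static error pages below
    index index.html index.htm;
    ssl_certificate /usr/local/nginx/key/ssl.crt;             # self-signed certificate from section 2 (check the path)
    ssl_certificate_key /usr/local/nginx/key/ssl_nopass.key;  # unencrypted key: readable only by root/the nginx user
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Only TLS 1.2/1.3: TLS 1.0/1.1 are deprecated (RFC 8996) and current clients refuse them.
    ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;   # left at the nginx default
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://10.0.0.10:90;
        # Pass the real client address and scheme to the backend. Vaultwarden takes the client IP
        # from X-Real-IP (its IP_HEADER default) for login rate limiting and admin-panel logging;
        # without these headers every client is seen as the proxy's own address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Live-sync websocket notifications (port 3012 in the compose file) are not proxied by this
    # block; if they are needed, add a dedicated location with Upgrade/Connection headers per
    # vaultwarden's reverse-proxy examples.

    error_page 404 /404.html;
    location = /404.html {    # was /40x.html, which never matched the error_page above
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}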

重启nginx

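# Validate the configuration before restarting nginx: a syntax error would otherwise take the
# HTTPS front end down until fixed. The && stops the restart if the test fails.
# This nginx is built from source under /usr/local/nginx; `nginx` is assumed to be on PATH and a
# systemd unit to exist for it — if not, run the binary from the install prefix's sbin directory.
nginx -t && systemctl restart nginx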

四. 效果 此时访问443端口即可

image-20230927185933451

五. 扩展备份(定期备份bw-data目录即可;该目录包含数据库、附件和RSA密钥,备份文件需与线上数据同等保护,建议加密存放)

image-20230829171706027

教程结束。