Many of the company's backend systems require two-factor verification, and having to pick up the phone each time to look up the code is quite troublesome. I heard that the Bitwarden extension for Chrome can auto-fill OTP codes, and I happen to have an idle Aliyun Hong Kong VPS, so I am considering using Vaultwarden to manage them.
I. Installing Vaultwarden
1.1 Installing Docker
Refer to the official documentation: https://docs.docker.com/engine/install/debian/#install-using-the-repository
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
1.2 Configuring the Docker Compose File
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vw.yipai.me" # Replace the domain with yours.
      SIGNUPS_ALLOWED: "false" # Set this to "false" after you have created your account so that no strangers can register
    volumes:
      - ./vw-data:/data # the path before the : can be changed
    ports:
      - 127.0.0.1:11001:80 # you can replace 11001 with your preferred port
Set SIGNUPS_ALLOWED to true first; once you have registered your own account, set it back to false and restart the service so that nobody else can sign up.
1.3 Starting Vaultwarden
sudo docker compose up -d && sudo docker compose logs -f
The startup log is displayed. Once you have confirmed there are no errors, press CTRL+C to stop following the log.
II. Configuring NGINX
2.1 Requesting a certificate
First point the domain name at the VPS, then request the certificate with certbot.
sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d vw.yipai.me
When the certificate is issued, certbot prints where it is stored; the location may differ between Linux distributions and Certbot installations. Mine is stored in:
Certificate is saved at: /etc/letsencrypt/live/vw.yipai.me/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vw.yipai.me/privkey.pem
2.2 Creating NGINX Configuration Files
Reference: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:11001;
    keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vw.yipai.me;

    if ($host = vw.yipai.me) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

server {
    # For older versions of nginx, append http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name vw.yipai.me;

    access_log /var/log/nginx/vw.yipai.me.access.log;
    error_log /var/log/nginx/vw.yipai.me.error.log;

    ssl_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vw.yipai.me/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    client_max_body_size 525M;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://vaultwarden-default;
    }
}
I use Diffie-Hellman parameters to improve security, so there is related configuration in the SSL section. See my post here for more details: https://yipai.me/post/548.html
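Before restarting anything, it is worth checking the two files above for the points this setup depends on: signups disabled, the container port bound to loopback only so that nothing but the local NGINX proxy can reach it, an https DOMAIN, TLS limited to 1.2 and 1.3, and the proxy headers forwarded. The following script is an added example and is not part of the original post or of Vaultwarden; it runs offline against constructed, trimmed copies of the compose file from section 1.2 and the NGINX config from section 2.2 (the parser assumes the `KEY: value` environment style and the `- ` ports list used there).

```python
"""Offline audit of a Vaultwarden compose file and its NGINX proxy config
(added example, not part of the original post). Checks: signups disabled,
container port bound to loopback only, DOMAIN served over https, TLS limited
to 1.2/1.3, session tickets off, and the proxy headers being forwarded.
The two texts below are constructed, trimmed copies of the post's snippets."""
import re

COMPOSE_TEXT = """services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: "https://vw.yipai.me"   # replace with your domain
      SIGNUPS_ALLOWED: "false"
    ports:
      - 127.0.0.1:11001:80
"""

NGINX_TEXT = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://vaultwarden-default;
    }
}
"""


def parse_compose(text):
    """Minimal parser for the compose subset used here: returns
    (environment dict, list of port mappings). Assumes 'environment' is
    written as KEY: value lines and 'ports' as a '- ' list, as in the post."""
    env, ports = {}, []
    section, sec_indent = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        if item in ("environment:", "ports:"):
            section, sec_indent = item[:-1], indent
            continue
        if section and indent <= sec_indent:
            section = None  # left the block we were collecting
        if section == "environment":
            key, _, val = item.partition(":")
            env[key.strip()] = val.strip().strip("\"'")
        elif section == "ports" and item.startswith("- "):
            ports.append(item[2:].strip().strip("\"'"))
    return env, ports


def audit_compose(env, ports):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    # Vaultwarden allows signups unless SIGNUPS_ALLOWED is explicitly false.
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false: anyone reaching the site can register")
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("DOMAIN is not an https:// URL")
    for mapping in ports:
        # Forms: HOST_IP:HOST_PORT:CONTAINER_PORT or HOST_PORT:CONTAINER_PORT;
        # without a host IP Docker binds to all interfaces and bypasses the proxy.
        host_part, _, _container_port = mapping.rpartition(":")
        host_ip, _, _host_port = host_part.rpartition(":")
        if host_ip not in ("127.0.0.1", "[::1]", "localhost"):
            findings.append(f"port mapping {mapping!r} is reachable from outside the host")
    return findings


def audit_nginx(text):
    """Check the TLS settings and the headers passed to the upstream."""
    findings = []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", text, re.M)
    protocols = set(m.group(1).split()) if m else set()
    if not protocols:
        findings.append("no ssl_protocols directive: the nginx build default applies")
    elif protocols & {"SSLv3", "TLSv1", "TLSv1.1"}:
        findings.append(f"legacy protocols enabled: {sorted(protocols)}")
    if not re.search(r"^\s*ssl_session_tickets\s+off\s*;", text, re.M):
        findings.append("ssl_session_tickets not disabled")
    for header in ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto"):
        if not re.search(rf"^\s*proxy_set_header\s+{header}\s", text, re.M):
            findings.append(f"proxy_set_header {header} missing")
    return findings


if __name__ == "__main__":
    for name, result in (("compose", audit_compose(*parse_compose(COMPOSE_TEXT))),
                         ("nginx", audit_nginx(NGINX_TEXT))):
        print(name, "OK" if not result else result)
```

Point the script at your own files by replacing the two constructed strings with their contents; an empty findings list for both means the configuration matches what this post sets up.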
2.3 Restarting NGINX
sudo systemctl restart nginx
After the restart, you can visit vw.yipai.me to register an account and start using it. At first I got an SSL error that I couldn't explain; it then went away on its own, and I still don't know what caused it.
III. Practical experience
My actual experience with the Bitwarden Chrome extension filling in OTP codes has not been great: sometimes it automatically copies the code to the clipboard, sometimes you have to open the menu manually and select the site. And even when the code is copied to the clipboard, you still have to paste it into the input box yourself. It is only marginally easier than picking up the phone, unlocking it, unlocking Authenticator, finding the code, and typing it in manually.