Install vaultwarden and configure nginx

Many of the company's internal systems require two-factor verification, and pulling out the phone to read the code each time is a hassle. The Bitwarden extension for Chrome is said to be able to auto-fill OTP codes, and I happen to have an idle Aliyun Hong Kong VPS, so I am considering using Vaultwarden to manage them.

I. Installing Vaultwarden

1.1 Installing Docker

Refer to the official documentation: https://docs.docker.com/engine/install/debian/#install-using-the-repository

# Add Docker's official GPG key: 
sudo apt-get update 
sudo apt-get install ca-certificates curl 
sudo install -m 0755 -d /etc/apt/keyrings 
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc 
sudo chmod a+r /etc/apt/keyrings/docker.asc 
 
# Add the repository to Apt sources: 
echo \ 
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \ 
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ 
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 
sudo apt-get update 
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

1.2 Configuring the Docker Compose File

services: 
  vaultwarden: 
    image: vaultwarden/server:latest 
    container_name: vaultwarden 
    restart: always 
    environment: 
      DOMAIN: "https://vw.yipai.me" # Replace domain to yours. 
      SIGNUPS_ALLOWED: "false" # Deactivate this with "false" after you have created your account so that no strangers can register 
    volumes: 
      - ./vw-data:/data # the path before the : can be changed 
    ports: 
      - 127.0.0.1:11001:80 # you can replace the 11001 with your preferred port

The SIGNUPS_ALLOWED field can be set to true first; after you have created your account, set it to false and restart the service.

1.3 Starting vaultwarden

sudo docker compose up -d && sudo docker compose logs -f

The startup log will be displayed. After observing that there are no problems, you can press CTRL+C to stop viewing the log.

II. Configuring NGINX

2.1 Requesting a certificate

First point the domain name at the VPS, then request the certificate with certbot.

sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d vw.yipai.me

When you get the certificate, you will be prompted where it is stored, which may be different for different Linux distributions or Certbot installations. Mine is stored in:

Certificate is saved at: /etc/letsencrypt/live/vw.yipai.me/fullchain.pem 
Key is saved at:         /etc/letsencrypt/live/vw.yipai.me/privkey.pem

2.2 Creating NGINX Configuration Files

Reference: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples

upstream vaultwarden-default { 
  zone vaultwarden-default 64k; 
  server 127.0.0.1:11001; 
  keepalive 2; 
} 
 
map $http_upgrade $connection_upgrade { 
    default upgrade; 
    ''      ""; 
} 
 
# Redirect HTTP to HTTPS 
server { 
    listen 80; 
    listen [::]:80; 
    server_name vw.yipai.me; 
 
    if ($host = vw.yipai.me) { 
        return 301 https://$host$request_uri; 
    } 
    return 404; 
} 
 
server { 
    # For older versions of nginx append http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl; 
    listen [::]:443 ssl; 
    http2 on; 
    server_name vw.yipai.me; 
 
    access_log  /var/log/nginx/vw.yipai.me.access.log; 
    error_log   /var/log/nginx/vw.yipai.me.error.log; 
 
    ssl_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/vw.yipai.me/privkey.pem; 
    ssl_trusted_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem; 
 
    ssl_session_timeout  5m; 
    ssl_session_cache shared:MozSSL:10m; 
    ssl_session_tickets off; 
 
    ssl_protocols TLSv1.2 TLSv1.3; 
    ssl_prefer_server_ciphers on; 
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; 
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; 
    ssl_stapling on; 
    ssl_stapling_verify on; 
    ssl_dhparam /etc/ssl/certs/dhparam.pem; 
 
    client_max_body_size 525M; 
 
    location / { 
      proxy_http_version 1.1; 
      proxy_set_header Upgrade $http_upgrade; 
      proxy_set_header Connection $connection_upgrade; 
 
      proxy_set_header Host $host; 
      proxy_set_header X-Real-IP $remote_addr; 
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
      proxy_set_header X-Forwarded-Proto $scheme; 
 
      proxy_pass http://vaultwarden-default; 
    } 
}

I use a custom Diffie-Hellman parameter file to improve security, hence the ssl_dhparam line in the SSL section. See my post here for more details: https://yipai.me/post/548.html
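The compose file in section 1.2 and the nginx site above are the two places where this setup is exposed to the network, so it is worth checking them together before restarting nginx. The script below is an added example, not code from the post or from the Vaultwarden project: it reads constructed copies of the two fragments (the same values as on the page, trimmed) and flags the settings that matter for exposure: the container port bound to loopback only, SIGNUPS_ALLOWED off, an https:// DOMAIN, TLS 1.2+ only, the HTTP-to-HTTPS redirect, the forwarding headers Vaultwarden needs behind a proxy, and that the nginx upstream points at the port the compose file actually publishes. The function names, the finding levels and the HSTS warning are this example's own choices, not anything the post prescribes.

```python
import re

# Constructed copy of the compose fragment from section 1.2 (comments removed).
COMPOSE = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vw.yipai.me"
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./vw-data:/data
    ports:
      - 127.0.0.1:11001:80
"""

# Constructed, trimmed copy of the nginx site from section 2.2.
NGINX = """\
upstream vaultwarden-default {
  server 127.0.0.1:11001;
  keepalive 2;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}
server {
    listen 80;
    server_name vw.yipai.me;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    http2 on;
    server_name vw.yipai.me;
    ssl_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vw.yipai.me/privkey.pem;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://vaultwarden-default;
    }
}
"""

# Matches a compose "ports" entry: optional host address, host port, container port.
PORT_RE = re.compile(r'^\s*-\s*"?(?:(?P<host>[\d.]+):)?(?P<hport>\d+):(?P<cport>\d+)', re.M)

def check_compose(text):
    """Return (level, message) findings for the compose fragment."""
    findings = []
    m = re.search(r'SIGNUPS_ALLOWED:\s*"?(\w+)"?', text)
    if not m or m.group(1).lower() != "false":
        findings.append(("fail", "SIGNUPS_ALLOWED is not false: anyone reaching the site can register"))
    m = re.search(r'DOMAIN:\s*"?(\S+?)"?\s*(#|$)', text, re.M)
    if not m or not m.group(1).startswith("https://"):
        findings.append(("fail", "DOMAIN must be the public https:// URL the clients will use"))
    m = PORT_RE.search(text)
    if not m:
        findings.append(("fail", "no port mapping found"))
    elif m.group("host") != "127.0.0.1":
        where = m.group("host") or "all interfaces"
        findings.append(("fail", f"port {m.group('hport')} is bound to {where}: "
                                 "the plain-HTTP container port would bypass nginx TLS"))
    return findings

def nginx_directives(text):
    """Yield (name, args) for each ';'-terminated statement; comments and braces are dropped."""
    body = re.sub(r"#.*", "", text)
    body = re.sub(r"[{}]", ";", body)
    for stmt in body.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def check_nginx(text):
    """Return (level, message) findings for the nginx site."""
    findings = []
    d = list(nginx_directives(text))
    protos = [a for n, args in d if n == "ssl_protocols" for a in args]
    legacy = sorted(set(protos) & {"SSLv3", "TLSv1", "TLSv1.1"})
    if not protos or legacy:
        findings.append(("fail", f"ssl_protocols not pinned or allows legacy versions: {legacy}"))
    if ("ssl_session_tickets", ["off"]) not in d:
        findings.append(("warn", "ssl_session_tickets is not off; long-lived ticket keys weaken forward secrecy"))
    if not any(n == "return" and args[:1] == ["301"] and args[1:2] and args[1].startswith("https://")
               for n, args in d):
        findings.append(("fail", "no 301 redirect from HTTP to HTTPS"))
    headers = {args[0] for n, args in d if n == "proxy_set_header" and args}
    needed = {"Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto", "Upgrade", "Connection"}
    missing = sorted(needed - headers)
    if missing:
        findings.append(("fail", f"proxy_set_header missing: {missing}"))
    if not any(n == "add_header" and args[:1] == ["Strict-Transport-Security"] for n, args in d):
        findings.append(("warn", "no HSTS header; consider add_header Strict-Transport-Security"))
    return findings

def check_port_consistency(compose_text, nginx_text):
    """True when the nginx upstream targets the loopback port the compose file publishes."""
    m = PORT_RE.search(compose_text)
    published = f"127.0.0.1:{m.group('hport')}" if m else None
    upstream = [args[0] for n, args in nginx_directives(nginx_text) if n == "server" and args]
    return published in upstream

def run(compose_text, nginx_text):
    findings = check_compose(compose_text) + check_nginx(nginx_text)
    if not check_port_consistency(compose_text, nginx_text):
        findings.append(("fail", "nginx upstream does not match the port published by compose"))
    return findings

if __name__ == "__main__":
    for level, msg in run(COMPOSE, NGINX):
        print(f"[{level}] {msg}")
```

Run against the page's own values it reports only the HSTS warning; changing the ports line to `11001:80` or SIGNUPS_ALLOWED to `"true"` turns into failures, which is the kind of drift that is easy to miss when a compose file is edited later.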

Restarting NGINX

sudo systemctl restart nginx

After the restart, you can visit vw.yipai.me to register an account and start using it. At first I got an SSL error I could not explain; it then cleared up on its own, and I still don't know what caused it.

III. Practical experience

The actual experience of filling OTP codes with the Bitwarden Chrome extension is not great: sometimes it automatically copies the code to the clipboard, sometimes you have to open the menu and select the site manually. And copying the code to the clipboard still means pasting it into the input box yourself. It is only somewhat easier than picking up the phone, unlocking it, opening Authenticator, finding the code, and typing it in by hand.