What is Bitwarden? Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.
This will be in English because it may be useful to the world. ;)
Short instructions on how to run the Bitwarden service on a home Qnap NAS.
Install „Container Station” on your Qnap. In the left panel of „Container Station” click the „Create” button and then „Create Application” in the upper right corner of the window. In the text input field put the content of the following listing and name this new application „bitwarden”.
Accept it and run. What you have really created is a Docker Compose YAML configuration file which pulls 3 images from the Docker Hub server:
- bitwarden_rs – an unofficial Bitwarden server implemented in the Rust language,
- nginx – web server required here as a proxy for HTTPS requests,
- bw_backup – a docker image running a cron job to back up the bitwarden database,
and runs containers from them inside „Container Station”.
You should pay particular attention to the ports configuration, the line with the „580:80” and „5443:443” phrases. „580” and „5443” are the outside ports which are opened on the Qnap itself. You can change them to whatever fits you, but don’t use 80, 443 or 8080 because they are already taken by the Qnap’s own services.
Before you run the freshly created application (that’s Qnap Container Station’s name for the docker-compose GUI), log into the Qnap over SSH and go to the application folder:
Now you must create the configuration for nginx:
Save it as nginx.conf in the /share/Container/container-station-data/application/bitwarden/data/nginx folder.
Now you have to create a self-signed certificate to encrypt HTTP requests with SSL. To do this, log in to the Qnap with SSH and run the following commands:
In this repo you’ll find two interesting files: data/ssl/bitwarden.ext:
and script called create_ssl.sh:
You can edit data/ssl/bitwarden.ext to make cert generation easier. Look at these lines:
and this:
Warning: your certificate will be valid only for the above domains. I use Pi-hole local DNS to redirect bitwarden.fubar to my Qnap IP address.
OK, run the create_ssl.sh script and follow the instructions. At the end you will find a whole new structure of folders and files in the ssl directory.
Copy the certs and private folders to /share/Container/container-station-data/application/bitwarden/data/ssl.
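The certificate step above depends on one detail: the server certificate must carry a subjectAltName matching the DNS name the clients will type (the DNS.1 entry in bitwarden.ext), and the clients must trust the CA that signed it. The following script is an added example, not the post’s own create_ssl.sh; it builds a local CA (myCA.key/myCA.crt), signs a server certificate for the given names with a generated extension file, and verifies the chain and SAN. The output directory, file names and the domain bitwarden.fubar are assumptions.

```shell
#!/bin/sh
# Added example (not the post's create_ssl.sh): local CA + SAN server cert.
# Assumptions: OUT_DIR layout (certs/, private/), file names, bitwarden.fubar.
set -eu

# Write the X.509 v3 extension file that makes the leaf a server cert valid
# for the listed DNS names. Usage: write_san_ext <file> <dns1> [dns2 ...]
write_san_ext() {
  ext="$1"; shift
  {
    printf 'authorityKeyIdentifier=keyid,issuer\n'
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$ext"
}

# Create the CA and a server certificate signed by it.
# Usage: make_ca_and_cert <out_dir> <dns1> [dns2 ...]
make_ca_and_cert() {
  out="$1"; shift
  mkdir -p "$out/private" "$out/certs"
  write_san_ext "$out/bitwarden.ext" "$@"
  # Root CA. Only myCA.crt is distributed to clients; keep myCA.key private,
  # ideally off the NAS once the server cert has been issued.
  openssl genrsa -out "$out/private/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$out/private/myCA.key" -sha256 -days 1825 \
    -subj "/CN=Home Bitwarden CA" -out "$out/certs/myCA.crt" 2>/dev/null
  # Server key and CSR; the CN is the first DNS name, the SANs come from ext.
  openssl genrsa -out "$out/private/bitwarden.key" 2048 2>/dev/null
  openssl req -new -key "$out/private/bitwarden.key" \
    -subj "/CN=$1" -out "$out/bitwarden.csr" 2>/dev/null
  openssl x509 -req -in "$out/bitwarden.csr" -CA "$out/certs/myCA.crt" \
    -CAkey "$out/private/myCA.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$out/bitwarden.ext" -out "$out/certs/bitwarden.crt" 2>/dev/null
}

# Check that the leaf chains to the CA and carries the expected SAN.
# Usage: verify_cert <out_dir> <dns_name>; exit status 0 on success.
verify_cert() {
  openssl verify -CAfile "$1/certs/myCA.crt" "$1/certs/bitwarden.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$1/certs/bitwarden.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Stand-alone use: ./make_certs.sh run ./ssl
if [ "${1:-}" = "run" ]; then
  make_ca_and_cert "${2:-./ssl}" bitwarden.fubar
  verify_cert "${2:-./ssl}" bitwarden.fubar && echo "certificate chain and SAN ok"
fi
```

Copy the resulting certs and private folders to the data/ssl location named above and hand myCA.crt to the clients; if verify_cert fails after a rename of the host, the SAN list, not the CA trust, is the usual cause.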
Now start the Bitwarden application:
Open a web browser and go to a URL like https://bitwarden.fubar:5443; remember to change the domain to the same value as in DNS.1 for ssl.
You should see Bitwarden login page:
Time to install and use Bitwarden clients on desktops (macOS, Linux, Windows) and mobiles (Android, iOS), but before you do it, first go back to the SSH session on your Qnap and copy the „myCA.crt” file to your computer.
This file is the root CA certificate that will make your Bitwarden clients treat the certificate used for the connection as valid, even though it is self-signed by you.
Install the CA certificate on every host you use with a Bitwarden client:
macOS – double click on CRT file and it will open in Keychain Access, add it to System keychain and choose „Always Trust” option,
Linux (Debian/Ubuntu)- https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate
If your CA is in PEM format, convert the .pem file to a .crt file:
1. Create a directory for extra CA certificates in /usr/share/ca-certificates:
2. Copy the server_rootCA.crt file to this directory:
3. Let Debian/Ubuntu add the .crt file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
3a. To do this non-interactively, run:
Windows – don’t use it.
Firefox – go to Preferences -> Privacy & Security -> View Certificates. Click Import, then choose PEM/CRT file, select „Trust this CA to identify websites.”
Chrome – in macOS it uses Keychain so you don’t need to add it again. For Linux check this website: https://thomas-leister.de/en/how-to-import-ca-root-certificate/. Quick hint: go to Settings -> Privacy & Security -> Security -> Manage Certificates and Import.
Warning! The original Bitwarden Desktop client uses the Chromium sandbox, so you HAVE TO install the CA certificate into Chromium!!!
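The Debian/Ubuntu steps above are the ones that are easiest to get half right: the .crt must land under /usr/share/ca-certificates, its relative path must be listed in /etc/ca-certificates.conf, and update-ca-certificates must run, otherwise the client keeps seeing an untrusted issuer. The script below is an added example, not from the post or the page it links; it performs those steps non-interactively and is idempotent on re-runs. The optional root prefix argument exists so the file operations can be exercised in a scratch directory; on a real host omit it and run as root. The file name server_rootCA.crt (the post’s name for the copied myCA.crt) is an assumption.

```shell
#!/bin/sh
# Added example (not the post's code): install a root CA on Debian/Ubuntu
# without the dpkg-reconfigure dialog. Assumptions: destination directory
# "extra", file name server_rootCA.crt, optional root prefix for dry runs.
set -eu

# Usage: install_root_ca <pem-or-crt file> [root prefix]
# Returns 0 when the cert is in place and listed in ca-certificates.conf.
install_root_ca() {
  src="$1"; root="${2:-}"
  dir="$root/usr/share/ca-certificates/extra"
  conf="$root/etc/ca-certificates.conf"
  mkdir -p "$dir" "$(dirname "$conf")"
  # 1. A PEM-encoded CA and a .crt under ca-certificates are the same bytes;
  #    the "conversion" is a copy under the .crt name the tooling expects.
  cp "$src" "$dir/server_rootCA.crt"
  # 2. update-ca-certificates only processes entries listed in the conf file,
  #    as paths relative to /usr/share/ca-certificates. Add the line once.
  touch "$conf"
  grep -qx 'extra/server_rootCA.crt' "$conf" ||
    echo 'extra/server_rootCA.crt' >> "$conf"
  # 3. Rebuild /etc/ssl/certs and the bundle (only on the real host).
  if [ -z "$root" ]; then
    update-ca-certificates
  fi
  [ -f "$dir/server_rootCA.crt" ] && grep -qx 'extra/server_rootCA.crt' "$conf"
}

# How many times the entry is listed; must stay 1 however often you re-run.
# Usage: conf_entries [root prefix]
conf_entries() {
  grep -cx 'extra/server_rootCA.crt' "${1:-}/etc/ca-certificates.conf"
}

# Stand-alone use on the client host: sudo ./install_ca.sh run ~/myCA.crt
if [ "${1:-}" = "run" ]; then
  install_root_ca "${2:?path to myCA.crt}" && echo "CA installed"
fi
```

Programs that use their own trust store (Firefox, and the Chromium-based desktop client the warning above refers to) do not read /etc/ssl/certs, so this step must be repeated in those stores as the post describes.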
When the CA certificate is in the right place, the last thing is: before you connect, every Bitwarden client must „know” the right address of the Bitwarden server.
Run the client and click the gear icon:
then put your server address in these 4 fields:
- Server URL
- Web vault server URL
- API server URL
- Identity server URL
Remember to put it in the following form: https://my.ip.address:myport; if your server has IP 10.0.0.1 and port 5443 it should be https://10.0.0.1:5443, as in the image below. If you use a domain name (as I do), replace the IP with the domain:
Now it’s time to create an account; you can do it by pointing the browser to the very same URL as used above: https://10.0.0.1:5443.
It’s all ready to use now.
A few steps to consider:
- store the database backup somewhere outside the Qnap,
- import data from another password manager,
- set up a VPN connection to the Qnap to synchronize the database when you are outside.
UPDATE:
How to update the docker images?
- ALWAYS MAKE A BACKUP OF YOUR VAULT!!! Export it as JSON from the Bitwarden client.
- go to your Qnap, run FileStation and zip the full content of your application data folder:
- stop the application in ContainerStation and remove it. Go to the Images tab and pull new versions of the images: bitwardenrs/server, bruceforce/bw_backup and nginx:1.15-alpine.
- create the application as written at the beginning of this article, but don’t run it,
- unzip the content of the previously backed-up data folder (configuration for nginx, ssl, vault and the vault’s backup),
- run the application.
Related posts:
Hey Everyone,
we installed a proxy (Apache) for our Bitwarden_rs installation so we could redirect http to https, which is working just fine.
The proxy is listening on ports 80 and 443 and redirects the traffic to port 5443 (which is disabled in the firewall of the host). I start the Bitwarden server using Docker Compose, setting ROCKET_PORT to 443 and the following port configuration:
Bitwarden is working totally fine when opening it via “https://Bitwarden.domain.de” and “http://bitwarden.domain.de”, with the http version redirecting to https. If I however try to reach “http://IP:5443”, it will connect me with an insecure http connection, even though all incoming traffic to port 5443 is set to be dropped on the host.
Also, the proxy and Docker/Bitwarden are running on the same server.
I am pretty sure that I missed something very obvious, but I simply can’t find out what I missed. Any help will be highly appreciated!