An alternative implementation of the Bitwarden server API written in Rust, compatible with the upstream Bitwarden clients; well suited to self-hosted deployments where running the official, resource-heavy service is not ideal.

Github:https://github.com/dani-garcia/vaultwarden

Deployment environment

  • OS: Debian
  • One domain name, with a DNS record pointing at the server
  • Docker and Docker Compose installed (see the VPS deployment post)
  • Caddy installed, used as the reverse proxy

Deployment

Refresh the package index (run apt upgrade -y as well if you also want to upgrade the installed packages),

apt update -y

Install the usual tools,

apt install wget curl sudo vim git

vaultwarden

Create the installation directory; the compose file below mounts this directory as /data, so it will also hold the vault database, the RSA keys and all attachments,

mkdir -p /root/data/docker/vaultwarden
cd /root/data/docker/vaultwarden

Create and edit docker-compose.yml,

version: '3.3'
services:
    server:
        container_name: vaultwarden
        environment:
            # Live-sync channel for the clients. Vaultwarden 1.29 and later also
            # serve /notifications/hub on the main HTTP port, so this only matters
            # for older images.
            - WEBSOCKET_ENABLED=true
            # Leave this true only until you have registered your own account,
            # then set it to false: the default is to let anyone sign up.
            - SIGNUPS_ALLOWED=true
            # ADMIN_TOKEN is not set, so the /admin page stays disabled.
        volumes:
            # The compose directory doubles as the data directory
            # (db.sqlite3, rsa_key*.pem, attachments, ...).
            - './:/data/'
        restart: unless-stopped
        ports:
            # Bind to loopback: Caddy on this host is the only client and the
            # container speaks plain HTTP. A bare '3011:80' would publish the
            # unencrypted port on every interface, bypassing the proxy.
            - '127.0.0.1:3012:3012'
            - '127.0.0.1:3011:80'
        image: 'vaultwarden/server:latest'

After you have logged in for the first time and created your account, change SIGNUPS_ALLOWED to false and recreate the container (run docker-compose up -d again); otherwise anyone who finds the site can register on your server. Leave WEBSOCKET_ENABLED as it is: it only controls the live-sync channel for the clients, and turning it off does not close registration.

Start it,

docker-compose up -d
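Once the container is up, the two settings that decide who can reach it are the port bindings and SIGNUPS_ALLOWED. The script below is an added example (not from this post or the Vaultwarden project) that audits a compose file for both and can probe Vaultwarden's /alive health endpoint through the proxy. It assumes the directory layout used above; the two compose files it checks are constructed inline so the offline part runs anywhere.

```shell
#!/bin/sh
# Added example (not from the post or the Vaultwarden project): audit the compose
# file for the two exposure settings and probe the health endpoint.
# Assumes the directory layout used in the post.

# check_ports_loopback COMPOSE_FILE
# Returns 0 when every "ports:" mapping binds to loopback. A mapping such as
# '3011:80' publishes the container on 0.0.0.0, which lets clients bypass Caddy
# and talk plain HTTP to Vaultwarden.
check_ports_loopback() {
    bad=$(grep -E "^[[:space:]]*-[[:space:]]*['\"]?[0-9.]*:?[0-9]+:[0-9]+" "$1" \
          | grep -vE "127\.0\.0\.1:|localhost:|\[::1\]:" || true)
    if [ -n "$bad" ]; then
        echo "ports published on all interfaces:"
        echo "$bad"
        return 1
    fi
    return 0
}

# check_signups_closed COMPOSE_FILE
# Returns 0 only when SIGNUPS_ALLOWED is explicitly false; Vaultwarden's
# default when the variable is absent is to allow registration.
check_signups_closed() {
    grep -qE "^[[:space:]]*-[[:space:]]*SIGNUPS_ALLOWED=false[[:space:]]*$" "$1"
}

# audit_compose COMPOSE_FILE -> 0 only when both checks pass
audit_compose() {
    rc=0
    check_ports_loopback "$1" || rc=1
    check_signups_closed "$1" || { echo "SIGNUPS_ALLOWED is not false"; rc=1; }
    return $rc
}

# check_alive BASE_URL -> 0 when Vaultwarden answers its /alive health endpoint
# through the proxy (needs network; not used by the offline demo below)
check_alive() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/alive")
    [ "$code" = "200" ]
}

# --- constructed demo input (not a real deployment) -----------------------
DEMO_DIR=$(mktemp -d)
WEAK_COMPOSE="$DEMO_DIR/weak.yml"
HARDENED_COMPOSE="$DEMO_DIR/hardened.yml"

cat > "$WEAK_COMPOSE" <<'EOF'
services:
    server:
        environment:
            - SIGNUPS_ALLOWED=true
        ports:
            - '3012:3012'
            - '3011:80'
EOF

cat > "$HARDENED_COMPOSE" <<'EOF'
services:
    server:
        environment:
            - SIGNUPS_ALLOWED=false
        ports:
            - '127.0.0.1:3012:3012'
            - '127.0.0.1:3011:80'
EOF

for f in "$WEAK_COMPOSE" "$HARDENED_COMPOSE"; do
    if audit_compose "$f" >/dev/null; then
        echo "$f: OK"
    else
        echo "$f: needs hardening"
    fi
done
# Real use: audit_compose /root/data/docker/vaultwarden/docker-compose.yml
#           check_alive https://vw.amaranthinking.eu.org
```

The port check is deliberately textual: it looks at what the compose file publishes, not at what is currently listening, so it also catches a bad edit before the next docker-compose up -d applies it. Confirm the live state afterwards with ss -ltn, which should show 3011 and 3012 only on 127.0.0.1.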

Update

Go to the directory containing docker-compose.yml,

cd /root/data/docker/vaultwarden

Pull the latest image (back up the data directory first: the tag is latest, so a pull can jump across major versions and migrate the database),

docker-compose pull

Recreate the container on the new image,

docker-compose up -d

Uninstall

Go to the directory containing docker-compose.yml,

cd /root/data/docker/vaultwarden

Stop and remove the container; the data mapped to the host is left in place,

docker-compose down

To delete the host data as well (this is the vault database, the RSA keys that sign login tokens and every attachment, so keep a backup if you may ever want the vault back),

cd
rm -rf /root/data/docker/vaultwarden
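Both the update above and this removal step destroy state that cannot be recreated, so a snapshot should come first. The script below is an added example, not from this post or the Vaultwarden project: it backs up the database with sqlite3's online .backup (consistent while the container keeps running) and archives the key material, attachments, Sends and config.json. It assumes the layout used in this post, where the compose directory is also the /data mount; the demo at the end builds a fake data directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post or the Vaultwarden project): snapshot the data
# directory before an update or before removing the deployment. Assumes the
# layout used in the post, where the compose directory is also the /data mount.

# backup_vaultwarden DATA_DIR DEST_DIR
# Produces DEST_DIR/db-<stamp>.sqlite3 via sqlite3's online ".backup", which is
# consistent even while the container is running (a plain cp of a live SQLite
# file can capture a half-written page), plus DEST_DIR/vaultwarden-<stamp>.tar.gz
# with the RSA keys that sign login tokens, attachments, Sends and config.json.
# Prints the archive path on success.
backup_vaultwarden() {
    data="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"

    if [ -f "$data/db.sqlite3" ]; then
        if command -v sqlite3 >/dev/null 2>&1; then
            sqlite3 "$data/db.sqlite3" ".backup '$dest/db-$stamp.sqlite3'"
        else
            echo "sqlite3 not installed: stop the container before copying db.sqlite3" >&2
            return 2
        fi
    fi

    files=""
    for f in rsa_key.pem rsa_key.pub.pem config.json attachments sends; do
        if [ -e "$data/$f" ]; then
            files="$files $f"
        fi
    done
    if [ -z "$files" ]; then
        echo "nothing to back up in $data" >&2
        return 1
    fi
    # $files is intentionally unquoted: it is a space-separated list of names
    tar -czf "$dest/vaultwarden-$stamp.tar.gz" -C "$data" $files
    echo "$dest/vaultwarden-$stamp.tar.gz"
}

# --- constructed demo: a fake data directory so this runs offline ------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/data/attachments/cipher1" "$DEMO/backups"
printf 'not a real key\n' > "$DEMO/data/rsa_key.pem"
printf 'not a real key\n' > "$DEMO/data/rsa_key.pub.pem"
printf '{}\n' > "$DEMO/data/config.json"
printf 'blob\n' > "$DEMO/data/attachments/cipher1/file"

ARCHIVE=$(backup_vaultwarden "$DEMO/data" "$DEMO/backups")
echo "created $ARCHIVE"
tar -tzf "$ARCHIVE"
# Real use: backup_vaultwarden /root/data/docker/vaultwarden /root/backups/vaultwarden
```

Restoring is the reverse with the container stopped: copy the db-*.sqlite3 file back as db.sqlite3 and unpack the archive into the data directory. Keep the backups on a different host or disk; the archive contains the private key used for every login token, so treat it like the vault itself.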

Reverse proxy

Go to /etc/caddy/sites (this assumes your main Caddyfile imports that directory) and create vw.amaranthinking.eu.org.conf with the following content,

# Uncomment this block together with the "import admin_redir" line further down to allow
# access to the admin interface only from local networks
# (admin_redir) {
#        @admin {
#                path /admin*
#                not remote_ip private_ranges
#        }
#        redir @admin /
# }

vw.amaranthinking.eu.org {
  log {
    level INFO
    # This path is the Vaultwarden data directory, so the access log (with client IPs)
    # is also visible inside the container at /data/vw.log and lands in any backup of it.
    # If Caddy runs as its own user (the Debian package uses "caddy"), it cannot write
    # under /root and will refuse to start; use a path such as /var/log/caddy/vw.log then.
    output file /root/data/docker/vaultwarden/vw.log {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
  # tls {$EMAIL}

  # Or uncomment this if you're providing your own cert. You would also use this option
  # if you're running behind Cloudflare.
  # tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Hardening headers (WARNING: only change these if you understand the implications!)
  # If you want to use FIDO2 WebAuthn, X-Frame-Options must be "SAMEORIGIN" or the browser will block those requests
  header {
       # Enable HTTP Strict Transport Security (HSTS)
       Strict-Transport-Security "max-age=31536000;"
       # Legacy XSS-filter switch: Chrome and Firefox ignore it (their auditors are gone);
       # harmless to keep for older browsers
       X-XSS-Protection "1; mode=block"
       # Disallow the site to be rendered within a frame (clickjacking protection)
       X-Frame-Options "SAMEORIGIN"
       # Prevent search engines from indexing (optional)
       X-Robots-Tag "none"
       # Remove the Server banner
       -Server
  }

  # Uncomment to allow access to the admin interface only from local networks
  # import admin_redir

  # Proxy everything to Rocket
  # if located at a sub-path the reverse_proxy line will look like:
  #   reverse_proxy /subpath/* <SERVER>:80
  # WebSocket notifications; on Vaultwarden 1.29 and later the hub is also served on
  # the main port, so this line can point at 127.0.0.1:3011 instead
  reverse_proxy /notifications/hub 127.0.0.1:3012
  reverse_proxy 127.0.0.1:3011 {
       # Send the true remote IP to Rocket, so that Vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}
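Whether the header block above is actually in effect is easy to verify from outside. The script below is an added example, not part of this post or the Vaultwarden project: it checks a response header block for HSTS, X-Frame-Options and a leaked Server banner, and has live helpers that wrap curl against the hostname used in this post (check_site, check_admin_hidden). The two sample responses in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the post or the Vaultwarden project): verify that the
# Caddy site really emits the hardening headers and keeps /admin off the
# internet. The sample responses below are constructed, not captured.

# check_headers HEADER_TEXT
# HEADER_TEXT is a raw response header block (what "curl -sI" prints). Prints a
# line per finding and returns 0 only when all three checks pass:
#   - HSTS present with max-age of at least six months (15768000 s)
#   - X-Frame-Options SAMEORIGIN or DENY (SAMEORIGIN is needed for WebAuthn)
#   - no Server banner (the "-Server" line in the header block)
check_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')   # curl output has CRLF line ends
    rc=0
    maxage=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' \
             | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$maxage" ] || [ "$maxage" -lt 15768000 ]; then
        echo "FAIL Strict-Transport-Security missing or max-age too short"
        rc=1
    fi
    if ! printf '%s\n' "$hdrs" | grep -qiE '^x-frame-options: *(SAMEORIGIN|DENY)'; then
        echo "FAIL X-Frame-Options is not SAMEORIGIN or DENY"
        rc=1
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^server:'; then
        echo "FAIL Server header is still sent (-Server not in effect)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS security headers"
    fi
    return $rc
}

# Live helper (needs network; not used by the offline demo):
#   check_site https://vw.amaranthinking.eu.org
check_site() {
    check_headers "$(curl -sI "$1/")"
}

# check_admin_hidden BASE_URL -> 0 when a request for /admin from this machine
# is answered with a redirect, i.e. the admin_redir block is active for
# non-private source addresses. Run it from outside the LAN. Without
# ADMIN_TOKEN set Vaultwarden only shows a notice that the panel is disabled,
# but the path should still not be reachable from the internet.
check_admin_hidden() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/admin")
    case "$code" in
        301|302|303|307|308) return 0 ;;
        *) echo "/admin answered $code instead of a redirect"; return 1 ;;
    esac
}

# --- constructed sample responses ------------------------------------------
HARDENED='HTTP/2 200
strict-transport-security: max-age=31536000;
x-frame-options: SAMEORIGIN
x-robots-tag: none
content-type: text/html'

WEAK='HTTP/1.1 200 OK
Server: Caddy
Strict-Transport-Security: max-age=300
Content-Type: text/html'

check_headers "$HARDENED"
check_headers "$WEAK" || true
```

Run check_site against the public hostname after every Caddy change, and run check_admin_hidden from a network that is not in private_ranges, since from the LAN the redirect is intentionally not applied.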
