Installing vaultwarden and configuring nginx
Many of the internal systems at work require two-factor authentication, and having to pick up the phone every time I open one is a hassle. I had read that the Bitwarden extension for Chrome can auto-fill OTP codes, and I happened to have an idle Alibaba Cloud VPS in Hong Kong, so I decided to use Vaultwarden to manage them.
1. Install Vaultwarden
1.1 Install Docker
Follow the official documentation: https://docs.docker.com/engine/install/debian/#install-using-the-repository
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
1.2 Configure the Docker Compose file
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vw.yipai.me" # Replace with your own domain.
      SIGNUPS_ALLOWED: "false" # Set this to "false" once you have created your own account so that strangers cannot register.
    volumes:
      - ./vw-data:/data # The path before the colon can be changed; it holds the database, attachments and keys, so back it up.
    ports:
      - 127.0.0.1:11001:80 # Bind to loopback only so NGINX is the sole public entry point (Docker's own iptables rules bypass ufw); replace 11001 with your preferred port.
For the first start set SIGNUPS_ALLOWED to true, create your own account in the web vault, then set it back to false and run docker compose up -d again: a plain docker compose restart keeps the old environment, the container has to be recreated for the change to take effect. While signups are open anyone who can reach the domain can create an account, so keep that window short.
1.3 Start vaultwarden
sudo docker compose up -d && sudo docker compose logs -f
The startup log is shown; once it looks clean, press CTRL+C to stop following it (that only detaches from the log, the container keeps running).
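Two settings in the compose file decide whether anything other than NGINX can reach the vault: the loopback-only port binding and SIGNUPS_ALLOWED. The script below is an added example, not part of the original post or of Vaultwarden itself. It checks a compose file for both settings and then checks ss -ltn style output for a listener on the backend port that is not bound to loopback. Docker publishes ports through its own iptables chain, which sits in front of ufw's rules, so a bare 11001:80 mapping exposes the unencrypted backend even with a host firewall enabled. The file name, the port argument and the audit-vw.sh name are my own; the sample inputs used to try it are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of Vaultwarden): audit the
# compose file and the host's listening sockets for the two settings that
# decide who can reach Vaultwarden directly.
#
# Usage:  sh audit-vw.sh docker-compose.yml [port]
# The port defaults to 11001, the backend port used in the compose file above.

# Return 0 when the compose file disables signups and publishes every port on
# loopback only. Docker inserts its own iptables rules ahead of ufw, so a
# mapping like "11001:80" is reachable from the Internet regardless of the
# host firewall; only "127.0.0.1:11001:80" keeps NGINX as the sole entry point.
# Only the short "host:container" port syntax is understood.
audit_compose() {
    file=$1
    status=0
    # Accept both the mapping form (SIGNUPS_ALLOWED: "false") and the
    # list/.env form (- SIGNUPS_ALLOWED=false).
    if ! grep -Eq '^[[:space:]]*(-[[:space:]]*)?SIGNUPS_ALLOWED[:=][[:space:]]*"?false"?' "$file"; then
        echo "WARN: SIGNUPS_ALLOWED is not false in $file" >&2
        status=1
    fi
    # Walk the "ports:" block and report every mapping not bound to loopback.
    if ! awk '
        BEGIN { bad = 0 }
        /^[ \t]*ports:/ { inports = 1; next }
        inports && /^[ \t]*-/ {
            line = $0
            sub(/^[ \t]*-[ \t]*"?/, "", line)      # strip list marker and opening quote
            sub(/"?[ \t]*(#.*)?$/, "", line)       # strip closing quote and trailing comment
            if (line !~ /^(127\.0\.0\.1|localhost|\[::1\]):/) {
                print "WARN: port mapping not bound to loopback: " line
                bad = 1
            }
            next
        }
        inports { inports = 0 }                    # any other line ends the ports block
        END { exit bad }
    ' "$file" >&2; then
        status=1
    fi
    return $status
}

# Read "ss -Hltn" output on stdin and return 1 if the given port is listening
# on any address other than loopback. Run it after "docker compose up -d":
# it checks what the kernel actually exposes, not what the file says.
audit_listeners() {
    port=$1
    awk -v port="$port" '
        BEGIN { bad = 0 }
        {
            addr = $4                              # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next             # header lines and other ports
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") {
                print "WARN: " addr " is reachable from outside the host"
                bad = 1
            }
        }
        END { exit bad }
    ' >&2
}

# When run with a compose file as argument, audit the file and the live sockets.
if [ -n "${1:-}" ]; then
    audit_compose "$1" && echo "compose file: OK"
    ss -Hltn | audit_listeners "${2:-11001}" && echo "port ${2:-11001}: loopback only"
fi
```

A clean run prints the two OK lines; any WARN line names the exact mapping or socket to fix, and the exit status makes the script usable as a gate in a deploy step.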
2. Configure NGINX
2.1 Request a certificate
Point the domain at the VPS first, then request the certificate with certbot. The http challenge needs port 80 reachable from the Internet and NGINX already running, because the --nginx plugin answers the challenge through it. --staple-ocsp is an installer-side option and does nothing with certonly; the stapling itself is set up in the NGINX configuration below.
sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d vw.yipai.me
Once the certificate is issued, certbot prints where the files were stored; the location depends on the distribution and on how certbot was installed. Mine are at:
Certificate is saved at: /etc/letsencrypt/live/vw.yipai.me/fullchain.pem
Key is saved at: /etc/letsencrypt/live/vw.yipai.me/privkey.pem
2.2 Create the NGINX configuration file
Reference: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
upstream vaultwarden-default {
    zone vaultwarden-default 64k;
    server 127.0.0.1:11001;
    keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vw.yipai.me;

    if ($host = vw.yipai.me) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

server {
    # For older versions of nginx append http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name vw.yipai.me;

    access_log /var/log/nginx/vw.yipai.me.access.log;
    error_log /var/log/nginx/vw.yipai.me.error.log;

    ssl_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vw.yipai.me/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/vw.yipai.me/fullchain.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    # The file must exist before NGINX starts; see the note below.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Vault attachments can be large; keep this above the biggest upload you expect.
    client_max_body_size 525M;

    location / {
        proxy_http_version 1.1;
        # WebSocket upgrade headers, needed for Vaultwarden's live-sync notifications
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://vaultwarden-default;
    }
}
The ssl_dhparam line is there because I use Diffie-Hellman parameters to harden the key exchange; the parameter file has to be generated with openssl dhparam before the restart, because NGINX refuses to start when the directive points at a file that does not exist. Details are in this post of mine: https://yipai.me/post/548.html. One caveat on the ssl_stapling lines: Let's Encrypt has announced it is ending OCSP support, and once a certificate carries no OCSP responder URL NGINX simply logs that ssl_stapling is ignored.
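Two things in the TLS block can only be verified on disk: that the certificate and key certbot wrote in 2.1 actually belong together, and that the file behind ssl_dhparam exists and is long enough. The script below is an added example, not part of the original post or of the Vaultwarden wiki it follows; it covers the certificate files from 2.1 and the ssl_* lines in 2.2 and is meant to run before the restart. Paths default to the certbot locations printed above; the tls-preflight.sh name and the --run switch are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the Vaultwarden wiki: offline
# pre-flight checks for the files the NGINX TLS configuration points at,
# meant to run before "systemctl restart nginx".
#
# Usage:  sudo sh tls-preflight.sh --run [cert] [key] [dhparam]
# Without --run the file only defines the functions, so it can be sourced.

# 0 when the public key inside the certificate is the one derived from the
# private key. A mismatched pair (for example a key regenerated on renewal
# while an old certificate is still referenced) makes every handshake fail
# and shows up in the browser only as a generic SSL error. Works for both
# RSA and ECDSA keys, the two types certbot issues.
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate stays valid for at least the given number of days.
# Let's Encrypt issues 90-day certificates, so failing this with 30 days
# means the certbot renewal timer is not doing its job.
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# 0 when the DH parameter file referenced by ssl_dhparam exists and its
# prime is at least min_bits long (default 2048). NGINX refuses to start at
# all when the file is missing, so generate it first:
#   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
dhparam_ok() {
    f=$1; min_bits=${2:-2048}
    [ -r "$f" ] || { echo "FAIL: $f missing or unreadable" >&2; return 1; }
    # "openssl dhparam -text" prints a line such as "DH Parameters: (2048 bit)"
    bits=$(openssl dhparam -in "$f" -noout -text 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]
}

# Run every check against the real paths; each failure is reported and the
# function returns non-zero so it can gate the restart in a deploy script.
preflight() {
    cert=${1:-/etc/letsencrypt/live/vw.yipai.me/fullchain.pem}
    key=${2:-/etc/letsencrypt/live/vw.yipai.me/privkey.pem}
    dh=${3:-/etc/ssl/certs/dhparam.pem}
    rc=0
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key" >&2; rc=1; }
    cert_valid_for_days "$cert" 30  || { echo "FAIL: $cert expires within 30 days" >&2; rc=1; }
    dhparam_ok "$dh"                || { echo "FAIL: $dh is missing or shorter than 2048 bits" >&2; rc=1; }
    nginx -t                        || rc=1    # syntax check of the whole NGINX configuration
    return $rc
}

case ${1:-} in
    --run) shift; preflight "$@" ;;
esac
```

Chain it in front of the restart (sudo sh tls-preflight.sh --run && sudo systemctl restart nginx) so a bad certificate, an expired one or a missing dhparam file stops the restart instead of taking the vault offline.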
Restart NGINX:
sudo systemctl restart nginx
After the restart I could open vw.yipai.me, register an account and start using it. At first it reported an SSL error, which later went away by itself; I never found out why.
3. Real-world experience
Filling OTP codes with the Bitwarden Chrome extension does not actually work that well: sometimes the code is copied to the clipboard automatically, sometimes I still have to open the menu and pick the site by hand. And all it does is copy the code to the clipboard; I still have to paste it into the input field myself. Compared with picking up the phone, unlocking it, unlocking Authenticator, finding the code and typing it in, it is only marginally more convenient.
Two-step verification is the way things are going~~