Self-hosting a Bitwarden password-manager server
Recently I wanted to log in to Uplay to play Assassin's Creed, which had been gathering dust for ages, and suddenly found I had forgotten my Uplay account. It was registered long ago, so there is no recovering it now. That made me decide to set up a password manager to remember passwords for me. I looked at the password managers on the market, KeePass, 1Password and the like, and none of them seemed ideal; passwords are something best kept in your own hands. So I settled on Bitwarden: open source, free, self-hostable, cross-platform, and pleasant to use.
Bitwarden must be accessed over HTTPS. Here I use an IP address plus a self-signed certificate, but for security I very strongly recommend buying a domain name and an SSL certificate from Alibaba Cloud or elsewhere; that is not discussed further here.
I use an Alibaba Cloud server running CentOS 7, install Docker to run the Bitwarden server, set up nginx on the same server with HTTPS enabled, and reverse-proxy from nginx to the Bitwarden server.
Let's start building:
1. Setting up Bitwarden with Docker
# Install docker
[[email protected] ~]# yum install -y docker
# Pull the Bitwarden image
[[email protected] ~]# docker pull bitwardenrs/server:latest
# Run the Bitwarden image, mapping container port 80 to host port 8888 and the container's /data directory to /usr/local/bw-data/ on the host (note that -p 8888:80 listens on every host interface, so the plain-HTTP backend is reachable directly; -p 127.0.0.1:8888:80 limits it to the nginx proxy on the same machine)
[[email protected] ~]# docker run -d --name bitwarden -v /usr/local/bw-data/:/data/ -p 8888:80 bitwardenrs/server:latest
# The Bitwarden server can now be reached at ip:8888, but it cannot be used yet: it will prompt you to enable HTTPS, as shown in the figure below
2. Creating the SSL certificate
# Install openssl
[[email protected] ~]# yum install openssl
# Generate the SSL certificate
# Generate the SSL private key (1024 bits as shown here; 2048 bits is the usual minimum today)
[[email protected] opt]# openssl genrsa -des3 -out ssl.key 1024
Generating RSA private key, 1024 bit long modulus
......++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for ssl.key: # type a passphrase
Verifying - Enter pass phrase for ssl.key: # type the same passphrase again
# That produces the private key
[[email protected] opt]# ls
ssl.key
# Create a passphrase-less copy of the key. This is optional, but without it every nginx reload will prompt for the passphrase
[[email protected] opt]# openssl rsa -in ssl.key -out ssl_nopass.key
Enter pass phrase for ssl.key: # enter the passphrase from above
writing RSA key
[[email protected] opt]# ls
ssl.key ssl_nopass.key
# Generate the certificate signing request (CSR)
[[email protected] opt]# openssl req -new -key ssl_nopass.key -out ssl.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:0.0.0.0 # enter the server address or domain name here; the other fields can be left blank
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] opt]# ls
ssl.csr ssl.key ssl_nopass.key
# Self-sign the certificate; the validity period can be set longer
[[email protected] opt]# openssl x509 -req -days 365 -in ssl.csr -signkey ssl_nopass.key -out ssl.crt
Signature ok
subject=/C=cn/L=Default City/O=Default Company Ltd/CN=0.0.0.0
Getting Private key
[[email protected] opt]# ls
ssl.crt ssl.csr ssl.key ssl_nopass.key
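Step 2 done non-interactively, as an added example that is not part of the original post: it uses a 2048-bit key, puts the server address in a subjectAltName (which current browsers require; the CN alone is not enough), and then checks that the key and certificate belong together. The address 203.0.113.10, the directory and the function names are constructed placeholders.

```shell
# Added example, not from the original post: non-interactive self-signed
# certificate for the nginx/Bitwarden proxy. Host and paths are placeholders.
set -eu

# bw_make_cert HOST OUTDIR [DAYS]: HOST (IP or DNS name clients use) goes
# into a subjectAltName, which browsers check instead of the CN. Writes a
# 2048-bit OUTDIR/ssl.key (no passphrase, so nginx reloads unattended) and ssl.crt.
bw_make_cert() {
    host=$1; outdir=$2; days=${3:-825}
    mkdir -p "$outdir"
    # Dotted-quad -> IP entry in the SAN, anything else -> DNS entry.
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    # Extensions go through a temp config so this also works on the
    # OpenSSL 1.0.2 shipped with CentOS 7, which lacks `req -addext`.
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_srv
[dn]
CN = $host
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cfg" -keyout "$outdir/ssl.key" -out "$outdir/ssl.crt"
    rm -f "$cfg"
    chmod 600 "$outdir/ssl.key"   # private key readable by root only
}

# bw_cert_check OUTDIR HOST: succeeds only if ssl.crt belongs to ssl.key,
# names HOST in its SAN and has a key of at least 2048 bits.
bw_cert_check() {
    outdir=$1; host=$2
    k=$(openssl pkey -in "$outdir/ssl.key" -pubout)
    c=$(openssl x509 -in "$outdir/ssl.crt" -pubkey -noout)
    [ "$k" = "$c" ] || { echo "key and certificate do not match" >&2; return 1; }
    txt=$(openssl x509 -in "$outdir/ssl.crt" -noout -text)
    printf '%s\n' "$txt" | grep -qF -e "IP Address:$host" -e "DNS:$host" \
        || { echo "SAN does not name $host" >&2; return 1; }
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-?} bits" >&2; return 1; }
}
```

Run it as `bw_make_cert 203.0.113.10 /etc/nginx/key && bw_cert_check /etc/nginx/key 203.0.113.10`, then point ssl_certificate and ssl_certificate_key in nginx at the two files it wrote.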
3. Setting up nginx, configuring HTTPS and the reverse proxy
# Install nginx
[[email protected] opt]# yum install -y nginx
# Edit the /etc/nginx/nginx.conf configuration file
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    #
    ssl_certificate "/etc/nginx/key/ssl.crt"; # use the actual paths of your ssl.crt and ssl_nopass.key files here
    ssl_certificate_key "/etc/nginx/key/ssl_nopass.key";
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 10m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
        proxy_pass http://119.23.252.197:8888;
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
# Restart nginx and enable it at boot
[[email protected] ~]# systemctl restart nginx && systemctl enable nginx
# The Bitwarden server is now reachable at https://<public IP>. Because the certificate is self-signed, the browser will show a warning; just ignore it here
# The Bitwarden server is now set up; enjoy using it.
### One last nag: it is best, best, best to buy an SSL certificate, which is safer. What I have given here is only a workaround for not buying one.