Introduction
This article will cover setting up your own self-hosted Bitwarden instance with Docker and configuring nginx to allow for public exposure for cross-device access to your vault.
What is Bitwarden?
Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.
I use Bitwarden as my main password vault. It stores my card details for automating the filling out of payment forms, which saves me from having to find or remember my card details. I also use Bitwarden for storing all of my passwords.
Having Bitwarden as a public endpoint means that I can connect to my password vault using the Bitwarden app on Android, specifying my self hosted instance.
Setting up the Bitwarden Server
This section of the tutorial is to set up the main Bitwarden 'hub'. This will be a publicly exposed Bitwarden API that will live on your server.
Step 1: Setting up your Linux server
You'll need to either have an existing server instance or create one. I use a Proxmox instance running on a server in my loft. You could also use something like Digital Ocean to host your Bitwarden Server. Using the following link will give you $100 worth of credits for 60 days to play around with, just sign up using this link.
Once you have the server set up and have logged in, you'll need to do some updates and run some prerequisite installs.
Step 2: Provisioning your Bitwarden Server
Next, you'll need to create a new folder to house your Bitwarden Server. You can call it anything memorable; I'll just call mine `bitwarden`.
Next, you'll need to create a `docker-compose.yml` file. This is an orchestration file which `docker-compose` will use to provision your Docker instance.
Next, you'll need to edit your `docker-compose.yml` file and paste in the following content.
I'm using bitwarden_rs as it's written in Rust, faster and more reliable. It's also entirely open source with a heavy user base.
Save your `docker-compose.yml` file and exit back to your `bitwarden` directory.
Step 3: Running your Bitwarden Server locally
Now, you have everything provisioned for running your Bitwarden Server.
The next thing to do is run it.
This will start up your Bitwarden Server inside Docker; it may take some time to pull down the images.
You can eventually see your instance running by executing the following
This will list your running instance.
If all is well, you can locally view your Bitwarden Server by navigating to `http://localhost:PORT`, or from another machine by using your IP address instead of localhost.
You should see something that looks like the following.
Finally, you'll just need to register for an account on your new hosted instance.
Click the `Create Account` button.
Then fill out your details. If you have an existing Bitwarden account, you'll still have to create a new account on this instance. You can then Export and Import between accounts.
The last thing to do is hit `Submit`.
Step 4: Exposing your new server publicly
This part may sound scary, but it is required to allow your Bitwarden Clients (Android, iOS, Chrome extension etc) to connect to your server.
We're going to be using nginx.
Setting up nginx
Nginx is a reverse proxy that allows you to point incoming web traffic to your new Bitwarden server.
Firstly, install nginx if you haven't already
If you have UFW installed, you will have to allow Nginx through your local firewall.
I have a tutorial for setting up UFW here
As you can see, there are three profiles available for Nginx:
- Nginx Full: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
- Nginx HTTP: This profile opens only port 80 (normal, unencrypted web traffic)
- Nginx HTTPS: This profile opens only port 443 (TLS/SSL encrypted traffic)
It is recommended that you enable the most restrictive profile that will still allow the traffic you’ve configured. Since we will be configuring SSL for our server we will need to allow traffic on port 443.
You can enable this by typing:
Next thing to do is just double check your nginx server is up and running
You should see something that looks like the following
The next part allows us to take incoming traffic and point it to your container instance, allowing you to expose your Bitwarden server to the internet.
Navigate to `/etc/nginx/`
Use your favorite text editor and open the following file with sudo
I use the following code for my syncing server
Port-forwarding
You will need to port forward your instance to allow public access to your instance. This will involve googling how to port forward from your router.
You'll need to point port 443 to your instance where nginx is set up.
Linking Bitwarden Server with your public domain
You will also need to set up a public domain name. This can then be used to call your new public instance with port 443 exposed.
For example, I would set up a subdomain on `bowlerdesign.tech` to be `vault.bowlerdesign.tech`. Notice this is also the domain I specified in my nginx config above.
Here's something to search for with regards to setting up a domain name
Setting up Certbot
Certbot allows us to generate SSL certificates for free with Let's Encrypt. It's simple to install and use. It even hooks in with nginx, meaning that there's no more manual configuration required.
To install Certbot, simply run the following command
Then, to set up your SSL certificate, run
Follow the instructions, select your domain name from the nginx list.
Also, select `redirect`, as this will upgrade any HTTP requests to HTTPS.
Step 5: Connecting to your new Bitwarden instance from a client
I'm going to use the Firefox Bitwarden Plugin for this part of the tutorial. But the process is identical for all Bitwarden clients.
First, if you haven't already, install your chosen Bitwarden client and open it.
In the top left corner, click the cog icon
You'll then get some configuration. Simply add your full URL into the `Server URL` field.
Like so, then just hit `Save` and log in as normal.
That's it
Pretty easy right?
Please don't hesitate to get in touch in the comments if you get stuck. I'd be more than happy to help out with any issues you may face.
Also, if this helped, please consider buying me a beer! It helps with server costs and providing these blog posts.
Thanks for reading!
November 12, 2018 · 7 min read
Bitwarden is a password manager which uses a server that can be self-hosted. It provides various frontends, ranging from browser plugins and desktop applications to mobile apps for all major browsers and platforms. In this note I want to show how I set up my Bitwarden server behind an nginx proxy with fail2ban and a daily backup.
I assume you have a server and nginx already installed. If not just look at my notes Secure Ubuntu 18.04 server setup as well as Ubuntu 18.04 server: nginx web server + Let’s Encrypt.
Obtain Let’s Encrypt certificate
To SSL encrypt the connection to our Bitwarden server, a certificate is required. We’ll use a Let’s Encrypt certificate. Start by creating an nginx configuration file for our Bitwarden instance. The examples use the subdomain bitwarden.dennisnotes.com; change it according to the domain you want to use.
As in our basic nginx setup we start with a simple nginx configuration which just handles standard HTTP serving for our subdomain.
After creating the configuration file, test it and restart nginx to enable it.
Now let certbot obtain a certificate for us and apply the default nginx SSL configuration as follows:
Select bitwarden.dennisnotes.com, fill in information like email etc.
nginx setup
Next we will edit the configuration file again to use nginx as a reverse proxy for our bitwarden instance.
Here is an example configuration file, which I use (using the port 5178 which will be mapped to 80 when accessing bitwarden.dennisnotes.com):
The installation of Bitwarden is quite simple and runs via docker-compose and installation scripts. Here I only show the short version; more information can be found on the Bitwarden website. You need docker and docker-compose to be installed on your server. During installation it will ask for an installation ID and key, you can get them here. It will also ask if you would like to use Let’s Encrypt or your own SSL certificate; enter no for all of these options, because we will use an SSL nginx proxy.
After the basic install, edit the configuration file at ./bwdata/config.yml. Most of it should be fine after running the installation script; just change the HTTP and SSL port according to your configuration, e.g.
Afterwards you can add additional settings in the environment variables file. I would recommend setting up an SMTP server for email notifications (e.g. change password, activate account etc.) as well as deactivating user registration, if you do not want to let strangers use your Bitwarden server. To do so edit ./bwdata/env/global.override.env. Mine looks like this:
After setting everything up, rebuild and start Bitwarden as follows:
You should now see the Bitwarden web interface when visiting your domain, e.g. https://bitwarden.dennisnotes.com. You should now be able to create your user account. As a next step I would recommend enabling two-factor authentication for your account. This setting can be found under settings in Bitwarden's web interface.
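To confirm that the two settings recommended for ./bwdata/env/global.override.env are actually in place, a small audit can be run against the file. This is an added example, not part of the original note or of Bitwarden's scripts; the function names are hypothetical, and the `REPLACE` placeholder value is an assumption about what the installer writes.

```shell
#!/bin/sh
# Added example: audit ./bwdata/env/global.override.env for the two settings
# recommended in the text (registration disabled, SMTP configured).

# Print the value of key $2 in env file $1 (the last assignment wins).
env_value() {
    awk -v k="$2" '{ sub(/\r$/, "") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

# Print one finding per line; succeed only when there are none.
audit_override_env() {
    findings=0
    reg=$(env_value "$1" globalSettings__disableUserRegistration | tr 'A-Z' 'a-z')
    if [ "$reg" != "true" ]; then
        echo "registration-open: strangers who reach the server can create accounts"
        findings=$((findings + 1))
    fi
    host=$(env_value "$1" globalSettings__mail__smtp__host)
    case "$host" in
        ""|REPLACE)   # REPLACE is assumed to be the installer's placeholder value
            echo "smtp-unset: no email notifications will be sent"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Usage: audit_override_env ./bwdata/env/global.override.env
```

Changes to this file only take effect after Bitwarden has been rebuilt and restarted, so run the audit before doing that.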
Passwords are pretty important, so I want the Bitwarden database to be backed up daily. For this I use borgbackup. I first encrypt the bwdata folder, which contains all data of Bitwarden, and store the encrypted file on a WebDAV server as my backup location.
Setup WebDAV
First of all we need to make our webdav drive mountable. Install the following packages:
Create a folder for the WebDAV drive, e.g. /mnt/webdav, and append the following line (with your WebDAV drive's data) to /etc/fstab.
There are several webdav providers, so if you don’t have one yet, just google a bit for it. I use the free Magenta Cloud from German Telekom for my backup webdav drive. Next you’ll need to provide the credentials to the webdav drive. This can be done by appending them to /etc/davfs2/secrets. It should look like this:
Afterwards you should be able to mount the webdav drive with your account. You can test it with:
Now you should be able to see your webdav files in /mnt/webdav/ and also be able to add files there.
Borg Backup Initialization
First of all, make sure that your WebDAV drive is still mounted. Now we need to install borgbackup and initialize a backup repository in which the backup files will be stored.
This will lead you through a simple setup. Make sure you note your password, you will need it to create and decrypt backups.
Daily Backup Cronjob
Now we need to create our backup script, e.g. at /home/dennis/bitwarden_backup.sh. It should mount your WebDAV drive, then create a backup of your bwdata folder. You can also specify how many backups you would like to store, see borg prune … in the script. My script looks like this.
After creating the script make it executable and create a cronjob which executes it.
My cronjob runs the script every day at 0:00 and looks like this:
Now your Bitwarden bwdata folder should be backed up as an encrypted file to your WebDAV drive every night at 0:00. The logs for the backup are accessible via the bitwarden_backup_log.txt, so if anything doesn’t work correctly, check this file first.
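The backup job described in this section, written out as an added example (not the author's script, which is not reproduced on this page). The bwdata location, repository directory, passphrase file and retention counts are assumptions; the script refuses to run if the WebDAV drive is not really mounted, so borg cannot silently write to the local disk.

```shell
#!/bin/sh
# Added example: nightly borg backup of bwdata to a WebDAV-mounted repository.
# All paths and retention counts below are assumptions; adjust them.
BWDATA="${BWDATA:-/home/dennis/bwdata}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/webdav}"
REPO="${REPO:-$MOUNTPOINT/bitwarden-borg}"
PASSFILE="${PASSFILE:-/root/.borg_passphrase}"  # keeps the passphrase out of the script

# Succeed only if $1 is a mount point in mounts table $2 (default /proc/mounts).
# Without this check borg would quietly write into the empty local directory.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Archive name bwdata-YYYY-MM-DD; the date can be passed in.
archive_name() {
    printf 'bwdata-%s' "${1:-$(date +%Y-%m-%d)}"
}

# Succeed only for a regular file with no group/other permission bits.
passfile_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

backup_main() {
    is_mounted "$MOUNTPOINT" || mount "$MOUNTPOINT"   # relies on the /etc/fstab entry
    is_mounted "$MOUNTPOINT" || { echo "WebDAV not mounted, aborting" >&2; return 1; }
    passfile_is_private "$PASSFILE" || { echo "$PASSFILE must be mode 600" >&2; return 1; }
    export BORG_PASSCOMMAND="cat $PASSFILE"
    borg create --stats "$REPO::$(archive_name)" "$BWDATA" || return 1
    # Assumed retention: 7 daily and 4 weekly archives.
    borg prune --keep-daily 7 --keep-weekly 4 "$REPO"
}

# Cron entry (log file name from the text, its directory assumed):
# 0 0 * * * /home/dennis/bitwarden_backup.sh run >> /home/dennis/bitwarden_backup_log.txt 2>&1
if [ "${1:-}" = "run" ]; then
    backup_main
fi
```

A backup is only useful if it restores: periodically run `borg list` and a test `borg extract` against the repository with the same passphrase file.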
It seems like there are no logfiles provided which contain IP addresses of failed login attempts, so currently I do not see a way to use fail2ban with Bitwarden. This will hopefully change in the future.