Set Up a Private Password Vault with Docker in 5 Minutes

Taking Privacy Back

GitHub repo: https://github.com/JulianRunnels/Bitwarden_Self_Host

With everything happening in the world many people are spending a lot more time at home, myself included. Because of that I got to spend the last few weeks upgrading my home lab, starting with a project I’ve been wanting to do for a while: self-hosting a password vault! Specifically Bitwarden, an open-source vault that boasts comparable or better features than commercial ones like LastPass.

The official Bitwarden self-hosted server is at https://github.com/bitwarden/server; however, I chose not to use this version, mainly because it requires a large MSSQL database and some additional features are locked behind a paywall. Instead I chose https://github.com/dani-garcia/bitwarden_rs, which at the time of writing had been updated 5 days earlier. This Rust-based implementation uses a lighter backend and, more importantly, lets you run the vault on a Raspberry Pi.

Here is the breakdown of the overall setup:

  1. A Bitwarden_RS container, an Nginx reverse proxy container, and a Bitwarden backup container are stood up on a Pi
  2. Creation of a private CA to allow the creation of trusted certificates for HTTPS
  3. (Optional) Implementation of PiVPN/OpenVPN to allow access to the vault from anywhere in the world

I will cover the basic setup here, but a more detailed version is found in the README in the GitHub repository.

Bitwarden & Nginx setup

To set up Bitwarden and Nginx, I used docker-compose to create two separate containers: one for the actual Bitwarden server and one for an Nginx reverse proxy, so that I could have TLS. Additionally I added a backup container that just takes a backup of the password database every 5 minutes and stores it in its own separate container.

The docker-compose file is straightforward: it just spins up the three containers, attaches a few volumes and makes sure the correct ports are exposed. The current master branch is set up to install on any x86 system and was tested on Ubuntu 18.04 LTS. To use it on a Raspberry Pi, you just need to swap the two container tags indicated in the file.

docker-compose.yml (the repo's file, embedded on the original page)
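As an added example (this is not the repo's own docker-compose.yml, which is embedded on the original page), here is a compose file with the three containers the text describes. The image names, the hostname bitwarden.home.lan, the ./data paths and the backup loop are assumptions; the environment variables are bitwarden_rs settings. Two choices are worth copying: the Bitwarden service publishes no ports, so only Nginx is reachable from the LAN, and the backup uses SQLite's online `.backup` command rather than `cp`, so a snapshot taken while the server is writing is still consistent.

```yaml
version: "3"

services:
  bitwarden:
    # x86 tag; on a Raspberry Pi swap in the ARM tag of the same image.
    image: bitwardenrs/server:latest
    container_name: bitwarden
    restart: unless-stopped
    environment:
      # The server needs its public URL to build correct links.
      DOMAIN: "https://bitwarden.home.lan"      # assumption: your LAN hostname
      # Live-sync notifications use a websocket on 3012 that Nginx proxies.
      WEBSOCKET_ENABLED: "true"
      # Create your account first, then set this to "false" and re-run
      # `docker-compose up -d`: nobody else should be able to register.
      SIGNUPS_ALLOWED: "true"
      # Guards the /admin page. Generate with: openssl rand -base64 48
      ADMIN_TOKEN: "replace-with-a-long-random-string"
    volumes:
      - ./data/bitwarden:/data            # SQLite DB, attachments, RSA keys
    # Deliberately no `ports:` here: only Nginx is reachable from the LAN.

  nginx:
    image: nginx:stable
    container_name: nginx
    restart: unless-stopped
    depends_on:
      - bitwarden
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./data/ssl/bitwarden.crt:/etc/nginx/ssl/bitwarden.crt:ro
      - ./data/ssl/bitwarden.key:/etc/nginx/ssl/bitwarden.key:ro

  backup:
    image: alpine:3
    container_name: bitwarden_backup
    restart: unless-stopped
    depends_on:
      - bitwarden
    volumes:
      # Not :ro on purpose: SQLite in WAL mode touches the -shm file even to read.
      - ./data/bitwarden:/data
      - backup_data:/backups               # separate volume, as in the text
    # Every 5 minutes take a consistent snapshot with SQLite's online backup
    # (a plain cp of a live database can be torn mid-write) and keep 7 days.
    command:
      - sh
      - -c
      - |
        apk add --no-cache sqlite >/dev/null
        while true; do
          sqlite3 /data/db.sqlite3 ".backup /backups/db-$$(date +%F-%H%M).sqlite3"
          find /backups -name 'db-*.sqlite3' -mmin +10080 -delete
          sleep 300
        done

volumes:
  backup_data:
```

The `$$` is docker-compose's escape for a literal `$`, so the date expansion happens inside the container's shell, not at compose time. Restoring is the reverse: stop the stack, copy one `db-*.sqlite3` over `./data/bitwarden/db.sqlite3`, start it again.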

For the volumes, on the host side you will need 3 files: the Nginx configuration, the TLS certificate and the TLS private key. We will create the certificate and key later, so for now let’s review the Nginx configuration.

Nginx Configuration

This configuration just redirects any request on port 80 to 443, to make sure we are using HTTPS, then terminates the HTTPS connection with the given certificate and key and forwards the decrypted, plain-HTTP traffic to the Bitwarden container for processing. That last hop is unencrypted, so it should only ever cross the Docker network between the two containers, which is why only Nginx, and not the Bitwarden container, should have ports published to the LAN.

Simple Nginx configuration file (embedded on the original page)
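The following is an added example of such a configuration; it is not the repo's own file. It assumes the hostname bitwarden.home.lan, that the Bitwarden service is named bitwarden in docker-compose, and the bitwarden_rs defaults of HTTP on port 80 and websocket notifications on port 3012 inside the container. Beyond the redirect and TLS termination the text describes, it pins TLS 1.2/1.3, sets HSTS, and proxies the websocket endpoint so the clients' live sync works behind the proxy.

```nginx
# Anything arriving on :80 is bounced to HTTPS.
server {
    listen 80;
    server_name bitwarden.home.lan;            # assumption: your LAN hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name bitwarden.home.lan;

    # Certificate and key issued by the private CA (./data/ssl on the host).
    ssl_certificate     /etc/nginx/ssl/bitwarden.crt;
    ssl_certificate_key /etc/nginx/ssl/bitwarden.key;

    # TLS hygiene: no legacy protocol versions, AEAD ciphers only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Browsers that have seen this once will refuse to fall back to http://.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Attachments and vault imports can be large.
    client_max_body_size 128M;

    # Plain HTTP to the Bitwarden container over the internal Docker network;
    # "bitwarden" is the compose service name.
    location / {
        proxy_pass http://bitwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # bitwarden_rs serves live-sync notifications as a websocket on a second port.
    location /notifications/hub {
        proxy_pass http://bitwarden:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # ...but the negotiate call that precedes it is ordinary HTTP on the main port.
    # The longer prefix wins, so this location takes precedence over the one above.
    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden:80;
        proxy_set_header Host $host;
    }
}
```

Check the result from a client that trusts the CA with `curl -v https://bitwarden.home.lan/alive`; a successful handshake plus a `200` from the container confirms the chain, the hostname match and the proxy path in one go.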

HTTPS Setup

So the main issue I ran into for this endeavor was that the iOS Bitwarden app does not like self-signed certificates. And since I didn’t want to expose my vault to the public internet to do something like Let’s Encrypt, the next best thing was just to become my own personal CA, which was remarkably easy. Inside the Git repo there is a file create_ssl.sh, which runs automatically as part of setup.sh.

This script will create a root CA certificate and key, called myCA.crt and myCA.key, and will also create the certificate and key the Bitwarden server needs, signed by that CA. Once they are all created, it automatically copies them to the ./data/ssl/ folder, which is where the Nginx container pulls them from (if you have your own certificates, put them in that folder with the names bitwarden.crt and bitwarden.key).

The important commands for the SSL creation portion (embedded on the original page)

On the client side, you will need to install the root CA certificate (myCA.crt) on each client that you want to connect to this instance. The bright side is that once you’ve created and installed this root CA, any other project you add HTTPS to (as long as its certificate is issued by this same CA) will automatically be fully trusted. The flip side is that every device trusting myCA.crt will also trust anything signed with myCA.key, so keep that key off the server once the certificates are issued, ideally on offline storage, and only ever install the .crt on clients, never the .key.

One hiccup I ran into when installing on iOS is that after you install the certificate, you also have to give it full trust permissions; the full steps for that are in the README. I mainly used this link as a reference to create the various TLS certificates needed.

Installation process

git clone https://github.com/JulianRunnels/Bitwarden_Self_Host.git
cd Bitwarden_Self_Host
chmod +x ./setup.sh

From here there are three different installation paths, depending on your existing setup and needs:

1. No docker/docker-compose installed, want to create a full private CA and server certificate:

sudo ./setup.sh
  • This installs docker and docker-compose and offers to guide you through creating the needed CA and certificates

2. Docker/docker-compose installed, want to create a full private CA and server certificate:

sudo ./create_ssl.sh
  • This only creates the needed CA and TLS certificates

3. Don’t want to install docker or create certs, just spin up the containers:

sudo docker-compose up -d
  • This only starts the containers; you will need to supply your own certificate and key as ./data/ssl/bitwarden.crt and ./data/ssl/bitwarden.key

Then, whichever path you took:

4. Transfer the created root CA certificate (myCA.crt, never myCA.key) to your client devices and trust it there

5. Start the containers with `sudo docker-compose up -d` (paths 1 and 2; path 3 has already done this)

6. Access your vault at https://hostname, where hostname is the name the certificate was issued for

Exporting existing Bitwarden data and switching to the new instance

1. Under Settings in the browser plugin or web vault, choose the option Export Vault

2. Keep the format as .json and enter your master password to download the export

3. THIS EXPORT IS IN CLEAR TEXT: DO NOT SEND IT OVER INSECURE CHANNELS, AND DELETE IT RIGHT AFTER USE

4. Log out of the existing instance

5. Before you log back in, click the Settings gear in the top left corner

6. Enter the hostname of the vault instance that you spun up as the server URL

7. Create a new user (can be the same as the user on your existing setup)

8. In order to import, you will have to log into the web vault, so go to https://hostname and log in there with the user you created

9. Under Tools -> Import Data select json, choose the file you exported and click Import

Accessing your vault from outside your LAN

While having an internal password vault is all good, being able to access accounts while outside the house is equally important.

For my access I have a Raspberry Pi running Pi-hole, Unbound and, more importantly, PiVPN, which allows me to create a split-tunnel VPN to send all local LAN requests and DNS requests back to my home network. This means that for things like my phone and external devices, as long as I have this VPN up, I can access my vault just like normal.

A good guide to setting up PiVPN is here. Once you have PiVPN, or any OpenVPN-based solution, set up you can enable a split tunnel, so that only LAN-bound traffic is sent back to your home network rather than routing everything through it. To enable a split tunnel:

sudo vim /etc/openvpn/server.conf

  • Comment out the full-tunnel default, so the line reads #push "redirect-gateway def1"
  • Add a route for your LAN: push "route 192.168.1.0 255.255.255.0" (change 192.168.1.0/24 to your own private range)
  • Leave any existing push "dhcp-option DNS ..." line in place: the vault's hostname, the one in the certificate, still has to resolve through your home DNS (Pi-hole here) while you are away, otherwise the client will not find the server at all

Obviously, this does put a little bit of a barrier in the way of using Bitwarden, but it is a small trade-off for having full and complete control over your passwords and other important data. Of course, it’s very easy to adapt this repository to create a fully publicly accessible instance, simply by adding port forwarding in your router or running it in the cloud. Personally, I would stay away from both of those options, as they defeat the whole purpose of setting up a private vault, but they are a solid compromise for functionality.

Translated from: https://medium.com/swlh/set-up-your-own-personal-password-vault-313d76374046
