Bitwarden RS or Full

  • Keeping all my passwords in mind has bothered me for quite a while, so in the process of merging OMV4->OMV5 and all native services into Docker I discovered the quite charming tool Bitwarden.


    After some short research I figured out that many users use the bitwardenrs/server container. On the other hand there are the official containers, which separate each service part.


    I use letsencrypt with a reverse proxy and Nextcloud (subdomain configuration) and I might need to integrate Bitwarden into the existing setup. As far as I know, the installer script of Bitwarden installs a separate letsencrypt container, which I already have. So I guess I need to configure my letsencrypt to serve both services, Bitwarden and Nextcloud, as nextcloud.domain.com and bitwarden.domain.com, and therefore I can't use the installer script.


    I lack the documentation (environment, ports, volumes, etc.) of each of the required Bitwarden containers and how they connect to each other.


    Can someone show me a direction or where to start?

    Is the usage of official containers the best way for me or should I stick to the RS?

    Chaos is found in greatest abundance wherever order is being sought.
    It always defeats order, because it is better organized.
    Terry Pratchett

  • Bitwardenrs is my alternative. I have the official setup running in a VM right now and am having a look at reverse proxy configuration, environments, volumes etc.

    My goal would be to set it up with the official containers and create a little HowTo.


  • The bitwardenrs image is a single container for everything. Bitwarden itself needs like 5 containers to run. Go with the rs container, if you want to go the easier route. If you want to switch, keep in mind that the data volumes are incompatible and you need to export and import again in the new one.


    Quoting the GitHub page for bitwardenrs:

    "This is a Bitwarden server API implementation written in Rust compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal."


    Reverse proxy (Traefik 2.0):


    You have to take care of your "certresolver" name if you want to use that config.



    Reverse proxy (Traefik 1.7):


    Code
    labels:
      # "web" segment: the web vault and REST API on the container's port 80
      - traefik.web.frontend.rule=Host:subdomain.domain.tld
      - traefik.web.port=80
      # "hub" segment: the WebSocket notifications hub on port 3012
      - traefik.hub.frontend.rule=Host:subdomain.domain.tld;Path:/notifications/hub
      - traefik.hub.port=3012


    Greetings

    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • BitwardenRS is also my choice.

    (I use HAProxy for SSL and as proxy front end for all my apps reachable from outside)


    If you go for BitwardenRS, you may also consider:

    "bruceforce/bw_backup:latest"

    It will make backups (you can configure the frequency and the number of revisions) of the BitwardenRS database.


    Cheers

  • Does the BitwardenRS server work with the paid features, like multiple users? As far as I could figure out, even with self-hosting, a Bitwarden account is still needed, and with more than one user a small fee is due.


  • But how do you log in with your clients? Setting the server address is obvious, but a login email and master password are still required.


  • Ah, awesome! Thanks. Makes sense.


    Morlan: What does your reverse proxy configuration with letsencrypt look like? Did you stick to the sample provided with the letsencrypt container?



    EDIT: WORKS!



  • If I remember correctly, I edited some details according to the samples in the GitHub wiki. My bitwarden.subdomain.conf looks like this.


  • My Bitwarden works like a charm. I enabled the admin page and disabled registration, but exposing it gives me some worries due to possible brute-force attempts. Having fail2ban would be a nice security pillow. Might be a good thing to set up on a rainy Sunday.


  • Fail2Ban is integrated in the linuxserver.io letsencrypt Docker image. Therefore the log file of Bitwarden needs to be accessible by the letsencrypt container.

    First of all, enable logging of the Bitwarden container by adding these lines to docker-compose:

    Code
    environment:
      # relative path, resolved from the container's working directory,
      # so the file ends up in the /log volume mounted below
      LOG_FILE: 'log/bitwarden.log'
      LOG_LEVEL: 'warn'
      EXTENDED_LOGGING: 'true'
      TZ: 'Europe/Berlin'

    Then bind-mount the Bitwarden log folder into the letsencrypt log folder:

    Code
    volumes:
      # host path lives inside the letsencrypt appdata so the letsencrypt
      # container (and its fail2ban) can read the log
      - /srv/dev-disk-by-label-data/appdata/letsencrypt/log/bitwarden:/log

    I was not sure if Bitwarden would create the log file, so I created it manually:

    Code
    touch /srv/dev-disk-by-label-data/appdata/letsencrypt/log/bitwarden/bitwarden.log

    Then I recreated the Bitwarden container with docker-compose up -d. I checked that logging worked by entering a wrong password on my Bitwarden login page.

    Code: bitwarden.log
    [2020-07-18 22:26:39][error][ERROR] Username or password is incorrect. Try again. IP: ********. Username: ******.

    Now on to setting up Fail2Ban. Again the wiki of the bitwarden_rs project was very helpful: https://github.com/dani-garcia…en_rs/wiki/Fail2Ban-Setup

    I created the two files bitwarden.local and bitwarden-admin.local in /srv/dev-disk-by-label-data/appdata/letsencrypt/fail2ban/filter.d with the following contents:

    Code: bitwarden.local
    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
    ignoreregex =

    Code: bitwarden-admin.local
    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
    ignoreregex =

    and then added the following lines to /srv/dev-disk-by-label-data/appdata/letsencrypt/fail2ban/jail.local

    After that: docker restart letsencrypt. Then I simulated another failed login attempt and checked /srv/dev-disk-by-label-data/appdata/letsencrypt/log/fail2ban/fail2ban.log:

    Code
    2020-07-18 22:26:39,101 fail2ban.filter [371]: INFO [bitwarden] Found ******** - 2020-07-18 22:26:39

    I also simulated 5 failed login attempts, and the resulting ban worked, too. To unban my IP: docker exec -it letsencrypt fail2ban-client set bitwarden unbanip <IP>
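The following is an added example, not code from the thread, from bitwarden_rs or from fail2ban: a small Python script that applies the two failregex lines from the post above to a constructed bitwarden.log sample and reproduces the maxretry/findtime decision a jail would make. It lets you check offline that a filter actually matches the log format before restarting the letsencrypt container. Assumptions: the `<ADDR>` placeholder is expanded to a simplified address pattern (fail2ban's own expansion is a stricter IPv4/IPv6 regex), and every log line, IP address and username in the sample is made up.

```python
"""Offline check of the fail2ban filters from the post over a constructed
bitwarden.log sample. Added example; not code from the thread or the projects."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex lines exactly as written in bitwarden.local / bitwarden-admin.local.
FILTERS = {
    "bitwarden": r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$",
    "bitwarden-admin": r"^.*Invalid admin token\. IP: <ADDR>.*$",
}

# fail2ban expands <ADDR> to a strict IPv4/IPv6 pattern. This stand-in is a
# simplification (assumption): hex digits, dots and colons, not ending in a dot.
ADDR_RE = r"(?P<addr>[0-9a-fA-F:.]*[0-9a-fA-F])"
# bitwarden_rs prefixes every line with "[YYYY-MM-DD HH:MM:SS]".
DATE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_filter(failregex):
    """Turn a fail2ban failregex into a Python regex."""
    return re.compile(failregex.replace("<ADDR>", ADDR_RE))


def parse_failures(lines, failregex):
    """Yield (timestamp, ip) for every log line the filter matches."""
    pattern = compile_filter(failregex)
    for line in lines:
        date = DATE_RE.match(line)
        hit = pattern.match(line)
        if date and hit:
            yield datetime.strptime(date.group(1), "%Y-%m-%d %H:%M:%S"), hit.group("addr")


def banned_ips(lines, failregex, maxretry=5, findtime=600):
    """IPs that reach maxretry matches inside any findtime-second window
    (the jail.local semantics of maxretry/findtime; bantime is ignored)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(parse_failures(lines, failregex)):
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # drop matches older than findtime
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


def _line(ts, msg):
    return f"[{ts}][error][ERROR] {msg}"


LOGIN_FAIL = "Username or password is incorrect. Try again. IP: {ip}. Username: {user}."
ADMIN_FAIL = "Invalid admin token. IP: {ip}."

# Constructed sample, modelled on the single real line quoted in the post.
SAMPLE_LOG = [
    # 5 failures from one client inside two minutes -> should be banned
    *[_line(t, LOGIN_FAIL.format(ip="203.0.113.7", user="alice@example.org"))
      for t in ("2020-07-18 22:26:39", "2020-07-18 22:26:45", "2020-07-18 22:27:02",
                "2020-07-18 22:27:30", "2020-07-18 22:28:11")],
    # 5 failures spread over three hours -> never 5 inside findtime=600
    *[_line(t, LOGIN_FAIL.format(ip="198.51.100.4", user="bob@example.org"))
      for t in ("2020-07-18 19:00:00", "2020-07-18 20:00:00", "2020-07-18 21:00:00",
                "2020-07-18 22:27:10", "2020-07-18 22:27:40")],
    # 5 bad admin tokens -> only the bitwarden-admin filter should see these
    *[_line(t, ADMIN_FAIL.format(ip="203.0.113.9"))
      for t in ("2020-07-18 23:00:00", "2020-07-18 23:00:10", "2020-07-18 23:00:20",
                "2020-07-18 23:00:30", "2020-07-18 23:00:40")],
    # unrelated line that mentions an IP: must not match either filter
    "[2020-07-18 22:29:00][info][INFO] Rocket has launched from http://0.0.0.0:80 IP: 203.0.113.7.",
]

if __name__ == "__main__":
    for name, regex in FILTERS.items():
        print(f"[{name}] banned: {sorted(banned_ips(SAMPLE_LOG, regex))}")
```

With the defaults this bans 203.0.113.7 under the bitwarden filter and 203.0.113.9 under the admin filter, while 198.51.100.4 escapes because its five failures never fall inside one findtime window; raising findtime to a few hours catches it too, which is the knob to think about for slow, distributed guessing. The authoritative check is fail2ban's own `fail2ban-regex <logfile> <filter>` run inside the letsencrypt container against the real log (in the linuxserver image the host appdata folder is mounted at /config, so use the container-side paths).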
