Using Docker+Portainer to Install Open Source Password Manager - BitWarden - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Sunday, March 14, 2021

Using Docker+Portainer to Install Open Source Password Manager - BitWarden

Bitwarden is a free and open-source password management service that can store sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.

In this post, I am going to show all steps that using Docker and Portainer to install BitWarden on your self hosted server. 





    Pre-requisites

    There are a couple of requirements you will need to meet:

    • DNS A record: Create a DNS A record to point it to your self hosted server public ip.
    • Install Docker on your self hosted linux server. 
    • Both Nginx and Portainer dockers have been installed. Certbot has been installed in Nginx docker. The detail steps is listed in this post: https://blog.51sec.org/2021/03/install-certbot-on-debian-docker-to.html
    • Certbot has been used to apply certificate for portainer. Portainer is running on https with sub domain. 
    • Make sure Firewall / Cloud Instance Access-list to open port 8000


    Launch BitWarden Docker

    Here is running steps:
    • Pull bitwardenrs  
    • Docker run latest bitwardenrs docker version in self hosted server.
    Docker image: bitwardenrs/server:latest
    Docker Hub url: https://hub.docker.com/r/bitwardenrs/server

    Commands to run in self hosted server:
    [root@centos7-docker-portainer /]# docker pull bitwardenrs/server:latest
    latest: Pulling from bitwardenrs/server
    a076a628af6f: Pull complete
    59dc56021c8b: Pull complete
    3ff63ec7cf6a: Pull complete
    e3df552e5bc3: Pull complete
    b1cb9364e73d: Pull complete
    b46d9f70e046: Pull complete
    8c3e54e3c958: Pull complete
    62f84183e518: Pull complete
    Digest: sha256:1cc26a5754dff74dd9df95bbbb79af168cd21dfbd83f627ea72c85fa5852ef15
    Status: Downloaded newer image for bitwardenrs/server:latest
    docker.io/bitwardenrs/server:latest
    [root@centos7-docker-portainer /]#  mkdir /bw-data
    mkdir: cannot create directory ‘/bw-data’: File exists
    [root@centos7-docker-portainer /]# docker run -d --name bitwarden -v /bw-data/:/data/ -p 8000:80 bitwardenrs/server:latest
    5e2d4b2085905db66cf663ec32604785a6718e6b917f09382f7984ea962d8f08
    [root@centos7-docker-portainer /]# docker ps
    CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS                             PORTS                                      NAMES
    5e2d4b208590        bitwardenrs/server:latest      "/usr/bin/dumb-init …"   54 seconds ago      Up 52 seconds (health: starting)   3012/tcp, 0.0.0.0:8000->80/tcp             bitwarden
    3a4767f0c009        johnyan2/nginx1netsec:latest   "nginx -g 'daemon of…"   7 days ago          Up 7 days                          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx
    90212707d5a6        portainer/portainer-ce         "/portainer"             7 days ago          Up 7 days                          8000/tcp, 0.0.0.0:9000->9000/tcp           portainer
    [root@centos7-docker-portainer /]# 

    Verify BitWarden Docker Service 


    Checking  Docker Status from Portainer Web Gui:



    Accessing http port 8000 to confirm connectivity and service status.





    Using CertBox to Configure Nginx to Get BitWarden Using HTTPS

    BitWarden URL has to be https, else you will get the following error message. 



    Create bw.conf file under /etc/nginx/conf.d folder. It can be copied from portainer.conf.

    root@3a4767f0c009:/# cd /etc/nginx/conf.d/
    root@3a4767f0c009:/etc/nginx/conf.d# cp portainer.conf bw.conf
    root@3a4767f0c009:/etc/nginx/conf.d# ls 
    bw.conf  default.conf  portainer.conf
    root@3a4767f0c009:/etc/nginx/conf.d# cat bw.conf 
    server {
        listen       80;
        server_name  bw.51sec.org;
    
    location / {
        proxy_pass       http://140.238.153.62:8000;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    root@3a4767f0c009:/etc/nginx/conf.d# 

    Run certbot to get certificate for bw.51sec.org and modify bw.conf configuration to use certificate.

    The output from command "certbot --nginx" can be found from post: https://blog.51sec.org/2021/03/install-certbot-on-debian-docker-to.html

    root@3a4767f0c009:/# cd /etc/nginx/conf.d
    root@3a4767f0c009:/etc/nginx/conf.d# 
    root@3a4767f0c009:/etc/nginx/conf.d# certbot --nginx
    root@3a4767f0c009:/etc/nginx/conf.d# 
    root@3a4767f0c009:/etc/nginx/conf.d# cat bw.conf
    server {
        listen       80;
        server_name  bw.51sec.org;
    
    location / {
        proxy_pass       http://140.238.153.62:8000;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/bw.51sec.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/bw.51sec.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    root@3a4767f0c009:/etc/nginx/conf.d# service nginx restart


    Verify https://bw.51sec.org is working. 


    Now we can create account and mast password for this account:

    Log into BitWarden Web Gui:




    Disable Create Account

    After you created the accounts you needed, you might want to disable Create Account function to reduce the usage from other unknown persons. We can use Portainer's Duplicate/Edit button to add one environment variable into the settings.

    Set environment variable "SIGNUPS_ALLOWED" to false. 


    command line to add this environment variable into docker run :
    root@3a4767f0c009:/# docker run -d --name Bitwarden \
    -e SIGNUPS_ALLOWED=false \
    -v /bw-data/:/data/ \
    -p 8000:80 \
    bitwardenrs/server:latest

    YouTube Video:














    No comments:

    Post a Comment