ezra
Hello!
I've written up some steps to host your own Bitwarden password server inside a jail.
I'm using this on my LAN, with my mobile devices connected to a VPN to securely access my LAN remotely.
I'm using the server with the native Bitwarden apps, e.g. iOS/Firefox. With this setup nothing goes to their servers.
All credit goes to https://github.com/jcs/rubywarden
** Make sure to:
* Create user "_rubywarden" when prompted, else it will fail (need to figure out how to auto-fill the username)
* Fill in the certificate details, or not (just press Enter through them)
* Let's Encrypt on request; not advisable to open this jail up to the internet...
# Create jail and login
Code:
iocage create -n bitwarden -r 11.2-RELEASE vnet="on" boot="on" dhcp="on" bpf="yes"
iocage console bitwarden
# Install deps
Code:
setenv ASSUME_ALWAYS_YES yes
pkg update
pkg install ruby rubygem-bundler sqlite3 nginx git sudo nano bash
gem install bundler
* Create install script
Code:
nano /tmp/install.sh
Paste this and control + x to save and exit
Code:
#!/usr/local/bin/bash
########################
# bash from pkg lives in /usr/local/bin on FreeBSD (the script is also run explicitly with "bash /tmp/install.sh")

# Setup SSL + nginx: self-signed certificate valid for 10 years; answer the prompts or press Enter through them
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /usr/local/etc/nginx/cert.key -out /usr/local/etc/nginx/cert.crt
echo

# Add user
echo "Set the user below to: _rubywarden"
echo "Enter every line, no need for other configs, only your password"
echo
adduser
cd /home/_rubywarden || exit 1

# Clone repo (as _rubywarden so the checkout is not owned by root)
sudo -u _rubywarden git clone https://github.com/jcs/rubywarden.git

# Install bundle rubywarden
cd rubywarden || exit 1
sudo -u _rubywarden bundle install --path vendor/bundle

# Create the initial database and the required tables
sudo -u _rubywarden mkdir db/production
sudo -u _rubywarden env RUBYWARDEN_ENV=production bundle exec rake db:migrate
Code:
bash /tmp/install.sh
* Edit nginx.conf
Code:
cat /dev/null > /usr/local/etc/nginx/nginx.conf
Code:
nano /usr/local/etc/nginx/nginx.conf
Paste this and control + x to save and exit
Code:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Redirect plain HTTP to HTTPS
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
        server_name localhost;

        ssl_certificate /usr/local/etc/nginx/cert.crt;
        ssl_certificate_key /usr/local/etc/nginx/cert.key;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone is sufficient for the iOS and Firefox clients
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/rubywarden.log;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://localhost:4567;
            proxy_read_timeout 90;
            proxy_redirect http://localhost:4567 https://localhost;
        }
    }
}
Now start nginx:
Code:
sysrc nginx_enable="YES"
service nginx start
* Run the server with this (need help setting up an rc.d script for this one)
Code:
cd /home/_rubywarden/rubywarden
# RUBYWARDEN_ALLOW_SIGNUPS=1 is only needed while you create your own account; drop it afterwards so nobody else can sign up
/usr/local/bin/sudo -u _rubywarden env RUBYWARDEN_ENV=production RUBYWARDEN_ALLOW_SIGNUPS=1 bundle exec rackup -p 4567 config.ru
* Now use your app and set the server to: https://JAIL-IP (no need to set the URL vars)
* Now create a user and password
* To update your instance of Rubywarden, fetch the latest code:
Code:
iocage console bitwarden
cd /home/_rubywarden/rubywarden
# Pull as _rubywarden so the checkout stays owned by that user
sudo -u _rubywarden git pull --ff-only
# Pick up any new gems and schema changes before restarting
sudo -u _rubywarden bundle install --path vendor/bundle
sudo -u _rubywarden env RUBYWARDEN_ENV=production bundle exec rake db:migrate
exit
iocage restart bitwarden
* From https://github.com/jcs/rubywarden:
2-Factor Authentication
The Bitwarden browser extensions and mobile apps support accounts that require 2FA, by prompting you for the current code after successfully logging in. To activate Time-based One-Time Passwords (TOTP) on your account after you've signed up in the previous steps, run the tools/activate_totp.rb program on the server:
Code:
sudo -u _rubywarden env RUBYWARDEN_ENV=production bundle exec ruby /home/_rubywarden/rubywarden/tools/activate_totp.rb -u you@example.com
You'll be shown a data: URL that has a PNG-encoded QR code, which you must copy and paste into a browser, then scan with your mobile TOTP authenticator app (assuming it supports scanning from the camera). Once scanned, the activation program will ask you to enter the current TOTP being shown in the app for verification, and then save the TOTP secret to your account in the SQLite database. Your security_stamp will be reset, forcing a new login on any devices that are logged into your account. Those devices will now prompt for a TOTP code upon future logins.