Skip to main content

Installation Vaultwarden avec nginx en reverse et ssl

DOCKER:

docker-compose.yml:

version: "3"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
     - 8080:80
    volumes:
     - ./bitwarden:/data:rw
    environment:
     - ADMIN_TOKEN=${ADMIN_TOKEN}
     - WEBSOCKET_ENABLED=true
     - SIGNUPS_ALLOWED=true
     - SIGNUPS_VERIFY=true
     - SMTP_HOST=${SMTP_HOST}
     - SMTP_FROM=${SMTP_FROM}
     - SMTP_PORT=${SMTP_PORT}
     - SMTP_SSL=${SMTP_SSL}
     - SMTP_USERNAME=${SMTP_USERNAME}
     - SMTP_PASSWORD=${SMTP_PASSWORD}
     - DOMAIN=${DOMAIN}
.env:


ADMIN_TOKEN=edit!
WEBSOCKET_ENABLED=true
SIGNUPS_VERIFY=true
SIGNUPS_ALLOWED=true
SMTP_HOST=
SMTP_FROM=
SMTP_PORT=587
SMTP_SSL=true
SMTP_USERNAME=
SMTP_PASSWORD=
DOMAIN=https://vault.blah.local
config.json


{
  "domain": "https://vault.blah.local",
  "sends_allowed": true,
  "disable_icon_download": false,
  "signups_allowed": true,
  "signups_verify": true,
  "signups_verify_resend_time": 3600,
  "signups_verify_resend_limit": 6,
  "invitations_allowed": true,
  "password_iterations": 100000,
  "show_password_hint": false,
  "admin_token": "edit!",
  "invitation_org_name": "Vaultwarden",
  "ip_header": "X-Real-IP",
  "icon_cache_ttl": 2592000,
  "icon_cache_negttl": 259200,
  "icon_download_timeout": 10,
  "icon_blacklist_non_global_ips": true,
  "disable_2fa_remember": false,
  "authenticator_disable_time_drift": false,
  "require_device_email": false,
  "reload_templates": false,
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "disable_admin_token": false,
  "_enable_yubico": true,
  "_enable_duo": false,
  "_enable_smtp": true,
  "smtp_host": "smtp.office365.com",
  "smtp_ssl": false,
  "smtp_explicit_tls": false,
  "smtp_port": 587,
  "smtp_from": "",
  "smtp_from_name": "",
  "smtp_username": "",
  "smtp_password": "",
  "smtp_timeout": 15,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "_enable_email_2fa": true,
  "email_token_size": 6,
  "email_expiration_time": 600,
  "email_attempts_limit": 3
}


NGINX:

Générate cert ssl:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/entité.key -out /etc/ssl/certs/vault.crt
openssl dhparam -out /etc/nginx/dhparam.pem 4096

conf nginx:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##


        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;


server {
  listen          80;
  listen          443 ssl;
  ssl on;
  server_name     domain.local;
  include /etc/nginx/conf.d/ssl-parems.conf;
  ssl_certificate /etc/ssl/certs/vault.crt;
  ssl_certificate_key /etc/ssl/private/entite.key;
   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  location / {
          proxy_pass http://localhost:8080;
          proxy_set_header Host             $host;
          proxy_set_header X-Real-IP        $remote_addr;
          proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
          client_max_body_size 100M;
  }
}
}