Bitwarden Local

1. Bitwarden Internet Explorer
2. Bitwarden Local Vault
3. Bitwarden Local
4. Bitwarden Local File
5. Bitwarden Localhost

This is the first of two posts in Part 9 discussing adding a Bitwarden password manager to the same server hosting our simple WordPress app. Unfortunately, there isn't much to skip, but if you'd like to just get to the Bitwarden installation you can skip ahead to Bitwarden Installation.

This is Part 9a in a series describing a project to create a local WordPress development environment using Docker-Compose. The series is structured as follows:

In order to verify Self-hosted Bitwarden email, we are going to use local Postfix relay via Gmail SMTP. Therefore, install and configure Postfix to use Gmail SMTP relay by following the guide below; Configure Postfix to Use Gmail SMTP on Ubuntu 20.04. Next, configure Postfix to allow Bitwarden docker containers to sent emails through it.

• Bitwarden operates on port 80 by default. Visit the WebUI and create a user for yourself. Backups Now your bitwarden docker is fully set up, we will get some automatic backups sorted to protect your data. There are multiple different backup techniques you can use. A couple of options are listed below. Option 1 - Duplicati.
• Bitwarden, Inc., parent company of 8bit Solutions LLC, brings you Bitwarden. Bitwarden is the easiest and safest way to store all of your logins and passwords while conveniently keeping them synced between all of your devices. Password theft is a serious problem. The websites and apps that you use are under attack every day.
• Bitwarden works on the same devices as 1Password, so you can use it with any computer, phone, tablet, or browser. If you prefer to use a local vault and you want to avoid 1Password's.
• Hi there, I have setup a Bitwarden Docker Image on my Synology NAS. Unfortunately it works fine on the web interface and the Linux client (running on Arch Linux). The only problem i have is on the Bitwarden iOS App.

• Part 9a – Installing and configuring a Bitwarden password manager

As I discussed in Part 8, our local WordPress app is largely complete barring some performance, security and other enhancements that I'll get to in future articles. First up though I want to cover adding a password manager, specifically Bitwarden, to our server. I've found it very handy having a password manager incorporated into my development environment to easily serve up passwords to the various sites involved in managing my site. If you struggle in this area and think Bitwarden might help, continue on.

When I first set up my Ubuntu server my main objective was to have it host a local Bitwarden password manager for something unrelated to website development. That setup was straight forward following Bitwarden's on-premises hosting installation guide. The problem came when I tried to host a WordPress app on the same server as well. That's not hard to do but required that I access the WordPress app on ports other than port 80 or 443, as Bitwarden uses them by default. As I explained in Part 1 though, I wanted to use standard URLs for accessing my WordPress app rather than having to specify a port in the URL. I needed some other solution to get both these apps up and running on my server in a manner consistent with my goals.

I tried many ways to get both apps running at the same time. In one I assigned other ports to Bitwarden and let my WordPress app use the default ports, but this prevented Bitwarden's web browser extensions from working properly. I rejected that approach since the browser extension greatly enhances the usefulness of Bitwarden. Finally, I found a discussion about hosting Bitwarden behind a reverse proxy which seemed to be exactly what I wanted. The discussion wasn't directly applicable to my setup, but it pointed me in the proper direction and with some trial and error I was able to get it working for the most part. The only limitation I found was that the Microsoft Edge browser extension didn't work. But the Google Chrome extension did so that was sufficient for me. Note: Bitwarden's browser extension works on the new Microsoft Edge browser, which is based on the same open-source project as Chrome.

As you can see from the diagram of my wife's development environment, discuss in Part 1, below, I ended up installing the entire Bitwarden app behind the WordPress app's nginx web server. Seems simple, and in fact, on the WordPress app side, the setup was very similar to what we did in Part 8 when we added additional WordPress services to our app. The tricky part was modifying the stand-alone Bitwarden app to work behind my WordPress app.

You'll notice that there are two nginx servers in the setup above, one in the WordPress app and one in the Bitwarden app. The solution here, as I learned in the discussion linked to above, was putting the two nginx services on their own external Docker network and configuring Bitwarden properly. Once done it seems simple, but getting there from scratch needed a bit of trial and error on my part. At the end of Part 9b I discuss an alternate configuration that I tried with the WordPress app served by the Bitwarden nginx service.

Beyond the practical benefits of having a password manager, this tutorial can be generalized to demonstrate some of the other issues that might come up when hosting multiple apps on a server. We've already address one consideration in choosing to access our apps via a nginx web server, rather than, for example, a specific port on our server, which we covered in Part 3 – Adding a Web Server to Our Simple WordPress App. We also saw in Part 8 that it is relatively simple to add additional apps by modifying our Compose and nginx configuration files.

But what about more complex apps, especially one that comes configured to communicate over specific ports which might conflict with ones you're already using? In that case you'll have a bit of work to do to eliminate any conflicts between the apps and get them working together. This was the case in getting Bitwarden to work with our WordPress app. I'll step you through it for our WordPress app with something similar to the configuration of my wife's development environment shown above.

We're going to be continuing on with our project from Part 8. You can copy the Part 8 directory and rename it. I've called mine part-9.

Installing Bitwarden

Installing Bitwarden for self-hosting is straightforward. Simply follow the Host it Yourself instructions on Bitwarden's download page. I've incorporated the appropriate steps at the time of writing below for our project. As previously in this tutorial, I'm going to take a barebones approach at first to just give us a working version of Bitwarden. In a subsequent post I'll discuss a few other enhancements that you might want to make to your Bitwarden setup, but are too lengthy to cover here.

For starters, I'm going to keep both Bitwarden and our WordPress app together in a single project folder. This makes it easier working through the various parts of this tutorial series. Ultimately though, you might want to separate your apps into different folders. We'll be installing Bitwarden directly to our part-9 folder. You could also add it to a /bitwarden subdirectory, but I found this didn't add much separation as Bitwarden already installs most of its files in a subfolder.

First download the Bitwarden master script by running the following command from within your part-9 folder.

This command downloads the Bitwarden master script and makes it executable. You might want to examine the script before proceeding further. The master script provides commands to install, update, rebuild, start, and stop Bitwarden. During the installation of Bitwarden you will need a host id and key. You can get yours here.

Next, install bitwarden using the following command.

The Bitwarden installation script will prompt you for information specific to your installation. I've shown a sample below as of the time of this writing. The installation script does seem to change from time to time so if additional information is requested from what is presented below then look ahead for additional configuration details.

For our project, provide the information as shown below. I'll use the local domain bw.local to access Bitwarden but you can use whatever name suits you. Just be sure to use that name in place of bw.local going forward. Bitwarden requires a secure https connection but we'll handle this with our WordPress app nginx service. As such, reply in the negative, with an ‘n‘, to the three questions related to SSL certificates. When prompted for an installation id and key, provide the ones you obtained above.

The Bitwarden installation script creates a folder, bwdata, and populates it with the folders and files needed to run our local copy of the Bitwarden password manager. We could start Bitwarden at this point, but then, as discussed above, we wouldn't be able to run our WordPress app as Bitwarden, by default, uses ports 80 and 443, the same as our WordPress app. To get them both running together we'll need to modify the Bitwarden configuration.

Modifying the Bitwarden Base Configuration

Of main interest to us at this point are the /bwdata/docker folder and the Bitwarden configuration file, /bwdata/config.yml. If you've been following along with this tutorial series, the contents of the /bwdata/docker folder will be familiar. It contains the Docker Compose file and environment variable files for the Bitwarden services. We'll be adding a docker-compose.override.yml file to this folder that will connect the Bitwarden nginx service to the one in our WordPress app, allowing the two apps to communicate. We discussed the Compose override file in Part 4b if you'd like to go back and review how to use it.

Best selling sub compact size suv. The /bwdata/config.yml file contains parameters that allow you to change Bitwarden's installed configuration. This file is mainly used to alter Bitwarden's default installation options, but can also be used to make changes to the inputs you provided while running the installation script.

Let's start by modifying the /bwdata/config.yml file. Open the file for editing and make the following changes to the noted Bitwarden variables.

• url: verify the domain name you want to use to access Bitwarden or change it as desired. You'll need this domain name in several of the changes we'll be making here and in Part 9b.
• http_port: Bitwarden specifies port 80 by default for client http communications. Since our nginx service will handle these communications we'll leave this variable blank. That is, delete the 80 currently assigned to this variable. Behind the scenes Bitwarden exposes port 8080 for internal communications. Our WordPress app nginx service will pass client requests to Bitwarden on that port.
• https_port: as above, leave this variable blank. That is, delete the 443 that Bitwarden specifies by default. Behind the scenes Bitwarden exposes port 8443 for https communications. We won't use this port in Part 9 but will revisit it in a future article so our WordPress app nginx service passes requests to Bitwarden over https protocol.
• push_notifications: I've set this to false for my app. If you want to experiment with Bitwarden's mobile app features you might want to leave this as true.

After you have saved your changes, we need to rebuild Bitwarden to reflect them as follows.

Rebuilding Bitwarden causes the autogenerated configuration files to be regenerated based on the contents of the /bwdata/config.yml file.

Modifying the Bitwarden Docker Compose Configuration

Because our Bitwarden and WordPress apps are separate Docker Compose projects they cannot communicate with each other without modification. Compose provides a top-level key, networks, that we can use to link our applications. We can use this key to specify an external network and then include the networks key in each nginx service to join them to that network. You can learn more about the use of Docker networks in Networking in Compose.

It is a simple matter to create an external network with the docker network create command. Let's create one named wp-bw-net for use by our applications.

That's it. You can use the docker network ls command to list the networks docker has created. You should see something like the list below for your system.

We can use the wp-bw-net network to support communications between our Bitwarden and WordPress apps. To do so on the Bitwarden side we must modify Bitwarden's default Docker Compose configuration to allow access to this network. We could do this by modifying Bitwarden's Compose file, /bwdata/docker/docker-compose.yml, but since this file is automatically generated, any changes would be overwritten if we rebuild Bitwarden again. However, we can use the Compose file override feature we discussed in Part 4b. This allows us to specify additional configuration parameters in a file named docker-compose.override.yml, without modifying the original Compose file. That way, if you ever rebuild Bitwarden, the changes you made in the override file will be preserved.

Create the following Compose override file in the /bwdata/docker folder.

/bwdata/docker/docker-compose.override.yml

You'll notice I used Compose file version 3 here, the same as that used by Bitwarden at the time of this writing. You should use the same Compose version as used in your Bitwarden docker-compose.yml file. Our override file adds our external network, wp-bw-net, to the Bitwarden nginx service as follows:

• networks: under the nginx service the networks key directs Compose to join the nginx service to the wp-bw-net, which is defined under the top-level networks key as an external network. Since the network is specified as external, Compose will not create it when we start Bitwarden, but will just check that it exists. If it doesn't Compose will fail to run with an error that the network could not be found.

Wrapping Up

That's it on the Bitwarden side of things. Next up we'll modify our WordPress app to act as a reverse proxy for Bitwarden in Part 9b – Hosting Bitwarden Behind a Reverse Proxy Server.

Bitwarden is an open-source password manager. Using Bitwarden_rs, it is possible to create a self-hosted server, using little resources, enabling you to use all its features.

Bitwarden makes it possible to share and sync usernames and passwords across all devices and webbrowsers.

In this example I'll be using two pc's: One for compiling and one for hosting, because the VPS I run this on isn't powerful enough to compile the binaries.

On compile machine

Install dependencies

Compile bitwarden_rs

Compile vault

Clone and checkout repository

Patch web vault to work with Bitwarden RS

Download the most recent Bitwarden_RS patch for the Bitwarden web vault. This can be done using one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

• Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
• Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
• Click on 'raw' to get a direct link to the patch file.
• Download with wget and use git apply.

For example:

Build the web vault

NB: Do not run the following commands as root. Building the web vault will fail.

Copy

on remote host

Use this file as a template. Alter all uncommented variables to match your environment.

Add nginx vault.conf. The following config assumes that you have already installed and configured certbot / letsencrypt and retrieved a certificate.

Set up Fail2ban

Bitwarden Internet Explorer

If you are using Fail2Ban, you can add this configuration to keep out unwanted guests:

Set up logrotation

Over time, the Bitwarden_RS log file can grow to a significant size. Using logrotate, we can periodically rotate logs.

NB: To view a compressed log file without manually decompressing:

Backup

Bitwarden Local Vault

If you'd like to backup the bitwarden server, please use the following steps to do so Knives out full stream.

Export the sqlite database:

We're going to be continuing on with our project from Part 8. You can copy the Part 8 directory and rename it. I've called mine part-9.

Installing Bitwarden

Installing Bitwarden for self-hosting is straightforward. Simply follow the Host it Yourself instructions on Bitwarden's download page. I've incorporated the appropriate steps at the time of writing below for our project. As previously in this tutorial, I'm going to take a barebones approach at first to just give us a working version of Bitwarden. In a subsequent post I'll discuss a few other enhancements that you might want to make to your Bitwarden setup, but are too lengthy to cover here.

For starters, I'm going to keep both Bitwarden and our WordPress app together in a single project folder. This makes it easier working through the various parts of this tutorial series. Ultimately though, you might want to separate your apps into different folders. We'll be installing Bitwarden directly to our part-9 folder. You could also add it to a /bitwarden subdirectory, but I found this didn't add much separation as Bitwarden already installs most of its files in a subfolder.

First download the Bitwarden master script by running the following command from within your part-9 folder.

This command downloads the Bitwarden master script and makes it executable. You might want to examine the script before proceeding further. The master script provides commands to install, update, rebuild, start, and stop Bitwarden. During the installation of Bitwarden you will need a host id and key. You can get yours here.

Next, install bitwarden using the following command.

The Bitwarden installation script will prompt you for information specific to your installation. I've shown a sample below as of the time of this writing. The installation script does seem to change from time to time so if additional information is requested from what is presented below then look ahead for additional configuration details.

For our project, provide the information as shown below. I'll use the local domain bw.local to access Bitwarden but you can use whatever name suits you. Just be sure to use that name in place of bw.local going forward. Bitwarden requires a secure https connection but we'll handle this with our WordPress app nginx service. As such, reply in the negative, with an ‘n‘, to the three questions related to SSL certificates. When prompted for an installation id and key, provide the ones you obtained above.

The Bitwarden installation script creates a folder, bwdata, and populates it with the folders and files needed to run our local copy of the Bitwarden password manager. We could start Bitwarden at this point, but then, as discussed above, we wouldn't be able to run our WordPress app as Bitwarden, by default, uses ports 80 and 443, the same as our WordPress app. To get them both running together we'll need to modify the Bitwarden configuration.

Modifying the Bitwarden Base Configuration

Of main interest to us at this point are the /bwdata/docker folder and the Bitwarden configuration file, /bwdata/config.yml. If you've been following along with this tutorial series, the contents of the /bwdata/docker folder will be familiar. It contains the Docker Compose file and environment variable files for the Bitwarden services. We'll be adding a docker-compose.override.yml file to this folder that will connect the Bitwarden nginx service to the one in our WordPress app, allowing the two apps to communicate. We discussed the Compose override file in Part 4b if you'd like to go back and review how to use it.

Best selling sub compact size suv. The /bwdata/config.yml file contains parameters that allow you to change Bitwarden's installed configuration. This file is mainly used to alter Bitwarden's default installation options, but can also be used to make changes to the inputs you provided while running the installation script.

Let's start by modifying the /bwdata/config.yml file. Open the file for editing and make the following changes to the noted Bitwarden variables.

• url: verify the domain name you want to use to access Bitwarden or change it as desired. You'll need this domain name in several of the changes we'll be making here and in Part 9b.
• http_port: Bitwarden specifies port 80 by default for client http communications. Since our nginx service will handle these communications we'll leave this variable blank. That is, delete the 80 currently assigned to this variable. Behind the scenes Bitwarden exposes port 8080 for internal communications. Our WordPress app nginx service will pass client requests to Bitwarden on that port.
• https_port: as above, leave this variable blank. That is, delete the 443 that Bitwarden specifies by default. Behind the scenes Bitwarden exposes port 8443 for https communications. We won't use this port in Part 9 but will revisit it in a future article so our WordPress app nginx service passes requests to Bitwarden over https protocol.
• push_notifications: I've set this to false for my app. If you want to experiment with Bitwarden's mobile app features you might want to leave this as true.

After you have saved your changes, we need to rebuild Bitwarden to reflect them as follows.

Rebuilding Bitwarden causes the autogenerated configuration files to be regenerated based on the contents of the /bwdata/config.yml file.

Modifying the Bitwarden Docker Compose Configuration

Because our Bitwarden and WordPress apps are separate Docker Compose projects they cannot communicate with each other without modification. Compose provides a top-level key, networks, that we can use to link our applications. We can use this key to specify an external network and then include the networks key in each nginx service to join them to that network. You can learn more about the use of Docker networks in Networking in Compose.

It is a simple matter to create an external network with the docker network create command. Let's create one named wp-bw-net for use by our applications.

That's it. You can use the docker network ls command to list the networks docker has created. You should see something like the list below for your system.

We can use the wp-bw-net network to support communications between our Bitwarden and WordPress apps. To do so on the Bitwarden side we must modify Bitwarden's default Docker Compose configuration to allow access to this network. We could do this by modifying Bitwarden's Compose file, /bwdata/docker/docker-compose.yml, but since this file is automatically generated, any changes would be overwritten if we rebuild Bitwarden again. However, we can use the Compose file override feature we discussed in Part 4b. This allows us to specify additional configuration parameters in a file named docker-compose.override.yml, without modifying the original Compose file. That way, if you ever rebuild Bitwarden, the changes you made in the override file will be preserved.

Create the following Compose override file in the /bwdata/docker folder.

/bwdata/docker/docker-compose.override.yml

You'll notice I used Compose file version 3 here, the same as that used by Bitwarden at the time of this writing. You should use the same Compose version as used in your Bitwarden docker-compose.yml file. Our override file adds our external network, wp-bw-net, to the Bitwarden nginx service as follows:

• networks: under the nginx service the networks key directs Compose to join the nginx service to the wp-bw-net, which is defined under the top-level networks key as an external network. Since the network is specified as external, Compose will not create it when we start Bitwarden, but will just check that it exists. If it doesn't Compose will fail to run with an error that the network could not be found.

Wrapping Up

That's it on the Bitwarden side of things. Next up we'll modify our WordPress app to act as a reverse proxy for Bitwarden in Part 9b – Hosting Bitwarden Behind a Reverse Proxy Server.

Bitwarden is an open-source password manager. Using Bitwarden_rs, it is possible to create a self-hosted server, using little resources, enabling you to use all its features.

Bitwarden makes it possible to share and sync usernames and passwords across all devices and webbrowsers.

In this example I'll be using two pc's: One for compiling and one for hosting, because the VPS I run this on isn't powerful enough to compile the binaries.

On compile machine

Install dependencies

Compile bitwarden_rs

Compile vault

Clone and checkout repository

Patch web vault to work with Bitwarden RS

Download the most recent Bitwarden_RS patch for the Bitwarden web vault. This can be done using one of two ways:

A. Download and apply a patch based on the version that you just checked out using git.

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

• Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
• Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
• Click on 'raw' to get a direct link to the patch file.
• Download with wget and use git apply.

For example:

Build the web vault

NB: Do not run the following commands as root. Building the web vault will fail.

Copy

on remote host

Use this file as a template. Alter all uncommented variables to match your environment.

Add nginx vault.conf. The following config assumes that you have already installed and configured certbot / letsencrypt and retrieved a certificate.

Set up Fail2ban

Bitwarden Internet Explorer

If you are using Fail2Ban, you can add this configuration to keep out unwanted guests:

Set up logrotation

Over time, the Bitwarden_RS log file can grow to a significant size. Using logrotate, we can periodically rotate logs.

NB: To view a compressed log file without manually decompressing:

Backup

Bitwarden Local Vault

If you'd like to backup the bitwarden server, please use the following steps to do so Knives out full stream.

Export the sqlite database:

Bitwarden Local

If you have already set up backups for other services, add these paths to your list of backup targets:

Upgrade Bitwarden RS and web vault

On build machine

Update system packages

Remove old build and sources

Upgrade Rust

Build Bitwarden RS

Build Bitwarden web vault

Clone Bitwarden web vault repository

Download the most recent Bitwarden_RS patch for the Bitwarden web vault

This can be done using one of two ways:

Bitwarden Local File

A. Download and apply a patch based on the version that you just checked out using git.

Bitwarden Localhost

B. Does this give a 404 Not Found error? In that case there might not be new changes in the most recent Bitwarden web release that need to be patched in order to work with Bitwarden RS.

• Go to https://github.com/dani-garcia/bw_web_builds/tree/master/patches.
• Click on the patch that is closest to the version you checked out in git (visible by executing the command git tag --sort=v:refname | tail -n1).
• Click on 'raw' to get a direct link to the patch file.
• Download with wget and use git apply.

For example:

Compile web vault

Copy upgraded binary and vault

On remote / public machine

Update notes

• 2020-07: Improved web-vault instructions, added upgrade steps.
• 2020-08: Noticed missing nginx config example. Added this.
• 2020-09: Added some cleanup steps.
• 2020-10: Updated to latest versions. Added new configuration options. Include MySQL and PostgreSQL backends next to the existing SQLite backend in compile steps.
• 2020-12: Update to latest versions. Added logrotate config.
• 2021-04: A reader notified me that the Bitwarden admin Fail2ban regex in /etc/fail2ban/filter.d/bitwarden-admin.conf should be updated. Bitwarden no longer prepends the log entry with 'Unauthorized Error: '. This has been corrected.