shrabok

Bitwarden Self-Hosted Password Manager on Docker

Posted (edited)

Recently I deployed Bitwarden (https://bitwarden.com/) in Synology Docker and thought I would share my experience for others looking to do so.

***For experienced individuals comfortable with the Synology command line and Linux environments with Docker; I take no responsibility for any issues encountered***

***Read fully before considering***

 

History:

I've used a number of password managers (LastPass, Keeper, KeePass, etc.) and still use some for professional reasons.

For personal use I was using KeePassX so I could control the safe (in Dropbox) and did not want my personal data cloud hosted.
I need it to run on Linux, Windows and OSX, as well as mobile (Android) support.

I am also a strong proponent of two-factor authentication; KeePass offers it, but the implementation is lackluster.

I wanted a more robust self-hosted password manager that I could host on my Synology.

 

Feature Requirements:

There are a number of things I wanted in my personal password management that Bitwarden offered over the others:

  • TOTP (Time Based One Time Passcode) two-factor authentication with Authy or Google Authenticator
  • Self-hosted password manager with central database stored on my Synology
  • Robust device and application support (Linux, Windows, OSX, iOS app, Android app, browser integrations, etc.)
  • Push syncing of changes so conflicts in the password safe are avoided or less likely
  • Secure software with good development (Bitwarden has a cloud-hosted solution as well as self-hosted, so they are diligent in ensuring updates are made regularly, https://help.bitwarden.com/security/, and community involvement is very good)
  • Free for personal use and open source

 

Setup Requirements:

You will need to have the following requirements met to follow this guide:

  • Latest XPenology/Synology: currently on DSM 6.1.6-15266 with JUN'S LOADER v1.02b - DS3617xs
  • Latest Synology Docker package: currently on 17.05.0-0370 (https://www.synology.com/en-global/dsm/packages/Docker)
  • Your own public domain (in this use case I use a personal public-facing domain with public DNS)
  • An understanding of domains, external DNS, SSL certificates (Let's Encrypt), reverse proxies, Linux/Synology CLI, Docker

 

Process:

Please fully read the Bitwarden self-hosting documentation (https://help.bitwarden.com/article/install-on-premise/) before attempting any of these steps.

  • Create your Bitwarden external DNS record (I used bw.<mydomain>; this guide's example will be bitwarden.domain.com)
    You have two options for your DNS record:
    • "A record", which points to the external IP address you use to reach your Synology/XPenology device (eg: bitwarden.domain.com A record to your public IP)
    • "CNAME record", which points to the existing DNS record of your Synology/XPenology device (eg: bitwarden.domain.com CNAME record to nas.domain.com)
  • Create an SSL certificate using Let's Encrypt within DSM Certificate Manager
    • Go to "Control Panel" -> "Security" -> "Certificate" -> "Add"
    • "Add a new certificate" -> "Next"
    • Description: "Bitwarden Certificate", select "Get a certificate from Let's Encrypt" -> "Next"
    • Domain name: "bitwarden.domain.com", Email: "<your email address>" -> "Apply"
  • Create a reverse proxy in DSM to the Docker port used by Bitwarden
    • Go to "Control Panel" -> "Application Portal" -> "Reverse Proxy" -> "Create"
    • Description: "Bitwarden https reverse proxy"
    • Source: Protocol: "HTTPS", Hostname: "bitwarden.domain.com", Port: "443", HSTS and HTTP/2 "Unchecked"
    • Destination: Protocol: "HTTP", Hostname: "localhost", Port: "8123"
  • Associate the reverse proxy with the certificate
    • Go to "Control Panel" -> "Security" -> "Certificate" -> "Configure"
    • Services: "bitwarden.domain.com", Certificate: "bitwarden.domain.com" -> "OK"
  • Ensure Docker is installed and collect the Docker folder location
    • Install Docker from the package manager
    • Confirm the Docker shared folder location
      • "File Station" -> folder "docker", right click "Properties" and collect the path (mine was "/volume1/docker" and will be referenced as the path in this article)
  • SSH to the Synology/XPenology internal IP address or hostname as an administrator account
    • Linux/OSX terminal command: ssh admin@<nas internal ip or dns> (enter admin user password)
    • Windows: use PuTTY or Bash for Windows to connect (provide admin user and password as credentials)
  • Switch to the root user for Docker access
    • command: sudo su - (enter admin user password when prompted for password)
  • Change to the Docker folder
    • command: cd /volume1/docker (or whatever your path to the Docker shared folder may be)
  • Follow the Bitwarden self-hosted setup procedure (reference https://help.bitwarden.com/article/install-on-premise/)
  • Get a self-hosting installation id and key here: https://bitwarden.com/host
    • copy these values to be used when running the installation
  • Import the bitwarden.sh script
  • Run the installation using the script
    • command: ./bitwarden.sh install
  • Follow the prompts as in this code block:
    root@nas:/volume1/docker# ./bitwarden.sh install
     _     _ _                         _
    | |__ (_) |___      ____ _ _ __ __| | ___ _ __
    | '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \
    | |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
    |_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|
    
    Open source password management solutions
    Copyright 2015-2018, 8bit Solutions LLC
    https://bitwarden.com, https://github.com/bitwarden
    
    ===================================================
    
    
    Docker version 17.05.0-ce, build 9f07f0e-synology
    docker-compose version 1.14.0, build c7bdf9e
    
    (!) Enter the domain name for your bitwarden instance (ex. bitwarden.company.com): bitwarden.domain.com
    (!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): n
    1.17.2: Pulling from bitwarden/setup
    Digest: sha256:cf55e0288b6392ee9c35022089396c3c561773ddc963945f1afea8fce359757f
    Status: Image is up to date for bitwarden/setup:1.17.2
    (!) Enter your installation id (get it at https://bitwarden.com/host): <my_installation_id>
    (!) Enter your installation key: <my_installation_key>
    (!) Do you have a SSL certificate to use? (y/n): n
    (!) Do you want to generate a self-signed SSL certificate? (y/n): n
    !!!!!! WARNING !!!!!!
    You are not using an SSL certificate. Bitwarden requires HTTPS to operate. You must front your installation with a HTTPS proxy. The web vault (and other Bitwarden apps) will not
    work properly without HTTPS.
    !!!!!!!!!!!!!!!!!!!!!
    Generating key for IdentityServer.
    Generating a 4096 bit RSA private key
    ....................................................................................++
    ......................................++
    writing new private key to 'identity.key'
    -----
    (!) Do you want to use the default ports for HTTP (80) and HTTPS (443)? (y/n): n
    (!) HTTP port: 8123
    (!) Is your installation behind a reverse proxy? (y/n): y
    (!) Do you use the default ports on your reverse proxy (80/443)? (y/n): y
    (!) Do you want to use push notifications? (y/n): y
    Building nginx config.
    Building docker environment files.
    Building docker environment override files.
    Building app settings.
    Building FIDO U2F app id.
    Building docker-compose.yml.
    
    Setup complete

     

  • Once setup is complete you will need to create some missing folders (this is due to the Docker version on Synology not creating bind mount locations on container creation, likely a version bug)
    • there should be a new folder created in your /volume1/docker location called /volume1/docker/bwdata
    • create the following folders in the bwdata directory from your current location (/volume1/docker):
      • command: mkdir bwdata/core bwdata/core/attachments
      • command: mkdir bwdata/ca-certificates
      • command: mkdir bwdata/logs bwdata/logs/admin bwdata/logs/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx bwdata/logs/notifications bwdata/logs/icons
      • command: mkdir bwdata/mssql bwdata/mssql/data bwdata/mssql/backups
    • If ./bitwarden.sh start fails with "ERROR: for <container name> Cannot start service <container name>: Bind mount failed: '/volume1/docker/bwdata/<path>' does not exists", make sure to create the missing <path> specified in the error
  • Start the services using the script
    • command: ./bitwarden.sh start
    • if there are no missing folders as per the notes above, the service should now be running on port 8123 and reachable from your external DNS entry https://bitwarden.domain.com
  • Run updatedb using the script
    • command: ./bitwarden.sh updatedb
    • this runs the database migrations on Bitwarden for any latest database changes
  • Additional changes to consider:
    • modify your bwdata/env/global.override.env for the following features
      • add SMTP email
      • disable registrations after you create your accounts
      • other override features specific to your use case
    • restart the containers after changing the global environment vars

 

Update bitwarden version:

To update to the latest version run:

  • command: ./bitwarden.sh updateself
  • command: ./bitwarden.sh update

 

Hopefully this guide is helpful to anyone looking to host bitwarden on their synology/xpenology device.

Edited by shrabok
Addition of two new logs directories (notifications and icons) needed creation on v1.24
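The folder-creation step from the guide can be scripted. What follows is an added example, not part of the original post and not part of Bitwarden's own bitwarden.sh. It assumes the bwdata directory is passed in as an argument (the guide's path is /volume1/docker/bwdata) and uses the directory list the guide gives as of v1.24. It creates the bind-mount directories idempotently, and it also reads the output of ./bitwarden.sh start and creates exactly the paths named in "Bind mount failed: '...' does not exists" errors, refusing anything outside bwdata so that an unrelated quoted string in the output can never create a directory elsewhere on the NAS.

```shell
#!/bin/sh
# Added example (not from the original post or from bitwarden.sh): prepare the
# bwdata bind-mount directories that the Synology Docker build does not create,
# and recover from "Bind mount failed" errors by creating only the named paths.

# Directories the guide's mkdir commands create (as of v1.24), relative to bwdata.
BWDATA_DIRS="core/attachments ca-certificates logs/admin logs/api logs/identity logs/mssql logs/nginx logs/notifications logs/icons mssql/data mssql/backups"

# Create every expected directory (mkdir -p makes this safe to re-run) and
# print how many were missing before the call.
prepare_bwdata() {
    bwdata="$1"
    missing=0
    for d in $BWDATA_DIRS; do
        if [ ! -d "$bwdata/$d" ]; then
            mkdir -p "$bwdata/$d"
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Read ./bitwarden.sh start output on stdin, pull out the quoted path from each
# "Bind mount failed: '<path>' does not exists" line and create it.
# Only paths under $bwdata, without "..", are accepted; others are reported on
# stderr and skipped. Each created path is printed on stdout.
create_missing_from_errors() {
    bwdata="$1"
    sed -n "s/.*Bind mount failed: '\([^']*\)' does not exist.*/\1/p" |
    while IFS= read -r path; do
        case "$path" in
            "$bwdata"/*) ;;
            *) echo "skip (outside $bwdata): $path" >&2; continue ;;
        esac
        case "$path" in
            *..*) echo "skip (contains ..): $path" >&2; continue ;;
        esac
        mkdir -p "$path" && echo "$path"
    done
}

# Exit status 0 when every expected directory exists; missing ones go to stderr.
verify_bwdata() {
    bwdata="$1"
    rc=0
    for d in $BWDATA_DIRS; do
        [ -d "$bwdata/$d" ] || { echo "missing: $bwdata/$d" >&2; rc=1; }
    done
    return $rc
}

# Demonstration on a scratch directory (constructed; on the NAS you would pass
# /volume1/docker/bwdata instead).
demo_dir=$(mktemp -d)
echo "created $(prepare_bwdata "$demo_dir") missing directories under $demo_dir"
# Constructed error line in the shape the guide quotes from ./bitwarden.sh start.
SAMPLE_ERROR="ERROR: for nginx  Cannot start service nginx: Bind mount failed: '$demo_dir/logs/nginx/extra' does not exists"
printf '%s\n' "$SAMPLE_ERROR" | create_missing_from_errors "$demo_dir"
verify_bwdata "$demo_dir" && echo "bwdata layout complete"
rm -rf "$demo_dir"
```

On the NAS the intended use is `prepare_bwdata /volume1/docker/bwdata` before the first `./bitwarden.sh start`, and `./bitwarden.sh start 2>&1 | tee start.log; create_missing_from_errors /volume1/docker/bwdata < start.log` if a later version adds a directory the list does not know about yet.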

Good writeup. There are a couple of "corrections" or changes since this has been created:

 

1. There is a mismatch in this command as it starts out log and then moves to logs:

command: mkdir bwdata/log bwdata/log/admin bwdata/log/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx

2. Instead of running ./bitwarden.sh setup it is now ./bitwarden.sh start

 

Addition:

 

To update run ./bitwarden.sh updateself and then ./bitwarden.sh update

Posted (edited)

Hi @ebell
Thanks for mentioning the corrections. It seems I'm no longer able to edit the original post. Referencing the Bitwarden docs for all the latest changes is highly recommended as it does change frequently. Hopefully Synology can get Docker updated to a point where we no longer need to manually create the folders that were missing as well. 
Also for clarity the line `command: mkdir bwdata/log bwdata/log/admin bwdata/log/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx`
should be changed to
`command: mkdir bwdata/logs bwdata/logs/admin bwdata/logs/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx`

Edited by shrabok
Added clarity on correction for logs path

Posted (edited)

In order to access the Bitwarden Admin site on the Synology you will need to perform the following:

  • Modify the bitwarden-admin container
    • Stop the container.
    • Click on Edit
    • Click on the Port Settings tab
    • Add the following settings
      • Local port - 8124
      • Container port - 5000
      • Type - TCP
    • Click Apply
    • Start the container
  • Modify the reverse proxy settings via SSH
    • SSH into your Synology server
    • Change to this directory: /usr/local/etc/nginx/conf.d
    • Create a file in this directory (i.e., www.rproxy.bw_admin.conf)
    • Add the following content:

        location ~ /admin/ {
            proxy_pass http://localhost:8124;
        }

    • Save the file and test the configuration. The following should return "Syntax is OK" and "Test is successful":
      • nginx -T > /tmp/nginx.conf
    • Restart nginx:
      • nginx -s reload

Now bitwarden.url/admin should redirect you to the appropriate page where you can log in with an admin account.

Edited by ebell
formatting

10 hours ago, ebell said:

In order to access the Bitwarden Admin site on the Synology you will need to perform the following:

  • Modify the bitwarden-admin container
    • Stop the container.
    • Click on Edit
    • Click on the Port Settings tab
    • Add the following settings
      • Local port - 8124
      • Container port - 5000
      • Type - TCP
    • Click Apply
    • Start the container
  • Modify the reverse proxy settings via SSH
    • SSH into your Synology server
    • Change to this directory: /usr/local/etc/nginx/conf.d
    • Create a file in this directory (i.e., www.rproxy.bw_admin.conf)
    • Add the following content:

        location ~ /admin/ {
            proxy_pass http://localhost:8124;
        }

    • Save the file and test the configuration. The following should return "Syntax is OK" and "Test is successful":
      • nginx -T > /tmp/nginx.conf
    • Restart nginx:
      • nginx -s reload

Now bitwarden.url/admin should redirect you to the appropriate page where you can log in with an admin account.

 

Hi @ebell

 

In my current installation I can reach the admin site using https://bitwarden.domain.com/admin/login/  without a dedicated port. There is an issue open regarding the https://bitwarden.domain.com/admin redirecting to a non https port here https://github.com/bitwarden/core/issues/253.

 

Your approach could be an interesting alternative as a dedicated URL specific to admin that is internal only and not public facing.

Also, I have edit capability on the original post and will attempt to keep it relevant and recent.


I followed the instructions, but am having a problem. I can't log in to Bitwarden from the Android app when connected to LTE. I can only log in to the Android app when connected to my LAN/WiFi.

I can log in to the Bitwarden web UI/vault from a web browser on my PC and Android phone (on WiFi and LTE), and I can log in with a browser extension from a PC on the same LAN.

 

Any ideas? I assume it is something with the certificates? I don't think it is port forwarding as I port forwarded port 443 and even tried to DMZ briefly to see if the firewall was the problem.

On 7/5/2018 at 1:58 AM, GKay said:

I followed the instructions, but am having a problem. I can't log in to Bitwarden from the Android app when connected to LTE. I can only log in to the Android app when connected to my LAN/WiFi.

I can log in to the Bitwarden web UI/vault from a web browser on my PC and Android phone (on WiFi and LTE), and I can log in with a browser extension from a PC on the same LAN.

 

Any ideas? I assume it is something with the certificates? I don't think it is port forwarding as I port forwarded port 443 and even tried to DMZ briefly to see if the firewall was the problem.

 

Fixed it... IPV6 firewall was not port-forwarded, while the IPV4 firewall was. T-mobile LTE is IPV6 only and would only try to connect through IPV6.

19 hours ago, GKay said:

 

Fixed it... IPV6 firewall was not port-forwarded, while the IPV4 firewall was. T-mobile LTE is IPV6 only and would only try to connect through IPV6.

Thanks for sharing @GKay, I have not come across an IPv6 connection yet, so that's a good thing to keep in mind.


After following these instructions to the letter, I'm trying to go to https://bw.domain.com and it's acting like the site doesn't exist, but if I go to http://bw.domain.com I'm able to reach the site, of course without the SSL certificate.  Any ideas as to what my issue is?  Happy to provide any add'l information needed.

 

Edit: I also just realized that when I go to create my account, I click on "Submit" but nothing happens.  Maybe this is related in some way?

 

Edit2: Nevermind, y'all.  Went to incognito and it worked, so probably just clear cache and I'll be good.  I'm leaving my stupidity up for the world to see, just in case it helps anybody else in the future.

Edited by jermz162


Upgrade to version 1.24 requires creation of two new log directories in your bitwarden location

  • bwdata/logs/notifications
  • bwdata/logs/icons

Edited Original Post for additional changes on new deployments


Hello,

 

I am trying to install Bitwarden, but running the bitwarden.sh install script it doesn't prompt for the proxy information eg.:

Quote

(!) Do you want to use the default ports for HTTP (80) and HTTPS (443)? (y/n): n
(!) HTTP port: 8123
(!) Is your installation behind a reverse proxy? (y/n): y
(!) Do you use the default ports on your reverse proxy (80/443)? (y/n): y
(!) Do you want to use push notifications? (y/n): y

 

I've got no idea how to get Bitwarden to ask these questions, and I do not know what to include in the ./bwdata/config.yml to manually add the proxy. Can anyone help me out here?


Hi @Binkem

 

It seems as though bitwarden setup has changed over time. I had a look at my config.yml and it looks like this (FYI - I've excluded all the comments):

url: https://bw.domain.com
generate_compose_config: true
generate_nginx_config: true
http_port: 8123
https_port:
compose_version:
ssl: false
ssl_versions:
ssl_ciphersuites:
ssl_managed_lets_encrypt: false
ssl_certificate_path:
ssl_key_path:
ssl_ca_path:
ssl_diffie_hellman_path:
push_notifications: true
database_docker_volume: false

Also sounds like you can reconfigure your deployment using the commands here:

https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

 

I've not attempted an install since my original post. Please let me know if this is helpful with regard to your setup.

 


@shrabok

 

This seems to be helpful. I can now start Bitwarden and connect to it from my home network. Tomorrow I'll try to get it to work outside the network.

 

Yours,

 

Binkem 


I am now getting mssql restarts. According to the internet this may be a memory problem. My DS216+ has only 1 GB of memory and mssql wants a minimum of two. Has anyone else got the same problem? Or can you run mssql on a 1 Gb machine?


Hi @Binkem, 

 

This could very well be a possibility. There are multiple containers used by bitwarden and mssql is quite large as well. Here are my current docker stats:
 

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
370126b59277        0.00%               14MiB / 15.63GiB      0.09%               1.85MB / 1.28MB     0B / 0B             0
291a000cfd52        0.93%               746.6MiB / 15.63GiB   4.66%               701kB / 537kB       0B / 0B             0
c4f8e956a4ae        0.03%               27.76MiB / 15.63GiB   0.17%               139kB / 0B          0B / 0B             0
0911a92c79e6        0.06%               39.08MiB / 15.63GiB   0.24%               726kB / 148kB       0B / 0B             0
0ba98ce071b3        0.02%               59.76MiB / 15.63GiB   0.37%               607kB / 520kB       0B / 0B             0
e3e8ac74eea8        0.02%               42.95MiB / 15.63GiB   0.27%               1.28MB / 449kB      0B / 0B             0
49b58a990b7f        0.02%               17.88MiB / 15.63GiB   0.11%               139kB / 0B          0B / 0B             0
7ca297b1174c        0.02%               35.82MiB / 15.63GiB   0.22%               214kB / 60.8kB      0B / 0B             0
75ddff907b44        0.01%               16.79MiB / 15.63GiB   0.10%               139kB / 0B          0B / 0B             0

you can also try `docker logs bitwarden-mssql` to see the logs and what is causing the restart. 

 


@Binkem the DS216 may not be able to handle it due to the limited amount of RAM, as mine is using around 500 MB. Here are my stats... not as high memory utilization as @shrabok though:

[screenshot of docker stats omitted]


Just upgraded the memory. It was quite easy, and gave me the chance to remove a lot of dust from the Disk Station.

Now Bitwarden works perfectly. Thanks all for helping.

Yours,

Binkem


Hi!

 

I am getting this error

for nginx  Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (64e618a8b5ae951d8857fe07d08cf85d36f20ab7e05a6316907c1a43be7d9797): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

but I don't know why the bind already exists. There is just the DSM itself.

19 minutes ago, StifflersMoM said:

Hi!

 

I am getting this error


for nginx  Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (64e618a8b5ae951d8857fe07d08cf85d36f20ab7e05a6316907c1a43be7d9797): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

but I don't know why the bind already exists. There is just the DSM itself.

 

Try determining what is listening on that port - https://www.cyberciti.biz/faq/what-process-has-open-linux-port/

Did you choose the option to use the default ports when setting up Bitwarden?


Like Binkem posted before, I did not get asked for the ports.

Hm, I can't see a service which is configured with port 443.

I just see:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -

Edited by StifflersMoM

On 10/31/2018 at 10:48 PM, shrabok said:

Hi @Binkem

 

It seems as though bitwarden setup has changed over time. I had a look at my config.yml and it looks like this (FYI - I've excluded all the comments):


url: https://bw.domain.com
generate_compose_config: true
generate_nginx_config: true
http_port: 8123
https_port:
compose_version:
ssl: false
ssl_versions:
ssl_ciphersuites:
ssl_managed_lets_encrypt: false
ssl_certificate_path:
ssl_key_path:
ssl_ca_path:
ssl_diffie_hellman_path:
push_notifications: true
database_docker_volume: false

Also sounds like you can reconfigure your deployment using the commands here:

https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

 

I've not attempted an install since my original post. Please let me know if this is helpful with regard to your setup.

 

Changing the config still does not work for me (http and https)


Hi @StifflersMoM

Sorry to hear about your issues. Could you try the following commands and post your results:
 

docker ps

this will provide all running containers and also show their port forwarding

 

Are you also using a unique domain name for your bitwarden instance and proxying it to bitwarden?

 

 


Thanks for your help!

I forgot to run ./bitwarden.sh rebuild after changing the config. Now all containers are up and running!
