It will be in English because it may be useful to the world. ;)
A short guide to running a Bitwarden service on a home Qnap NAS.
Install „Container Station” on your Qnap. In the left panel of „Container Station” click the „Create” button, then „Create Application” in the upper right corner of the window. Paste the contents of the following listing into the text field and name the new application „bitwarden”.
Accept and run it. What you have really done is create a Docker Compose YAML file that pulls three images from Docker Hub:
- bitwarden_rs – an unofficial Bitwarden server implemented in Rust,
- nginx – a web server, used here as the TLS-terminating reverse proxy for HTTPS requests,
- bw_backup – a Docker image running a cron job that backs up the Bitwarden database,
and runs containers from them inside „Container Station”.
Pay particular attention to the ports configuration, the lines containing „580:80” and „5443:443”. 580 and 5443 are the host ports opened on the Qnap itself (the number after the colon is the port inside the nginx container). You can change them to whatever suits you, but don't use 80, 443 or 8080, because they are already taken by the Qnap's own services. Only the HTTPS port (5443) should be reachable from outside your home network; 580 is plain HTTP.
Before you run the freshly created application (that is Container Station's name for a docker-compose project in its GUI), log in to the Qnap over SSH and go to the application folder:
Now create the configuration for nginx:
Save it as nginx.conf in the /share/Container/container-station-data/application/bitwarden/data/nginx folder.
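The article's own nginx.conf listing is not reproduced above. As an added example (not the article's file, and not code from the bitwarden_rs or nginx projects), the following shell script renders a TLS-terminating reverse-proxy configuration of the kind the proxy container needs and writes it into the data/nginx folder. It assumes the bitwarden_rs service is reachable from the nginx container as `bitwarden` on port 80 (and on 3012 for the WebSocket hub, which needs WEBSOCKET_ENABLED=true in the bitwarden_rs environment), that data/ssl is mounted at /etc/ssl inside the container so the certificate step further down produces /etc/ssl/certs/bitwarden.crt and /etc/ssl/private/bitwarden.key, and that 5443 is the Qnap port clients connect to; adjust those names to your own compose listing.

```shell
#!/bin/sh
# Added example, not the article's nginx.conf. Renders an nginx configuration
# that terminates TLS for bitwarden_rs and only ever answers plain HTTP with a
# redirect. Assumed names: compose service "bitwarden" (ports 80 and 3012),
# certificate and key mounted at /etc/ssl/certs and /etc/ssl/private.
set -e

APP_DIR=/share/Container/container-station-data/application/bitwarden

# render_nginx_conf HOSTNAME NAS_HTTPS_PORT  -> prints the config to stdout
render_nginx_conf() {
  name=$1
  port=$2
  # nginx variables are written as \$var so the shell leaves them alone
  cat <<EOF
worker_processes 1;
events { worker_connections 1024; }

http {
    # Plain HTTP (container port 80, Qnap port 580): never serve the vault,
    # only send the browser to the HTTPS port published on the Qnap.
    server {
        listen 80;
        server_name $name;
        return 301 https://$name:$port\$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name $name;

        ssl_certificate     /etc/ssl/certs/bitwarden.crt;
        ssl_certificate_key /etc/ssl/private/bitwarden.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # Tell browsers to stay on HTTPS for this host for a year.
        add_header Strict-Transport-Security "max-age=31536000" always;
        # Allow vault attachments larger than nginx's 1 MB default.
        client_max_body_size 128M;

        location / {
            proxy_pass http://bitwarden:80;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }

        # Live sync notifications use a WebSocket served on a separate port
        # by bitwarden_rs (WEBSOCKET_ENABLED=true); the negotiate call is
        # ordinary HTTP and goes to the main port.
        location /notifications/hub/negotiate {
            proxy_pass http://bitwarden:80;
            proxy_set_header Host \$host;
        }
        location /notifications/hub {
            proxy_pass http://bitwarden:3012;
            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host \$host;
        }
    }
}
EOF
}

# write_nginx_conf HOSTNAME NAS_HTTPS_PORT OUTPUT_FILE
write_nginx_conf() {
  mkdir -p "$(dirname "$3")"
  render_nginx_conf "$1" "$2" > "$3"
}

# Usage: sh write_nginx_conf.sh bitwarden.fubar 5443
if [ $# -eq 2 ]; then
  write_nginx_conf "$1" "$2" "$APP_DIR/data/nginx/nginx.conf"
  echo "wrote $APP_DIR/data/nginx/nginx.conf"
fi
```

Because `proxy_pass` names a compose service, nginx can only resolve it inside the application's network; validate the file after the application is running, with `docker exec <nginx container> nginx -t`, rather than with a stand-alone nginx.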
Now create your own certificate authority and a server certificate signed by it, so that nginx can serve HTTPS. To do this, log in to the Qnap over SSH and run the following commands:
In this repository you will find two interesting files: data/ssl/bitwarden.ext:
and a script called create_ssl.sh:
You can edit data/ssl/bitwarden.ext to make generating the certificate easier. Look at these lines:
and this:
Warning: the certificate will be valid only for the names listed there (the DNS.n entries form its subjectAltName, and browsers and the Bitwarden clients check that list, not the Common Name), so the name you later type into a client must be one of them. I use Pi-hole local DNS to resolve bitwarden.fubar to my Qnap IP address.
OK, run the create_ssl.sh script and follow the instructions. At the end you will find a whole new structure of folders and files in the ssl directory.
Copy the certs and private folders to /share/Container/container-station-data/application/bitwarden/data/ssl. The private folder holds the keys: make sure they are not world-readable, and keep a copy of the CA key off the NAS, because anyone holding it can issue certificates that every device you configure below will trust.
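The steps above rely on the repository's create_ssl.sh, whose listing is not reproduced here. The script below is an added example of the same procedure (my own code, not the repository's script): it creates a root CA, signs a server certificate whose subjectAltName carries both the hostname and the Qnap IP, locks down the key files and checks the result, producing the same certs/ and private/ layout the article copies into data/ssl. The CA name, the 10-year CA and 825-day server lifetimes, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's create_ssl.sh: create a private root CA and
# a server certificate for the proxy. Paths, names and validity periods are
# assumptions; the output layout (certs/ and private/) matches what the
# article copies into data/ssl.
set -e

# make_local_ca OUTDIR HOSTNAME IPADDR
#   OUTDIR/private/myCA.key       CA key: keep a copy off the NAS, mode 600
#   OUTDIR/certs/myCA.crt         CA certificate: this is what clients import
#   OUTDIR/private/bitwarden.key  server key read by nginx, mode 600
#   OUTDIR/certs/bitwarden.crt    server certificate, SAN = HOSTNAME + IPADDR
make_local_ca() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir/private" "$outdir/certs"
  chmod 700 "$outdir/private"

  # The CA is CA:TRUE with pathlen 0, so it can sign leaf certificates only.
  cat > "$outdir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Home Bitwarden Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$outdir/private/myCA.key" 4096 2>/dev/null
  chmod 600 "$outdir/private/myCA.key"
  openssl req -x509 -new -sha256 -days 3650 -config "$outdir/ca.cnf" \
    -key "$outdir/private/myCA.key" -out "$outdir/certs/myCA.crt"

  # Leaf extensions, the same role as the article's bitwarden.ext. Clients
  # match the name they connect to against subjectAltName, not the CN.
  cat > "$outdir/bitwarden.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  cat > "$outdir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl genrsa -out "$outdir/private/bitwarden.key" 2048 2>/dev/null
  chmod 600 "$outdir/private/bitwarden.key"
  openssl req -new -sha256 -config "$outdir/server.cnf" \
    -key "$outdir/private/bitwarden.key" -out "$outdir/bitwarden.csr"
  # 825 days is the longest lifetime macOS/iOS accept for a server cert.
  openssl x509 -req -sha256 -days 825 -in "$outdir/bitwarden.csr" \
    -CA "$outdir/certs/myCA.crt" -CAkey "$outdir/private/myCA.key" -CAcreateserial \
    -extfile "$outdir/bitwarden.ext" -out "$outdir/certs/bitwarden.crt" 2>/dev/null
  rm -f "$outdir/bitwarden.csr"
}

# verify_chain OUTDIR: exit 0 if the server certificate chains to the new CA
verify_chain() {
  openssl verify -CAfile "$1/certs/myCA.crt" "$1/certs/bitwarden.crt" >/dev/null
}

# san_contains OUTDIR NAME: exit 0 if NAME (e.g. "DNS:bitwarden.fubar") is in the SAN
san_contains() {
  openssl x509 -in "$1/certs/bitwarden.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Usage: sh create_local_ca.sh /tmp/ssl bitwarden.fubar 10.0.0.1
if [ $# -eq 3 ]; then
  make_local_ca "$1" "$2" "$3"
  verify_chain "$1" && echo "OK: copy $1/certs and $1/private to data/ssl; import $1/certs/myCA.crt on the clients"
fi
```

Run it on the Qnap (or on a laptop, then copy the two folders over), and re-run only the leaf part when the 825 days are up; the CA certificate installed on your devices stays valid, so renewing the server certificate needs no client changes.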
Now start the Bitwarden application:
Open a web browser and go to a URL like https://bitwarden.fubar:5443, remembering to use the same domain as in the DNS.1 entry of the certificate.
You should see Bitwarden login page:
Time to install and use the Bitwarden clients on desktops (macOS, Linux, Windows) and mobiles (Android, iOS), but first go back to the SSH session on your Qnap and copy the „myCA.crt” file to your computer.
This file is the root CA certificate; once it is installed, your Bitwarden clients will accept the server certificate as valid even though it was signed by your own CA rather than a public one. Copy only myCA.crt to the clients, never myCA.key.
Install the CA certificate on every host on which you use a Bitwarden client:
macOS – double-click the CRT file and it opens in Keychain Access; add it to the System keychain and choose „Always Trust”,
Linux (Debian/Ubuntu) – https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate
update-ca-certificates only picks up PEM-encoded files with a .crt extension, so if your CA file is PEM but named .pem, rename or convert it to a .crt file:
1. Create a directory for extra CA certificates in /usr/share/ca-certificates:
2. Copy the server_rootCA.crt file to this directory:
3. Let Debian/Ubuntu add the .crt file's path, relative to /usr/share/ca-certificates, to /etc/ca-certificates.conf:
3a. To do this non-interactively, run:
Windows – don’t use it.
Firefox – go to Preferences -> Privacy & Security -> View Certificates. Click Import, choose the PEM/CRT file and tick „Trust this CA to identify websites”.
Chrome – on macOS it uses the Keychain, so you don't need to add it again. For Linux see https://thomas-leister.de/en/how-to-import-ca-root-certificate/. Quick hint: go to Settings -> Privacy & Security -> Security -> Manage Certificates and Import.
Warning! The original Bitwarden Desktop client is built on Electron, i.e. Chromium, so on Linux it trusts only what is in the Chromium (NSS) certificate store: you HAVE TO install the CA certificate there as well!
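The Debian/Ubuntu commands referred to above are not shown on the page. As an added example (my own script, not the article's or the linked answers' commands), the following puts the CA into the places the Linux, Chrome and Bitwarden Desktop items all need, namely the system store that curl and OpenSSL-based tools read and the NSS databases that Chromium, Electron apps and Firefox read, and then checks a real TLS handshake against the proxy. It uses the local path /usr/local/share/ca-certificates that update-ca-certificates scans, requires the libnss3-tools package for certutil, and assumes the file name myCA.crt, the nickname "Home Bitwarden CA", the host bitwarden.fubar and port 5443.

```shell
#!/bin/sh
# Added example, not from the article: put the private root CA where
# Debian/Ubuntu tools, Chromium/Electron and Firefox each look for it, then
# check that a TLS handshake to the proxy really validates. "myCA.crt",
# "Home Bitwarden CA", bitwarden.fubar and 5443 are assumed names.
set -e

# update-ca-certificates only reads PEM files with a .crt extension below
# /usr/local/share/ca-certificates: a ".pem" file needs renaming, not
# conversion, while a binary DER file must be converted first.
to_pem_crt() {          # to_pem_crt INPUT OUTPUT.crt
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cp "$1" "$2"
  else
    openssl x509 -inform der -in "$1" -outform pem -out "$2"
  fi
}

# System store: curl, wget, python, and anything built on OpenSSL/GnuTLS.
install_system_ca() {   # install_system_ca myCA.crt
  tmp=$(mktemp)
  to_pem_crt "$1" "$tmp"
  sudo install -m 0644 -D "$tmp" /usr/local/share/ca-certificates/extra/myCA.crt
  rm -f "$tmp"
  sudo update-ca-certificates
}

# NSS stores: Chromium, Chrome and Electron apps (the Bitwarden desktop
# client) read ~/.pki/nssdb; Firefox keeps its own cert9.db per profile.
# Trust flags "C,," = trusted to issue server certificates, nothing else.
install_nss_ca() {      # install_nss_ca myCA.crt   (needs libnss3-tools)
  nick="Home Bitwarden CA"
  mkdir -p "$HOME/.pki/nssdb"
  certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "$nick" -i "$1"
  for db in "$HOME"/.mozilla/firefox/*/cert9.db; do
    [ -f "$db" ] || continue
    certutil -d "sql:$(dirname "$db")" -A -t "C,," -n "$nick" -i "$1"
  done
}

# check_server HOST PORT: exit 0 only if the chain validates against the
# system store AND the name matches the certificate's SAN; a failure here
# is exactly what the clients will report as an untrusted certificate.
check_server() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" \
      -verify_hostname "$1" -verify_return_error >/dev/null 2>&1
}

# Usage: sh install_ca.sh myCA.crt bitwarden.fubar 5443
if [ $# -eq 3 ]; then
  install_system_ca "$1"
  install_nss_ca "$1"
  if check_server "$2" "$3"; then
    echo "chain and hostname verified for $2:$3"
  else
    echo "verification FAILED: wrong CA, or $2 is not in the certificate's SAN" >&2
    exit 1
  fi
fi
```

Restart Chromium, Firefox and the Bitwarden Desktop client after the import; they read the NSS database at start-up.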
When the CA certificate is in the right place, one last thing remains: before you connect, every Bitwarden client must „know” the correct address of the Bitwarden server.
Run the client and click the gear icon:
then put your server address in the four fields:
- Server URL
- Web vault server URL
- API server URL
- Identity server URL
Enter it in the form https://my.ip.address:myport; if your server has IP 10.0.0.1 and port 5443 it should be https://10.0.0.1:5443, as in the image below. If you use a domain name (as I do), replace the IP with the domain, which must be one of the names in the certificate:
Now it is time to create an account; you can do it by pointing the browser at the very same URL as used above: https://10.0.0.1:5443. Once your accounts exist, set SIGNUPS_ALLOWED=false in the bitwarden_rs environment in the compose listing, so that nobody else who can reach the port can register.
Everything is now ready to use.
A few steps to consider:
- store a database backup somewhere outside the Qnap,
- import data from another password manager,
- set up a VPN connection to the Qnap to synchronise the database when you are away from home.
UPDATE:
How to update the Docker images?
- ALWAYS MAKE A BACKUP OF YOUR VAULT!!! Export it as JSON from the Bitwarden client. The export is not encrypted, so keep it on encrypted media and delete it once the update is done.
- go to your Qnap, run File Station and zip the full content of your application data folder:
- stop the application in Container Station and remove it. Go to the Images tab and pull new versions of the images: bitwardenrs/server, bruceforce/bw_backup and nginx:1.15-alpine (a pinned tag like 1.15-alpine only receives rebuilds of that series; to move nginx to a newer release, change the tag in the listing),
- create the application as described at the beginning of this article, but don't run it,
- unzip the content of the previously backed-up data folder (configuration for nginx, ssl, the vault and the vault's backups),
- run the application.
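The same update can be done from the SSH session without deleting and re-creating the application. The script below is an added example (my own, not the article's procedure or a Container Station feature): it archives the data folder with a readable-archive check and tight permissions, then lets docker-compose pull the tags named in the listing and recreate only the containers whose image changed. It assumes docker-compose is on the PATH on the Qnap and that Container Station keeps the listing as docker-compose.yml in the application folder; the backup location is an argument.

```shell
#!/bin/sh
# Added example, not the article's procedure: back up the application data
# folder, then pull newer images and recreate the containers with
# docker-compose. Assumes docker-compose is on PATH on the Qnap and that
# Container Station keeps the listing as docker-compose.yml in the app folder.
set -e

APP_DIR=/share/Container/container-station-data/application/bitwarden

# backup_app_data APPDIR BACKUPDIR -> prints the path of the archive it wrote.
# Archives data/ (nginx config, ssl material, the vault database and the
# bw_backup dumps) plus the compose file, and verifies the archive reads back.
backup_app_data() {
  appdir=$1; backupdir=$2
  mkdir -p "$backupdir"
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$backupdir/bitwarden-data-$stamp.tar.gz"
  files=data
  if [ -f "$appdir/docker-compose.yml" ]; then
    files="$files docker-compose.yml"
  fi
  # -C so the archive holds relative paths and restores into any folder
  tar -czf "$archive" -C "$appdir" $files
  tar -tzf "$archive" >/dev/null    # fails if the archive is truncated
  chmod 600 "$archive"              # it contains the CA key and the vault
  echo "$archive"
}

# update_app APPDIR: pull whatever the tags in docker-compose.yml point to
# and recreate only the containers whose image changed. A pinned tag such
# as nginx:1.15-alpine never moves to a newer minor version; bump the tag
# in the compose file to actually update nginx.
update_app() {
  cd "$1"
  docker-compose pull
  docker-compose up -d
  docker-compose ps
}

# Usage: sh update_bitwarden.sh /share/Backup/bitwarden
if [ $# -eq 1 ]; then
  echo "1) export your vault as JSON from a client first; the export is unencrypted, keep it on encrypted media and delete it afterwards"
  archive=$(backup_app_data "$APP_DIR" "$1")
  echo "2) application data backed up to $archive"
  update_app "$APP_DIR"
fi
```

Copy the archive off the Qnap (the first of the "steps to consider" above) before running the update, so a bad image or a failed migration can be rolled back by restoring data/ and re-running `docker-compose up -d` with the previous tags.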
Related posts:
Hello,
I recently installed Bitwarden_RS. If a user has two-factor authentication enabled, the login fails from the Android app and from the web vault. It is not possible to enter a token. The server time is correct. If the user has only e-mail verification enabled, an e-mail with a code is sent.
My environment:
Bitwarden_RS version: 1.15.0-52ed8e4d
Bitwarden Web version: 2.14.0
Install method: Docker image
Reverse proxy: Apache/2.4.38 (Debian Buster)
Relevant logs:
[2020-06-14 20:04:48][request][INFO] POST /api/accounts/prelogin
[2020-06-14 20:04:48][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-06-14 20:04:48][request][INFO] POST /identity/connect/token
[2020-06-14 20:04:48][error][ERROR] 2FA token not provided
[2020-06-14 20:04:48][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
docker-compose.yml:
Thank you very much!