Vaultwarden 是一个用 Rust 编写的非官方 Bitwarden 服务器实现,兼容 Bitwarden 官方客户端,专为自托管用户设计,适合个人、家庭或小型团队使用。
优势
| 特性 | 描述 |
|---|---|
| 轻量级 | 相比官方服务器资源占用极低,512MB 内存即可运行 |
| 全功能 | 支持 MFA、TOTP、附件上传、组织共享、密码发送等,官方免费版没有的功能它也支持 |
| 跨平台兼容 | 支持 Windows、macOS、Linux、iOS、Android 等客户端 |
| 数据自主掌控 | 自托管部署,数据存储在你自己的服务器上,增强隐私安全 |
| 开源透明 | 基于 AGPL-3.0 协议,代码完全开源 |
项目官网
https://github.com/dani-garcia/vaultwarden
快速运行
docker run -d --name vaultwarden \ -v /data/vw-data/:/data/ \ --restart unless-stopped \ -p 127.0.0.1:33002:80 \ -e WEBSOCKET_ENABLED=true \ -e SIGNUPS_ALLOWED=true \ -e WEB_VAULT_ENABLED=true \ -e ADMIN_TOKEN=`openssl rand -base64 48` \ -e SHOW_PASSWORD_HINT=true \ -e DOMAIN="https://yourdomain.tld" \ vaultwarden/server:1.34.3 # 国内镜像 swr.cn-east-3.myhuaweicloud.com/cncr/docker.io/vaultwarden/server:1.34.3
NGINX配置
upstream bitwarden-default { server 127.0.0.1:8889; }
upstream bitwarden-ws { server 127.0.0.1:8810; }
server {
listen 80;
listen 443 ssl http2;
server_name yourdomain.tld;
ssl_certificate /path/to/cert;
ssl_certificate_key /path/to/key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
if ($scheme = http){
return 301 https://$host$request_uri;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
client_max_body_size 128M;
# reverse proxy
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://bitwarden-default;
}
location /notifications/hub/negotiate {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://bitwarden-default;
}
location /notifications/hub {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://bitwarden-ws;
}
}
访问后台
-
访问
域名+/admin
查看管理员口令
[root@localhost ~]$ docker inspect vaultwarden | grep ADMIN_TOKEN
"ADMIN_TOKEN=JaHlFVdiIYcoY70hDTgxTfsPUZwaGmg17D4fA4d1CIovznYvBPgs2gAwhaZYIV47",
备份
#!/bin/sh
set -e
username=xxx
password=xxx
filename="bitwarden-`date +%F`.tar.gz"
cd /path/to/your/vaultwarden-basedir/
tar czf "${filename}" bw-data/
curl -u "${username}:${password}" -T "${filename}" "https://dav.jianguoyun.com/dav/bitwarden/"
客户端