BitWarden With Traefik
This guide will configure and start a working Docker container running a BitWarden-compatible server. BitWarden is a fully-loaded password management suite that I have used for a few years now. It has browser and phone clients and will auto-fill any password I store in it. It is essentially the paid tier of LastPass, but free and open source. I would encourage you to check out their site for a complete list of the services they offer. Note that the image deployed below, vaultwarden/server, is Vaultwarden (formerly bitwarden_rs): an unofficial Rust re-implementation of the Bitwarden server API that works with the official clients. It is not the official Bitwarden server, so server-side configuration questions belong on Vaultwarden's wiki, while client usage follows BitWarden's documentation. This guide will just get the implementation running and ready for use; any further customization should be checked against those sources for accuracy and instruction.
Make a directory for your BitWarden files, create the docker-compose.yml file in it and paste in the configuration after updating the necessary fields for your installation. The compose file lives in bitwarden/ and mounts the bw-data subdirectory as the server's data directory, so create both and stay in the parent directory:
mkdir -p bitwarden/bw-data; cd bitwarden
vim docker-compose.yml
version: '3.7'
services:
  bitwarden:
    image: "vaultwarden/server:latest"
    container_name: "bitwarden"
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Entry Point for https
      - "traefik.http.routers.bitwarden-secure.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bw.yourdomain`)"
      - "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
      # websocket: only the exact path /notifications/hub goes to port 3012.
      # Path() is an exact match, so /notifications/hub/negotiate stays on port 80.
      - "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-ws.rule=Host(`bw.yourdomain`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
      - "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"
networks:
  proxy:
    external: true
In this file you only need to update the two lines that contain "bw.yourdomain" with your own host name. Two assumptions are baked in: Traefik is attached to an external Docker network named proxy, and its websecure entrypoint already terminates TLS (for example with a certificate resolver configured on the entrypoint), because these labels set no TLS options of their own. No middleware is needed for the websocket router: the service on port 3012 expects the full /notifications/hub path, and the exact-match Path() rule keeps /notifications/hub/negotiate on port 80. I've added a sample docker-compose.yml for reference of what the file should look like once completed:
version: '3.7'
services:
  bitwarden:
    image: "vaultwarden/server:latest"
    container_name: "bitwarden"
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Entry Point for https
      - "traefik.http.routers.bitwarden-secure.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bw.mycooldomain.net`)"
      - "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
      # websocket: only the exact path /notifications/hub goes to port 3012
      - "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-ws.rule=Host(`bw.mycooldomain.net`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
      - "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"
networks:
  proxy:
    external: true
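Label typos are the most common reason a Traefik-fronted container never appears in the dashboard, and Traefik only reports them in its own log. The following is an added example (not code from this page, Traefik or Vaultwarden) that lints a Compose service's labels offline before you run docker-compose up: every router needs a rule and an entrypoint, a router's service must have a loadbalancer.server.port, a referenced middleware must either be defined on the container or carry a provider suffix such as @file, and a label in the shape traefik.http.middlewares.<name>=<value> defines nothing because a middleware label needs a type. It assumes Traefik v2 label semantics; the label set it checks is constructed here from the compose file above, and the hypothetical bad label it catches is the kind that silently breaks the whole service.

```python
"""Lint the Traefik v2 labels of one Compose service before bringing it up."""
import re
from typing import Dict, List, Set

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
SERVICE_PORT_RE = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port$")
MIDDLEWARE_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)(?:\.(.+))?$")


def lint_traefik_labels(labels: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the labels are consistent."""
    routers: Dict[str, Dict[str, str]] = {}
    service_ports: Dict[str, str] = {}
    middlewares: Set[str] = set()
    problems: List[str] = []

    for label in labels:
        key, sep, value = label.partition("=")
        if not sep:
            problems.append(f"{label!r}: label has no value")
            continue
        m = ROUTER_RE.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
            continue
        m = SERVICE_PORT_RE.match(key)
        if m:
            service_ports[m.group(1)] = value
            continue
        m = MIDDLEWARE_RE.match(key)
        if m:
            if m.group(2) is None:
                # e.g. traefik.http.middlewares.foo=bar@file: a definition with no type.
                problems.append(
                    f"{key}: a middleware label needs a type (e.g. .stripprefix.prefixes); "
                    "to attach an existing one use traefik.http.routers.<router>.middlewares=<name>"
                )
            else:
                middlewares.add(m.group(1))

    if "traefik.enable=true" not in labels:
        problems.append("traefik.enable=true is missing; Traefik will ignore this container")

    for name, opts in routers.items():
        for required in ("rule", "entrypoints"):
            if required not in opts:
                problems.append(f"router {name}: .{required} is missing")
        svc = opts.get("service")
        if svc is None and len(service_ports) != 1:
            # Traefik only infers the service when the container defines exactly one.
            problems.append(f"router {name}: .service is missing and {len(service_ports)} services are defined")
        elif svc is not None and svc not in service_ports:
            problems.append(f"router {name}: service {svc} has no loadbalancer.server.port label")
        for mw in opts.get("middlewares", "").split(","):
            mw = mw.strip()
            if mw and "@" not in mw and mw not in middlewares:
                # Names without a provider suffix must be defined on this container.
                problems.append(f"router {name}: middleware {mw} is referenced but never defined")
    return problems


def page_labels(host: str, with_bad_middleware: bool) -> List[str]:
    """The label set from the compose file above, constructed here as test input."""
    labels = [
        "traefik.enable=true",
        "traefik.docker.network=proxy",
        "traefik.http.routers.bitwarden-secure.entrypoints=websecure",
        f"traefik.http.routers.bitwarden-secure.rule=Host(`{host}`)",
        "traefik.http.routers.bitwarden-secure.service=bitwarden-service",
        "traefik.http.services.bitwarden-service.loadbalancer.server.port=80",
        "traefik.http.routers.bitwarden-ws.entrypoints=websecure",
        f"traefik.http.routers.bitwarden-ws.rule=Host(`{host}`) && Path(`/notifications/hub`)",
        "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket",
        "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012",
    ]
    if with_bad_middleware:
        # Hypothetical malformed label: looks plausible, but defines no middleware type.
        labels.insert(8, "traefik.http.middlewares.bitwarden-ws=bw-stripPrefix@file")
    return labels


if __name__ == "__main__":
    for flag in (True, False):
        result = lint_traefik_labels(page_labels("bw.mycooldomain.net", flag))
        print("with bad label:" if flag else "clean:", result or "OK")
```

Run it as a script to see the clean label set pass and the malformed middleware label flagged; to lint your own file, paste the label strings into a list and call lint_traefik_labels on it.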
Run
docker-compose up -d
Give the container a few minutes to pull the image and start before attempting to access your portal. One way to check whether the services have started is to open your Traefik dashboard and watch for the "routers" and "services" counts to go up; another is docker-compose logs -f bitwarden, which prints a "Rocket has launched" line once the web server is listening.
In the meantime, we'll need to make some changes to the config.json file in the bitwarden/bw-data path we just created. Vaultwarden reads this file from its data directory at start-up, and anything set in it overrides the matching environment variable; the admin panel writes the same file when you save settings there, so if it does not exist yet you can create it by hand. Below is the sample configuration for bw.mycooldomain.net. The SMTP fields are left blank for you to fill in (the 587 is only an example value: the STARTTLS port that matches smtp_ssl true with smtp_explicit_tls false), the domain must use https since Traefik terminates TLS in front of the container, and admin_token is filled in in the next step:
{
  "domain": "https://bw.mycooldomain.net",
  "sends_allowed": true,
  "disable_icon_download": false,
  "signups_allowed": true,
  "signups_verify": false,
  "signups_verify_resend_time": 3600,
  "signups_verify_resend_limit": 6,
  "invitations_allowed": true,
  "password_iterations": 100000,
  "show_password_hint": false,
  "admin_token": "",
  "invitation_org_name": "bw.mycooldomain",
  "ip_header": "X-Real-IP",
  "icon_cache_ttl": 2592000,
  "icon_cache_negttl": 259200,
  "icon_download_timeout": 10,
  "icon_blacklist_non_global_ips": true,
  "disable_2fa_remember": false,
  "authenticator_disable_time_drift": false,
  "require_device_email": false,
  "reload_templates": false,
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "disable_admin_token": false,
  "_enable_yubico": true,
  "_enable_duo": false,
  "_enable_smtp": true,
  "smtp_host": "",
  "smtp_ssl": true,
  "smtp_explicit_tls": false,
  "smtp_port": 587,
  "smtp_from": "",
  "smtp_from_name": "",
  "smtp_username": "",
  "smtp_password": "",
  "smtp_auth_mechanism": "",
  "smtp_timeout": 15,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "_enable_email_2fa": true,
  "email_token_size": 6,
  "email_expiration_time": 600,
  "email_attempts_limit": 3
}
Create the admin token
Vaultwarden does not verify htpasswd-style hashes: admin_token is compared as a literal secret unless it is an Argon2 PHC string, so an $apr1$ hash pasted here would simply become the (long and awkward) admin password itself. Generate a proper hash with the tool built into the image; it prompts for the password twice and prints the PHC string:
docker run --rm -it vaultwarden/server /vaultwarden hash
Example
Password: mypassword
Confirm Password: mypassword
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$<salt>$<hash>'
Remember that we only need the $argon2id$... string here, so drop the
ADMIN_TOKEN=
prefix and the surrounding quotes before pasting it as the value of admin_token. Storing the hash rather than the token keeps the admin password out of config.json, the environment and any backup of bw-data. If you set it as an environment variable in docker-compose.yml instead, double every $ as $$ so Compose does not try to interpolate it. On an image too old to have the hash subcommand, use a long random string as the token, for example the output of openssl rand -base64 48, and log in with that same string.
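Because config.json is hand-edited here and overrides the environment, it is worth checking before the restart. The following is an added example, not code from this page or from Vaultwarden, that parses a config.json and flags the settings discussed above: a domain that is not https, open registration, an admin_token that is htpasswd output or a short literal, disable_admin_token, password hints shown on the page, and SMTP that is enabled without a host or with certificate checks turned off. It assumes Vaultwarden 1.28 or newer, where an Argon2 PHC string is the only hashed admin_token form that is verified; the two sample configurations are constructed from the values on this page, and the Argon2 string in the hardened one is a placeholder, not a real hash.

```python
"""Pre-flight audit of a Vaultwarden config.json before the container is (re)started."""
import json
import re
from typing import Dict
from urllib.parse import urlparse

# PHC-format Argon2 string such as "$argon2id$v=19$m=65540,t=3,p=4$<salt>$<hash>".
# Assumption: Vaultwarden 1.28 or newer, where this is the only hashed admin_token
# form that is verified; any other value is compared as a literal secret.
ARGON2_PHC = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)


def audit_config(text: str) -> Dict[str, str]:
    """Return {setting: problem}; an empty dict means nothing was flagged."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Catches things like '"smtp_port": ,' or trailing '#<--change' notes.
        return {"_json": f"not valid JSON: {exc.msg} at line {exc.lineno}"}

    findings: Dict[str, str] = {}

    url = urlparse(str(cfg.get("domain", "")))
    if url.scheme != "https" or not url.netloc:
        findings["domain"] = ("must be the public https:// URL Traefik serves; "
                              "it is embedded in e-mails and used as the WebAuthn origin")

    if cfg.get("signups_allowed", True):
        findings["signups_allowed"] = ("open registration: anyone who can reach the host can "
                                       "create a vault; set false once your own account exists")

    token = str(cfg.get("admin_token", ""))
    if cfg.get("disable_admin_token", False):
        findings["disable_admin_token"] = "/admin is reachable without any credential"
    elif token.startswith("$apr1$") or token.startswith("$2y$"):
        findings["admin_token"] = ("htpasswd output is not verified as a hash here; "
                                   "it would only work as the literal login string")
    elif token and not ARGON2_PHC.match(token) and len(token) < 32:
        findings["admin_token"] = "short literal token; use an Argon2 PHC hash or 32+ random characters"

    if cfg.get("show_password_hint", False):
        findings["show_password_hint"] = ("the hint is returned in the page to anyone who submits "
                                          "an e-mail address when SMTP is not configured")

    if cfg.get("_enable_smtp", False) and not cfg.get("smtp_host"):
        findings["smtp"] = "SMTP is enabled but smtp_host is empty; invitation and 2FA mails will fail"
    if cfg.get("smtp_accept_invalid_certs", False) or cfg.get("smtp_accept_invalid_hostnames", False):
        findings["smtp_tls"] = "SMTP certificate checks are disabled; mail traffic can be intercepted"

    return findings


# Constructed inputs, not taken from a real deployment: the values shown on this page
# made into valid JSON, and a hardened variant. The Argon2 string is a placeholder,
# not a real hash of any password.
PAGE_LIKE_CONFIG = json.dumps({
    "domain": "http://bw.mycooldomain.net",
    "signups_allowed": True,
    "admin_token": "$apr1$bDYpIv27$D8nt54IltqswqV/K5s8g20",
    "show_password_hint": False,
    "disable_admin_token": False,
    "_enable_smtp": True,
    "smtp_host": "",
})

HARDENED_CONFIG = json.dumps({
    "domain": "https://bw.mycooldomain.net",
    "signups_allowed": False,
    "invitations_allowed": True,
    "admin_token": "$argon2id$v=19$m=65540,t=3,p=4$"
                   "c2FsdHNhbHRzYWx0c2FsdA$b1OwF5d9Wmbm8m8U7I2GuB9LjDUxNt9eRQ5gQvIEsJo",
    "show_password_hint": False,
    "disable_admin_token": False,
    "_enable_smtp": True,
    "smtp_host": "smtp.gmail.com",
})


if __name__ == "__main__":
    for name, text in (("page-like", PAGE_LIKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(text) or "OK")
```

To audit your own file, pass the contents of bitwarden/bw-data/config.json to audit_config; signups_allowed will be flagged until you disable it after registering, which is the intended order.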
Save the file and restart BitWarden (docker-compose restart bitwarden), then open https://bw.yourdomain/admin in your browser and log in with the admin password you hashed (or the random token, if you used one). From here, you'll need to add SMTP information so the server can send email invitations as well as confirmations for new account creation; I use Google's SMTP service for my configuration. Once you're through, use the admin panel's test email function to verify that you receive the message. After you have registered your own account in the next step, come back here and set signups_allowed to false (invitations can stay enabled); otherwise anyone who can reach bw.yourdomain can create a vault on your server.
You are now ready to access your BitWarden portal and register for an account! Go to https://bw.yourdomain (without the "/admin") to create your account. Your server will send you a welcome email through the SMTP settings you just configured (with a verification link, if you enabled signups_verify), and you can then log in. If you already have a BitWarden account, you can export your entire password vault and import it here (like I did) to start using your own server instead of BitWarden's public servers. Refer to BitWarden's documentation for instructions on this process (linked above) if you are unsure how to accomplish this.