Merge branch 'master' into rocket-0.4
This commit is contained in:
commit
bdcdb08fc1
4 changed files with 80 additions and 46 deletions
|
@ -39,14 +39,8 @@ RUN apt-get update \
|
||||||
ENV CARGO_HOME "/root/.cargo"
|
ENV CARGO_HOME "/root/.cargo"
|
||||||
ENV USER "root"
|
ENV USER "root"
|
||||||
|
|
||||||
# Creates a dummy project used to grab dependencies
|
|
||||||
RUN USER=root cargo new --bin app
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Copies over *only* your manifests and vendored dependencies
|
|
||||||
COPY ./Cargo.* ./
|
|
||||||
COPY ./rust-toolchain ./rust-toolchain
|
|
||||||
|
|
||||||
# Prepare openssl arm64 libs
|
# Prepare openssl arm64 libs
|
||||||
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
|
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
|
||||||
/etc/apt/sources.list.d/deb-src.list \
|
/etc/apt/sources.list.d/deb-src.list \
|
||||||
|
@ -61,19 +55,12 @@ ENV CROSS_COMPILE="1"
|
||||||
ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
|
ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
|
||||||
ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
|
ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
|
||||||
|
|
||||||
# Builds your dependencies and removes the
|
|
||||||
# dummy project, except the target folder
|
|
||||||
# This folder contains the compiled dependencies
|
|
||||||
RUN rustup target add aarch64-unknown-linux-gnu
|
|
||||||
RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
|
|
||||||
RUN find . -not -path "./target*" -delete
|
|
||||||
|
|
||||||
# Copies the complete project
|
# Copies the complete project
|
||||||
# To avoid copying unneeded files, use .dockerignore
|
# To avoid copying unneeded files, use .dockerignore
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Builds again, this time it'll just be
|
# Build
|
||||||
# your actual source files being built
|
RUN rustup target add aarch64-unknown-linux-gnu
|
||||||
RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
|
RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
|
|
|
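Review bot: `RUN rustup target add aarch64-unknown-linux-gnu` now sits after `COPY . .` in the second hunk, so any change to the source tree invalidates that layer and the target is fetched from the network again on every rebuild; placing it before `COPY . .` (for instance directly after the `ENV OPENSSL_LIB_DIR` line) keeps it cached. With the dummy-project pre-build removed, the same `COPY . .` also forces a full recompile of every dependency, so the replacement comment `# Build` could record that trade-off, e.g. `# Build (dependencies are no longer pre-cached; any source change rebuilds them)`. The same ordering applies to the armv7 section further down, where `RUN rustup target add armv7-unknown-linux-gnueabihf` is likewise moved below `COPY . .`. The unchanged `ENV CARGO_HOME "/root/.cargo"` and `ENV USER "root"` lines use the legacy space-separated form; `ENV USER="root"` is the current syntax if these files are touched again.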
@ -26,27 +26,17 @@ RUN npm run dist \
|
||||||
|
|
||||||
########################## BUILD IMAGE ##########################
|
########################## BUILD IMAGE ##########################
|
||||||
# Musl build image for statically compiled binary
|
# Musl build image for statically compiled binary
|
||||||
FROM clux/muslrust:nightly-2018-08-24 as build
|
FROM clux/muslrust:nightly-2018-11-30 as build
|
||||||
|
|
||||||
# Creates a dummy project used to grab dependencies
|
ENV USER "root"
|
||||||
RUN USER=root cargo init --bin
|
|
||||||
|
|
||||||
# Copies over *only* your manifests and vendored dependencies
|
WORKDIR /app
|
||||||
COPY ./Cargo.* ./
|
|
||||||
COPY ./rust-toolchain ./rust-toolchain
|
|
||||||
|
|
||||||
# Builds your dependencies and removes the
|
|
||||||
# dummy project, except the target folder
|
|
||||||
# This folder contains the compiled dependencies
|
|
||||||
RUN cargo build --release
|
|
||||||
RUN find . -not -path "./target*" -delete
|
|
||||||
|
|
||||||
# Copies the complete project
|
# Copies the complete project
|
||||||
# To avoid copying unneeded files, use .dockerignore
|
# To avoid copying unneeded files, use .dockerignore
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Builds again, this time it'll just be
|
# Build
|
||||||
# your actual source files being built
|
|
||||||
RUN cargo build --release
|
RUN cargo build --release
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
|
@ -75,7 +65,7 @@ EXPOSE 3012
|
||||||
COPY .env .
|
COPY .env .
|
||||||
COPY Rocket.toml .
|
COPY Rocket.toml .
|
||||||
COPY --from=vault /web-vault ./web-vault
|
COPY --from=vault /web-vault ./web-vault
|
||||||
COPY --from=build /volume/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
|
COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
|
||||||
|
|
||||||
# Configures the startup!
|
# Configures the startup!
|
||||||
CMD ./bitwarden_rs
|
CMD ./bitwarden_rs
|
||||||
|
|
|
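Review bot: The added `ENV USER "root"` in the first hunk uses the deprecated space-separated form, and its only consumer visible on the old side, `RUN USER=root cargo init --bin`, is removed in the same hunk; if nothing else reads it, drop the line, otherwise write `ENV USER="root"`. The base-image bump to `clux/muslrust:nightly-2018-11-30` and the `COPY --from=build /app/target/...` path change in the last hunk line up with the new `WORKDIR /app`, which looks consistent. `FROM clux/muslrust:nightly-2018-11-30 as build` would conventionally be written with `AS build`. Outside the changed lines, the runtime stage still runs `COPY .env .` into the final image; worth confirming that file carries no credentials or is excluded via `.dockerignore`, since anything copied there persists in the published layer.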
@ -39,14 +39,8 @@ RUN apt-get update \
|
||||||
ENV CARGO_HOME "/root/.cargo"
|
ENV CARGO_HOME "/root/.cargo"
|
||||||
ENV USER "root"
|
ENV USER "root"
|
||||||
|
|
||||||
# Creates a dummy project used to grab dependencies
|
|
||||||
RUN USER=root cargo new --bin app
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Copies over *only* your manifests and vendored dependencies
|
|
||||||
COPY ./Cargo.* ./
|
|
||||||
COPY ./rust-toolchain ./rust-toolchain
|
|
||||||
|
|
||||||
# Prepare openssl armhf libs
|
# Prepare openssl armhf libs
|
||||||
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
|
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
|
||||||
/etc/apt/sources.list.d/deb-src.list \
|
/etc/apt/sources.list.d/deb-src.list \
|
||||||
|
@ -61,19 +55,12 @@ ENV CROSS_COMPILE="1"
|
||||||
ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
|
ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
|
||||||
ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
|
ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
|
||||||
|
|
||||||
# Builds your dependencies and removes the
|
|
||||||
# dummy project, except the target folder
|
|
||||||
# This folder contains the compiled dependencies
|
|
||||||
RUN rustup target add armv7-unknown-linux-gnueabihf
|
|
||||||
RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
|
|
||||||
RUN find . -not -path "./target*" -delete
|
|
||||||
|
|
||||||
# Copies the complete project
|
# Copies the complete project
|
||||||
# To avoid copying unneeded files, use .dockerignore
|
# To avoid copying unneeded files, use .dockerignore
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Builds again, this time it'll just be
|
# Build
|
||||||
# your actual source files being built
|
RUN rustup target add armv7-unknown-linux-gnueabihf
|
||||||
RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
|
RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
|
||||||
|
|
||||||
######################## RUNTIME IMAGE ########################
|
######################## RUNTIME IMAGE ########################
|
||||||
|
|
70
README.md
70
README.md
|
@ -40,6 +40,11 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
|
||||||
- [Password hint display](#password-hint-display)
|
- [Password hint display](#password-hint-display)
|
||||||
- [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
|
- [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
|
||||||
- [Other configuration](#other-configuration)
|
- [Other configuration](#other-configuration)
|
||||||
|
- [Fail2Ban Setup](#fail2ban-setup)
|
||||||
|
- [Logging Failed Login Attempts to Syslog](#logging-failed-login-attempts-to-syslog)
|
||||||
|
- [Fail2Ban Filter](#fail2ban-filter)
|
||||||
|
- [Fail2Ban Jail](#fail2ban-jail)
|
||||||
|
- [Testing Fail2Ban](#testing-fail2ban)
|
||||||
- [Building your own image](#building-your-own-image)
|
- [Building your own image](#building-your-own-image)
|
||||||
- [Building binary](#building-binary)
|
- [Building binary](#building-binary)
|
||||||
- [Available packages](#available-packages)
|
- [Available packages](#available-packages)
|
||||||
|
@ -416,6 +421,71 @@ Note that you can also change the path where bitwarden_rs looks for static files
|
||||||
|
|
||||||
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
|
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
|
||||||
|
|
||||||
|
### Fail2Ban Setup
|
||||||
|
|
||||||
|
Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
|
||||||
|
|
||||||
|
#### Logging Failed Login Attempts to Syslog
|
||||||
|
|
||||||
|
We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file:
|
||||||
|
```
|
||||||
|
bitwarden:
|
||||||
|
logging:
|
||||||
|
driver: "syslog"
|
||||||
|
options:
|
||||||
|
tag: "$TAG"
|
||||||
|
```
|
||||||
|
With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
|
||||||
|
```
|
||||||
|
$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.
|
||||||
|
```
|
||||||
|
You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
|
||||||
|
|
||||||
|
#### Fail2Ban Filter
|
||||||
|
|
||||||
|
Create the filter file
|
||||||
|
```
|
||||||
|
sudo nano /etc/fail2ban/filter.d/bitwarden.conf
|
||||||
|
```
|
||||||
|
And add the following
|
||||||
|
```
|
||||||
|
[INCLUDES]
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$
|
||||||
|
ignoreregex =
|
||||||
|
```
|
||||||
|
Dont forget to change the '$TAG' to what you set it as from above.
|
||||||
|
|
||||||
|
#### Fail2Ban Jail
|
||||||
|
|
||||||
|
Now we need the jail, create the jail file
|
||||||
|
```
|
||||||
|
sudo nano /etc/fail2ban/jail.d/bitwarden.local
|
||||||
|
```
|
||||||
|
and add:
|
||||||
|
```
|
||||||
|
[bitwarden]
|
||||||
|
enabled = true
|
||||||
|
port = 80,443,8081
|
||||||
|
filter = bitwarden
|
||||||
|
action = iptables-allports[name=bitwarden]
|
||||||
|
logpath = /var/log/syslog
|
||||||
|
maxretry = 3
|
||||||
|
bantime = 14400
|
||||||
|
findtime = 14400
|
||||||
|
```
|
||||||
|
Feel free to change the options as you see fit.
|
||||||
|
|
||||||
|
#### Testing Fail2Ban
|
||||||
|
|
||||||
|
Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
|
||||||
|
If it works correctly and your IP is banned, you can unban the ip by running:
|
||||||
|
```
|
||||||
|
sudo fail2ban-client unban XX.XX.XX.XX bitwarden
|
||||||
|
```
|
||||||
|
|
||||||
## Building your own image
|
## Building your own image
|
||||||
|
|
||||||
Clone the repository, then from the root of the repository run:
|
Clone the repository, then from the root of the repository run:
|
||||||
|
|