Browse Source

atoz v2 (#291)

* atoz readme updated for version 2

* atoz tweaks
pull/299/head
userdocs 4 years ago
committed by GitHub
parent
commit
45c2537741
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 443
      docs/atoz.md

443
docs/atoz.md

@ -1,69 +1,67 @@
### Introduction # Introduction
This is an A to Z guide that will help you get `wetty` up and running on Debian This is an A to Z guide that will help you get WeTTY up and running on a Debian based system. It covers the key configuration areas by using copy and paste commands. This will help you install this application and get it securely up and running with minimal system interference and reversible changes. It should also provide enough information to allow you to understand and extend that configuration for your personal requirements.
Stable. It covers the key configuration areas by using copy and paste commands
to help you install this application and get it securely up and running. It
should also provide enough information to allow you to understand and extend
that configuration for your personal requirements.
### Required dependencies **Note:** Some of these configurations are optional, such as self signed SSL and public key authentication. The purpose of the guide is to show you how to correctly understand, configure, install and use these options should you wish to use them but they are not required to use WeTTY in general.
You will need the package `build-essential` to be installed. We need this ## Required dependencies
specifically for `node-gyp` to build packages when using `npm` or `yarn` to
install packages. `Node` - WeTTY requires node v14 or greater. We will install this locally for a non root user later in the guide.
`python` - This should be installed by default but we will include it in our `apt-get` command to be safe.
`build-essential` - We need this specifically for `node-gyp` to build packages when using `npm` or `yarn` to install packages.
As the `root` user run these commands: As the `root` user run these commands:
```bash ```bash
apt update apt update
apt install -y build-essential apt install -y build-essential python
``` ```
If you do not have root access and just want to check the dependency is If you have no root access and just want to check the dependencies are installed you can use these commands:
installed you can use this command:
```bash ```bash
dpkg -s python | grep Status:
dpkg -s build-essential | grep Status: dpkg -s build-essential | grep Status:
``` ```
If the program is installed you will see this result: If the package is installed you will see this result:
```bash ```bash
Status: install ok installed Status: install ok installed
``` ```
### Create a local user account ## Create a local user account
For this guide, unless specifically stated, you should not use a `root` account For this guide, unless specifically stated, you should not use a `root` account to install and run WeTTY. Please use an existing local account or create one now.
to install and run `wetty`. Please use an existing local account or create one
now.
**Note:** Whichever user runs `wetty` should be the same user you wish to **Note:** Whichever user runs WeTTY should be the same user you wish to authenticate with via `ssh` to keep this guide simple.
authenticate with via `ssh` to keep this simple.
If you need to create a local user account you can run this command: If you need to create a local user account you can run this command:
**Important note:** replace `username` with a user name of your choosing and **Important note:** replace `username` with a user name of your choosing and create a password when prompted
create a password when prompted
```bash ```bash
adduser --gecos "" username adduser --gecos "" username
``` ```
Switch to your local user now and open an `ssh` session to continue with this Switch to your local user now and open an `ssh` session to continue with this guide.
guide.
### Install node locally ## Install node locally
To install and manage `node` as a local user we are going to use To install and manage `node` as a local user we are going to use [Node Version Manager](https://github.com/nvm-sh/nvm). This is an established solution for installing and managing multiple versions of node without needing `root` access. This will allow you to install and use multiple versions of `node` at the same time.
[Node Version Manager](https://github.com/nvm-sh/nvm) as an established solution
to installing and managing multiple versions of node without needing `root` This command will download and install `nvm` and reload our shell.
access. We are going to install the `lts` or long term support release of `node`
to use with this application.
```bash ```bash
bash <(curl -s https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh) && source ~/.profile bash <(curl -s https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh) && source ~/.profile
nvm install --lts ```
This command will install the latest version of the v14 branch, which is the minimum required version for WeTTY.
```bash
nvm install 14
``` ```
You can now call `node` to check it works using this command. You can now call `node` to check it works using this command.
@ -75,29 +73,20 @@ node -v
Your result should look something like this. Your result should look something like this.
```bash ```bash
v12.16.2 v14.14.0
``` ```
**Note:** There is consideration with this method. `node` is only in the local **Note:** There is an important consideration with the `nvm` method. `node` is only in the local user's path through sourcing of the `~/.nvm/nvm.sh` which is done when the user logs in and the shell sources the user's `.bashrc` file. So for some applications who are not aware of this local shell environment `node` will not be usable unless we provide a full path and `nvm` commands will also be unavailable. The way we over come this issue for the needs of this guide is by using this command substitution to provide the full path, where applicable:
user's path through sourcing of the `~/.nvm/nvm.sh` via the users `.bashrc`
file. Unless this is done `node` will not be usable unless directly linked to
and `nvm` commands will be unavailable.
The way we overcome this issue for the needs of this guide is by using this
command where applicable:
```bash ```bash
source ~/.nvm/nvm.sh && nvm which 14 $(source ~/.nvm/nvm.sh && nvm which 14)
``` ```
**Why?** This command will always provide us with the path to the most current **Why?** This command will always provide us with the path to the most current version of `node 14` installed via `nvm` regardless of other versions of `node` installed with `nvm`.
version of `node 12` installed via `nvm` regardless of other versions of `node`
installed.
### Generate openssl certificates. ## Generate OpenSSL certificates
**Why?** So that later we can configure `wetty` to work with `https` and make **Why?** So that later we can configure WeTTY to work with `https` and make sure we interact with WeTTY over a secure connection at all times.
sure we interact with `wetty` over a secure connection at all times.
Make the required directory using this command: Make the required directory using this command:
@ -105,13 +94,12 @@ Make the required directory using this command:
mkdir -p ~/.ssl mkdir -p ~/.ssl
``` ```
Generate the self-signed `openssl` certificates we will use to encrypt our web Generate the self signed `openssl` certificates we will use to encrypt our web traffic when using WeTTY using this command:
traffic when using `wetty` using this command:
**Note:** we are using`ecdsa` using the `secp521r1` curve. **Note:** we are using `ecdsa` using the `secp384r1` curve. Tested to be compatible with Chrome and Firefox browsers.
```bash ```bash
openssl req -x509 -nodes -days 1095 -newkey ec:<(openssl ecparam -name secp521r1) -subj "/C=GB/ST=None/L=None/O=None/OU=None/CN=None" -out ~/.ssl/wetty.crt -keyout ~/.ssl/wetty.key openssl req -x509 -nodes -days 1095 -newkey ec:<(openssl ecparam -name secp384r1) -subj "/C=GB/ST=None/L=None/O=None/OU=None/CN=None" -out ~/.ssl/wetty.crt -keyout ~/.ssl/wetty.key
``` ```
Now give these file and folders the correct permissions using these commands: Now give these file and folders the correct permissions using these commands:
@ -124,10 +112,9 @@ chmod 600 ~/.ssl/wetty.key
This is all we need to do for now in regards to https. This is all we need to do for now in regards to https.
### Generate the ssh key file ## Generate the ssh key file
**Why?** So that later we can set up automatic login via `ssh`. Our instance **Why?** So that later we can set up automatic login via `ssh`. Our instance will authorise using this key file stored locally.
will authorise using this key file stored locally.
Make the required directory, if it does not exist, using this command: Make the required directory, if it does not exist, using this command:
@ -135,16 +122,13 @@ Make the required directory, if it does not exist, using this command:
mkdir -p ~/.ssh mkdir -p ~/.ssh
``` ```
Create the `ssh` private key using `ed25519` that we need to authorise our local Create the `ssh` private key using `ed25519` that we need to authorise our local connection, using this command:
connection, using this command:
```bash ```bash
ssh-keygen -q -C "wetty-keyfile" -t ed25519 -N '' -f ~/.ssh/wetty 2>/dev/null <<< y >/dev/null ssh-keygen -q -C "wetty-keyfile" -t ed25519 -N '' -f ~/.ssh/wetty 2>/dev/null <<< y >/dev/null
``` ```
**Important Note:** You must add the public key to your `authorized_keys` file **Important Note:** You must add the public key to your `authorized_keys` file in order to be able to log in using your `ssh` key file when accessing WeTTY via a web browser.
in order to be able to log in using your `ssh` key file when accessing `wetty`
via a web browser.
Copy the key to our `~/.ssh/authorized_keys` file, using this command: Copy the key to our `~/.ssh/authorized_keys` file, using this command:
@ -160,215 +144,202 @@ chmod 644 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/wetty chmod 600 ~/.ssh/wetty
``` ```
**Optional:** A housekeeping command. If you need to remove all entries of the **Optional:** A housekeeping command. If you need to remove all entries of the WeTTY public key with the comment `wetty-keyfile` from the `~/.ssh/authorized_keys` file use this command. Otherwise ignore this.
`wetty` public key with the comment `wetty-keyfile` from the
`~/.ssh/authorized_keys` file use this command. Otherwise ignore this.
```bash ```bash
sed -r '/^ssh-ed25519(.*)wetty-keyfile$/d' -i ~/.ssh/authorized_keys sed -r '/^ssh-ed25519(.*)wetty-keyfile$/d' -i ~/.ssh/authorized_keys
``` ```
### Install wetty ## Install WeTTY
**Note:** we are using `-g` for `npm` or `global` for `yarn` along with **Note:** we are using `-g` for `npm` or `global` for `yarn` along with `--prefix ~/` so that the application's symbolic link is installed to our `~/bin` directory and available in our local user's `PATH`.
`--prefix ~/` so that the application symbolic link is installed to our `~/bin`
directory and available in our local user's `PATH`.
As your local user run these commands to install `wetty` and `forever`. We will As your local user run these commands:
need `forever` later to run wetty in the background.
First, we need to make sure the local user's `~/bin` folder exists and is in the To make sure the local user's `~/bin` directory exists and is in the `PATH` please run the following command.
`PATH` for the following commands to work.
```bash ```bash
mkdir -p ~/bin && source ~/.profile mkdir -p ~/bin && source ~/.profile
``` ```
Please use either the `npm` or `yarn` method and not both. The `yarn` method is Now use `npm` to install the `yarn` packet manager.
recommended but I provide both as you may have a personal preference. The
outcome is effectively the same.
`npm ` - optional - use `npm` to install wetty
```bash ```bash
npm install -g wetty forever --prefix ~/ npm install -g yarn --prefix ~/
``` ```
`yarn` - recommended - use `yarn` to install wetty Then use `yarn` to install `wetty`.
```bash ```bash
npm install -g yarn --prefix ~/ yarn global add wetty --prefix ~/
yarn global add wetty forever --prefix ~/
``` ```
Once successfully installed the application should be available in your local Once successfully installed the application should be available in your local user's `PATH`. To test the installation was successful please use this command:
user's `PATH`. To test the installation was successful please use this command:
```bash ```bash
wetty -h wetty -h
``` ```
### Accessing the web interface. ## Accessing the web interface via our external IP
This needs to be done here because it is not easy to do in the next steps if If you are using your external IP and not a domain to access WeTTY this step needs to be done here because it is not easy to do in the next steps if WeTTY is running in the terminal.
`wetty` is running in the terminal.
This command will generate the correct URL you need to visit after using the This command will generate the correct URL you need to visit after using the start up commands in the following section.
start up commands in the following section.
```bash ```bash
echo https://$(curl -s4 icanhazip.com):3000 echo https://$(curl -s4 icanhazip.com):3000
``` ```
_Please make make a note of this URL now._ *Please make make a note of this URL now.*
### Running wetty ## Running WeTTY
Now we have all the ground work done we can focus on our `wetty` server Now we have all the ground work done we can focus on our WeTTY server configuration settings.
configuration settings.
For example, the below command would provide a `https` instance with automatic For example, the below command would provide a `https` instance with automatic `ssh` authorisation using our `wetty` private key on port `3000` accessible at `https://IP:3000` .
`ssh` authorisation using our `wetty` private key on port `3000` accessible at
`https://IP:3000` . Refer to the previous URL generation command.
**Important note:** This command will run in your current terminal session and **Important note:** This command will run in your current terminal session and not in the background. The key combination of `CTRL` + `c` will exit the application.
not in the background.
```bash ```bash
wetty --host 0.0.0.0 -p 3000 --title wetty --base / --sshkey ~/.ssh/wetty --sshhost localhost --sshuser $(whoami) --sshport 22 --sshauth publickey --sslkey ~/.ssl/wetty.key --sslcert ~/.ssl/wetty.crt wetty --host 0.0.0.0 -port 3000 --title wetty -base / --ssh-key ~/.ssh/wetty --ssh-host localhost --ssh-user $(whoami) --ssh-port 22 --ssh-auth publickey --ssl-key ~/.ssl/wetty.key --ssl-cert ~/.ssl/wetty.crt
``` ```
#### forever to manage wetty Since you may not need all these settings we will look through what each one does below so that you can decide how to best configure your instance.
Now you can use `forever` we installed to run `wetty` in the background instead ### Environment settings explained
of directly in your terminal
```bash Let's break it down so that we can understand what's being done and why.
forever start ~/bin/wetty --host 0.0.0.0 -p 3000 --title wetty --base / --sshkey ~/.ssh/wetty --sshhost localhost --sshuser $(whoami) --sshport 22 --sshauth publickey --sslkey ~/.ssl/wetty.key --sslcert ~/.ssl/wetty.crt
```
To stop `wetty` from running you can use this command
```bash ```bash
forever stop ~/bin/wetty --host 0.0.0.0 -p 3000 --title wetty --base /
``` ```
#### Optional - config file. `--host 0.0.0.0` - defines the interface we want to bind to. Using `0.0.0.0` means that we bind to all available interfaces so using this setting just works. When we use nginx we can change this to `--host 127.0.0.1` in order to prevent generic port access to the application and force traffic through our nginx reverse proxy URL.
Create a directory to store our configuration data using this command: `-p 3000` - defines the local listening port. You will use this port to connect via the remotely accessible web server or when configuring a reverse proxy through nginx.
```bash `--title wetty` - an optional setting to set the window title for this `wetty` session.
mkdir -p ~/.config/wetty
```
Now populate our `config` file with some settings. This example is the same `--base /` - changes the default base URL setting from `/wetty/` to define the remote URL. We use `--base /` to make `wetty` accessible on the URL format `https://IP:3000` instead of `https://IP:3000/wetty` but we would change this back if we use nginx to reverse proxy the application.
command as above.
```bash ### SSH settings explained
echo -n '{ "server": { "host": "0.0.0.0", "port": 3000, "title": "WeTTy", "base": "/" }, "ssh": {"key": "~/.ssh/wetty", "host": "localhost", "user": "$(whoami)", "port": 22, "auth": "publickey"}, "ssl": { "key": "~/.ssl/wetty.key", "cert": "~/.ssl/wetty.crt"}}' > ~/.config/wetty/config.json
```
This configuration file is now available here for you to manage your settings. These settings are all specific to `ssh` and will enable you to automatically log into you `ssh` session for the selected user.
```bash ```bash
~/.config/wetty/config.json --ssh-key ~/.ssh/wetty --ssh-host localhost --ssh-user $(whoami) --ssh-port 22 --ssh-auth publickey
``` ```
Now we can load this file as part of the command we pass to `wetty` with shell `--ssh-key ~/.ssh/wetty` - we are telling WeTTY to load our `ssh` key file that we generated earlier.
expansion and command substitution.
```bash `--ssh-host localhost` - optional setting telling WeTTY to connect the host `localhost`
wetty --conf ~/.config/wetty/config.json
```
#### forever using a config file `--ssh-user $(whomai)` - defines our `ssh` username. In this case via the command substitution of `whoami` which will not require your input of a username.
Now you can use `forever` to run it in the background instead of directly in `--ssh-port 22` - optional setting to set the `ssh` port we need to connect to.
your terminal
```bash `--ssh-auth publickey` defines the accepted authentication types. You do not have to use the key file and you can instead require a password but setting this to `--sshauth password`. You can specify both `--sshauth publickey,password`
forever start ~/bin/wetty --conf ~/.config/wetty/config.json
```
To stop `wetty` from running you can use this command: `--ssh-config configfile` - (not used for this guide) alternative ssh configuration file. From ssh(1):
```bash > If a configuration file is given on the command line, the system-wide
forever stop ~/bin/wetty > configuration file (/etc/ssh/ssh_config) will be ignored. The default for the
``` > per-user configuration file is ~/.ssh/config.
#### Environment settings explained ### SSL settings explained
Let's break it down so that we can understand what's being done and why. These settings are specific to `openssl` to make WeTTY load https webserver so that all data is transmitted over a secure connection.
```bash ```bash
--host 0.0.0.0 -p 3000 --title wetty --base / --ssl-key ~/.ssl/wetty.key --ssl-cert ~/.ssl/wetty.crt
``` ```
`--host 0.0.0.0` - defines the interface we want to bind to. Using `0.0.0.0` `--ssl-key ~/.ssl/wetty.key` - tells WeTTY to load our `openssl` generated key file.
means that we bind to all available interfaces so using this setting just works.
When we use nginx we can change this to `--host 127.0.0.1` in order to prevent
generic port access to the application and force traffic through our nginx
reverse proxy URL.
`-p 3000` - defines the local listening port. You will use this port to connect `--ssl-cert ~/.ssl/wetty.crt` - tells WeTTY to load our `openssl` generates certificate file.
via the remotely accessible web server or when configuring a reverse proxy
through nginx.
`--title wetty` - an optional setting to set the window title for this `wetty` ### Optional - load settings via a configuration file
session.
`--base /` - changes the default base URL setting from `/wetty/` to define the As of WeTTY v2 there is official support for a configuration file used with the flag `--conf` to specify the location of this file.
remote URL. We use `--base /` to make `wetty` accessible on the URL format
`https://IP:3000` instead of `https://IP:3000/wetty` but we would change this
back if we use nginx to reverse proxy the application.
#### SSH settings explained Create the directory where we will store this configuration file.
These settings are all specific to `ssh` and will enable you to automatically ```bash
log into you ssh session for the selected user. mkdir -p ~/.config/wetty
```
Use `nano` to open a file for editing.
```bash ```bash
--sshkey ~/.ssh/wetty --sshhost localhost --sshuser $(whoami) --sshport 22 --sshauth publickey nano ~/.config/wetty/config.json
``` ```
`--ssh-key ~/.ssh/wetty` - we are telling `wetty` to load our `ssh` key file Here is the template `config.json` you need to use.
that we generated earlier.
`--ssh-host localhost` - optional setting telling `wetty` to connect the host **Note:** All option that you do not want to use can be commented out using `//`. For example `// title: 'Terminal', // Page title` will comment out this line and it will be ignored.
`localhost`
`--ssh-user $(whomai)` - defines our `ssh` username. In this case via the ```json
command substitution of `whoami` which will not require your input of a {
username. ssh: {
user: 'username', // default user to use when ssh-ing
host: 'localhost', // Server to ssh to
auth: 'publickey,password', // shh authentication, method. Defaults to "password", you can use "publickey,password" instead'
pass: "password", // Password to use when sshing
key: "/home/username/.ssh/wetty", // path to an optional client private key, connection will be password-less and insecure!
port: 22, // Port to ssh to
knownHosts: '/dev/null', // ssh knownHosts file to use
},
server: {
base: '/terminal/', // URL base to serve resources from
port: 3000, // Port to listen on
host: '127.0.0.1', // address to listen on
title: 'Terminal', // Page title
bypassHelmet: false, // Disable Helmet security checks
},
`--ssh-port 22` - optional setting to set the `ssh` port we need to connect to. forceSSH: false, // Force sshing to local machine over login if running as root
command: 'login', // Command to run on server. Login will use ssh if connecting to different server
`--ssh-auth publickey` defines the accepted authentication types. You do not ssl:{
have to use the key file and you can instead require a password but setting this key: '/home/username/.ssl/wetty.key',
to `--ssh-auth password`. You can specify both `--ssh-auth publickey,password` cert: '/home/username/.ssl/wetty.crt',
}
`--ssh-config configfile` - alternative ssh configuration file. From ssh(1): }
```
> If a configuration file is given on the command line, the system-wide Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and exit `nano`.
> configuration file (/etc/ssh/ssh_config) will be ignored. The default for the
> per-user configuration file is ~/.ssh/config.
#### SSL settings explained ## System Environment Variables
These settings are specific to `openssl` to make `wetty` load https webserver so **Note:** We will not be using this section to configure WeTTY. We are simply documenting it.
that all data is transmitted over a secure connection.
There are some environment variables you can export that can be used by WeTTY to configure an instance.
```bash ```bash
--ssl-key ~/.ssl/wetty.key --ssl-cert ~/.ssl/wetty.crt BASE
PORT
TITLE
SSHUSER
SSHHOST
SSHAUTH
SSHPASS
SSHKEY
SSHPORT
KNOWNHOSTS
FORCESSH
COMMAND
``` ```
`--ssl-key ~/.ssl/wetty.key` - tells `wetty` to load our `openssl` generated key These can be used in the following way
file.
```bash
export PORT=3000
```
`--ssl-cert ~/.ssl/wetty.crt` - tells `wetty` to load our `openssl` generates There are currently no environment settings for variables not listed above.
certificate file.
### Systemd service settings ## Systemd service settings
We will use a local user `systemd` service file to manage the `wetty` service. We will use a local user `systemd` service file to manage the `wetty` service.
@ -378,42 +349,74 @@ First, create the required directory, if it does not exist.
mkdir -p ~/.config/systemd/user mkdir -p ~/.config/systemd/user
``` ```
#### Systemd service. ### Systemd service
Here is the example using our pseudo configuration file. All modifications to Here is an example template of how to use service file with hardcoded values you can set in the `wetty.service` file with all options enabled.
the start up of `wetty` will be done by editing the `~/.config/Wetty/config`
file and then reloading the ` wetty.service`.
Use `nano` to open the file for editing. Use `nano` to open a file for editing.
```bash
nano ~/.config/systemd/user/wetty.service
```
The copy and paste this code.
**Note:** This is an example service file based on all the options documented and configured so far. You may not want all these option enabled so please remove or modify the `ExecStart` command based on your needs.
```bash
[Unit]
Description=wetty
After=network-online.target
[Service]
Type=simple
ExecStart=/bin/bash -c "$$(source /home/$$(whoami)/.nvm/nvm.sh && nvm which 12) /home/$$(whoami)/bin/wetty --host 0.0.0.0 -p 3000 --title wetty --base / --ssh-key /home/$$(whoami)/.ssh/wetty --ssh-host localhost --ssh-user $$(whoami) --ssh-port 22 --ssh-auth publickey --ssl-key /home/$$(whoami)/.ssl/wetty.key --ssl-cert /home/$$(whoami)/.ssl/wetty.crt"
Restart=always
RestartSec=2
TimeoutStopSec=5
SyslogIdentifier=wetty
[Install]
WantedBy=default.target
``` ```
Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and exit `nano`.
### Optional - Systemd service with config file
Here is the example using our pseudo configuration file. All modifications to the start up of `wetty` will be done by editing the `~/.config/Wetty/config` file and then reloading the ` wetty.service`.
Use `nano` to open the file for editing.
```bash
nano ~/.config/systemd/user/wetty.service nano ~/.config/systemd/user/wetty.service
``` ```
The copy and paste this code. The copy and paste this code.
**Note:** This `ExecStart` assumes the location of your `config.json` to be `~/.config/wetty/config.json`. Please make sure you use the correct location for this file.
```bash ```bash
[Unit] [Unit]
Description=wetty Description=wetty
After=network.target After=network-online.target
[Service] [Service]
Type=simple Type=simple
WorkingDirectory=%h ExecStart=/bin/bash -c "$$(source /home/$$(whoami)/.nvm/nvm.sh && nvm which 14) /home/$$(whoami)/bin/wetty --conf /home/$$(whoami)/.config/wetty/config.json"
ExecStart=/bin/bash -c "$$(source /home/$$(whoami)/.nvm/nvm.sh && nvm which 12) /home/$$(whoami)/bin/wetty --conf /home/$$(whoami)/.config/wetty/config.json"
TimeoutStopSec=20
KillMode=mixed
Restart=always Restart=always
RestartSec=2 RestartSec=2
TimeoutStopSec=5
SyslogIdentifier=wetty
[Install] [Install]
WantedBy=multi-user.target WantedBy=default.target
``` ```
Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and exit `nano`.
exit `nano`.
#### Activating your service ### Activating your service
The you can enable and start your service. The you can enable and start your service.
@ -421,7 +424,7 @@ The you can enable and start your service.
systemctl --user enable --now wetty systemctl --user enable --now wetty
``` ```
#### Managing your services ### Managing your services
These commands will help you manage your service. These commands will help you manage your service.
@ -435,22 +438,19 @@ systemctl --user disable --now wetty
systemctl --user enable --now wetty systemctl --user enable --now wetty
``` ```
### Nginx reverse proxy ## Nginx reverse proxy
If you want to use nginx as a revers proxy here is the configuration file you If you want to use nginx as a reverse proxy here is the configuration file you can use.
can use.
Please modify these specific environment settings: Please modify these specific environment settings:
**Why?** This will disable generic port access to the application and force **Why?** This will disable generic port access to the application and force traffic via the nginx reverse proxy.
traffic via the nginx reverse proxy.
```bash ```bash
--host 127.0.0.1 --host 127.0.0.1
``` ```
**Why?** This change is so that our application does not attempt to load as the **Why?** This change is so that our application does not attempt to load as the web root of `/` for nginx.
web root of `/` for nginx.
```bash ```bash
--base /wetty/ --base /wetty/
@ -458,38 +458,38 @@ web root of `/` for nginx.
Now you can use this nginx configuration file. Now you can use this nginx configuration file.
**Note:** we are using `https` here `https://127.0.0.1:3000/wetty;` because we **Note:** we are using `https` with `https://127.0.0.1:3000/wetty;` because we configured `wetty` to run via `https` using our self signed ssl certificates. If you chose not to run WeTTY with a self signed certificate you should changes this to `http://127.0.0.1:3000/wetty;`
configured `wetty` to run via `https`
The copy and paste this into the `https` server block of your enable server The copy and paste this into the `https` server block of your enable server configuration file.
configuration file.
```nginx ```nginx
location /wetty { location /wetty {
proxy_pass https://127.0.0.1:3000/wetty; proxy_pass https://127.0.0.1:3000/wetty;
#
proxy_pass_request_headers on; proxy_pass_request_headers on;
#
proxy_http_version 1.1;
proxy_set_header Host $host; proxy_set_header Host $host;
#
proxy_http_version 1.1;
#
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-NginX-Proxy true; proxy_set_header X-NginX-Proxy true;
#
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection; proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 43200000; proxy_read_timeout 43200000;
proxy_set_header X-Forwarded-Ssl on;
#
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
} }
``` ```
Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and Press `ctrl` + `x` and then press `y` to save then press `enter` to confirm and exit `nano`
exit `nano`
Now you would need to reload nginx service using this command: Now you would need to reload nginx service using this command:
@ -497,16 +497,27 @@ Now you would need to reload nginx service using this command:
systemctl restart nginx systemctl restart nginx
``` ```
#### Accessing the web interface via nginx ### Accessing the web interface via nginx
Visit the URL format `https://YourIPorDomain/wetty` and you can access WeTTY.
Visit the URL format `https://YourIP/wetty` and you can access `wetty`. This This command will generate the correct URL you need to visit it you are not using a domain.
command will generate the correct URL you need to visit.
```bash ```bash
echo https://$(curl -s4 icanhazip.com)/wetty echo https://$(curl -s4 icanhazip.com)/wetty
``` ```
### Configuration reference ## Protecting your instance of WeTTY
**Disclaimer:** It is not recommended by this guide that you run an instance of WeTTY on your server with no access control in place.
If you chose to not use a password to login in you should protect your instance behind either:
1: [Nginx basic auth](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/)
2: [Authelia](https://github.com/authelia/authelia)
## Configuration reference
`wetty -h` configuration options for reference. `wetty -h` configuration options for reference.
@ -520,7 +531,8 @@ echo https://$(curl -s4 icanhazip.com)/wetty
--ssh-port ssh server port [number] [default: 22] --ssh-port ssh server port [number] [default: 22]
--ssh-user ssh user [string] [default: ""] --ssh-user ssh user [string] [default: ""]
--title window title [string] [default: "WeTTy - The Web Terminal Emulator"] --title window title [string] [default: "WeTTy - The Web Terminal Emulator"]
--ssh-auth defaults to "password", you can use "publickey,password" instead [string] [default: "password"] --ssh-auth defaults to "password", you can use "publickey,password"
instead [string] [default: "password"]
--ssh-pass ssh password [string] --ssh-pass ssh password [string]
--ssh-key path to an optional client private key (connection will be --ssh-key path to an optional client private key (connection will be
password-less and insecure!) [string] password-less and insecure!) [string]
@ -532,5 +544,6 @@ echo https://$(curl -s4 icanhazip.com)/wetty
--port, -p wetty listen port [number] [default: 3000] --port, -p wetty listen port [number] [default: 3000]
--host wetty listen host [string] [default: "0.0.0.0"] --host wetty listen host [string] [default: "0.0.0.0"]
--command, -c command to run in shell [string] [default: "login"] --command, -c command to run in shell [string] [default: "login"]
--allow-iframe Allow wetty to be embedded in an iframe, defaults to allowing same origin [boolean] [default: false] --allow-iframe Allow wetty to be embedded in an iframe, defaults to allowing
same origin [boolean] [default: false]
``` ```
Loading…
Cancel
Save