author Daniel Baumann <daniel.baumann@progress-linux.org> 2022-07-19 10:26:53 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2022-07-19 11:55:51 +0000
commit 116995274c49da63a9e18ec6a85423071e175280
tree fc3f80a704a017dcbc856003b4af944ae1af0f8f
parent Updating to standards version 4.6.1.
Adding apache2 reverse-proxy configuration.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r-- debian/control 2
-rw-r--r-- debian/examples/apache2-authbasic-file.conf 10
-rw-r--r-- debian/examples/apache2-authbasic-ip.conf 8
-rw-r--r-- debian/examples/apache2-authbasic-ldap-group.conf 16
-rw-r--r-- debian/examples/apache2-authbasic-ldap-user.conf 16
-rw-r--r-- debian/local/apache2/ttyd.conf 18
-rw-r--r-- debian/ttyd.README.Debian 59
-rw-r--r-- debian/ttyd.examples 1
-rw-r--r-- debian/ttyd.install 1
9 files changed, 124 insertions, 7 deletions
diff --git a/debian/control b/debian/control
index 4b3ca58..80b1b24 100644
--- a/debian/control
+++ b/debian/control
@@ -20,5 +20,7 @@ Architecture: linux-any
Depends:
${misc:Depends},
${shlibs:Depends},
+Suggests:
+ apache2,
Description: Share your terminal over the web
ttyd is a command-line tool for sharing a terminal over the web.
diff --git a/debian/examples/apache2-authbasic-file.conf b/debian/examples/apache2-authbasic-file.conf
new file mode 100644
index 0000000..5f28cb9
--- /dev/null
+++ b/debian/examples/apache2-authbasic-file.conf
@@ -0,0 +1,10 @@
+# /etc/ttyd/apache2-auth.conf
+
+<IfFile /etc/ttyd/htpasswd>
+ AuthName "ttyd"
+ AuthBasicProvider file
+ AuthType basic
+
+ AuthUserFile /etc/ttyd/htpasswd
+ Require valid-user
+</IfFile>
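Review bot: The `<IfFile /etc/ttyd/htpasswd>` wrapper makes this example fail open: if the password file is missing or gets removed, the whole block including `Require valid-user` is skipped and /ttyd is proxied with no authentication at all. Dropping the `<IfFile>` wrapper would be safer, since with a missing `AuthUserFile` Apache then rejects requests with a server error instead of granting access.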
diff --git a/debian/examples/apache2-authbasic-ip.conf b/debian/examples/apache2-authbasic-ip.conf
new file mode 100644
index 0000000..8507a20
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ip.conf
@@ -0,0 +1,8 @@
+# /etc/ttyd/apache2-auth.conf
+
+Order deny,allow
+Deny from all
+
+Allow from 10.0.0.0/8
+Allow from 172.16.0.0/12
+Allow from 192.168.0.0/16
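Review bot: `Order deny,allow`, `Deny from all` and `Allow from ...` are Apache 2.2 access-control directives that in 2.4 only work through the deprecated mod_access_compat, and they do not combine predictably with the `Require` lines used in the other examples. A single `Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` expresses the same policy in 2.4 syntax. The file name also says "authbasic" although nothing here authenticates a user; it only filters by client address, which is worth stating in the header comment.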
diff --git a/debian/examples/apache2-authbasic-ldap-group.conf b/debian/examples/apache2-authbasic-ldap-group.conf
new file mode 100644
index 0000000..5827794
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-group.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+
+AuthLDAPURL "ldaps://ldap.example.net:636/dc=example,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+
+Require ldap-group cn=foo,ou=security,ou=groups,dc=example,dc=net
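Review bot: `AuthLDAPBindPassword "examplePassword"` puts the bind credential in clear text in a file that the README flow symlinks from the world-readable /usr/share/doc/ttyd/examples. The header comment should say that this example has to be copied to /etc/ttyd/apache2-auth.conf and made readable by root only, or the line could use the `exec:` form of `AuthLDAPBindPassword` so the secret stays out of the configuration. The `AuthLDAP*` directives also need mod_authnz_ldap, which is not in the `a2enmod` list given in ttyd.README.Debian.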
diff --git a/debian/examples/apache2-authbasic-ldap-user.conf b/debian/examples/apache2-authbasic-ldap-user.conf
new file mode 100644
index 0000000..5af7327
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-user.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+
+AuthLDAPURL "ldaps://ldap.example.net:636/dc=example,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+
+Require ldap-user foo bar baz
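Review bot: `AuthLDAPGroupAttribute memberUid` and `AuthLDAPGroupAttributeIsDN off` have no effect here because the only authorization rule is `Require ldap-user foo bar baz`; they look copied from the ldap-group example and can be dropped so the file shows only what a per-user setup needs. The clear-text `AuthLDAPBindPassword` concern from the ldap-group example applies to this file as well.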
diff --git a/debian/local/apache2/ttyd.conf b/debian/local/apache2/ttyd.conf
new file mode 100644
index 0000000..d30fab8
--- /dev/null
+++ b/debian/local/apache2/ttyd.conf
@@ -0,0 +1,18 @@
+# /etc/apache2/conf-available/ttyd.conf
+
+<IfModule mod_proxy.c>
+ ProxyRequests Off
+ ProxyPreserveHost On
+
+ ProxyPass /ttyd/ws ws://localhost:7681/ws
+ ProxyPassReverse /ttyd/ws ws://localhost:7681/ws
+
+ ProxyPass /ttyd/ http://localhost:7681/ keepalive=on
+ ProxyPassReverse /ttyd/ http://localhost:7681/
+
+ <IfFile /etc/ttyd/apache2-auth.conf>
+ <Location /ttyd>
+ Include /etc/ttyd/apache2-auth.conf
+ </Location>
+ </IfFile>
+</IfModule>
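Review bot: The `<IfFile /etc/ttyd/apache2-auth.conf>` guard around the `Include` means that running `a2enconf ttyd` before creating that file exposes the ttyd login prompt on /ttyd to every client that can reach Apache, with no access control. A safer default would be an explicit restrictive rule inside `<Location /ttyd>` when the file is absent (for example `Require local`), so that network access has to be opted into. Separately, `ProxyRequests Off` and `ProxyPreserveHost On` sit at server scope in a conf-available snippet, so `ProxyPreserveHost On` changes behaviour for any other proxied site on the host; consider dropping it, and nothing here restricts /ttyd to TLS virtual hosts even though Basic credentials will pass over it.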
diff --git a/debian/ttyd.README.Debian b/debian/ttyd.README.Debian
index 9af0faa..25281ca 100644
--- a/debian/ttyd.README.Debian
+++ b/debian/ttyd.README.Debian
@@ -1,17 +1,62 @@
ttyd for Debian
===============
- * After installing ttyd it will by default listen on http://localhost:7681
- in multi-user read-write "login"-mode:
+1. Default configuration
+------------------------
- - multi-user means that more than one user can connect at the same time.
+After installing ttyd it will by default listen on http://localhost:7681
+in multi-user read-write "login"-mode:
- - read-write means that anyone connecting to the website can input data.
+ * multi-user means that more than one user can connect at the same time.
- - Login mode means that the user gets a login prompt (like getty) where
- user and password has to be entered.
+ * read-write means that anyone connecting to the website can input data.
- * Edit /etc/default/ttyd and check the ttyd(1) manpage for the exact options.
+ * Login mode means that the user gets a login prompt (like getty) where
+ user and password has to be entered.
+Edit /etc/default/ttyd and check the ttyd(1) manpage for more information
+about available options.
+
+
+2. Reverse proxy
+----------------
+
+To make ttyd accessible on the network, it is advised to hide it behind a
+reverse proxy that does TLS and performs user authentication.
+
+To enable the apache2 proxy configuration, the following modules and
+configuration need to be enabled:
+
+ * sudo a2enmod proxy proxy_http proxy_http2 proxy_wstunnel
+
+ * sudo a2enconf ttyd
+
+ * sudo service apache2 reload
+
+ttyd is then accessible as <http://example.org/ttyd>.
+
+
+3. Apache authentication
+------------------------
+
+The apache reverse-proxy configuration automatically includes
+/etc/ttyd/apache2-auth.conf, if existing, to protect access to '/ttyd'.
+
+There are some examples in /usr/share/doc/ttyd/examples that can be
+used as starting point.
+
+To enable HTTP basic authentication, the following steps can be used:
+
+ * sudo mkdir -p /etc/ttyd
+
+ * sudo ln -s /usr/share/doc/ttyd/examples/apache2-authbasic-file.conf \
+ /etc/ttyd/apache2-auth.conf
+
+ * sudo htpasswd -c -b /etc/ttyd/htpasswd daniel password123
+
+ * sudo service apache2 reload
+
+This will allow the user 'daniel' to access ttyd with the password
+'password123'. Further users can be added, see htpasswd(1).
-- Daniel Baumann <daniel.baumann@progress-linux.org> Sun, 21 Feb 2021 17:19:20 +0100
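Review bot: In section 3, `sudo htpasswd -c -b /etc/ttyd/htpasswd daniel password123` passes the password on the command line, where it ends up in shell history and is visible in the process list; dropping `-b` makes htpasswd prompt for it instead, and the text should note that `-c` overwrites an existing file. Section 2 advises a reverse proxy that does TLS but then gives the URL as `<http://example.org/ttyd>`; with Basic authentication the credentials would cross the network unencrypted, so the example should use https. The `ln -s` step also makes the active configuration depend on a file under /usr/share/doc, which may be absent on systems that exclude documentation; `cp` would be more robust.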
diff --git a/debian/ttyd.examples b/debian/ttyd.examples
new file mode 100644
index 0000000..55b78ae
--- /dev/null
+++ b/debian/ttyd.examples
@@ -0,0 +1 @@
+debian/examples/*
diff --git a/debian/ttyd.install b/debian/ttyd.install
index 70f696a..3182f36 100644
--- a/debian/ttyd.install
+++ b/debian/ttyd.install
@@ -1 +1,2 @@
+debian/local/apache2/* /etc/apache2/conf-available
debian/local/default/* /etc/default