diff options
9 files changed, 124 insertions, 7 deletions
diff --git a/debian/control b/debian/control
index 4b3ca58..80b1b24 100644
--- a/debian/control
+++ b/debian/control
@@ -20,5 +20,7 @@ Architecture: linux-any
+ apache2,
Description: Share your terminal over the web
ttyd is a command-line tool for sharing a terminal over the web.
diff --git a/debian/examples/apache2-authbasic-file.conf b/debian/examples/apache2-authbasic-file.conf
new file mode 100644
index 0000000..5f28cb9
--- /dev/null
+++ b/debian/examples/apache2-authbasic-file.conf
@@ -0,0 +1,10 @@
+# /etc/ttyd/apache2-auth.conf
+<IfFile /etc/ttyd/htpasswd>
+ AuthName "ttyd"
+ AuthBasicProvider file
+ AuthType basic
+ AuthUserFile /etc/ttyd/htpasswd
+ Require valid-user
diff --git a/debian/examples/apache2-authbasic-ip.conf b/debian/examples/apache2-authbasic-ip.conf
new file mode 100644
index 0000000..8507a20
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ip.conf
@@ -0,0 +1,8 @@
+# /etc/ttyd/apache2-auth.conf
+Order deny,allow
+Deny from all
+Allow from
+Allow from
+Allow from
diff --git a/debian/examples/apache2-authbasic-ldap-group.conf b/debian/examples/apache2-authbasic-ldap-group.conf
new file mode 100644
index 0000000..5827794
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-group.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+AuthLDAPURL "ldaps://,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+Require ldap-group cn=foo,ou=security,ou=groups,dc=example,dc=net
diff --git a/debian/examples/apache2-authbasic-ldap-user.conf b/debian/examples/apache2-authbasic-ldap-user.conf
new file mode 100644
index 0000000..5af7327
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-user.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+AuthLDAPURL "ldaps://,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+Require ldap-user foo bar baz
diff --git a/debian/local/apache2/ttyd.conf b/debian/local/apache2/ttyd.conf
new file mode 100644
index 0000000..d30fab8
--- /dev/null
+++ b/debian/local/apache2/ttyd.conf
@@ -0,0 +1,18 @@
+# /etc/apache2/conf-available/ttyd.conf
+<IfModule mod_proxy.c>
+ ProxyRequests Off
+ ProxyPreserveHost On
+ ProxyPass /ttyd/ws ws://localhost:7681/ws
+ ProxyPassReverse /ttyd/ws ws://localhost:7681/ws
+ ProxyPass /ttyd/ http://localhost:7681/ keepalive=on
+ ProxyPassReverse /ttyd/ http://localhost:7681/
+ <IfFile /etc/ttyd/apache2-auth.conf>
+ <Location /ttyd>
+ Include /etc/ttyd/apache2-auth.conf
+ </Location>
+ </IfFile>
diff --git a/debian/ttyd.README.Debian b/debian/ttyd.README.Debian
index 9af0faa..25281ca 100644
--- a/debian/ttyd.README.Debian
+++ b/debian/ttyd.README.Debian
@@ -1,17 +1,62 @@
ttyd for Debian
- * After installing ttyd it will by default listen on http://localhost:7681
- in multi-user read-write "login"-mode:
+1. Default configuration
- - multi-user means that more than one user can connect at the same time.
+After installing ttyd it will by default listen on http://localhost:7681
+in multi-user read-write "login"-mode:
- - read-write means that anyone connecting to the website can input data.
+ * multi-user means that more than one user can connect at the same time.
- - Login mode means that the user gets a login prompt (like getty) where
- user and password has to be entered.
+ * read-write means that anyone connecting to the website can input data.
- * Edit /etc/default/ttyd and check the ttyd(1) manpage for the exact options.
+ * Login mode means that the user gets a login prompt (like getty) where
+ user and password has to be entered.
+Edit /etc/default/ttyd and check the ttyd(1) manpage for more information
+about available options.
+2. Reverse proxy
+To make ttyd accessible on the network, it is advised to hide it behind a
+reverse proxy that does TLS and performs user authentication.
+To enable the apache2 proxy configuration, the following modules and
+configuration need to be enabled:
+ * sudo a2enmod proxy proxy_http proxy_http2 proxy_wstunnel
+ * sudo a2enconf ttyd
+ * sudo service apache2 reload
+ttyd is then accessible as <>.
+3. Apache authentication
+The apache reverse-proxy configuration automatically includes
+/etc/ttyd/apache2-auth.conf, if existing, to protect access to '/ttyd'.
+There are some examples in /usr/share/doc/ttyd/examples that can be
+used as starting point.
+To enable HTTP basic authentication, the following steps can be used:
+ * sudo mkdir -p /etc/ttyd
+ * sudo ln -s /usr/share/doc/ttyd/examples/apache2-authbasic-file.conf \
+ /etc/ttyd/apache2-auth.conf
+ * sudo htpasswd -c -b /etc/ttyd/htpasswd daniel password123
+ * sudo service apache2 reload
+This will allow the user 'daniel' to access ttyd with the password
+'password123'. Further users can be added, see htpasswd(1).
-- Daniel Baumann <> Sun, 21 Feb 2021 17:19:20 +0100
diff --git a/debian/ttyd.examples b/debian/ttyd.examples
new file mode 100644
index 0000000..55b78ae
--- /dev/null
+++ b/debian/ttyd.examples
@@ -0,0 +1 @@
diff --git a/debian/ttyd.install b/debian/ttyd.install
index 70f696a..3182f36 100644
--- a/debian/ttyd.install
+++ b/debian/ttyd.install
@@ -1 +1,2 @@
+debian/local/apache2/* /etc/apache2/conf-available
debian/local/default/* /etc/default