From 116995274c49da63a9e18ec6a85423071e175280 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 19 Jul 2022 12:26:53 +0200 Subject: Adding apache2 reverse-proxy configuration. Signed-off-by: Daniel Baumann --- debian/control | 2 + debian/examples/apache2-authbasic-file.conf | 10 ++++ debian/examples/apache2-authbasic-ip.conf | 8 +++ debian/examples/apache2-authbasic-ldap-group.conf | 16 ++++++ debian/examples/apache2-authbasic-ldap-user.conf | 16 ++++++ debian/local/apache2/ttyd.conf | 18 +++++++ debian/ttyd.README.Debian | 59 ++++++++++++++++++++--- debian/ttyd.examples | 1 + debian/ttyd.install | 1 + 9 files changed, 124 insertions(+), 7 deletions(-) create mode 100644 debian/examples/apache2-authbasic-file.conf create mode 100644 debian/examples/apache2-authbasic-ip.conf create mode 100644 debian/examples/apache2-authbasic-ldap-group.conf create mode 100644 debian/examples/apache2-authbasic-ldap-user.conf create mode 100644 debian/local/apache2/ttyd.conf create mode 100644 debian/ttyd.examples diff --git a/debian/control b/debian/control index 4b3ca58..80b1b24 100644 --- a/debian/control +++ b/debian/control @@ -20,5 +20,7 @@ Architecture: linux-any Depends: ${misc:Depends}, ${shlibs:Depends}, +Suggests: + apache2, Description: Share your terminal over the web ttyd is a command-line tool for sharing a terminal over the web. diff --git a/debian/examples/apache2-authbasic-file.conf b/debian/examples/apache2-authbasic-file.conf new file mode 100644 index 0000000..5f28cb9 --- /dev/null +++ b/debian/examples/apache2-authbasic-file.conf @@ -0,0 +1,10 @@ +# /etc/ttyd/apache2-auth.conf + + + AuthName "ttyd" + AuthBasicProvider file + AuthType basic + + AuthUserFile /etc/ttyd/htpasswd + Require valid-user + diff --git a/debian/examples/apache2-authbasic-ip.conf b/debian/examples/apache2-authbasic-ip.conf new file mode 100644 index 0000000..8507a20 --- /dev/null +++ b/debian/examples/apache2-authbasic-ip.conf 
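Review bot: In debian/examples/apache2-authbasic-file.conf, `AuthType basic` is used with nothing that requires an encrypted connection, so on a plain-HTTP virtual host the user name and password travel base64-encoded with every request. The proxy snippet is enabled with a2enconf, so it presumably applies to every virtual host, including the one on port 80. I would pair the two conditions, e.g. a `<RequireAll>` block holding `Require ssl` and `Require valid-user`, or at least add the comment `# Only use over HTTPS: basic auth sends the password unencrypted.` The two LDAP examples later in this patch have the same gap, and there it is the directory password that is exposed.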
@@ -0,0 +1,8 @@
+# /etc/ttyd/apache2-auth.conf
+
+Order deny,allow
+Deny from all
+
+Allow from 10.0.0.0/8
+Allow from 172.16.0.0/12
+Allow from 192.168.0.0/16
diff --git a/debian/examples/apache2-authbasic-ldap-group.conf b/debian/examples/apache2-authbasic-ldap-group.conf
new file mode 100644
index 0000000..5827794
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-group.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+
+AuthLDAPURL "ldaps://ldap.example.net:636/dc=example,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+
+Require ldap-group cn=foo,ou=security,ou=groups,dc=example,dc=net
diff --git a/debian/examples/apache2-authbasic-ldap-user.conf b/debian/examples/apache2-authbasic-ldap-user.conf
new file mode 100644
index 0000000..5af7327
--- /dev/null
+++ b/debian/examples/apache2-authbasic-ldap-user.conf
@@ -0,0 +1,16 @@
+# /etc/ttyd/apache2-auth.conf
+
+AuthName "ttyd"
+AuthBasicProvider ldap
+AuthType basic
+
+AuthLDAPURL "ldaps://ldap.example.net:636/dc=example,dc=net?uid?sub"
+AuthLDAPBindDN cn=read-only,ou=srv-account,dc=example,dc=net
+AuthLDAPBindPassword "examplePassword"
+
+AuthLDAPRemoteUserAttribute uid
+AuthLDAPRemoteUserIsDN off
+AuthLDAPGroupAttribute memberUid
+AuthLDAPGroupAttributeIsDN off
+
+Require ldap-user foo bar baz
diff --git a/debian/local/apache2/ttyd.conf b/debian/local/apache2/ttyd.conf
new file mode 100644
index 0000000..d30fab8
--- /dev/null
+++ b/debian/local/apache2/ttyd.conf
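Review bot: debian/examples/apache2-authbasic-ip.conf uses the Apache 2.2 directives `Order deny,allow`, `Deny from all` and `Allow from`, which on 2.4 are provided only by mod_access_compat and are documented as deprecated; combining them with the `Require` lines used by the other examples can give surprising results. The 2.4 form is a single line, `Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`. A comment should also say that this variant performs no user authentication despite the authbasic file name, so every host in those ranges reaches the ttyd login prompt.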
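Review bot: `AuthLDAPBindPassword "examplePassword"` in debian/examples/apache2-authbasic-ldap-group.conf, and identically in apache2-authbasic-ldap-user.conf, models a service-account password kept in clear text in a file that will be world-readable once copied to /etc/ttyd/apache2-auth.conf unless the administrator changes its mode. I would add a comment above the directive such as `# Contains a bind password: keep this file owned by root and mode 0600.` mod_authnz_ldap also accepts an `exec:` prefix for this directive, so the example could point at a helper program instead of an inline secret.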
@@ -0,0 +1,18 @@
+# /etc/apache2/conf-available/ttyd.conf
+
+
+ ProxyRequests Off
+ ProxyPreserveHost On
+
+ ProxyPass /ttyd/ws ws://localhost:7681/ws
+ ProxyPassReverse /ttyd/ws ws://localhost:7681/ws
+
+ ProxyPass /ttyd/ http://localhost:7681/ keepalive=on
+ ProxyPassReverse /ttyd/ http://localhost:7681/
+
+
+
+ Include /etc/ttyd/apache2-auth.conf
+
+
+
diff --git a/debian/ttyd.README.Debian b/debian/ttyd.README.Debian
index 9af0faa..25281ca 100644
--- a/debian/ttyd.README.Debian
+++ b/debian/ttyd.README.Debian
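Review bot: Nothing visible in debian/local/apache2/ttyd.conf restricts access when /etc/ttyd/apache2-auth.conf is absent, and the README's order of steps (`a2enconf ttyd` before any auth file exists) leaves the proxied login prompt open to every client that can reach Apache in the meantime. A deny-by-default rule that applies until the administrator supplies an auth file would make a fresh install fail closed; at minimum I would add the comment `# No access control is applied unless /etc/ttyd/apache2-auth.conf exists; create it before running a2enconf ttyd.` The container directives around `Include /etc/ttyd/apache2-auth.conf` are not visible in this rendering, so I cannot tell how a missing file is handled. A bare `Include` of a non-wildcard path that does not exist is a configuration error, and `IncludeOptional` is the directive meant for that case.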
@@ -1,17 +1,62 @@ ttyd for Debian =============== - * After installing ttyd it will by default listen on http://localhost:7681 - in multi-user read-write "login"-mode: +1. Default configuration +------------------------ - - multi-user means that more than one user can connect at the same time. +After installing ttyd it will by default listen on http://localhost:7681 +in multi-user read-write "login"-mode: - - read-write means that anyone connecting to the website can input data. + * multi-user means that more than one user can connect at the same time. - - Login mode means that the user gets a login prompt (like getty) where - user and password has to be entered. + * read-write means that anyone connecting to the website can input data. - * Edit /etc/default/ttyd and check the ttyd(1) manpage for the exact options. + * Login mode means that the user gets a login prompt (like getty) where + user and password has to be entered. +Edit /etc/default/ttyd and check the ttyd(1) manpage for more information +about available options. + + +2. Reverse proxy +---------------- + +To make ttyd accessible on the network, it is advised to hide it behind a +reverse proxy that does TLS and performs user authentication. + +To enable the apache2 proxy configuration, the following modules and +configuration need to be enabled: + + * sudo a2enmod proxy proxy_http proxy_http2 proxy_wstunnel + + * sudo a2enconf ttyd + + * sudo service apache2 reload + +ttyd is then accessible as . + + +3. Apache authentication +------------------------ + +The apache reverse-proxy configuration automatically includes +/etc/ttyd/apache2-auth.conf, if existing, to protect access to '/ttyd'. + +There are some examples in /usr/share/doc/ttyd/examples that can be +used as starting point. 
+ +To enable HTTP basic authentication, the following steps can be used: + + * sudo mkdir -p /etc/ttyd + + * sudo ln -s /usr/share/doc/ttyd/examples/apache2-authbasic-file.conf \ + /etc/ttyd/apache2-auth.conf + + * sudo htpasswd -c -b /etc/ttyd/htpasswd daniel password123 + + * sudo service apache2 reload + +This will allow the user 'daniel' to access ttyd with the password +'password123'. Further users can be added, see htpasswd(1). -- Daniel Baumann Sun, 21 Feb 2021 17:19:20 +0100 diff --git a/debian/ttyd.examples b/debian/ttyd.examples new file mode 100644 index 0000000..55b78ae --- /dev/null +++ b/debian/ttyd.examples @@ -0,0 +1 @@ +debian/examples/* diff --git a/debian/ttyd.install b/debian/ttyd.install index 70f696a..3182f36 100644 --- a/debian/ttyd.install +++ b/debian/ttyd.install @@ -1 +1,2 @@ +debian/local/apache2/* /etc/apache2/conf-available debian/local/default/* /etc/default -- cgit v1.2.3