Support TLS/SSL encryption

2024-09-19 12:36:34 +00:00 · 2015-08-24 16:43:03 +09:00 · 2015-08-24 16:43:03 +09:00 · 7b6911d7dd
commit 7b6911d7dd
parent c56e41b56b
3 changed files with 70 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -55,12 +55,13 @@ By default, gotty starts a web server at port 8080. Open the URL on your web bro
 --credential, -c                                             Credential for Basic Authentication (ex: user:pass) [$GOTTY_CREDENTIAL]
 --random-url, -r                                             Add a random string to the URL [$GOTTY_RANDOM_URL]
 --profile-file, -f "~/.gotty"                                Path to profile file [$GOTTY_PROFILE_FILE]
+--enable-tls, -t                                             Enable TLS/SSL [$GOTTY_ENABLE_TLS]
+--tls-cert "~/.gotty.crt"                                    TLS/SSL cert [$GOTTY_TLS_CERT]
+--tls-key "~/.gotty.key"                                     TLS/SSL key [$GOTTY_TLS_KEY]
 --title-format "GoTTY - {{ .Command }} ({{ .Hostname }})"    Title format of browser window [$GOTTY_TITLE_FORMAT]
 --auto-reconnect "-1"                                        Seconds to automatically reconnect to the server when the connection is closed (default: disabled) [$GOTTY_AUTO_RECONNECT]
 ```

-By default, gotty doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the PTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. Make sure that only trusted clients can connect to your gotty server when you activate this option. If you need interaction with the PTY, consider starting gotty with tmux or GNU Screen and run your main command on it.
-
 ### Profile File

 You can customize your terminal (hterm) by providing a profile file to the `gotty` command, which is a JSON file that has a map of preference keys and values. Gotty loads a profile file at `~/.gotty` by default when it exists.
@ -76,6 +77,18 @@ The following example makes the font size smaller and the background color a lit

 Available preferences are listed in [the hterm source code](https://chromium.googlesource.com/apps/libapps/+/master/hterm/js/hterm_preference_manager.js)

+### Security Options
+
+By default, gotty doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the PTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. When you need interaction with the PTY for some reasons, consider starting gotty with tmux or GNU Screen and run your main command on it (see "Sharing with Multiple Clients" section for detail).
+
+To restrict client access, you can use the `-c` option to enable the basic authentication. With option, clients need to input the specified username and passwords to connect to the gotty server. The `-r` option is a little bit casualer way to restrict access. With this option, gotty generates a random URL so that only people who know the URL can access to the server.
+
+All traffic between servers and clients are NOT encrypted by default. When you send secret information through gotty, we strongly recommend you use the `-t` option which enables TLS/SSL on the session. By default, gotty loads the cert and key files placed at `~/.gotty.cert` and `~/.gotty.key`. You can overwrite these file paths with the `--tls-cert` and `--tls-key` options. When you need to generate a self-sined certification file, you can use the `openssl` command.
+
+```sh
+openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~/.gotty.crt
+```
+
 ## Sharing with Multiple Clients

 Gotty starts a new process when a new client connects to the server. This means users cannot share a single terminal with others by default. However, you can use terminal multiplexers for sharing a single process with multiple clients.
--- a/app/app.go
+++ b/app/app.go
@ -38,12 +38,17 @@ type Options struct {
 	Credential    string
 	RandomUrl     bool
 	ProfileFile   string
+	EnableTLS     bool
+	TLSCert       string
+	TLSKey        string
 	TitleFormat   string
 	AutoReconnect int
 	Command       []string
 }

 const DefaultProfileFilePath = "~/.gotty"
+const DefaultTLSKeyPath = "~/.gotty.key"
+const DefaultTLSCertPath = "~/.gotty.crt"

 func New(options Options) (*App, error) {
 	titleTemplate, err := template.New("title").Parse(options.TitleFormat)
@ -125,33 +130,60 @@ func (app *App) Run() error {

 	siteHandler = wrapLogger(siteHandler)

+	scheme := "http"
+	if app.options.EnableTLS {
+		scheme = "https"
+	}
 	log.Printf(
 		"Server is starting with command: %s",
 		strings.Join(app.options.Command, " "),
 	)
 	if app.options.Address != "" {
 		log.Printf(
-			"URL: %s", (&url.URL{Scheme: "http", Host: endpoint, Path: path + "/"}).String(),
+			"URL: %s",
+			(&url.URL{Scheme: scheme, Host: endpoint, Path: path + "/"}).String(),
 		)
 	} else {
 		for _, address := range listAddresses() {
 			log.Printf(
 				"URL: %s",
 				(&url.URL{
-					Scheme: "http",
+					Scheme: scheme,
 					Host:   net.JoinHostPort(address, app.options.Port),
 					Path:   path + "/",
 				}).String(),
 			)
 		}
 	}
-	if err := http.ListenAndServe(endpoint, siteHandler); err != nil {
+
+	var err error
+	if app.options.EnableTLS {
+		cert, key := app.loadTLSFiles()
+		err = http.ListenAndServeTLS(endpoint, cert, key, siteHandler)
+	} else {
+		err = http.ListenAndServe(endpoint, siteHandler)
+	}
+	if err != nil {
 		return err
 	}

 	return nil
 }

+func (app *App) loadTLSFiles() (cert string, key string) {
+	cert = app.options.TLSCert
+	if app.options.TLSCert == DefaultTLSCertPath {
+		cert = os.Getenv("HOME") + "/.gotty.crt"
+	}
+
+	key = app.options.TLSKey
+	if app.options.TLSKey == DefaultTLSKeyPath {
+		key = os.Getenv("HOME") + "/.gotty.key"
+	}
+
+	return
+}
+
 func (app *App) handleWS(w http.ResponseWriter, r *http.Request) {
 	log.Printf("New client connected: %s", r.RemoteAddr)

--- a/main.go
+++ b/main.go
@ -49,6 +49,23 @@ func main() {
 			Usage:  "Path to profile file",
 			EnvVar: "GOTTY_PROFILE_FILE",
 		},
+		cli.BoolFlag{
+			Name:   "enable-tls, t",
+			Usage:  "Enable TLS/SSL",
+			EnvVar: "GOTTY_ENABLE_TLS",
+		},
+		cli.StringFlag{
+			Name:   "tls-cert",
+			Value:  app.DefaultTLSCertPath,
+			Usage:  "TLS/SSL cert",
+			EnvVar: "GOTTY_TLS_CERT",
+		},
+		cli.StringFlag{
+			Name:   "tls-key",
+			Value:  app.DefaultTLSKeyPath,
+			Usage:  "TLS/SSL key",
+			EnvVar: "GOTTY_TLS_KEY",
+		},
 		cli.StringFlag{
 			Name:   "title-format",
 			Value:  "GoTTY - {{ .Command }} ({{ .Hostname }})",
@ -77,6 +94,9 @@ func main() {
 				c.String("credential"),
 				c.Bool("random-url"),
 				c.String("profile-file"),
+				c.Bool("enable-tls"),
+				c.String("tls-cert"),
+				c.String("tls-key"),
 				c.String("title-format"),
 				c.Int("auto-reconnect"),
 				c.Args(),