From 7b6911d7dd4ce98957db138f28f5c00ac52a80b4 Mon Sep 17 00:00:00 2001 From: Iwasaki Yudai Date: Mon, 24 Aug 2015 16:43:03 +0900 Subject: [PATCH] Support TLS/SSL encryption --- README.md | 17 +++++++++++++++-- app/app.go | 38 +++++++++++++++++++++++++++++++++++--- main.go | 20 ++++++++++++++++++++ 3 files changed, 70 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 998efca..57678fe 100644 --- a/README.md +++ b/README.md @@ -55,12 +55,13 @@ By default, gotty starts a web server at port 8080. Open the URL on your web bro --credential, -c Credential for Basic Authentication (ex: user:pass) [$GOTTY_CREDENTIAL] --random-url, -r Add a random string to the URL [$GOTTY_RANDOM_URL] --profile-file, -f "~/.gotty" Path to profile file [$GOTTY_PROFILE_FILE] +--enable-tls, -t Enable TLS/SSL [$GOTTY_ENABLE_TLS] +--tls-cert "~/.gotty.crt" TLS/SSL cert [$GOTTY_TLS_CERT] +--tls-key "~/.gotty.key" TLS/SSL key [$GOTTY_TLS_KEY] --title-format "GoTTY - {{ .Command }} ({{ .Hostname }})" Title format of browser window [$GOTTY_TITLE_FORMAT] --auto-reconnect "-1" Seconds to automatically reconnect to the server when the connection is closed (default: disabled) [$GOTTY_AUTO_RECONNECT] ``` -By default, gotty doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the PTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. Make sure that only trusted clients can connect to your gotty server when you activate this option. If you need interaction with the PTY, consider starting gotty with tmux or GNU Screen and run your main command on it. - ### Profile File You can customize your terminal (hterm) by providing a profile file to the `gotty` command, which is a JSON file that has a map of preference keys and values. Gotty loads a profile file at `~/.gotty` by default when it exists. @@ -76,6 +77,18 @@ The following example makes the font size smaller and the background color a lit Available preferences are listed in [the hterm source code](https://chromium.googlesource.com/apps/libapps/+/master/hterm/js/hterm_preference_manager.js) +### Security Options + +By default, gotty doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the PTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. When you need interaction with the PTY for some reasons, consider starting gotty with tmux or GNU Screen and run your main command on it (see "Sharing with Multiple Clients" section for detail). + +To restrict client access, you can use the `-c` option to enable the basic authentication. With option, clients need to input the specified username and passwords to connect to the gotty server. The `-r` option is a little bit casualer way to restrict access. With this option, gotty generates a random URL so that only people who know the URL can access to the server. + +All traffic between servers and clients are NOT encrypted by default. When you send secret information through gotty, we strongly recommend you use the `-t` option which enables TLS/SSL on the session. By default, gotty loads the cert and key files placed at `~/.gotty.cert` and `~/.gotty.key`. You can overwrite these file paths with the `--tls-cert` and `--tls-key` options. When you need to generate a self-sined certification file, you can use the `openssl` command. + +```sh +openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~/.gotty.crt +``` + ## Sharing with Multiple Clients Gotty starts a new process when a new client connects to the server. This means users cannot share a single terminal with others by default. However, you can use terminal multiplexers for sharing a single process with multiple clients. diff --git a/app/app.go b/app/app.go index 816133d..660c9ad 100644 --- a/app/app.go +++ b/app/app.go @@ -38,12 +38,17 @@ type Options struct { Credential string RandomUrl bool ProfileFile string + EnableTLS bool + TLSCert string + TLSKey string TitleFormat string AutoReconnect int Command []string } const DefaultProfileFilePath = "~/.gotty" +const DefaultTLSKeyPath = "~/.gotty.key" +const DefaultTLSCertPath = "~/.gotty.crt" func New(options Options) (*App, error) { titleTemplate, err := template.New("title").Parse(options.TitleFormat) @@ -125,33 +130,60 @@ func (app *App) Run() error { siteHandler = wrapLogger(siteHandler) + scheme := "http" + if app.options.EnableTLS { + scheme = "https" + } log.Printf( "Server is starting with command: %s", strings.Join(app.options.Command, " "), ) if app.options.Address != "" { log.Printf( - "URL: %s", (&url.URL{Scheme: "http", Host: endpoint, Path: path + "/"}).String(), + "URL: %s", + (&url.URL{Scheme: scheme, Host: endpoint, Path: path + "/"}).String(), ) } else { for _, address := range listAddresses() { log.Printf( "URL: %s", (&url.URL{ - Scheme: "http", + Scheme: scheme, Host: net.JoinHostPort(address, app.options.Port), Path: path + "/", }).String(), ) } } - if err := http.ListenAndServe(endpoint, siteHandler); err != nil { + + var err error + if app.options.EnableTLS { + cert, key := app.loadTLSFiles() + err = http.ListenAndServeTLS(endpoint, cert, key, siteHandler) + } else { + err = http.ListenAndServe(endpoint, siteHandler) + } + if err != nil { return err } return nil } +func (app *App) loadTLSFiles() (cert string, key string) { + cert = app.options.TLSCert + if app.options.TLSCert == DefaultTLSCertPath { + cert = os.Getenv("HOME") + "/.gotty.crt" + } + + key = app.options.TLSKey + if app.options.TLSKey == DefaultTLSKeyPath { + key = os.Getenv("HOME") + "/.gotty.key" + } + + return +} + func (app *App) handleWS(w http.ResponseWriter, r *http.Request) { log.Printf("New client connected: %s", r.RemoteAddr) diff --git a/main.go b/main.go index 451b141..afa9fd5 100644 --- a/main.go +++ b/main.go @@ -49,6 +49,23 @@ func main() { Usage: "Path to profile file", EnvVar: "GOTTY_PROFILE_FILE", }, + cli.BoolFlag{ + Name: "enable-tls, t", + Usage: "Enable TLS/SSL", + EnvVar: "GOTTY_ENABLE_TLS", + }, + cli.StringFlag{ + Name: "tls-cert", + Value: app.DefaultTLSCertPath, + Usage: "TLS/SSL cert", + EnvVar: "GOTTY_TLS_CERT", + }, + cli.StringFlag{ + Name: "tls-key", + Value: app.DefaultTLSKeyPath, + Usage: "TLS/SSL key", + EnvVar: "GOTTY_TLS_KEY", + }, cli.StringFlag{ Name: "title-format", Value: "GoTTY - {{ .Command }} ({{ .Hostname }})", @@ -77,6 +94,9 @@ func main() { c.String("credential"), c.Bool("random-url"), c.String("profile-file"), + c.Bool("enable-tls"), + c.String("tls-cert"), + c.String("tls-key"), c.String("title-format"), c.Int("auto-reconnect"), c.Args(),