Correct configuration for ShellInABox reverse proxy?

Tim Jacobs
5 February 2013, 01:56
Hi all,

First off thanks for Hiawatha, it's incredible!

Turnkey Linux ships with ShellInABox [code.google.com], a great web based SSH client. Its default design requires a connection directly to a configurable port in order to connect (port 12320 by default). If you want to secure things, the author recommends setting up a reverse proxy and disabling the port from the outside. Now that Hiawatha has reverse proxy support I gave it a shot!

In my hiawatha config, I have:

ReverseProxy ^/shell http://127.0.0.1:12320

I can then connect to mywebserver.com/shell and my shell pops up.

This works, but performance in the shell is quite slow. Don't get me wrong, when I say slow I mean slow in terms of a real-time use like this... maybe 200ms additional wait time between each keypress. It's just that without the reverse proxy in place response time is almost instant.

I'm wondering if I could be doing something better with my regex, and that the server is having to do too much work parsing it? Or maybe I'm doing this the wrong way... Is there a better way to do what I'm trying to do?

Also, how should I be handling the timeout setting in a situation like this? The connection is killed when the ReverseProxy times out. Should I just set a large number? Could I set to 0 (I'm worried that the session would stay open even if I closed it though)?

Thanks in advance!!

Hiawatha version: 8.7
Operating System: Turnkey Linux (Debian)
Hugo Leisink
5 February 2013, 07:41
The main cause is because Hiawatha's reverse proxy doesn't use keep-alive connections. So, for every request, a new connection is made. Keep-alive connections require more complex code. Perhaps in the future Hiawatha will support it.

In my opinion, the author of ShellInABox had better have created his shell daemon as a FastCGI application instead of a webserver. This can easily be done with this library [www.fastcgi.com].

The timeout depends on how much time you expect a command will need. Use that value plus a bit more as the timeout.
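The two effects Hugo describes above, a proxy that reconnects for every request and a proxy timeout that cuts off a slow command, can be made visible on the loopback interface. The following is an added example and is not code from this thread, from Hiawatha or from ShellInABox: the tiny counting HTTP server, its /echo and /slow paths, the 0.5 s "command" delay and the timeouts are all constructed for the demonstration.

```python
"""Added example, not code from this thread, from Hiawatha or from ShellInABox.
(1) counts the TCP connections a client opens when it reconnects per request
versus when it keeps one connection alive; (2) shows a client-side timeout
cutting off a backend response that takes longer than the timeout."""
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class CountingServer(ThreadingHTTPServer):
    """Stand-in for the shell daemon behind the proxy (constructed); counts
    accepted TCP connections so per-request reconnecting becomes visible."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.connections = 0

    def get_request(self):
        sock, addr = super().get_request()   # one accept() per TCP connection
        self.connections += 1
        return sock, addr

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # with Content-Length this honours keep-alive
    slow_delay = 0.5                # seconds; stands in for a long-running command

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(self.slow_delay)
        body = b"ok"
        try:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except (BrokenPipeError, ConnectionResetError):
            pass   # the client (the proxy) already gave up and closed the socket

    def log_message(self, *args):
        pass   # keep the demonstration output clean

def start_server():
    server = CountingServer(("127.0.0.1", 0), Handler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def time_requests(port, requests, keep_alive):
    """keep_alive=False: connect, one request, disconnect, as a proxy without
    keep-alive does; True: one persistent connection for all requests."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    start = time.perf_counter()
    for _ in range(requests):
        conn.request("GET", "/echo")     # reconnects automatically after close()
        conn.getresponse().read()
        if not keep_alive:
            conn.close()
    elapsed = time.perf_counter() - start
    conn.close()
    return elapsed

def compare_connections(requests=20):
    """TCP connection counts and wall time for both strategies."""
    server = start_server()
    port = server.server_address[1]
    t_fresh = time_requests(port, requests, keep_alive=False)
    fresh = server.connections
    t_keep = time_requests(port, requests, keep_alive=True)
    keep = server.connections - fresh
    server.shutdown()
    server.server_close()
    return {"connections_fresh": fresh, "connections_keepalive": keep,
            "seconds_fresh": t_fresh, "seconds_keepalive": t_keep}

def survives_timeout(port, timeout):
    """Models the ReverseProxy timeout: False when the client gives up before
    the backend answers, which is the point where the shell session dies."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/slow")
        conn.getresponse().read()
        return True
    except socket.timeout:
        return False
    finally:
        conn.close()

def demo_timeout():
    """(too-short timeout, timeout that covers the 0.5 s command)"""
    server = start_server()
    port = server.server_address[1]
    result = (survives_timeout(port, 0.1), survives_timeout(port, 2.0))
    server.shutdown()
    server.server_close()
    return result

if __name__ == "__main__":
    r = compare_connections()
    print(f"20 requests: {r['connections_fresh']} vs {r['connections_keepalive']} connections,"
          f" {r['seconds_fresh']:.3f}s vs {r['seconds_keepalive']:.3f}s")
    print("0.5 s command with 0.1 s / 2 s timeout survives:", demo_timeout())
```

The connection counts are what matter: twenty requests cost twenty TCP handshakes without keep-alive and one with it, and on a real network each extra handshake is a round trip the user feels on every keypress. The second half shows why the timeout has to be longer than the slowest command the shell is expected to run: the 0.1 s client gives up while the backend is still working, exactly the "connection is killed" behaviour from the original question.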
Tim Jacobs
5 February 2013, 16:20
Thanks Hugo!

I agree that the current shellinabox implementation is kind of strange, and not really usable in a production environment... I can't just leave a port open with direct ssh access on it. I think I'll look for a different web shell; if I can find a Java-based ssh client that would do the trick! I could just serve it up from an internal page.
Hugo Leisink
5 February 2013, 21:56
> I can't just leave a port open with direct ssh access on it.

Why not? Just use a strong password and limit the access to that port via your firewall.
This topic has been closed.