guanglinlv / shellinabox

Automatically exported from code.google.com/p/shellinabox
Other
0 stars 0 forks source link

SSL doesn't work on Ubuntu 10.10 #85

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. Download shellinabox from SVN (r212).
2. Create package using dpkg-buildpackage, and install the package.
3. Configure Nginx to proxy default site to http://localhost:4200

What is the expected output? What do you see instead?
shellinabox should appear in the browser window.

Instead, Firefox reports "Unable to connect".

I added ""--debug" to the command-line options in /etc/defaults/shellinabox, 
then found I had to remove the "-q" option from /etc/init.d/shellinabox as it 
complained they were mutually exclusive (isn't there some way of making one 
particular setting override the other?).

Anyhow, on the detailed debug output, I get:

 * Starting Shell In A Box Daemon shellinabox
Command line: /usr/bin/shellinaboxd --background=/var/run/shellinaboxd.pid -c 
/var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on 
White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On 
Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color 
Terminal:+/etc/shellinabox/options-enabled/01+Color 
Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css 
--no-beep --debug
   ...done.
Listening on port 4200
victorhooi@DBSYDWS0284:/etc$ Accepted connection from localhost:53681
Handling "GET" "/"
Compressed response from 4883 to 2099
localhost - - [19/Aug/2010:09:52:29 +1000] "GET / HTTP/1.0" 200 2192
Closing connection to localhost:53681
Accepted connection from localhost:53682
Handling "GET" "/styles.css"
Compressed response from 3199 to 851
localhost - - [19/Aug/2010:09:52:29 +1000] "GET /styles.css HTTP/1.0" 200 982
Closing connection to localhost:53682
Accepted connection from localhost:53683
Handling "GET" "/ShellInABox.js"
Compressed response from 169881 to 38624
localhost - - [19/Aug/2010:09:52:29 +1000] "GET /ShellInABox.js HTTP/1.0" 200 
38739
Closing connection to localhost:53683

I then found that if I add "-t" to the commandline options in 
/etc/default/shellinabox, the site now works. So I'm assuming this is something 
to do with the SSL setup on the default Debian package?

I also tried changing the Nginx config to proxy to the https site:

proxy_pass https://127.0.0.1:4200/;

but still no luck there, unfortunately.

What version of the product are you using? On what operating system?

SVN r212, running on Ubuntu 10.10.

Proxying through Nginx 0.8.49 (from https://launchpad.net/~jdub/+archive/ppa).

Please provide any additional information below.

Original issue reported on code.google.com by victorh...@gmail.com on 18 Aug 2010 at 2:30

GoogleCodeExporter commented 8 years ago
This is most likely behavior as intended. If you decide to use a reverse proxy 
in front of ShellInABox, it is your responsibility to configure the proxy to do 
the SSL encoding.

The whole point of a proxy is that it can see the plain text communication and 
make changes to it (e.g. rewrite URLs, cache content, ...). So, while the 
communication between the browser and the proxy might be encrypted, the 
communication between the proxy and the web server (i.e. ShellInABox) has to be 
plain text for the proxy to do its job.

Original comment by zod...@gmail.com on 18 Aug 2010 at 4:18

GoogleCodeExporter commented 8 years ago
heya,

Aha, aweseome, thanks for the very quick reply =). It's so awesome to see an 
author who responds so quickly on his project.

Ok, so fair enough - if it's a setup thing, you wouldn't happen to know what I 
have to do to get Nginx to work with Shellinabox? Or any pointers on what sort 
of things I should look for?

And I'm guessing if I add "-t" and disable SSL like that - over the internet, 
that's completely insecure right? And all my keystrokes are sent in the clear?

Thanks,
Victor

Original comment by victorh...@gmail.com on 18 Aug 2010 at 9:04

GoogleCodeExporter commented 8 years ago
For nginx, something like this should work:

server {
  location / {
    proxy_pass http://localhost:4200;
  }
}

server {
  listen 443;
  ssl on;
  ssl_certificate /var/lib/shellinabox/certificate.pem;
  ssl_certificate_key /var/lib/shellinabox/certificate.pem;
  location / {
    proxy_pass http://localhost:4200;
  }
}

If you decide to run the service at a different relative URL, you have to edit 
1) the "location" in the nginx configuration file, and 2) pass a suitable 
"-s/...:LOGIN" option to shellinaboxd. On Debian, you can probably do the 
latter by editing /etc/default/shellinabox.

In general, when using a reverse proxy, you should probably also set the 
--localhost-only option.

You do _not_ want to give the --disable-ssl option. While you do not want 
ShellInABox to do the SSL encryption, you still want it to automatically change 
URLs to the https URL.

Original comment by zod...@gmail.com on 18 Aug 2010 at 10:02