paradoxxxzero / butterfly

A web terminal based on websocket and tornado
http://paradoxxxzero.github.io/2014/02/28/butterfly.html

Launch butterfly server with nginx (reverse proxy conf) #156

Open SuperB69 opened 6 years ago

SuperB69 commented 6 years ago

Hi all,

we can read the wiki to launch butterfly.server.py on a server with nginx conf. But the butterfly service will be launched in --unsecure. The only security is the .htpasswd, but I have this message: "/!\ This session is UNSECURE everyone can access you terminal at: [URL_HERE]"

My question is: how to launch the butterfly server in secure mode with nginx conf?

nano /etc/systemd/system/butterfly.service at line:

ExecStart=/var/www/rmarron/www/subdomains/butterfly/venv/bin/butterfly.server.py --unsecure --host=127.0.0.1 --login=true

If I delete the --unsecure param, the server is inaccessible.

Thx for your help.

osmarks commented 6 years ago

There's some parameter like --i-hereby-declare-i-want-no-security-whatsoever.

SuperB69 commented 6 years ago

Yes, but it's only to hide the warning message. But finally it's not secure. If I follow the link for the session, I have access to the session. The only security is the htpasswd (and it's not enough).

Resume: htpasswd password + link = total control on the terminal and it's bad.

paradoxxxzero commented 6 years ago

butterfly in secure mode (default) relies on client certificate authentication (by user) and handles ssl for you. If you decide to let nginx handle the ssl part you have to run butterfly in unsecure mode (http and no authentication) and yes, it's unsecure.

Maybe there's a way to proxy ssl client auth with nginx, I don't know, but I'll merge any good PR that fixes this problem and welcome any edits in the wiki that offer a more secure way to use butterfly (which btw has not been made for that) as an ssh server.

#153 should probably also be fixed.
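As an added example (not from the project or any participant in this thread), here is an nginx reverse-proxy configuration that moves the authentication butterfly itself gives up in --unsecure mode back in front of it: nginx terminates TLS, requires a client certificate (ssl_verify_client), adds the htpasswd prompt, and forwards the websocket to a butterfly bound to 127.0.0.1 only, so the session link alone grants nothing. The certificate paths, the CA bundle and the server name are assumptions; port 57575 and --host=127.0.0.1 are the values shown in this thread.

```nginx
# Assumed example: nginx in front of
#   butterfly.server.py --unsecure --host=127.0.0.1 --login=true
# butterfly never listens on a public interface; only nginx can reach it.

server {
    listen 443 ssl;
    server_name butterfly.example.org;            # assumption

    # Server-side TLS (paths are assumptions)
    ssl_certificate     /etc/nginx/tls/butterfly.crt;
    ssl_certificate_key /etc/nginx/tls/butterfly.key;

    # Client-certificate authentication, replacing what butterfly's
    # secure mode would otherwise do itself. A request without a
    # certificate signed by this CA is rejected before it reaches
    # butterfly (a bare session link is therefore useless).
    ssl_client_certificate /etc/nginx/tls/butterfly-client-ca.crt;  # assumption
    ssl_verify_client on;

    location / {
        # Second factor: the htpasswd already used in this thread.
        auth_basic           "butterfly";
        auth_basic_user_file /etc/nginx/.htpasswd;   # assumption

        # Only the loopback listener started by the systemd unit.
        proxy_pass http://127.0.0.1:57575;

        # Required for the websocket upgrade butterfly uses.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # Interactive terminal: do not let idle websockets drop too early.
        proxy_read_timeout 3600s;
    }
}

# Refuse plain HTTP entirely rather than redirecting and leaking the path.
server {
    listen 80;
    server_name butterfly.example.org;            # assumption
    return 444;
}
```

Note that butterfly itself still sees an unauthenticated http connection from 127.0.0.1, so anything else running on that host can reach the terminal; this only covers the network side that the --unsecure warning is about.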

brtgh commented 4 years ago

If you decide to let nginx handle the ssl part you have to run butterfly in unsecure mode (http and no authentication) and yes it's unsecure.

In my case it's apache instead of nginx.

But why is it considered less secure if apache (or nginx) handles the ssl part? In the end it's encrypted right?

Working Apache config by kg4iae: https://github.com/paradoxxxzero/butterfly/issues/165

And here how I start butterfly behind Apache:

butterfly.server.py --unsecure --login --i-hereby-declare-i-dont-want-any-security-whatsoever

[W 191125 23:55:45 butterfly.server:384] Butterfly is ready, open your browser to: http://localhost:57575/

For the 'sharing session' feature, is it possible to disable that (apart from just changing the motd cosmetically)? Doesn't it imply a dangerous way of being compromised?