Open SuperB69 opened 6 years ago
There's some parameter like --i-hereby-declare-i-want-no-security-whatsoever.
Yes, but it's only to hide the warning message. In the end it's not secure. If I follow the link for the session, I have access to the session. The only security is the htpasswd (and it's not enough).
Summary: htpasswd password + link = total control of the terminal, and that's bad.
Butterfly in secure mode (default) relies on client certificate authentication (by user) and handles SSL for you. If you decide to let nginx handle the SSL part you have to run butterfly in unsecure mode (http and no authentication) and yes it's unsecure.
Maybe there's a way to proxy SSL client auth with nginx, I don't know, but I'll merge any good PR that fixes this problem and welcome any edits in the wiki that offer a more secure way to use butterfly (which btw has not been made for that) as an ssh server.
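One way to have nginx require client certificates in front of butterfly, as an added example that is not part of the original thread or the butterfly project. The server name, certificate paths and CA file are placeholders, and butterfly is assumed to be started with --unsecure --host=127.0.0.1 as elsewhere in this thread:

```nginx
# Added example. server_name and all file paths are placeholders (assumptions);
# 57575 is the port shown in the butterfly log line in this thread.
server {
    listen 443 ssl;
    server_name butterfly.example.org;                  # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;      # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;      # placeholder

    # Setup described in the thread: a shared password is the only gate.
    # auth_basic           "butterfly";
    # auth_basic_user_file /etc/nginx/.htpasswd;

    # Stronger gate: the TLS handshake must present a certificate
    # signed by a CA you control, one certificate per user.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # butterfly listens on loopback only, in unsecure (plain http) mode
        proxy_pass         http://127.0.0.1:57575;

        # WebSocket upgrade headers, needed by a browser terminal
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host       $host;
        proxy_read_timeout 1h;
    }
}
```

With `ssl_verify_client on`, nginx rejects requests that present no certificate signed by that CA before anything reaches butterfly. The backend on 127.0.0.1:57575 itself stays unauthenticated, so local processes on the host can still connect to it directly.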
If you decide to let nginx handle the ssl part you have to run butterfly in unsecure mode (http and no authentication) and yes it's unsecure.
In my case it's Apache instead of nginx.
But why is it considered less secure if Apache (or nginx) handles the SSL part? In the end it's encrypted, right?
Working Apache config by kg4iae: https://github.com/paradoxxxzero/butterfly/issues/165
And here is how I start butterfly behind Apache:
[W 191125 23:55:45 butterfly.server:384] Butterfly is ready, open your browser to: http://localhost:57575/
For the 'sharing session' feature, is it possible to disable that (apart from just changing the motd cosmetically)? Doesn't it imply a dangerous way of being compromised?
Hi all,
We can read the wiki to launch butterfly.server.py on a server with nginx conf. But the butterfly service will be launched with --unsecure. The only security is the .htpasswd, but I have this message: "/!\ This session is UNSECURE everyone can access you terminal at: [URL_HERE]" My question is: how to launch the butterfly server in secure mode with nginx conf?
nano /etc/systemd/system/butterfly.service
at line: ExecStart=/var/www/rmarron/www/subdomains/butterfly/venv/bin/butterfly.server.py --unsecure --host=127.0.0.1 --login=true
If I delete the --unsecure param, the server is inaccessible. Thx for your help.