Suggestion: use a reverse proxy for apps

suggestion

#1

I don't use additional software on mine, but I've been looking at how to handle shell-in-a-box since it's now an app.

I see that with the apps like CouchPotato it's http://host:5050/ …a la the default port for CP.

I see a few issues with this.

  1. It's insecure.
  2. How to handle services for multiple users.

A better option would be to set up the applications to only respond to 'localhost:5050' in the case of CouchPotato and then use a reverse proxy so that https://host/couchpotato would connect to CouchPotato. I know I've talked about it before and that works for single-user systems, but what about using the same format as the downloads section: https://host/user.rtorrent.downloads/, so it would be https://host/user.couchpotato/? This would solve the shell-in-a-box issue as well.

This would allow easy swapping out of the certs for Let's Encrypt or other legit certs, since they would be used by the main webserver.


#2

You can do that with Apache.

On my server I have 5 links at the moment:

  • domain.tld (dashboard)
  • rutorrent.domain.tld (rtorrent)
  • plex.domain.tld (plex)
  • sickrage.domain.tld (sickrage)
  • term.domain.tld (shell in a box)

All secured with Let's Encrypt.

The most complicated part is changing the link in panel.menu.php :wink:
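An added example of the setup described in #1 and #2 (not from this thread or from QuickBox's own config): an Apache 2.4 vhost that terminates TLS with a Let's Encrypt certificate and reverse-proxies per-user paths to apps that listen only on localhost. The hostname, ports, the user "jim" and the htpasswd path are assumptions.

```apache
# Added example, not QuickBox's own config. Assumes CouchPotato bound to
# 127.0.0.1:5050, shellinaboxd started with --disable-ssl on 127.0.0.1:4224,
# a panel user "jim", and certbot-issued certs under /etc/letsencrypt/live.
# Needs mod_ssl, mod_proxy and mod_proxy_http.

<VirtualHost *:80>
    ServerName host.example
    # Plain HTTP only redirects; the app ports themselves are never exposed.
    Redirect permanent / https://host.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName host.example
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/host.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/host.example/privkey.pem

    # https://host.example/jim.couchpotato/ -> CouchPotato (post #1 layout).
    # Auth is per path, so each user only reaches their own instances.
    # ProxyPassReverse rewrites the app's redirects back under this prefix.
    <Location "/jim.couchpotato/">
        AuthType Basic
        AuthName "QuickBox"
        AuthUserFile /etc/htpasswd/.htpasswd
        Require user jim
        ProxyPass        "http://127.0.0.1:5050/"
        ProxyPassReverse "http://127.0.0.1:5050/"
    </Location>

    # https://host.example/jim.console/ -> shellinabox (post #7 layout).
    # TLS ends here, which is why the daemon can run with --disable-ssl.
    <Location "/jim.console/">
        AuthType Basic
        AuthName "QuickBox"
        AuthUserFile /etc/htpasswd/.htpasswd
        Require user jim
        ProxyPass        "http://127.0.0.1:4224/"
        ProxyPassReverse "http://127.0.0.1:4224/"
    </Location>
</VirtualHost>
```

Apps served under a sub-path need to know their prefix for their own links to work (CouchPotato has a url_base setting for this); for the per-app subdomain layout in #2, the same Location block goes into a vhost with ServerName sickrage.domain.tld and a ProxyPass for / instead.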


#3

@tomcdj71
you should write up a wiki, I know many would love to learn :smiley:


#4

I’ll try this week :wink:


#5

Yeah, I know it can be done in Apache. I was looking for it to be done in the actual code so that it remains through updates or if they move to nginx.


#6

I'm also highly interested in how you did it with 'Let's Encrypt' :slight_smile:


#7

@RXWatcher, within the developer branch I have the reverse setup for a user-based link, i.e. username.console, much like how it was with the first iteration. Now the port is inaccessible from HTTP and it should accept the user's own SSL certificates for access, as I disabled the default .pem that is created for shellinabox.

Beta Squad members can view it here:


#8

Ok, I'm on the 2.4.2 dev branch on one of my boxes and it looks like there is something amiss with the starting of shell-in-a-box. It won't start and I don't see any service for it.

I see the alias for it in aliases-seedbox.conf and I have the link on the side for it, but in the services it's enabled and yet the service will not start:

[[email protected]]:(0b)~$ systemctl list-units | grep jim
[email protected]                                                                    loaded active running   Deluge Bittorrent Client    Web Interface
[email protected]                                                                       loaded active running   Deluge Bittorrent Client Daemon
[email protected]                                                                         loaded active running   AutoDL IRSSI
[email protected]                                                                      loaded active running   rTorrent

[[email protected]]:(0b)~$ systemctl list-units | grep shell
[[email protected]]:(0b)~$

#9

That alias needs to be removed actually. Do you see a jim.console.conf in your sites available?

Also, can you attempt to start the service? systemctl start shellinabox.service


#10

Ok…so it's the panel causing the issues. The service starts automatically on reboot (I've rebooted several times to validate). The panel will kill it, but then it still thinks it's enabled and running. No way to start it from the panel. All attempts to disable and enable fail.

sb2:~# systemctl status shellinabox.service
● shellinabox.service - Serve a login-terminal over http on  port 4224.
   Loaded: loaded (/etc/systemd/system/shellinabox.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-07-13 12:11:29 CDT; 9s ago
  Process: 890 ExecStart=/usr/bin/shellinaboxd -q --disable-ssl -background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4224 -u shellinabox -g shellinabox --user-css Normal:+/etc/shellinabox/op
 Main PID: 910 (shellinaboxd)
   CGroup: /system.slice/shellinabox.service
           ├─910 /usr/bin/shellinaboxd -q --disable-ssl -background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4224 -u shellinabox -g shellinabox --user-css Normal:+/etc/shellinabox/options-en
           └─911 /usr/bin/shellinaboxd -q --disable-ssl -background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4224 -u shellinabox -g shellinabox --user-css Normal:+/etc/shellinabox/options-en

Disabling the service will kill the shellinabox but the service status in the panel still states enabled.

Service is dead:

b2:~# systemctl status shellinabox.service
● shellinabox.service - Serve a login-terminal over http on  port 4224.
   Loaded: loaded (/etc/systemd/system/shellinabox.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2016-07-13 12:17:34 CDT; 2min 20s ago
  Process: 890 ExecStart=/usr/bin/shellinaboxd -q --disable-ssl -background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4224 -u shellinabox -g shellinabox --user-css Normal:+/etc/shellinabox/op
 Main PID: 910 (code=exited, status=0/SUCCESS)

Jul 13 12:11:28 sb2 systemd[1]: Starting Serve a login-terminal over http on  port 4224....
Jul 13 12:11:29 sb2 systemd[1]: Started Serve a login-terminal over http on  port 4224..
Jul 13 12:15:17 sb2 login[2710]: pam_unix(login:session): session opened for user jim by SHELLINABOX(uid=0)

Web link on the side is still there and produces:
Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Open the console up in a different window and it says the service is active and enabled:

systemctl still says it's dead.
    b2:~# systemctl status shellinabox.service
    ● shellinabox.service - Serve a login-terminal over http on  port 4224.
       Loaded: loaded (/etc/systemd/system/shellinabox.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Wed 2016-07-13 12:17:34 CDT; 6min ago
      Process: 890 ExecStart=/usr/bin/shellinaboxd -q --disable-ssl -background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4224 -u shellinabox -g shellinabox --user-css Normal:+/etc/shellinabox/op
     Main PID: 910 (code=exited, status=0/SUCCESS)

Jul 13 12:11:28 sb2 systemd[1]: Starting Serve a login-terminal over http on  port 4224....
Jul 13 12:11:29 sb2 systemd[1]: Started Serve a login-terminal over http on  port 4224..
Jul 13 12:15:17 sb2 login[2710]: pam_unix(login:session): session opened for user jim by SHELLINABOX(uid=0)

Oh, I should add that shellinabox does work on reboot and the link does work. I can SSH in on Chrome and my certs are valid, etc.


#11

Interesting as I actually resolved this on the Stable Branch. I am wondering if this never got ported over, but it should.

<?php
/* Fragment of the panel's service-control switch. $action and $username are
   set by the surrounding panel code (assumed here; not shown in the post). */

/* Map a requested service name to the systemd unit it controls. btsync and
   shellinabox are system-wide units; anything else is a per-user template
   instance, reconstructed here as $process@$username (the post's text was
   garbled at that point). Returns null unless both parts are plain unit-name
   characters, so raw $_GET input never reaches the sudo command line
   (interpolating it directly would be command injection). */
function unit_for($param, $username) {
    $process = isset($_GET[$param]) ? $_GET[$param] : '';
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $process) ||
        !preg_match('/^[A-Za-z0-9_-]+$/', $username)) {
        return null;
    }
    if ($process == "btsync" || $process == "shellinabox") {
        return $process;
    }
    return "$process@$username";
}

function back_to_panel() {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . '/');
}

switch ($action) {
/* enable & start services */
case 66:
    $unit = unit_for('serviceenable', $username);
    if ($unit !== null) {
        shell_exec("sudo systemctl enable " . escapeshellarg($unit));
        shell_exec("sudo systemctl start " . escapeshellarg($unit));
    }
    back_to_panel();
    break;

/* disable & stop services */
case 77:
    $unit = unit_for('servicedisable', $username);
    if ($unit !== null) {
        shell_exec("sudo systemctl stop " . escapeshellarg($unit));
        shell_exec("sudo systemctl disable " . escapeshellarg($unit));
        if ($unit == "shellinabox") {
            /* shellinaboxd backgrounds itself, so make sure it is really gone */
            shell_exec("sudo pkill -f shellinabox");
        }
    }
    back_to_panel();
    break;

/* restart services */
case 88:
    $unit = unit_for('servicestart', $username);
    if ($unit !== null) {
        if ($unit == "shellinabox") {
            shell_exec("sudo systemctl enable " . escapeshellarg($unit));
        }
        shell_exec("sudo systemctl restart " . escapeshellarg($unit));
    }
    back_to_panel();
    break;
}

This is interesting as it is working for me on Ubuntu without any issues. You’re testing against Debian yes? Or did you hop over to Ubuntu as well?


#12

I'm on Ubuntu 16.04.

This box was on 2.4.1 stable and I moved it to 2.4.2 dev per the dev readme:
rm -rf ~/QuickBox
apt-get -yqq update; apt-get -yqq upgrade; apt-get -yqq install git lsb-release;
git clone --recursive [email protected]:QuickBox/quickbox_dev.git QuickBox &&
bash ~/QuickBox/setup/quickbox-setup

and walked through the setup.

You’re welcome to have access to the box if you want.


#13

I was able to reproduce this… I think I need to modify the line to be $service rather than $process. Yeah, it's the disable process that is having an issue from the panel for some reason or other.

Ok, silly me… I ported everything over but the ability to fire it in the sudoers template. Updating now.

Here's the commit for review:


#14

Ok…panel control works as expected, but 2 small issues.

  1. The shell opens up in the same window as the panel. You then have to use the browser back button to get back to the panel. It would probably be best to open a new window when you select the web console on the side.

  2. The web console link on the side is active no matter if you have the console enabled or not. Disabled produces the “Service Unavailable” message when clicking on it.


#15
  1. Noted - I’ll add in a quick target="_blank" to address that.

  2. I’ll wrap the link in an if/process then hide/no hide