====== WeTTY ======
[[https://butlerx.github.io/wetty/|WeTTY]] is a web-based terminal for your server. There are many other options for web-based console access to a server, but WeTTY is simple and lightweight.
The goal is to have a terminal console on the server that you can access from a web browser. This is for when you desperately need remote access but cannot use any kind of terminal or PuTTY: because the network blocks anything that isn't HTTPS, because you don't trust the computer you are using, or because you simply cannot run anything at all, as on a kiosk or a locked-down tablet.
You could also run a web-based VNC display or similar, but that is heavy on network bandwidth, while the web TTY approach is more resilient.
Please note that web-based TTY access is always limited and annoying; at best it's an emergency access route, not a comfortable day-to-day tool.
Security-wise, you must put WeTTY behind a secured reverse proxy with strong password protection. By the nature of the tool you will need to set up automatic SSH connections with passwordless keys, so anyone who reaches the WeTTY endpoint gets a shell; the only thing WeTTY itself can do is request a username, which is "security by obscurity", i.e. no security at all.
===== Installation =====
Due to a bug in the latest version (2.7.0) (see [[https://github.com/butlerx/wetty/issues/513|this issue]]) you need to install 2.6.0 instead.
Now, as usual, create a dedicated user, since it's not safe to run WeTTY as root:
<code bash>
useradd -d /data/daemons/wetty -m wetty
</code>
Install Node.js and npm locally for that user via nvm, generate an SSH key pair for the user, and finally install WeTTY:
<code bash>
su - wetty
curl -sL https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash
source .bashrc
nvm install 20
npm -g i wetty@2.6.0
# ed25519 key with an empty passphrase: WeTTY has to use it non-interactively,
# and the start script below refers to ~/.ssh/id_ed25519
ssh-keygen -t ed25519 -N ""
</code>
Now, WeTTY will run as user **wetty**, but the actual login will be done from user //wetty// to your target user, let's call it **user**, using either a password or an SSH key. I was not able to set up password login properly, but I didn't investigate too much because that would not be advisable anyway.
You need to enable SSH key login from user **wetty** to every **user** you want to log in as from your web console. Assuming your target user is **user**, copy the //wetty// public key into //user//'s **~/.ssh/authorized_keys** file, for example (as root):
<code bash>
# make sure the target user's .ssh directory exists with the permissions sshd expects
install -d -m 700 -o user -g user /home/user/.ssh
cat /data/daemons/wetty/.ssh/id_ed25519.pub >> /home/user/.ssh/authorized_keys
chown user:user /home/user/.ssh/authorized_keys
chmod 644 /home/user/.ssh/authorized_keys
</code>
Done.
===== Reverse Proxy =====
WeTTY by default is served under **https://yourdomain.com/wetty**, so the following NGINX config should be enough:
<code nginx>
location ^~ /wetty {
    proxy_pass http://127.0.0.1:5522/wetty;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 43200000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    auth_pam "Casa";
    auth_pam_service_name "nginx";
}
</code>
Please note that it is **critical** to enable reverse proxy authentication, because otherwise anybody will be able to access your server console without any protection.
See [[selfhost:nginx|The Reverse Proxy concept]] for more details.
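To check the point above mechanically, here is an added example (not the wiki's or WeTTY's own code): a small shell function that reads an nginx config file and confirms the /wetty location both carries an auth directive and proxies only to 127.0.0.1. The two sample configs it runs against are constructed here for the demonstration.

```shell
#!/bin/sh
# Added check, not part of WeTTY or of this wiki: given an nginx config
# file, confirm the /wetty location has the two properties the text calls
# critical: an auth directive (auth_pam or auth_basic) so nobody reaches
# the passwordless SSH console unauthenticated, and a proxy_pass that
# targets 127.0.0.1, matching WeTTY's own "--host 127.0.0.1" binding.
# Returns 0 when both hold, 1 otherwise, printing each failing property.
# Assumes the page's layout: no nested blocks inside "location ... /wetty".
check_wetty_location() {
    conf="$1"
    # extract the /wetty block: from the location line to the first closing brace
    block=$(awk '
        /location[[:space:]]+([=~^]+[[:space:]]+)?\/wetty[[:space:]{]/ { inblk=1 }
        inblk { print }
        inblk && /^[[:space:]]*}/ { exit }
    ' "$conf")
    [ -n "$block" ] || { echo "no /wetty location block in $conf"; return 1; }
    rc=0
    if ! printf '%s\n' "$block" | grep -Eq '^[[:space:]]*auth_(pam|basic)[[:space:]]'; then
        echo "MISSING auth_pam/auth_basic: console reachable without authentication"
        rc=1
    fi
    if ! printf '%s\n' "$block" | grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://127\.0\.0\.1:'; then
        echo "proxy_pass does not target 127.0.0.1: WeTTY must only be reached over loopback"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not from any real server) to exercise the check.
GOOD_CONF=$(mktemp); cat > "$GOOD_CONF" <<'EOF'
location ^~ /wetty {
    proxy_pass http://127.0.0.1:5522/wetty;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    auth_pam "Casa";
    auth_pam_service_name "nginx";
}
EOF
BAD_CONF=$(mktemp); cat > "$BAD_CONF" <<'EOF'
location ^~ /wetty {
    proxy_pass http://192.0.2.10:5522/wetty;
    proxy_http_version 1.1;
}
EOF

check_wetty_location "$GOOD_CONF" && echo "good config: OK"
check_wetty_location "$BAD_CONF" || echo "bad config: rejected"
```

Run it against your real config file instead of the constructed samples before enabling the service; the function is silent on success and names each failing property otherwise.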
===== Start & Autostart =====
Using OpenRC, drop the following script into **/etc/init.d/wetty**:
<code bash>
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

description="Web SSH console"
pidfile="/run/wetty.pid"
command_background=true
# the start script lives in the wetty user's home, /data/daemons/wetty
command="/data/daemons/wetty/wetty_start.sh"
command_args=""
command_user="wetty:wetty"

depend() {
    need net
}
</code>
You will also need to create the following start script as **/data/daemons/wetty/wetty_start.sh**:
<code bash>
#!/bin/bash
export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion

wetty \
    --host 127.0.0.1 \
    --port 5522 \
    --ssh-key ~/.ssh/id_ed25519 \
    --ssh-host localhost \
    --ssh-user user \
    --ssh-auth publickey
</code>
You need to copy the last lines of //wetty//'s **.bashrc** into the script because NVM needs them, and OpenRC runs the command from a non-interactive shell, which does not read //.bashrc//.
Note: if you want to leave the user out you can omit the //--ssh-user// option, but then you will need to point your browser to **https://mydomain.com/wetty/ssh/user** to reach your console.
Make both scripts executable, then add the service to the default runlevel:
<code bash>
chmod +x /etc/init.d/wetty
chmod +x /data/daemons/wetty/wetty_start.sh
rc-update add wetty default
</code>
And you are all set.