WeTTY

WeTTY is a web-based terminal for your server. There are many other ways to get web-based console access to your server, but WeTTY is pretty simple and lightweight.

The goal is to have a terminal console on the server that you can access via a web browser. This is for when you desperately need remote access but cannot use any kind of terminal or PuTTY because the network blocks anything outside HTTPS, because you don't trust the computer you are using, or because you simply cannot run anything, as on a kiosk or a locked-down tablet.

You could also run a web-based VNC display or something similar, but that might be overkill in terms of network bandwidth, while the web TTY approach is more resilient.

Please note that web-based TTY access is always limited and annoying. At best, it's an emergency access route and probably not a comfortable day-to-day tool.

Security-wise, you must put WeTTY behind a secured reverse proxy with strong password protection. Due to the nature of the tool, you will need to set up automatic (passwordless) connections with SSH keys, and the only extra barrier, that you can require username input, is “security by obscurity”, which is no security at all.

Installation

Due to a bug in the latest version (2.7.0) (see issue here) you need to install 2.6.0.

Now, as usual, create a dedicated user since it's not safe to run WeTTY as root:

useradd -d /data/daemons/wetty -m wetty

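Install npm locally (through nvm), install WeTTY, and generate an SSH key pair for the user:

su - wetty
# install nvm, then Node.js 20 and WeTTY 2.6.0 for this user only
curl -sL https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash
source .bashrc
nvm install 20
npm -g i wetty@2.6.0
# generate the key pair used later as ~/.ssh/id_ed25519
ssh-keygen -t ed25519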

Now, WeTTY will run as user wetty, but the actual login will be done from user wetty to your target user (let's call it user), using either a password or an SSH key. I was not able to set up password login properly, but I didn't investigate too much because that would not be advisable anyway.

You need to enable SSH key login from user wetty to all the users you want to log in as from your web console. Assuming your target user is user, you need to append wetty's public key to user's ~/.ssh/authorized_keys file, for example (as root):

cat /data/daemons/wetty/.ssh/id_ed25519.pub >> /home/user/.ssh/authorized_keys
chmod 644 /home/user/.ssh/authorized_keys

Done.

Reverse Proxy

WeTTY is served by default under https://yourdomain.com/wetty, so the following NGINX config should be enough:

wetty.conf
location ^~ /wetty {
    proxy_pass http://127.0.0.1:5522/wetty;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 43200000;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    auth_pam "Casa";
    auth_pam_service_name "nginx";
}

Please note that it is critical to enable reverse proxy auth because otherwise anybody will be able to access your server console without any protection.

See The Reverse Proxy concept for more details.

Start & Autostart

To start WeTTY as a service, if you follow my Custom User Services, create the following script under /data/daemons/wetty/wetty_start.sh:

wetty_start.sh
#!/bin/bash

export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion

wetty \
 --host 127.0.0.1 \
 --port 5522 \
 --ssh-key ~/.ssh/id_ed25519 \
 --ssh-host localhost \
 --ssh-user user \
 --ssh-auth publickey

You need to copy the last lines of the .bashrc into the script because NVM requires those lines and the _servicer.sh script runs as a non-interactive shell, thus bypassing the .bashrc.

Note: if you want to leave the user out, you can omit the --ssh-user part, but then you will need to point your browser to https://mydomain.com/wetty/ssh/user to access your console.

Make the script executable, then create the links:

cd /etc/local.d
ln -s _servicer.sh 99-wetty--script.start
ln -s _servicer.sh 99-wetty--script.stop

And you are all set.
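
The Reverse Proxy and Start & Autostart sections both rest on two settings: WeTTY listening on loopback only, and the NGINX location carrying an auth directive. The following is an added example, not part of the original page or of WeTTY, that checks both; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the page; function names are hypothetical.
# Succeeds only if the wetty command in start script $1 binds to loopback.
# A missing --host counts as a failure (conservative assumption).
wetty_binds_loopback() {
    awk '
        { sub(/#.*/, ""); line = line " " $0 }            # drop comments, accumulate
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); next }  # join backslash continuations
        { if (line ~ /[ \t]wetty[ \t]/) cmd = line; line = "" }
        END { exit !((cmd " ") ~ /--host[ \t=]+(127\.0\.0\.1|localhost|::1)[ \t]/) }
    ' "$1"
}

# Succeeds only if the nginx location block for path $2 in file $1 proxies to
# loopback and has an auth directive that is not "off" (inherited auth is not seen).
location_is_protected() {
    awk -v path="$2" '
        { sub(/#.*/, "") }
        !inblk && $1 == "location" && $(NF-1) == path && $NF == "{" { inblk = 1; depth = 0 }
        inblk {
            if ($1 ~ /^auth_(pam|basic|request)$/ && $2 !~ /^"?off"?;?$/) auth = 1
            if ($1 == "proxy_pass" && $2 ~ /^https?:\/\/(127\.0\.0\.1|localhost|\[::1\])[\/:;]/) loop = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) inblk = 0
        }
        END { exit !(auth && loop) }
    ' "$1"
}

# Constructed sample input, mirroring the files shown on this page.
write_samples() {
    cat > "$1/wetty_start.sh" <<'EOF'
wetty \
 --host 127.0.0.1 \
 --ssh-auth publickey
EOF
    cat > "$1/wetty.conf" <<'EOF'
location ^~ /wetty {
    proxy_pass http://127.0.0.1:5522/wetty;
    auth_pam "Casa";
}
EOF
    sed '/auth_pam/d' "$1/wetty.conf" > "$1/wetty_noauth.conf"  # auth removed
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in wetty.conf wetty_noauth.conf; do
    location_is_protected "$tmp/$f" /wetty && echo "$f: ok" || echo "$f: EXPOSED"
done
wetty_binds_loopback "$tmp/wetty_start.sh" && echo "wetty_start.sh: loopback only"
```

Point the two functions at your real wetty_start.sh and wetty.conf after any edit to either file; a non-zero exit status means the console may be reachable without authentication.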