public/geek-cookbook
1
0
Fork 0
mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00
Code Issues Releases Wiki Activity
Files
0c3b4600d3b3198bb60cb3c4af2ba0cfb40f6e49
geek-cookbook/manuscript/recipes/wetty.md
David Young 892adb4704 Update Traefik Forward Auth for v2 (#169)
2021-01-29 23:09:22 +13:00

3.6 KiB
Raw Blame History

hero: Terminal in a browser, baby! 💻

Wetty

Wetty is a responsive, modern terminal, in your web browser. Yes, your browser. When combined with secure authentication and SSL encryption, it becomes a useful tool for quick and easy remote access.

Wetty Screenshot

Why would you need SSH in a browser window?

Need shell access to a node with no external access? Deploy Wetty behind an oauth_proxy with a SSL-terminating reverse proxy (traefik), and suddenly you have the means to SSH to your private host from any web browser (protected by your oauth_proxy of course, and your OAuth provider's 2FA)

Here are some other possible use cases:

  1. Access to SSH / CLI from an environment where outgoing SSH is locked down, or SSH client isn't / can't be installed. (i.e., a corporate network)
  2. Access to long-running processes inside a tmux session (like irrsi)
  3. Remote access to a VM / container running Kali linux, for penetration testing

--8<-- "recipe-standard-ingredients.md"

Preparation

Prepare environment

Create wetty.env, and populate with the following variables per the oauth_proxy instructions:

OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=

# To use WeTTY to SSH to a host besides the (mostly useless) alpine container it comes with
SSHHOST=batcomputer.batcave.com
SSHUSER=batman

Setup Docker Swarm

Create a docker swarm config file in docker-compose syntax (v3), something like this:

--8<-- "premix-cta.md"

version: "3"
services:
  wetty:
    image: krishnasrinivas/wetty
    env_file : /var/data/config/wetty/wetty.env
    networks:
        - internal
  proxy:
    image: funkypenguin/oauth2_proxy:latest
    env_file: /var/data/config/wetty/wetty.env
    networks:
      - internal
      - traefik_public
    deploy:
      labels:
        - traefik.frontend.rule=Host:wetty.funkypenguin.co.nz
        - traefik.docker.network=traefik_public
        - traefik.port=4180
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/config/wetty/authenticated-emails.txt:/authenticated-emails.txt
    command: |
      -cookie-secure=false
      -upstream=http://wetty:3000
      -redirect-url=https://wetty.funkypenguin.co.nz
      -http-address=http://0.0.0.0:4180
      -provider=github
      -authenticated-emails-file=/authenticated-emails.txt

networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.45.0/24

--8<-- "reference-networks.md"

Serving

Launch Wetty stack

Launch the Wetty stack by running docker stack deploy wetty -c <path -to-docker-compose.yml>

Browse to your new browser-cli-terminal at https://YOUR-FQDN. Authenticate with your OAuth provider, and then proceed to login, either to the remote host you specified (batcomputer.batcave.com, in the example above), or using user and password "term" to log directly into the Wetty alpine container (from which you can establish egress SSH)

--8<-- "recipe-footer.md"

Reference in New Issue View Git Blame Copy Permalink