Setting up a web-shared terminal (WebSSH) on CentOS 7 with ttyd


ttyd is a simple command-line tool for sharing a terminal over the web. Put plainly, it lets you use a shell from a browser page (this is commonly called "WebSSH", although ttyd speaks HTTP and WebSocket to the browser and no SSH is involved at all). The software is free and open source.

Installing ttyd

The ttyd author publishes prebuilt binaries, so you can download one and use it directly. The latest releases are at https://github.com/tsl0922/ttyd/releases. Taking CentOS 7 as the example:

# download ttyd
wget -O ttyd https://github.com/tsl0922/ttyd/releases/download/1.6.0/ttyd_linux.x86_64
# make it executable
chmod +x ttyd
# move it into place
mv ttyd /usr/sbin
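The three steps above trust whatever the download produced. Because this binary will later run as a service handing out shells, it is worth refusing to install it unless its SHA-256 digest matches a value you obtained out of band (computed on a machine you trust, or taken from the release page). The following helper is an added example and not part of the original post or of ttyd itself; the file paths and the expected digest are all arguments, and the digest in the usage comment is a placeholder to be replaced with the real one.

```shell
# Added example (not from the original post): install a downloaded binary only
# when its SHA-256 digest matches a value obtained out of band.
#
# install_verified <downloaded-file> <expected-sha256> <destination-path>
# Returns 0 and installs the file when the digest matches, 1 otherwise.
install_verified() {
    local src="$1" expected="$2" dest="$3"
    local actual
    [ -f "$src" ] || { echo "install_verified: $src not found" >&2; return 1; }
    # sha256sum prints "<digest>  <file>"; keep only the digest column.
    actual=$(sha256sum "$src" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "install_verified: digest mismatch for $src" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    # install(1) copies the file and sets its mode in one step, replacing the
    # separate chmod +x and mv of the manual procedure.
    install -m 0755 "$src" "$dest"
}

# Usage on CentOS 7 (replace <expected-sha256> with the digest you trust):
#   wget -O /tmp/ttyd https://github.com/tsl0922/ttyd/releases/download/1.6.0/ttyd_linux.x86_64
#   install_verified /tmp/ttyd <expected-sha256> /usr/sbin/ttyd
```

If the digest does not match, nothing is written to the destination, so a corrupted or tampered download never becomes the binary that systemd starts.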

With those steps ttyd is installed. Run ttyd -v to check the installed version:

[root@hosta29d0ffef5 ~]# ttyd -v
ttyd version 1.6.0-c15cfb7

Running ttyd

Run ttyd with the command ttyd bash. Note that port 7681/tcp must be allowed through the firewall; then open http://IP:7681 in a browser to get the web terminal, as shown in the figure below. Be aware that ttyd listens on every interface by default, so once the port is reachable, anyone who can connect to it gets a shell running as whichever user started ttyd (root, in the session above).

Run this way, however, ttyd does not stay in the background (it exits with your login session), and access to port 7681 requires no credentials at all, which is very unsafe. Next we create a systemd service for ttyd and enable username/password authentication.

Creating the service

Create a ttyd.service file with vi /etc/systemd/system/ttyd.service and the following content:

[Unit]
Description=ttyd
After=network.target

[Service]
ExecStart=/usr/sbin/ttyd -c xiaoz:xiaoz.me bash

[Install]
WantedBy=multi-user.target

After saving the file, run systemctl daemon-reload so systemd picks up the new unit.

The -c option used above enables authentication, in the form -c username:password; per ttyd's help text this is HTTP Basic Authentication. The unit above sets the username to xiaoz and the password to xiaoz.me; change both to your own. Two caveats apply. First, Basic Authentication sends the password with every request base64-encoded, not encrypted, so over plain HTTP anyone on the network path can read both the credential and the whole terminal session; put TLS in front (ttyd's own -S/-C/-K options, or an HTTPS reverse proxy) before exposing this beyond a trusted network. Second, the credential is readable by every local user, both in the unit file (a file created with the default umask is world-readable) and in the running process's command line as shown by ps.

Once the service exists, ttyd is managed with the usual systemctl commands:

# start ttyd
systemctl start ttyd
# stop ttyd
systemctl stop ttyd
# restart ttyd
systemctl restart ttyd
# start at boot
systemctl enable ttyd
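The unit above runs ttyd as root, listening on all interfaces, with the credential in a world-readable file. The helper below is an added example, not part of the original post or of ttyd, that generates a tighter unit using only options from ttyd 1.6's help text: -i lo binds ttyd to the loopback interface so port 7681 is reachable only from the host itself (for instance through the Nginx reverse proxy described later on this page), -O rejects cross-origin WebSocket connections, -m caps the number of concurrent clients, and User= runs ttyd as a dedicated unprivileged account instead of root. The unit file is written with mode 0600 so other local users cannot read the credential from it. The account name "ttyd" and the shell /bin/bash are assumptions; create the account first (for example useradd -r -m -s /bin/bash ttyd). The credential still appears in the process command line, which ttyd 1.6 offers no way to avoid.

```shell
# Added example (not from the original post): generate and install a hardened
# ttyd systemd unit. The run-as account (e.g. "ttyd") is assumed to exist.
#
# render_ttyd_unit <run-as-user> <username:password> [max-clients]
# Prints the unit text on stdout; max-clients defaults to 2.
render_ttyd_unit() {
    local run_as="$1" cred="$2" max_clients="${3:-2}"
    cat <<EOF
[Unit]
Description=ttyd (web terminal, loopback only)
After=network.target

[Service]
# run as an unprivileged account instead of root
User=${run_as}
# -i lo: listen on the loopback interface only; -O: reject cross-origin
# WebSocket connections; -m: limit concurrent clients; -c: Basic Authentication
ExecStart=/usr/sbin/ttyd -i lo -O -m ${max_clients} -c ${cred} /bin/bash
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# write_ttyd_unit <path> <run-as-user> <username:password> [max-clients]
# Writes the unit to <path> with mode 0600 (it contains the credential).
write_ttyd_unit() {
    local path="$1"; shift
    local tmp
    tmp=$(mktemp) || return 1
    render_ttyd_unit "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0600 "$tmp" "$path" && rm -f "$tmp"
}

# Usage (as root, after creating the ttyd account):
#   write_ttyd_unit /etc/systemd/system/ttyd.service ttyd 'xiaoz:xiaoz.me' 2
#   systemctl daemon-reload && systemctl enable ttyd && systemctl start ttyd
```

With this unit, browsing to http://IP:7681 from another machine no longer works at all; the terminal is only reachable through whatever you put in front of it on the same host, which is where TLS and any further access control belong.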

Nginx reverse proxy

If you would rather not access the terminal by IP + port, you can put an Nginx reverse proxy in front and use a domain name instead. The configuration is as follows:

If served from the site root

location / {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Upgrade/Connection headers are required for the WebSocket handshake
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:7681;
}

If served from a subdirectory

# the captured group strips the /ttyd prefix before forwarding to ttyd
location ~ ^/ttyd(.*)$ {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Upgrade/Connection headers are required for the WebSocket handshake
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:7681/$1;
}

The ttyd in the path above can be changed to whatever prefix you prefer. Note that the proxy does not make the setup any safer by itself: as long as ttyd still listens on all interfaces, port 7681 remains reachable directly and bypasses anything Nginx enforces, so bind ttyd to the loopback interface (the -i option) when it is only meant to be reached through the proxy, and serve the proxied site over HTTPS so the Basic Authentication credential and the session itself are not sent in cleartext. Also, Nginx closes a proxied connection over which the backend sends no data for 60 seconds (the proxy_read_timeout default); if idle terminal sessions get dropped, raise that timeout in the location block.

ttyd options

Run ttyd -h to see the help text, reproduced below. From an exposure standpoint the options worth knowing are -i (bind to one interface or a UNIX domain socket instead of every address), -c (Basic Authentication), -u/-g (run the command as an unprivileged uid/gid), -R (read-only terminal), -O (reject cross-origin WebSocket connections), -m and -o (limit the number of clients), and -S/-C/-K/-A (TLS, including client-certificate verification).

USAGE:
    ttyd [options] <command> [<arguments...>]

VERSION:
    1.6.0

OPTIONS:
    -p, --port              Port to listen (default: 7681, use `0` for random port)
    -i, --interface         Network interface to bind (eg: eth0), or UNIX domain socket path (eg: /var/run/ttyd.sock)
    -c, --credential        Credential for Basic Authentication (format: username:password)
    -u, --uid               User id to run with
    -g, --gid               Group id to run with
    -s, --signal            Signal to send to the command when exit it (default: 1, SIGHUP)
    -a, --url-arg           Allow client to send command line arguments in URL (eg: http://localhost:7681?arg=foo&arg=bar)
    -R, --readonly          Do not allow clients to write to the TTY
    -t, --client-option     Send option to client (format: key=value), repeat to add more options
    -T, --terminal-type     Terminal type to report, default: xterm-256color
    -O, --check-origin      Do not allow websocket connection from different origin
    -m, --max-clients       Maximum clients to support (default: 0, no limit)
    -o, --once              Accept only one client and exit on disconnection
    -B, --browser           Open terminal with the default system browser
    -I, --index             Custom index.html path
    -b, --base-path         Expected base path for requests coming from a reverse proxy (eg: /mounted/here)
    -6, --ipv6              Enable IPv6 support
    -S, --ssl               Enable SSL
    -C, --ssl-cert          SSL certificate file path
    -K, --ssl-key           SSL key file path
    -A, --ssl-ca            SSL CA file path for client certificate verification
    -d, --debug             Set log level (default: 7)
    -v, --version           Print the version and exit
    -h, --help              Print this text and exit

Visit https://github.com/tsl0922/ttyd to get more information and report bugs.

Summary

ttyd makes it quick and easy to stand up a WebSSH-style service, but that convenience comes with more security risk. Although ttyd offers basic password authentication, it is only HTTP Basic Authentication, which travels in cleartext unless you add TLS, and running ttyd means your server has one more entry point that hands a shell to whoever gets through it. It is therefore not recommended for production use; for tinkering on your own machines it is fine.
