Otavio Salvador
@otavio
No worries :-) Glad to help
Otavio Salvador
@otavio
@sixhills applied :-D
Mike
@sixhills
@otavio Thank you for all your help.
aminits
@aminits
Hi. Today I tried ShellHub and it looks really nice! Can this solution scale (I mean the self-hosted solution)? Can I run multiple instances of the Docker containers (api/ssh) behind a load balancer and will it still work?
Otavio Salvador
@otavio
@aminits our cloud runs on a k8s cluster
Jaime Campos
@jcampos79_gitlab
Hi, I am trying to enable SSL for my self-hosted ShellHub environment. I set SHELLHUB_PROXY=true and installed nginx on the host, but my logs show broken header errors:
gateway_1 | 2020/08/24 22:05:01 [error] 10#10: 72 broken header: "GET / HTTP/1.1
gateway_1 | Host: 192.168.0.19:8080
gateway_1 | Connection: keep-alive
gateway_1 | Cache-Control: max-age=0
gateway_1 | Upgrade-Insecure-Requests: 1
gateway_1 | DNT: 1
gateway_1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
gateway_1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
gateway_1 | Accept-Encoding: gzip, deflate
gateway_1 | Accept-Language: en-US,en;q=0.9,es;q=0.8
gateway_1 | If-None-Match: "5f32e353-8c3"
gateway_1 | If-Modified-Since: Tue, 11 Aug 2020 18:28:35 GMT
gateway_1 |
gateway_1 | " while reading PROXY protocol, client: 192.168.0.23, server: 0.0.0.0:80
Any advice?
aminits
@aminits
@otavio Thanks!
Otavio Salvador
@otavio
@jcampos79_gitlab are you using our docker compose files?
Jaime Campos
@jcampos79_gitlab
@otavio Yes.
Otavio Salvador
@otavio
@gustavosbarreto can you take a look?
Mike
@sixhills
@otavio I'm also trying to implement an SSL nginx proxy (as a separate non-Docker process) in front of the ShellHub server. Web access via the proxy works fine with SHELLHUB_PROXY=false, but as soon as I set SHELLHUB_PROXY=true and restart the ShellHub containers, every GET results in a broken header error in the gateway log, very similar to @jcampos79_gitlab's. Is there an example nginx conf file from when this was tested that we could try?
Otavio Salvador
@otavio
@sixhills if possible open an issue. It is easier ;-)
Mike
@sixhills
@jcampos79_gitlab If you're still reading, please see solution at shellhub-io/shellhub#347 which may fix your problem, too.
Jaime Campos
@jcampos79_gitlab
@sixhills @otavio @gustavosbarreto Thank you very much
Otavio Salvador
@otavio
@jcampos79_gitlab thank @sixhills and @gustavosbarreto :-)
Jaime Campos
@jcampos79_gitlab
Hi again, I have managed to get the provided solution for the proxy working. Now I found something weird with CentOS 7: I received the following error:
nsenter: cannot open /proc/1/ns/cgroup: No such file or directory.
It is weird because Ubuntu and Debian hosts work fine.
Does anyone have similar errors?
Otavio Salvador
@otavio
It is likely due to their kernel lacking namespace support
Jaime Campos
@jcampos79_gitlab
Thanks @otavio, is there a workaround?
Otavio Salvador
@otavio
We need to check if their kernel supports it; but we ought also to fix the installer script to ensure it errors out properly.
Jaime Campos
@jcampos79_gitlab
Thanks again, I found this that could be useful for others:
User namespaces options RedHat
Glyn Hudson
@glynhudson
Hi, I've just installed ShellHub on my server using Docker and an nginx proxy. The web UI is working great :-D . However, when I try to connect to a device the web UI terminal is blank. I think this could be because I had to specify a different port for SSH in .env, e.g. SHELLHUB_SSH_PORT=44. My client device (standard Raspberry Pi) will be expecting the SSH connection on 22. How can I use a non-standard port for ShellHub? I need to maintain SSH access on port 22 to my main server.
Otavio Salvador
@otavio
@glynhudson did you follow our docs?
Glyn Hudson
@glynhudson
I think so; there was not much explanation of how to use a different SSH port: https://docs.shellhub.io/admin-manual/configuring/
SHELLHUB_SSH_PORT
The port is for the server side. The client does not listen on any port.
Glyn Hudson
@glynhudson
OK, so using SHELLHUB_SSH_PORT=44 should work fine with a client using port 22. I wonder why the terminal doesn't work?
Otavio Salvador
@otavio
Which version are you using?
Glyn Hudson
@glynhudson
v0.3.7
Otavio Salvador
@otavio
Try to set the var as SSH_PORT
Glyn Hudson
@glynhudson
I think the SHELLHUB_SSH_PORT var is correct; it's what docker-compose.yml is expecting. I tried changing SHELLHUB_SSH_PORT to SSH_PORT in .env and got the following error:
ERROR: The Compose file './docker-compose.yml' is invalid because:
services.ssh.ports contains an invalid type, it should be a number, or an object
Otavio Salvador
@otavio
@gustavosbarreto any idea?
Glyn Hudson
@glynhudson

Do I need to proxy the SSH port through nginx as well? My nginx config is

server {

        listen 443 ssl http2;
        # Whitelist IP's
        include /etc/nginx/cloudflare-allow.conf;

        server_name shellhub.xxxxx.org;

        ssl_certificate /etc/nginx/ssl/site.crt;
        ssl_certificate_key /etc/nginx/ssl/site-key.pem;

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 180m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # add Strict-Transport-Security to prevent man in the middle attacks
        add_header Strict-Transport-Security "max-age=31536000";

        location / {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:8999;
        }
}

I'm using SHELLHUB_HTTP_PORT=8999. The UI is working fine and I'm able to add devices.

Mike
@sixhills
@glynhudson My experience as a user of ShellHub is that a blank web UI window means that the tunnel between the server and the device failed to connect, even though the device registered successfully. You may like to try the nginx proxy configuration described in shellhub-io/shellhub#347, especially the use of proxy_protocol. I can confirm that this works, as does use of the Valian nginx proxy container described later in that thread. You don't need to proxy the SSH port.
Glyn Hudson
@glynhudson
@sixhills thanks for your reply. I had seen that issue; unfortunately using the nginx stream module does not work with server_name. I need to be able to assign a domain name to ShellHub if possible: https://stackoverflow.com/questions/45227491/nginx-server-name-inside-stream-block-possible
Mike
@sixhills

@glynhudson I've reproduced your issue locally, using your nginx config and an agent with enhanced logging. This shows that the attempt to establish the WebSocket is failing (NewListener in agent/main.go returns err="websocket: bad handshake", but this isn't visible to the user in v0.3.7).
For nginx to work with WebSockets, it appears to need explicit Upgrade and Connection headers. I've added the following to your quoted nginx config:

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;

and it then works for me: the device registers successfully and the web terminal works.

Glyn Hudson
@glynhudson

Hi @sixhills, thanks so much for testing. I've just implemented your suggestion and indeed it works great! Thanks so much. For the record, this is my nginx config:

server {

        listen 443 ssl http2;
        # Whitelist IP's
        include /etc/nginx/cloudflare-allow.conf;

        server_name xxxxxxxxx.com;

        ssl_certificate /etc/nginx/ssl/site.crt;
        ssl_certificate_key /etc/nginx/ssl/site-key.pem;

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 180m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # add Strict-Transport-Security to prevent man in the middle attacks
        add_header Strict-Transport-Security "max-age=31536000";

        location / {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:8999;

                # WebSocket upgrade headers, needed for the device tunnel
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
        }
}

It would be a good idea to add an example config like this to the documentation.

Where can I send a donation?

Mike
@sixhills
@glynhudson Thanks for confirming that this works.
I think we now have three ways of implementing a reverse SSL proxy using nginx:
(1) Using stream and proxy_protocol, as described in shellhub-io/shellhub#347
(2) Using the Valian Docker container, as described in the same issue.
(3) Specifying Upgrade and Connection headers, as described above.
Solutions (1) and (3) require an existing SSL certificate, which suits users who already have one for the host or a wildcard certificate for the domain.
Solution (2) automatically obtains and installs a Let's Encrypt certificate, which suits users who don't already have a certificate and makes it very easy to obtain one, but is unnecessary when a certificate is already installed.
Solution (1) using stream doesn't work with server_name and so isn't suitable for users who need a CNAME pointing to a virtual host. It doesn't seem to have any advantage over solution (3).
So which solutions should be documented? Perhaps both (3) for users who already have a certificate and (2) for users who don't already have one?
MPP-SmartGarden
@MPP-SmartGarden

Hello community, I hope this is the right place to ask my question.
I just installed the newest version of ShellHub via the 'git clone' command on my Mac, used the command './bin/keygen' and started the 'docker-compose' command. In my Docker Desktop I see that everything runs perfectly and I can access the login screen as well via localhost.

After that, I ran the command './bin/add-user testUser testPassword testEmail' without the "<>" characters. My console prints out that the user was created and I got the tenant ID back. So far so good.
The problem now is, when I try to log in via the web UI, I always get back the server status 401 (unauthorized). I would really appreciate it if someone has an idea what I did wrong or where the problem could be.

Mike
@sixhills
@MPP-SmartGarden Check that the user has been defined in the database:
docker-compose exec mongo mongo --eval "db.users.find()" main
and check whether the logs report an error when trying to log in:
docker logs name-of-each-container
MPP-SmartGarden
@MPP-SmartGarden

@sixhills Thanks for your message and sorry for my late reply!
Adding user
Today I started the Docker containers again and created a new user: ./bin/add-user test2 test2 a@a.a and I can log in with that user. The last time I was not able to log in with the user name BUT I could log in with the user email... today I can also log in via the user name.

Checking mongo db
I checked the mongo db in "shellhub_mongo_1 mongo:3.4.19" and all my users are in the db. So that worked now!

Docker container logs
I tried several times now to log in and log off, and I also created a new device several times and connected it to my account. Everything worked!

SSH via web interface
If I call the method GET /ssh/revdial? via the web interface, I see in the logs of the container that the password is in clear text! I think it would be very nice if the provider of the server could not see the password of the connected devices when making an SSH connection...

Luis Gustavo S. Barreto
@gustavosbarreto
@jcampos79_gitlab security is a serious matter for us. Please read our security policy (https://github.com/shellhub-io/shellhub/blob/master/SECURITY.md) for how to report security vulnerabilities.
Otavio Salvador
@otavio
/all we did the 0.4.0 release; please take a look at the improved features and fixes
Mike
@sixhills
I've upgraded from 0.4.0 to 0.4.2 and it seems to ignore the value of SHELLHUB_HTTP_PORT in .env.override. I put "SHELLHUB_HTTP_PORT=8090" in .env.override and restarted, but the server was still listening on port 80. I then edited .env to change this variable in that file, restarted, and the server was then listening on port 8090. Is there anything I need to do to make it action the value in .env.override?
Otavio Salvador
@otavio
@gustavosbarreto
Luis Gustavo S. Barreto
@gustavosbarreto

I've upgraded from 0.4.0 to 0.4.2 and it seems to ignore the value of SHELLHUB_HTTP_PORT in .env.override. I put "SHELLHUB_HTTP_PORT=8090" in .env.override and restarted, but the server was still listening on port 80. I then edited .env to change this variable in that file, restarted, and the server was then listening on port 8090. Is there anything I need to do to make it action the value in .env.override?

I can't reproduce this here

Mike
@sixhills
That's odd. I've just checked again and the server is ignoring the contents of .env.override on my system. No problem, I'll just edit .env instead.