gateway_1 | 2020/08/24 22:05:01 [error] 10#10: 72 broken header: "GET / HTTP/1.1
gateway_1 | Host: 192.168.0.19:8080
gateway_1 | Connection: keep-alive
gateway_1 | Cache-Control: max-age=0
gateway_1 | Upgrade-Insecure-Requests: 1 gateway_1 | DNT: 1
gateway_1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
gateway_1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.9
gateway_1 | Accept-Encoding: gzip, deflate gateway_1 | Accept-Language: en-US,en;q=0.9,es;q=0.8 gateway_1 | If-None-Match: "5f32e353-8c3" gateway_1 | If-Modified-Since: Tue, 11 Aug 2020 18:28:35 GMT gateway_1 |
gateway_1 | " while reading PROXY protocol, client: 192.168.0.23, server: 0.0.0.0:80
nsenter: cannot open /proc/1/ns/cgroup: No such file or directory.It is weird because ubuntu and debian hosts works fine.
Anyone has similar errors?
.env e.g SHELLHUB_SSH_PORT=44. My client device (standard Raspberry Pi) will be expecting ssh connection on 22. How can I use a non-standard port for shellhub? I need to maintain ssh access on port 22 to my main server
SHELLHUB_SSH_PORT
SHELLHUB_SSH_PORT var is correct, it's what docker-compose.yml is expecting. I tried changing SHELLHUB_SSH_PORT to SSH_PORT in .env and got the following error:ERROR: The Compose file './docker-compose.yml' is invalid because:
services.ssh.ports contains an invalid type, it should be a number, or an objectDo I need to nginx proxy the ssh port? My nginx config is
server {
listen 443 ssl http2;
# Whitelist IP's
include /etc/nginx/cloudflare-allow.conf;
server_name shellhub.xxxxx.org;
ssl_certificate /etc/nginx/ssl/site.crt;
ssl_certificate_key /etc/nginx/ssl/site-key.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8999;
}I'm using SHELLHUB_HTTP_PORT=8999. The UI is working fine and I'm able to add devices
stream does not work with server_name. I need to be able to assign a domain name if possible to shellhub https://stackoverflow.com/questions/45227491/nginx-server-name-inside-stream-block-possible
@glynhudson I've reproduced your issue locally, using your nginx config and an agent with enhanced logging. This shows that the attempt to establish the web socket is failing (NewListener in agent/main.go returns err="websocket: bad handshake" but this isn't visible to the user in v0.3.7).
For nginx to work with web sockets, it appears to need explicit upgrade and connection headers. I've added the following to your quoted nginx config:
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;and it then works for me: the device registers successfully and the web terminal works.
Hi @sixhills, thanks so much for testing. I've just implemented you suggestion and indeed it works great! Thanks so much. For the record this is my nginx config:
server {
listen 443 ssl http2;
# Whitelist IP's
include /etc/nginx/cloudflare-allow.conf;
server_name xxxxxxxxx.com;
ssl_certificate /etc/nginx/ssl/site.crt;
ssl_certificate_key /etc/nginx/ssl/site-key.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8999;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
}It would be a good idea to add an example config like this to the documentation.
Where can I send a donation?
I think we now have three ways of implementing a reverse ssl proxy using nginx:
(1) Using
stream and proxy_protocol, as described in shellhub-io/shellhub#347(2) Using the Valian docker container, as described in the same issue.
(3) Specifying
Upgrade and Connection headers as described above.Solutions (1) and (3) require an existing ssl certificate, which suits users who already have one for the host or a wildcard certificate for the domain.
Solution (2) automatically obtains and installs a Let's Encrypt certificate, which suits users who don't already have a certificate and makes it very easy to obtain one but is unecessary when a certificate is already installed.
Solution (1) using
stream doesn't work with server_name and so isn't suitable for users who need a CNAME pointing to a virtual host. It doesn't seem to have any advantage over solution (3).So which solutions should be documented? Perhaps both (3) for users who already have a certificate and (2) for users who don't already have one?
Hello community, I hope this is the right place to ask my question.
I just installed the newest version of shell hub via the 'git clone' command on my mac, used the command './bin/keygen' and started the 'docker-compose' command. In my docker desktop I see that everything runs perfectly and I can access the login screen as well via localhost.
After that, I ran the command './bin/add-user testUser testPassword testEmail' without the "<>" characters. My console prints out, that the user was created and I got the tenant-ID back. So far so good.
The problem now is, when I try to log in via the web ui, I always get back the server status 401 (unauthorized). I would really appreciate if someone of you has an idea, what I did wrong or where the problem could be.
@sixhills Thanks for your message and sorry for my late reply!
Adding user
I started today the docker containers again and created a new user: ./bin/add-user test2 test2 a@a.a and I can log in with that user. The last time I was not able to log in with the user name BUT I could log in with the user email... today I can also log in via the user name.
Checking mongo db
I checked the mongo db in "shellhub_mongo_1 mongo:3.4.19" and all my users are in the db. So that worked now!
Docker container logs
I tried now several times to log in and to log off and I also created several times a new device and connected it to my account. Everything worked!
SSH via webinterface
If I call the method GET /ssh/revdial? via the web interface, I see in the logs of the container, that the password is in clear text! I think it would be very nice, if the provider of the server can not see the password of the connected devices for doing a ssh connection...
4 replies
I've upgraded from 0.4.0 to 0.4.2 and it seems to ignore the value of SHELLHUB_HTTP_PORT in .env.override. I put "SHELLHUB_HTTP_PORT=8090" in .env.override and restarted but the server was still istening on port 80. I then edited .env to change this variable in that file, restarted and the server was then listening on port 8090. Is there anything I need to do to make it action the value in .env.override?
I can't reproduce this here