Auth Proxy
Shuanglei Tao edited this page Aug 13, 2021 · 7 revisions
The -H, --auth-header command-line flag configures ttyd to let an HTTP reverse proxy handle authentication.
Running ttyd
Security NOTICE: Since the auth proxy feature makes ttyd trust any request with a non-empty X-WEBAUTH-USER header value, you should always start ttyd on a unix domain socket. If you really want ttyd to listen on an IP or interface, do not forget to use your firewall (for example, iptables on Linux) to block direct requests to ttyd from sources you do not trust.
ttyd -i /tmp/ttyd.sock -H X-WEBAUTH-USER bash
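The check below is an added example, not part of the original page or the ttyd project: it audits a ttyd argument list for the condition the security notice warns about, an auth header trusted on a TCP listener. It assumes the first -i and -H on the line belong to ttyd, and treats an -i value that is an absolute path ending in .sock or .socket as a unix domain socket; the function name and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ttyd project): audit a ttyd argument list for
# the risk described in the security notice.
# Returns 0 when no auth header is configured or ttyd listens on a unix
# socket, 1 when an auth header is trusted on a TCP listener.
# Assumptions of this example: the first -i/-H on the line belong to ttyd
# (its options precede the command it runs), and an -i value that is an
# absolute path ending in .sock or .socket is a unix domain socket.
audit_ttyd_args() {
    header="" iface="" seen_h=0 seen_i=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -H|--auth-header)
                [ "$seen_h" -eq 1 ] || { header="${2-}"; seen_h=1; }
                [ "$#" -lt 2 ] || shift ;;
            --auth-header=*)
                [ "$seen_h" -eq 1 ] || { header="${1#*=}"; seen_h=1; } ;;
            -i|--interface)
                [ "$seen_i" -eq 1 ] || { iface="${2-}"; seen_i=1; }
                [ "$#" -lt 2 ] || shift ;;
            --interface=*)
                [ "$seen_i" -eq 1 ] || { iface="${1#*=}"; seen_i=1; } ;;
        esac
        shift
    done
    if [ -z "$header" ]; then
        echo "OK: no auth header configured"; return 0
    fi
    case "$iface" in
        /*.sock|/*.socket)
            echo "OK: $header trusted only via unix socket $iface"; return 0 ;;
    esac
    echo "RISK: $header is trusted on a TCP listener (-i '${iface:-<not set>}');" \
         "bind to a unix socket or firewall direct access"
    return 1
}

# Constructed command lines, for illustration only.
audit_ttyd_args -i /tmp/ttyd.sock -H X-WEBAUTH-USER bash || true
audit_ttyd_args -p 7681 -H X-WEBAUTH-USER bash || true
```

To audit a running instance, pass the function the arguments of the ttyd process as they appear in the process list.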
Running Proxy Server
Sample configurations for Apache and nginx proxies with basic auth.
- Apache

    <VirtualHost *:80>
        <Proxy *>
            AuthType Basic
            AuthName ttyd
            AuthBasicProvider file
            AuthUserFile /etc/apache2/ttyd_htpasswd
            Require valid-user

            RewriteEngine On
            RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
            RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
        </Proxy>

        RequestHeader unset Authorization
        ProxyRequests Off
        ProxyPass /ws unix:/tmp/ttyd.sock|ws://localhost/ws
        ProxyPass / unix:/tmp/ttyd.sock|http://localhost/
        ProxyPassReverse / unix:/tmp/ttyd.sock|http://localhost/
    </VirtualHost>
- Nginx

    location / {
        auth_basic "ttyd";
        auth_basic_user_file "/etc/apache2/ttyd_htpasswd";
        proxy_set_header X-WEBAUTH-USER $remote_user;
        proxy_set_header Authorization "";

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://unix:/tmp/ttyd.sock;
    }
You may also need to allow the web server's user (typically www-user on Linux) to access ttyd's unix domain socket file:
sudo chown www-data:www-data /tmp/ttyd.sock