Auth Proxy
Shuanglei Tao edited this page Aug 13, 2021 · 7 revisions
The --auth-header command-line flag configures ttyd to let an HTTP reverse proxy handle authentication.
Here is an example to make Apache's basic auth work with ttyd's auth proxy:
Running ttyd
Security NOTICE: Since the auth proxy feature makes ttyd trust any request with a non-empty X-WEBAUTH-USER header value, you should always start ttyd on a unix domain socket. If you really want ttyd to listen on an IP or interface, do not forget to use your firewall (for example, iptables on Linux) to block direct requests to ttyd from sources you do not trust.
ttyd -i /tmp/ttyd.sock -H X-WEBAUTH-USER bash
To make Apache work, the socket file also needs to be accessible to the www-data user:
sudo chown www-data:www-data /tmp/ttyd.sock
Running Apache
Add the following configuration to your Apache conf:
<VirtualHost *:80>
<Proxy *>
AuthType Basic
AuthName ttydAuthProxy
AuthBasicProvider file
AuthUserFile /etc/apache2/ttyd_htpasswd
Require valid-user
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass /ws unix:/tmp/ttyd.sock|ws://localhost/ws
ProxyPass / unix:/tmp/ttyd.sock|http://localhost/
ProxyPassReverse / unix:/tmp/ttyd.sock|http://localhost/
</VirtualHost>
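
The security notice above depends on two things: ttyd must not be reachable except through the proxy, and the proxy must overwrite X-WEBAUTH-USER rather than pass a client-supplied value through. The following checker is an added example, not part of the original page or of ttyd; the function names, the sample weak config and the rule that an absolute path after -i means a unix socket are assumptions made for illustration.

```python
import re
import shlex

HEADER = "X-WEBAUTH-USER"  # header name used on this page

def audit_ttyd(cmdline):
    """Findings for a ttyd command line that enables the auth proxy."""
    args = shlex.split(cmdline)
    opts = dict(zip(args, args[1:]))  # flag -> next token (heuristic, not getopt)
    if not {"-H", "--auth-header"} & opts.keys():
        return []  # auth proxy not enabled, nothing to check
    iface = opts.get("-i") or opts.get("--interface")
    # Assumption: an absolute path after -i is a unix domain socket.
    if iface is None or not iface.startswith("/"):
        return ["ttyd listens on TCP: any client that reaches it can send "
                + HEADER + " itself"]
    return []

def audit_apache(conf, header=HEADER):
    """Findings for an Apache config that fronts ttyd's auth proxy."""
    findings = []
    actions = [a.lower() for a in re.findall(
        rf"^\s*RequestHeader\s+(\S+)\s+{re.escape(header)}\b", conf, re.I | re.M)]
    if "set" not in actions:
        findings.append(f"{header} is never overwritten with 'RequestHeader set'")
    for action in actions:
        if action in ("add", "append", "merge", "setifempty"):
            findings.append(f"'RequestHeader {action}' keeps a client-supplied {header}")
    if not re.search(r"^\s*Require\s+valid-user\b", conf, re.I | re.M):
        findings.append("no 'Require valid-user' before the request is forwarded")
    for target in re.findall(r"^\s*ProxyPass\s+\S+\s+(\S+)", conf, re.I | re.M):
        if not target.lower().startswith("unix:"):
            findings.append(f"ProxyPass target {target} is a TCP backend")
    return findings

# Constructed weak config: header not overwritten, backend on a TCP port.
WEAK_CONF = """
<Proxy *>
  Require valid-user
  RequestHeader setifempty X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
ProxyPass / http://127.0.0.1:7681/
"""

if __name__ == "__main__":
    for finding in audit_ttyd("ttyd -p 7681 -H X-WEBAUTH-USER bash"):
        print("ttyd:", finding)
    for finding in audit_apache(WEAK_CONF):
        print("apache:", finding)
```

The ttyd command and Apache configuration shown on this page produce no findings; the constructed weak inputs produce one and three findings respectively.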