Manual
- install the Secure Shell extension in your browser, or, if you are using Chrome OS, install the app (source links: nassh-source, faq)
- usage: add
    --proxy-host=<your relay host/ip> [--proxy-port=8022] [--use-ssl] [--use-xhr]
  to your relay options
- Java 11+ runtime
- (optional) reverse proxy (nginx, caddy, traefik)
- download and unzip the installation package relay-1.1.12.zip
- edit the config.json file to your needs
- start the application with
    ./run.sh
- or via docker with
    docker run -d --name nassh-relay -p 8022:8022 -v /<path>/config.json:/opt/config.json zyclonite/nassh-relay
host - bind ip for the webservice listener (default: 0.0.0.0)
hostname - deprecated alias of host
port - port to listen on (default: 8022)
ssl - enable ssl (default: false)
pemKeyCertOptions.keyPath - private key (RSA or EC - PKCS12 encoded)
pemKeyCertOptions.cerPath - certificate (X509 encoded)
max-sessions - maximum allowed ssh client connections
tcp-session-timeout - timeout for the tcp tunnel to the ssh endpoint in seconds
auth-session-timeout - timeout for the google authenticated session in seconds
authentication - switches google authentication on or off (ssl recommended)
secure-cookie - secure cookies when authentication is turned on (default: true, turn it off if ssl is false)
items - list of networks or hosts that are not allowed for ssh clients (use cidr notation for networks)
items - requires fields (google plus userid), or and a list of networks or hosts similar to the blacklist (a host or network granted access for a user will override a blacklist entry)
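The blacklist and per-user override rule described above, sketched as an added example (not taken from the relay's source). The field names `user` and `networks`, the user id and all addresses are constructed assumptions; only the rule stated above is modelled: a target is refused if a blacklist entry covers it, unless a grant for that user covers it too.

```python
import ipaddress

# Constructed sample data; the field names "user" and "networks" are assumptions.
BLACKLIST = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.1"]
WHITELIST = [
    {"user": "1000000000001", "networks": ["10.20.30.0/24", "192.168.1.10"]},
]


def _nets(entries):
    """Parse hosts and CIDR networks; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covering(target, entries):
    """Return the entries that contain the target address.

    `target` must be an IP literal: resolve hostnames first and check the
    resolved address, otherwise a name can point anywhere.
    """
    addr = ipaddress.ip_address(target)
    return [str(n) for n in _nets(entries) if addr in n]


def is_allowed(target, user=None, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Decide whether `user` may tunnel to `target`; returns (allowed, reason)."""
    blocked_by = covering(target, blacklist)
    if not blocked_by:
        return True, "not blacklisted"
    for item in whitelist:
        if item["user"] == user:
            granted_by = covering(target, item["networks"])
            if granted_by:
                return True, f"grant {granted_by[0]} overrides {blocked_by[0]}"
    return False, f"blacklisted by {blocked_by[0]}"


def audit_overrides(blacklist=BLACKLIST, whitelist=WHITELIST):
    """List every per-user grant that opens a hole in a blacklist entry."""
    holes = []
    for item in whitelist:
        for grant in _nets(item["networks"]):
            for block in _nets(blacklist):
                if grant.version == block.version and grant.overlaps(block):
                    holes.append((item["user"], str(grant), str(block)))
    return holes
```

Running `audit_overrides()` over a real configuration gives a reviewable list of which users can reach which otherwise blocked networks through the relay.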
if you want to use authentication, you need to fill in client-id and client-secret from your API project (Google Cloud); to get these details, follow these steps:
- go to the API console
- create a project
- create Credentials -> OAuth client ID and add your relay url to Authorized JavaScript origins
- copy/paste Client ID and Client Secret to your config.json
- do not forget to switch authentication on
if you run the application behind a webserver, you need to pass an X-Real-IP header to be able to log the client ip
server {
    listen 80;
    listen [::]:80;
    server_name relay.wsn.at;

    # plain HTTP endpoints of the relay
    location /cookie {
        proxy_pass http://localhost:8022/cookie;
        proxy_set_header Host $server_name:$server_port;
        # pass the client address so the relay can log it
        proxy_set_header X-Real-IP $remote_addr;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
    }
    location /proxy {
        proxy_pass http://localhost:8022/proxy;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
    }
    location /read {
        proxy_pass http://localhost:8022/read;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
    }
    location /write {
        proxy_pass http://localhost:8022/write;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
    }

    # WebSocket endpoint: needs HTTP/1.1 and the client's Upgrade header
    location /connect {
        proxy_pass http://localhost:8022/connect;
        proxy_http_version 1.1;
        # forward the Upgrade token sent by the client ("websocket")
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 10m;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
    }
}