Skip to content
Lukas Prettenthaler edited this page Nov 10, 2021 · 23 revisions

Pre-Requirements

  • install the Secure Shell extension to your browser
    or if you are using Chrome-OS install the app
  • source-links: nassh-source faq
  • usage: add --proxy-host=<your relay host/ip> [--proxy-port=8022] [--use-ssl] [--use-xhr] to your relay options

Requirements

  • Java 11+ runtime
  • (optional) reverse proxy (nginx, caddy, traefik)

Installation

  • download and unzip the installation package relay-1.1.12.zip
  • edit the config.json file to your needs
  • start the application with ./run.sh
  • or via docker with docker run -d --name nassh-relay -p 8022:8022 -v /<path>/config.json:/opt/config.json zyclonite/nassh-relay

Configuration

webservice

host - bind ip for the webservice listener (default: 0.0.0.0)

hostname - deprecated alias of host

port - port to listen on (default: 8022)

ssl - enable ssl (default: false)

pemKeyCertOptions.keyPath - private key (RSA or EC - PKCS12 encoded)

pemKeyCertOptions.cerPath - certificate (X509 endoded)

application

max-sessions - maximum allowed ssh client connections

tcp-session-timeout - timeout for the tcp tunnel to the ssh endpoint in seconds

auth-session-timeout - timeout for the google authenticated session in seconds

authentication - switches google authentication on or off (ssl recommended)

secure-cookie - secure cookies when authentication is turned on (default: true, turn it off if ssl is false)

blacklist

items - list of networks or hosts that are not allowed for ssh clients (use cidr notation for networks)

accesslist

items - requires fields (google plus userid), or and a list of networks or hosts similar to the blacklist (a host or network granted access for a user will override a blacklist entry)

google-sso

if you want to use authentication, you need to fill in client-id and client-secret from your api project (google cloud), to get this details follow these steps

  • goto api console
  • create a project
  • create Credentials -> OAuth client ID and add your relay url to Authorized JavaScript origins
  • copy/paste Client ID and Client Secret to your config.json
  • do not forget to switch authentication on

Nginx proxy config

if you run the application behind a webserver, you need to pass a X-Real-IP header to be able to log the client ip

example configuration

server {
    listen 80;
    listen [::]:80;

    server_name relay.wsn.at;

    location /cookie {
            proxy_pass http://localhost:8022/cookie;
            proxy_set_header Host $server_name:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_max_temp_file_size 0;
            proxy_buffering off;
    }

    location /proxy {
            proxy_pass http://localhost:8022/proxy;
            proxy_set_header Host $server_name:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_max_temp_file_size 0;
            proxy_buffering off;
    }

    location /read {
            proxy_pass http://localhost:8022/read;
            proxy_set_header Host $server_name:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_max_temp_file_size 0;
            proxy_buffering off;
    }

    location /write {
            proxy_pass http://localhost:8022/write;
            proxy_set_header Host $server_name:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_max_temp_file_size 0;
            proxy_buffering off;
    }

    location /connect {
            proxy_pass http://localhost:8022/connect;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $server_name:$server_port;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 10m;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_max_temp_file_size 0;
            proxy_buffering off;
    }
}
Clone this wiki locally