首页 > 编程语言 >使用 Python WebSSH 从浏览器连接到SSH终端

使用 Python WebSSH 从浏览器连接到SSH终端

时间:2023-06-29 21:23:26浏览次数:43  
标签:Python WebSSH server Nginx SSH configuration your

Introduction

Ordinarily, you connect to an SSH server using a command line app in a terminal, or terminal emulator software that includes an SSH client. Some tools, like Python’s WebSSH, make it possible to connect over SSH and run a terminal directly in your web browser.

This can be useful in a number of situations. It is particularly helpful for giving live presentations or demos, when it would be challenging to share a regular terminal window in a way that makes visual sense. It can also be helpful in educational settings when granting access to command line novices, as it avoids them needing to install software on their machines (especially on Windows, where the default options come with caveats). Finally, Python’s WebSSH in particular is very portable and requires no dependencies other than Python to get up and running. Other web-based terminal stacks can be much more complicated, and specific to Linux.

In this tutorial, you will set up WebSSH and connect over SSH in your browser. You will then optionally secure it with an SSL certificate and run it behind an Nginx reverse proxy for a production deployment.

Prerequisites

  • A Windows, Mac, or Linux environment with a running SSH service. It can be useful to run WebSSH locally, but if you don’t have an SSH service running on a local machine, you can use a remote Linux server by following our initial server setup guide for Ubuntu 22.04.

  • The Python programming language installed along with pip, its package manager. You can install Python and pip on Ubuntu by following Step 1 of this tutorial.

  • Optionally, to enable HTTPS in the browser, you will need SSL certificates and your own domain name. You can obtain them by following How To Use Certbot Standalone Mode to Retrieve Let’s Encrypt SSL Certificates. If you do not have your own domain name, you can use an IP address for the first two steps of this tutorial.

Step 1 – Installing WebSSH

If you’ve already installed Python and pip, you should be able to install Python packages from PyPI, the Python software repository. WebSSH is designed to be installed and run directly from the command line, so you won’t need to set up another virtual environment as discussed in the How To Install Python 3 and Set Up a Programming Environment. Virtual environments are more useful when working on your own projects, not when installing system-wide tools.

Use pip install to install the WebSSH package:

Output…
Successfully built webssh
Installing collected packages: tornado, pycparser, cffi, pynacl, paramiko, webssh
Successfully installed cffi-1.15.1 paramiko-2.11.0 pycparser-2.21 pynacl-1.5.0 tornado-6.2 webssh-1.6.0

Installing via sudo will install the wssh command globally. You can verify this by using which wssh:

Output/usr/local/bin/wssh

You’ve now installed WebSSH. In the next step, you’ll run and connect to it. First, though, you’ll need to add a firewall rule. WebSSH runs on port 8888 by default. If you are using ufw as a firewall, allow that port through ufw:

You’ll revisit that firewall rule later in this tutorial.

Step 2 – Running and Connecting to WebSSH

If you’re running WebSSH on a local machine, you can run wssh by itself with no additional arguments to start. If you’re running WebSSH on a remote server, you’ll need to add the --fbidhttp=False flag to allow remote connections over regular HTTP. This is not secure if you are connecting over an unprotected network, but it is useful for a demo, and you will secure WebSSH later in this tutorial.

Now you can connect to WebSSH and log in. Navigate to your_domain:8888 in a web browser (using localhost in place of your_domain if you are running locally). You will see the WebSSH login page:

WebSSH login page

Provide your regular SSH credentials. If you followed DigitalOcean’s initial server setup guide, you will be using key-based authentication rather than a password. That means you should only need to specify the Hostname of the server you’re connecting to, your Username for the server, and your SSH key, which should be located in the .ssh/ folder within your local home directory (usually named id_rsa).

Note: As you might guess from having to manually specify a Hostname, WebSSH can also be used to connect to servers other than the one it is running on. For this tutorial, it is being run on the same server you are connecting to.

Click the Connect button, and you should be greeted with your default terminal welcome prompt:

WebSSH command line

At this point, you can use your terminal as normal, exactly as if you’d connected over SSH. Multiple users can also connect through the same WebSSH instance simultaneously. If you are running WebSSH on a local machine solely for the purpose of streaming or capturing video, this may be all you need. You can enter Ctrl+C in the terminal that you launched WebSSH from (not the WebSSH terminal) to stop the WebSSH server when finished.

If you are running on a remote server, you will not want to use WebSSH in production behind an unsecured HTTP connection. Although you would still be protected by your SSH service’s authentication mechanism, using an SSH connection over HTTP poses a significant security risk, and will likely allow others to steal your SSH credentials. In the next steps, you’ll secure your WebSSH instance so that it is no less safe than a regular SSH connection.

Step 3 – (Optional) Securing WebSSH with an SSL Certificate

To complete this step, you should have already obtained your own domain name and SSL certificates. One way to do that is by using LetsEncrypt in standalone mode.

When LetsEncrypt retrieves certificates, by default, it stores them in /etc/letsencrypt/live/your_domain. Check to make sure that you have them:

OutputREADME  cert.pem  chain.pem  fullchain.pem  privkey.pem

To run WebSSH with HTTPS support, you’ll need to provide a path to a cert, and a path to a key. These are fullchain.pem and privkey.pem. By default, WebSSH provides HTTPS access on port 4433, so open that port in your firewall as well:

Next, you’ll need to allow

Then, run WebSSH with the paths to your cert and your key:

In a web browser, navigate to https://your_domain:4433, and you should see the same interface as in the prior step, now with HTTPS support. This is now enough setup for a safe production configuration. However, you’re still running the wssh app directly from your terminal, and you’re accessing it in the browser from an unusual port. In the last two steps of this tutorial, you will remove both of these limitations.

Step 4 – (Optional) Running WebSSH Behind an Nginx Reverse Proxy

Putting a web server such as Nginx in front of other web-facing applications can improve performance and make it much more straightforward to secure a site. You’ll install Nginx and configure it to reverse proxy requests to WebSSH, meaning it will take care of handling requests from your users to WebSSH and back again.

Refresh your package list, then install Nginx using apt:

If you are using a ufw firewall, you should make some changes to your firewall configuration at this point, to enable access to the default HTTP/HTTPS ports, 80 and 443. ufw has a stock configuration called “Nginx Full” which provides access to both of these ports:

Nginx allows you to add per-site configurations to individual files in a subdirectory called sites-available/. Using nano or your favorite text editor, create a new Nginx configuration at /etc/nginx/sites-available/webssh:

Paste the following into the new configuration file, being sure to replace your_domain with your domain name.

/etc/nginx/sites-available/webssh

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name your_domain www.your_domain
    root /var/www/html;

    access_log /var/log/nginx/webssh.access.log;
    error_log /var/log/nginx/webssh.error.log;

    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_http_version 1.1;
        proxy_read_timeout 300;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
    }

    listen 443 ssl;
    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

You can read this configuration as having three main “blocks” to it. The first block, coming before the location / line, contains a boilerplate Nginx configuration for serving a website on the default HTTP port, 80. The location / block contains a configuration for proxying incoming connections to WebSSH, running on port 8888 internally, while preserving SSL. The configuration at the end of the file, after the location / block, loads your LetsEncrypt SSL keypairs and redirects HTTP connections to HTTPS.

Save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.

Next, you’ll need to activate this new configuration. Nginx’s convention is to create symbolic links (like shortcuts) from files in sites-available/ to another folder called sites-enabled/ as you decide to enable or disable them. Using full paths for clarity, make that link:

By default, Nginx includes another configuration file at /etc/nginx/sites-available/default, linked to /etc/nginx/sites-enabled/default, which also serves its default index page. You’ll want to disable that rule by removing it from /sites-enabled, because it conflicts with your new WebSSH configuration:

Note: The Nginx configuration in this tutorial is designed to serve a single application, WebSSH. You could expand this Nginx configuration to serve multiple applications on the same server by following the Nginx documentation.

Next, run nginx -t to verify your configuration before restarting Nginx:

Outputnginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now you can restart your Nginx service, so it will reflect your new configuration:

Finally, you can remove the firewall rules you created earlier for accessing WebSSH directly, since all traffic will now be handled by Nginx over the standard HTTP/HTTPS ports:

Restart webssh on the command line:

You do not need to provide the cert and key paths this time, since Nginx is handling that. Then navigate to your_domain in a web browser.

Notice that the WebSSH is now being served over HTTPS via Nginx without needing to specify a port. At this point, you have automated everything except launching wssh itself. You will do that in the final step.

Step 5 – (Optional) Creating a Systemd Service for WebSSH

Deploying server-side applications that do not automatically run in the background can be unintuitive at first, since you’d need to start them directly from the command line every time. The solution to this is to set up your own background service.

To do this, you’ll create a unit file that can be used by your server’s init system. On nearly all modern Linux distros, the init system is called Systemd, and you can interact with it by using the systemctl command.

If WebSSH is still running in your terminal, press Ctrl+C to stop it. Then, using nano or your favorite text editor, open a new file called /etc/systemd/system/webssh.service:

Your unit file needs, at minimum, a [Unit] section, a [Service] section, and an [Install] section:

/etc/systemd/system/webssh.service

[Unit]
Description=WebSSH terminal interface
After=network.target

[Service]
User=www-data
Group=www-data
ExecStart=wssh

[Install]
WantedBy=multi-user.target

This file can be broken down as follows:

  • The [Unit] section contains a plaintext description of your new service, as well as an After hook that specifies when it should be run at system startup, in this case after your server’s networking interfaces have come up.

  • The [Service] section specifies which command should actually be run, as well as which user should be running it. In this case, www-data is the default Nginx user on a Ubuntu server, and wssh is the command itself.

  • The [Install] section contains only the WantedBy=multi-user.target line, which works together with the After line in the [Unit] section to ensure that the service is started when the server is ready to accept user logins.

Save and close the file. You can now start your new WebSSH service, and enable it to run on boot automatically:

Use systemctl status webssh to verify that it started successfully. You should receive similar output to when you first ran the command in a terminal.

Output● webssh.service - WebSSH terminal interface
     Loaded: loaded (/etc/systemd/system/webssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-08-11 22:08:25 UTC; 2s ago
   Main PID: 15678 (wssh)
      Tasks: 1 (limit: 1119)
     Memory: 20.2M
        CPU: 300ms
     CGroup: /system.slice/webssh.service
             └─15678 /usr/bin/python3 /usr/local/bin/wssh

Aug 11 22:08:25 webssh22 systemd[1]: Started WebSSH terminal interface.
Aug 11 22:08:26 webssh22 wssh[15678]: [I 220811 22:08:26 settings:125] WarningPolicy
Aug 11 22:08:26 webssh22 wssh[15678]: [I 220811 22:08:26 main:38] Listening on :8888 (http)

You can now reload https://your_domain in your browser, and you should once again get the WebSSH interface. From now on, WebSSH and Nginx will automatically restart with your server and run in the background.

Conclusion

In this tutorial, you installed WebSSH, a portable solution for providing a command line interface in a web browser. You improved your deployment by adding SSL, then by adding an Nginx reverse proxy, and finally by creating a system service for WebSSH. This is a good model for deploying small server-side web applications in general, and particularly important for SSH, which relies on key pairs for security.

Next, you may want to learn about other connection options for SSH.

标签:Python,WebSSH,server,Nginx,SSH,configuration,your
From: https://www.cnblogs.com/colinyang/p/17515232.html

相关文章

  • 软件测试|Python科学计算神器numpy教程(二)
    前言上一篇文章我们介绍了numpy的安装和ndarray的部分知识,本篇文章我们来介绍一下numpy的数组的常用属性以及创建数组相关内容。数组常用属性ndarray.shapeshape属性的返回值一个由数组维度构成的元组,比如2行3列的二维数组可以表示为(2,3),该属性可以用来调整数组维度的大小,示......
  • Python面向对象之元类
    Python面向对象之元类【一】前言引入千万不要被所谓“元类是99%的python程序员不会用到的特性”这类的说辞吓住。因为每个中国人,都是天生的元类使用者我们引用太极的思想道生一,一生二,二生三,三生万物即我是谁?我从哪里来?我到哪里去?我们拿到Python中type就相当于我们......
  • python使用 flask+vue 制作前后端分离图书信息管理系统
    哈喽兄弟们,今天咱们来用Python实现一个前后端分离的图书信息管理系统。制作前后端分离图书信息管理系统的思路:1、前端部分首先,我们可以使用VueJS作为前端框架,并通过VueCLI工具进行创建和管理项目。2、后端部分后端部分我们可以采用PythonFlask框架,这个框......
  • python 字符串前加f、r、b、u
    python字符串前加f、r、b、u一、字符串前加"f"%可以使用%格式化字符串。c=(250,250)#使用%格式化s1="坐标为:%s"%c#TypeError:notallargumentsconvertedduringstringformattings1="坐标为:%s"%(c,)#'坐标为:(250,250)'#使用format格式化......
  • python 中 fnmatch模块, textwrap 模块
    python中fnmatch模块,textwrap模块fnmatch模块查找文件使用fnmatch来查找特定的文件,大部分情况下,使用字符串匹配查找特定的文件就能满足需求,如果需要更加灵活的字符串匹配,可以使用标准库中的fnmatch库,这个库专门用来进行文件名匹配,支持使用通配符进行文件名的匹配1、fnmatc......
  • Centos7 集群SSH无密码用户免密登录配置
    例:配置集群1的A,B,C三台Centos7的test无密码用户免密登录1,在A机器执行ssh-kengen生成秘钥,一路回车[root@lmslms]#su-test[test@test~]#ssh-keygenGeneratingpublic/privatersakeypair.Enterfileinwhichtosavethekey(/root/.ssh/id_rsa):Enterpassphrase......
  • Python seaborn库绘图
    一直没搞清楚这个库到底是怎么工作的贴个链接在这里,及时整理!参考链接https://zhuanlan.zhihu.com/p/75477750https://zhuanlan.zhihu.com/p/158751106......
  • Python报错 | PermissionError: [Errno 13] Permission denied: 'xxx'
    报错信息使用python对模型进行输出文件的过程中,报如下错误:PermissionError:[Errno13]Permissiondenied:'xxx'错误原因报错翻译过来是:权限错误:[errno13]权限被拒绝:错误产生的原因是文件无法打开,可能产生的原因是文件找不到,或者被占用,或者无权限访问,或者打开的不是文......
  • 【python爬虫案例】用python爬豆瓣电影TOP250排行榜!
    一、爬虫对象-豆瓣电影TOP250前几天,我分享了一个python爬虫案例,爬取豆瓣读书TOP250数据:【python爬虫案例】用python爬豆瓣读书TOP250排行榜!今天,我再分享一期,python爬取豆瓣电影TOP250数据!爬虫大体流程和豆瓣读书TOP250类似,细节之处见逻辑。首先,打开豆瓣电影TOP250的页面:https......
  • python线程简单使用
    简单使用python定义多线程列子,供读者参考:在下面的示例中,我们定义了两个函数func1和func2,它们都将在新线程中运行。然后,我们使用threading.Thread构造函数创建了两个新线程,并将func1和func2函数作为目标。最后,我们启动了两个线程,并使用join方法等待它们结束。但需要注意的是,如......