shellinabox With Apache Authentication Over HTTPS 443

By | 2010/12/15

shellinabox is an amazing web-based SSH client. It is very handy if you are not on a machine with a good terminal app, if you are behind a filter that blocks port 22, or if you want a good web-based shell to use on something like a ChromeOS notebook.

This guide shows how to install and set up shellinabox on Ubuntu or Debian over a secure port (standard HTTPS 443) and require a login prompt before reaching the shellinabox interface, as an extra layer of security.


1. Grab the latest deb from the project page.

2. Install the deb:

sudo dpkg -i shellinabox*.deb

3. Edit the shellinabox init file so that it listens on localhost only:

sudo nano /etc/init.d/shellinabox

Add this line under ‘Set some default values’

SHELLINABOX_ARGS="--localhost-only"

Mine looks like this now:

# Set some default values
SHELLINABOX_DATADIR="${SHELLINABOX_DATADIR:-/var/lib/shellinabox}"
SHELLINABOX_PORT="${SHELLINABOX_PORT:-4200}"
SHELLINABOX_USER="${SHELLINABOX_USER:-shellinabox}"
SHELLINABOX_GROUP="${SHELLINABOX_GROUP:-shellinabox}"
SHELLINABOX_ARGS="--localhost-only"

Now enable some apache proxy modules:

4. sudo a2enmod proxy

5. sudo a2enmod proxy_http


[If you do not want apache authentication, skip steps 6 and 7!]


6. Create an apache authenticated user (Example here creates a username admin).

sudo htpasswd -c /etc/apache2/.htpasswd admin

password:
repeat password:

7. Edit the apache2 proxy module config file to require this authenticated user for this proxy.

sudo nano /etc/apache2/mods-available/proxy.conf

ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    AuthUserFile /etc/apache2/.htpasswd
    AuthName EnterPassword
    AuthType Basic
    require user admin
    Order deny,allow
    Allow from all
    #Allow from .example.com
</Proxy>

8. Edit the default-ssl apache2 config file as described below.

sudo nano /etc/apache2/sites-available/default-ssl

AFTER the VirtualHost listing, but before the end of IfModule put something like this:

</VirtualHost>

<Location /shell>
ProxyPass http://localhost:4200/
</Location>

</IfModule>

9. Restart shellinabox and then restart apache.

sudo /etc/init.d/shellinabox restart

sudo /etc/init.d/apache2 restart

10. Browse to https://yourservername.com/shell

You should first be prompted for the Apache htpasswd authentication. Once you supply that, you are brought to your shellinabox session, which prompts for a local SSH login. All over HTTPS on port 443.


Sweet!
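
Added example, not part of the original post: a commenter below observes that the <Location /shell> block from step 8 sits outside the VirtualHost and so is not limited to port 443. The shell function here (its name and the two constructed sample files are assumptions made for illustration) reports which context each matching <Location> block is in, so the placement can be checked after editing.

```shell
#!/bin/sh
# Added example, not from the original post. Prints "LINE:CONTEXT" for each
# <Location PATH> block: ssl-vhost (inside a :443 VirtualHost), plain-vhost
# (inside another VirtualHost) or server-wide (outside every VirtualHost).
# Exit status is 0 only if at least one block matches and all are ssl-vhost.
audit_shell_location() {   # usage: audit_shell_location FILE [PATH]
    awk -v loc="${2:-/shell}" '
        BEGIN { ctx = "server-wide" }
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        { tag = tolower($1) }
        tag == "<virtualhost" { ctx = ($0 ~ /:443([ \t>]|$)/) ? "ssl-vhost" : "plain-vhost" }
        tag == "</virtualhost>" { ctx = "server-wide" }
        tag == "<location" {
            path = $2; gsub(/[">]/, "", path)    # strip quotes and closing >
            if (path == loc) {
                found++
                if (ctx != "ssl-vhost") bad++
                print NR ":" ctx
            }
        }
        END { exit ((found > 0 && bad == 0) ? 0 : 1) }
    ' "$1"
}

# Constructed sample files: the layout from step 8, then the block moved inside.
tmp=$(mktemp -d)
cat > "$tmp/as-posted.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
<Location /shell>
    ProxyPass http://localhost:4200/
</Location>
</IfModule>
EOF
cat > "$tmp/inside-vhost.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    SSLEngine on
    <Location /shell>
        ProxyPass http://localhost:4200/
    </Location>
</VirtualHost>
</IfModule>
EOF
audit_shell_location "$tmp/as-posted.conf"    || echo "REVIEW: /shell is not limited to the :443 vhost"
audit_shell_location "$tmp/inside-vhost.conf" && echo "OK: /shell is only defined inside the :443 vhost"
```

Point it at the site file Apache actually loads; one commenter below had to edit the copy under /etc/apache2/sites-enabled rather than sites-available.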

20 thoughts on “shellinabox With Apache Authentication Over HTTPS 443”

  1. Andy

    I get a blank page when I try this, any guesses?

    1. Brian

      What does your Apache ssl error log have to say?

  2. Kromm

    Thanks for the detailed instructions.
    I managed to entangle myself anyways but working fine now.
    Cheers.

  3. Otto

    I have literally just struggled hours to get ajaxterm working until I saw this, Thank you so much! This works better than ever imagined!!!

  4. chris

    I changed to this from ajaxterm... ajaxterm is good but too many limitations and timeouts that can't be changed

  5. James

    Awesome, flawless guide you have, I will ensure I have this bookmarked.

  6. Leonardo Marino-Ramirez

    Great post on configuring shellinabox. I would like to add the following on apache authentication:

    One could use libapache2-mod-authn-sasl instead of creating an apache authenticated user with htpasswd. Here after installing the module using:
    apt-get install libapache2-mod-authn-sasl
    proxy.conf will look like:

    AddDefaultCharset off
    AuthName "Enter Username and Password"
    AuthType Basic
    AuthBasicProvider sasl
    AuthBasicAuthoritative On
    AuthSaslPwcheckMethod saslauthd
    Require user *** list of authorized users ***
    Order deny,allow
    Allow from all

  7. Mads Vering

    Have been trying to make this work for a VERY long time. I have not yet succeeded, not even with this tutorial. If I set up shellinabox to listen to port 443 and disable the default_ssl.conf for apache, I can successfully log into shellinabox from a remote computer.

    But instead of the url being https://mydomain.com I want it to be https://mydomaint.com/shell

    I found this tutorial and was very happy, but I simply cannot make it work. When I do like described here, I simply get “This webpage is not available” from Chrome. In access.log and error.log there is just nothing regarding my request to https://mydomain.com/shell. There are some other things in the log:

    [Sat Oct 31 17:56:50.552729 2015] [mpm_prefork:notice] [pid 25904] AH00169: caught SIGTERM, shutting down
    [Sat Oct 31 17:56:51.993693 2015] [mpm_prefork:notice] [pid 26017] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 configured -- resuming normal operations
    [Sat Oct 31 17:56:51.993875 2015] [core:notice] [pid 26017] AH00094: Command line: '/usr/sbin/apache2'

    But as far as I can tell from searching the net, this should not be any issue.

  8. Mads Vering

    OMG: I did not have SSL enabled on apache! For so long I have been struggling with this. I thought it was sort of default:

    netstat -anp | grep apache should give this
    tcp6 0 0 :::443 :::* LISTEN 2840/apache2
    tcp6 0 0 :::80 :::* LISTEN 2840/apache2

    and not only this
    tcp6 0 0 :::80 :::* LISTEN 2840/apache2

  9. Domingo

    This is a great guide and it works flawlessly!
    However I have a question: You have ProxyPass pointing to http://localhost:4200/. So this is not https? Are you sure then that the whole traffic to shellinabox is encrypted?

  10. John

    It's hard to explain but yes, it's encrypted as https gets, it goes over HTTPS from your browser to apache2 server, and then a LOCAL connection is made on server via HTTP to LOCAL shellinabox, outside net will not see this.

    I hope I made myself clear.

    thanks
    john

  11. John

    /\ _____________ _____________ _______________ ______________ ___ ___
    / \ | ___________ | | ________ | | ____________| | ___________| \ \ / /
    | | | | | | | | | | | \ \ / /
    | | |___________ | | | | | | | | \ \ __ / /
    | |___________ | | | | | | | | | \ _ _/
    | | | | | | | | | | | | |
    ___________| | | |________| | | | | | | |
    |______________| |_____________| |___| | __ | | ___ |

    should have been a reply…

  12. Rohit Mukund

    Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /shell.

    Reason: Error reading from remote server

    I can't get it right, why

  13. Mark Fischer

    To Rohit’s comment, I think the problem is that shellinabox now defaults to redirecting its own inbound requests to SSL, and unless your proxy is configured to handle the SSL certificate on the proxy, it fails. Since the connection between apache and shellinabox is local, as noted above, it is safe for it to happen without SSL. So, I solved it by making shellinabox disable SSL for its own interface. This is done with an additional argument as follows:
    SHELLINABOX_ARGS="--localhost-only --disable-ssl"

    I think the above does not change the fact that traffic to and from the server goes over https.

    As a side note, I think the location config above does not seem to prevent accessing the /shell path over plain http… maybe somebody can comment but it seems that path should be limited to port 443, maybe by including the location directive inside the VirtualHost? Maybe somebody with better apache experience can comment on this.

    1. TerraRoot Lande

      Thanks Mark, that did something for me, now it's:
      Service Unavailable

      The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

      Apache/2.4.25 (Debian) Server at mine.mine.com Port 443

    2. Mark Fischer

      Answering my own question, I believe the block should be INSIDE the host for SSL to limit access to SSL connections. Tested and working on Ubuntu and RHEL. Otherwise, on a public facing server, it is all too easy to accidentally hit without HTTPS and have your SSH credentials sniffed.

      1. Mark Fischer

        Apache would throw that error if a proxied service is not available. Make sure that your Apache config is pointing to shellinabox on the port it’s running on and make sure shellinabox is running properly first. You can verify the latter by hitting shellinabox directly on localhost on your server if you have a GUI and a browser (or maybe with lynx from a shell). Or, ssh into your box with putty or similar and forward a port to the shellinabox port on the server then hit it with your desktop browser.

        1. TerraRoot Lande

          Cheers, I fixed it in the end, --localhost-only seemed to break it. Removed that and all was well again. Probably caused more harm than good trying to fix it on my phone over 3g, stupid work firewalls.

  14. Codfish Scarf

    Rather than modifying /etc/apache2/sites-available/default-ssl , I had to modify the equivalent file in /etc/apache2/sites-enabled. This may have been an artifact of using letsencrypt. But nevertheless, thanks for this great article. Worked like a charm on my raspberry pi! 🙂
