Let's say you need to access your Ubuntu Linux PC at home from another PC behind a very restrictive firewall. Let's also say that all you have access to is port 80 (HTTP) and port 443 (HTTPS). Let's unlock this situation. I'll show you how to set up Shell In A Box with an additional layer of security provided by Apache2 SSL. A prerequisite for the following guide is a fully working Apache 2 installation on your Ubuntu system. If you need instructions for this, you can find them in one of my older posts:
Ubuntu Netbeans and LAMP server with Xdebug as non-root user
In this post I'll mostly give you CLI commands without too much explanation, so it is up to you to go through the procedure and adjust it according to your own setup. The reason for this approach is that the procedure is a bit long and a full explanation could run to 10 pages. Of course I'll give a basic explanation of the most important commands. So let's get down to business...
Basic HTTPS Shell In A Box
First we download and install Shell In A Box. You can download the .deb file for your operating system's architecture by visiting the Shell In A Box official page here.
Next we install Shell In A Box:
sudo dpkg -i shellinabox*.deb
Now we need to add a few options to the Shell In A Box defaults file:
sudo gedit /etc/default/shellinabox
You need to replace the line:
SHELLINABOX_ARGS="--no-beep"
with the line:
SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"
With --localhost-only the daemon accepts connections only on the loopback interface, and with --disable-ssl it speaks plain HTTP, leaving TLS to Apache. Let's enable the necessary Apache2 modules:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
Now we need to copy the default Apache 2 SSL virtual host and modify it for our purpose:
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl-shellinabox
sudo gedit /etc/apache2/sites-available/default-ssl-shellinabox
We need to add the following inside the <VirtualHost> </VirtualHost> tags:
<Location /shell>
    ProxyPass http://localhost:4200/
    Order allow,deny
    Allow from all
</Location>
Now we enable our new site and restart the Shell In A Box and Apache2 services:
sudo a2ensite default-ssl-shellinabox
sudo service shellinabox restart
sudo service apache2 restart
Custom self-signed SSL certificate
You can already access your Ubuntu Linux PC's shell at https://localhost/shell. If you also want an additional layer of security using HTTP authentication, besides your account's user name and password, read on. Ubuntu comes with a "default" SSL certificate, so your https page already works, but the safe bet is to create a custom self-signed SSL certificate. This process will require a password (make up something complex) that you'll need to remember or write down. When the process asks you for things like country, name etc. feel free to leave them blank, I do. If you set the "Common Name" field to, say, www.TechyTalk.info, the certificate could only be used on www.TechyTalk.info, so the best way is to leave everything blank for our "hobby" purpose.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl/
The openssl rsa step strips the passphrase so Apache can start unattended; the resulting server.key is an unencrypted private key, so keep it readable by root only. Now we will adjust our Apache2 virtual host and point it to the SSL certificate we have just created:
sudo gedit /etc/apache2/sites-enabled/default-ssl-shellinabox
Adjust the "SSLCertificateFile" and "SSLCertificateKeyFile" lines to the following:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
If you don't plan to set up HTTP authentication, restart Apache2 now; otherwise you can proceed.
sudo service apache2 restart
HTTP authentication
So now our site is using our custom SSL certificate. The next thing is to set up HTTP authentication. The intention is to require an additional password besides your account's password to access your PC (you can never be too safe). Here are the commands to make this happen with your additional user name (make sure to replace ##USERNAME## with your username):
sudo htpasswd -c /etc/apache2/.htpasswd ##USERNAME##
Please remember the password you gave to htpasswd, because this password will be used for HTTP authentication.
Now we need to modify the Apache2 mod_proxy .conf file to allow authenticating as ##USERNAME##. Make sure to replace ##USERNAME## with your username.
sudo gedit /etc/apache2/mods-available/proxy.conf
We need to modify it like this:
ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    AuthUserFile /etc/apache2/.htpasswd
    AuthName EnterPassword
    AuthType Basic
    require user ##USERNAME##
    Order allow,deny
    Allow from all
</Proxy>
Now we restart Apache2:
sudo service apache2 restart
That's it. Now you go to https://localhost/shell, enter the HTTP user name and password, then the Ubuntu Linux user name and password, and do whatever you want to do on your PC remotely. In addition, if you connect using ADSL or wireless broadband it is useful to set up something like DynDns so you can access your PC using a user-friendly domain name.
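As an added example that is not part of the original post, here is a small POSIX shell script that checks the three properties this setup relies on: shellinabox bound to loopback with its own SSL off, port 4200 not reachable from the network, and Apache answering unauthenticated requests to /shell with 401. Port 4200 and the /shell path come from the post; the script name, the use of ss and curl, and the live-run flag are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the layout
# above (shellinabox on loopback:4200 with its own SSL off, Apache terminating
# TLS and enforcing Basic auth on /shell). Port 4200 and the /shell path are
# the post's values; the script name and the ss/curl usage are assumptions.

# 1. SHELLINABOX_ARGS must keep the daemon on loopback with SSL disabled.
#    Returns 0 only when both flags are present.
check_args() {
    case "$1" in *--localhost-only*) ;; *) return 1 ;; esac
    case "$1" in *--disable-ssl*) return 0 ;; *) return 1 ;; esac
}

# 2. Given `ss -ltn` output, port 4200 must be bound only to a loopback
#    address. A 0.0.0.0:4200, [::]:4200 or *:4200 listener means the
#    plain-HTTP daemon is reachable directly, bypassing Apache's TLS and auth.
#    Returns 1 when no 4200 listener is seen at all (daemon not running).
check_listener() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:4200$/ {
            seen = 1
            addr = $4; sub(/:4200$/, "", addr)
            if (addr !~ /^127\./ && addr != "[::1]") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# 3. An unauthenticated request to /shell must be refused with 401 by Apache.
check_auth_status() { [ "$1" = "401" ]; }

# Live run: sh check.sh --live (skipped otherwise so the functions can be sourced).
if [ "${1:-}" = "--live" ]; then
    args=$(grep '^SHELLINABOX_ARGS=' /etc/default/shellinabox 2>/dev/null)
    if check_args "$args"; then echo "args: ok"; else echo "args: FAIL"; fi
    if check_listener "$(ss -ltn 2>/dev/null)"; then echo "listener: ok"; else echo "listener: FAIL"; fi
    code=$(curl -sk -o /dev/null -w '%{http_code}' https://localhost/shell)
    if check_auth_status "$code"; then echo "auth: ok"; else echo "auth: FAIL (got $code)"; fi
fi
```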
This post is a bit longer so there's a lot of room for mistakes on my part and yours. So please, if something doesn't work, comment here so I can correct any mistakes. Cheers!
Hi,
Thank you for this great tutorial. It worked flawlessly for me other than the part where we download and install Shell In A Box. I downloaded/installed it with the .deb file from a web search. But all the configuration commands worked without a hitch.
I was wondering if you have tried WebDAV over HTTPS as a personal online storage solution; if so, can you direct us on that?
Hello Andy,
I'm glad you found it useful. About the downloading issue, I've updated the article to reflect some changes on Google Code, which hosts the project in question.
Unfortunately I do not have much experience with webdav so I can’t be of any assistance to you.
hi,
Very good sir... at least I solved my one-week problem :). BTW, can you email me how to access via https://localhost:4200? It said error 102, server refused the connection.
And how to enable root login... currently shellinabox allows user login only.
I already enabled root.
Hope you can help me sir...
Great tutorial, but I'm having an issue. I can't reach my server from beyond my gateway. I'm forwarding outside 443 to the inside server on 4200 but not getting a connection. Firefox is giving
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
whereas IE and Chrome just say they cannot connect.
I'm able to get there through port 80, which is fine since I have the server in a DMZ and nothing important is happening yet, but of course I'd prefer SSL now so I can use it later 🙂
I forgot to mention that I am able to hit https://localhost/shell, it's only when I'm remote that I can't hit it.
Hello. This is to access a shell from the job to the home.
But what if we need to reach a shell from home to the job?
For home office purposes.
Thank you
Hello,
Thanks for this tutorial, it's the only one that actually works (among a dozen tested configurations ^_^)!!!!
Awesome !!!
Again, Thank you a lot.
Brilliant, many thanks for this tutorial!
Works exactly as I wanted!
~Mike
Thank you sooooo much! I have spent days trying to get a web terminal working and this worked without any problems at all!