
Changes between Version 33 and Version 34 of ProxyServer


Timestamp: 06/05/18 15:00:12 (2 months ago)
Author: Antoine Martin
Comment: (none)

  • ProxyServer

    v33 v34  
    1919This proxy server can also be used as a system-wide proxy server so that sessions are started with enough privileges to register as logind sessions (#1105), allowing them to outlive the user's session. ({{{KillUserProcesses=yes}}})
    2020
    21 Another important use-case is servers with hardware accelerated encoding devices (via [/wiki/Encodings/nvenc NVENC]), the proxy server can be used to share this device with many servers: the proxy does the video encoding, the real servers just forward raw RGB data to it. (see #504)
     21Another important use-case is servers with hardware accelerated encoding devices (via [/wiki/Encodings/nvenc NVENC]), the proxy server can be used to share this device with many servers: the proxy does the video encoding, the real servers just forward raw uncompressed pixel data to it. (see #504)
    2222
    2323[[BR]]
    24 It can also be combined with the [/wiki/TCPSocketSharing TCP Socket Sharing] option to share the same TCP port with another server (ie: a web server), it can also use SSL encryption (see [/wiki/Encryption/SSL]).
     24It can also be combined with the [/wiki/TCPSocketSharing TCP Socket Sharing] option to share the same TCP port with another server (ie: a web server), it can also use SSL encryption (see [/wiki/Encryption/SSL]). The proxy server can also provide access to the HTML5 client, for all sessions.
    2525[[BR]]
    2626
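Review bot: the sentence added on line 24 of v34, "The proxy server can also provide access to the HTML5 client, for all sessions.", gives the reader no way to act on it: the neighbouring sentences each carry a wiki link (TCP Socket Sharing, Encryption/SSL) or an option, this one names neither the option that enables it nor the page that documents it; add the pointer. Minor, present in both versions: "Another important use-case is servers with hardware accelerated encoding devices (...), the proxy server can be used to share this device" is a comma splice, split it into two sentences. The change from "raw RGB data" to "raw uncompressed pixel data" is fine.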
     
    5555* if only one session exists for this user, you can connect via the proxy with:
    5656{{{
    57 xpra attach tcp://:foo@PROXYHOST:14501/
     57xpra attach tcp://foo:bar@PROXYHOST:14501/
    5858}}}
    5959
    6060If there is more than one existing session accessible for this user, the client also needs to specify which display it wishes to connect to using the extended attach syntax: "{{{tcp/USERNAME:PASSWORD@SERVER:PORT/DISPLAY}}}":
    6161{{{
    62 xpra attach tcp://:foo@PROXYHOST:14501/100
     62xpra attach tcp://foo:bar@PROXYHOST:14501/100
    6363}}}
    6464[[BR]]
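Review bot: the new connection strings use the `tcp://foo:bar@PROXYHOST:14501/` form, but the unchanged sentence on line 60 describes the extended attach syntax as "{{{tcp/USERNAME:PASSWORD@SERVER:PORT/DISPLAY}}}"; pick one form so the prose matches the examples it introduces. Since the display number is now appended after the trailing slash (`.../100`), the sentence should also say that the `/DISPLAY` part is the target session's display, not the proxy's `:100`, because both numbers are 100 in this page's examples and are easy to confuse.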
     
    6666Notes:
    6767* this example uses tcp, but the proxy works equally well with all other transports ({{{ssl}}}, {{{wss}}} etc)
     68* the username "foo" and password "bar" can be replaced with anything since the {{{allow}}} authentication module does not check the credentials
    6869* if you run this command as root, all the user sessions will be exposed!
    6970* if you run it a normal user, only this user's session will be exposed
    70 * once authenticated, the proxy server spawns a new process and no longer runs as root
     71* when running the proxy server as root, once authenticated, the proxy server spawns a new process and no longer runs as root
    7172* the display number chosen for the proxy server is only used for identifying the proxy server and interacting with it using the regular tools ("{{{xpra info}}}", etc)
    72 * to use ports lower than 1024 either use {{{--min-port}}} and run as root and or see [https://superuser.com/questions/710253/ allow non-root process to bind to port 80 and 443]
     73* to use ports lower than 1024 either use {{{--min-port}}} and run as root or see [https://superuser.com/questions/710253/ allow non-root process to bind to port 80 and 443]
    7374}}}
    7475
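Review bot: lines 68 to 70 of v34 together say that the `allow` module does not check credentials and that running the proxy as root exposes all user sessions; the note should state that consequence outright: with `allow`, anyone who can reach the bound port gets into every session on the host without a password, so this configuration is only for testing on an address not reachable from untrusted networks, and a real deployment must use one of the credential-checking modules described further down. Typo in unchanged line 70: "if you run it a normal user" is missing "as". The "--min-port" note would be clearer as two alternatives on separate lines, "run as root with --min-port" and "grant the binding capability, see the linked answer", rather than one sentence.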
     
    105106
    106107{{{#!div class="box"
    107 == Detailed Example ==
     108== Remote Hosts ==
    108109
    109 * Start a proxy server on port 14501 using the "{{{multifile}}}" authentication module (we will call this server {{{PROXYHOST}}}):
     110This example uses a sqlite database to expose two remote server instances accessible from the proxy server via tcp.
     111
     112* Start two sessions we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}):
    110113{{{
    111 xpra proxy :100 --bind-tcp=0.0.0.0:14501 --auth=multifile:filename=./xpra-auth
     114xpra start :100 --bind-tcp=0.0.0.0:10100 --start=xterm
     115xpra start :101 --bind-tcp=0.0.0.0:10101 --start=xterm
    112116}}}
    113 * Start the session we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}):
     117* Start a proxy server on port 14501 using the "{{{sqlite}}}" authentication module (we will call this server {{{PROXYHOST}}}):
    114118{{{
    115 xpra start :10 --bind-tcp=0.0.0.0:10000
     119xpra proxy :100 --bind-tcp=0.0.0.0:14501 --auth=sqlite,filename=./xpra-auth.sdb
    116120}}}
    117 * on {{{PROXYHOST}}}, add a user to the auth file pointing to {{{TARGETHOST}}} (ie: {{{192.168.1.200}}} should be {{{TARGETHOST}}}'s IP):
     121and add user entries (ie: {{{foo}}} with password {{{bar}}}), pointing to the  {{{TARGETHOST}}} session (ie: {{{192.168.1.200}}} is the {{{TARGETHOST}}}'s IP):
    118122{{{
    119 echo "foo|secretpassword|1000|1000|tcp:192.168.1.200:10000|EXAMPLE_ENV=VALUE|compression=0" >> ./xpra-auth
     123SQLITE_AUTH_PY=/usr/lib64/python2.7/site-packages/xpra/server/auth/sqlite_auth.py
     124python $SQLITE_AUTH_PY ./xpra-auth.sdb create
     125python $SQLITE_AUTH_PY ./xpra-auth.sdb add foo bar nobody nobody tcp://192.168.1.200:10100/
     126python $SQLITE_AUTH_PY ./xpra-auth.sdb add moo cow nobody nobody tcp://192.168.1.200:10100/ "" "compression=0"
    120127}}}
    121 * connect the client through the proxy server:
    122 xpra attach tcp://foo:secretpassword@$PROXYHOST:14501/
     128* connect the client through the proxy server to the first session:
     129{{{
     130xpra attach tcp://foo:bar@$PROXYHOST:14501/
     131}}}
     132or for the second session:
     133{{{
     134xpra attach tcp://moo:cow@$PROXYHOST:14501/
     135}}}
    123136
    124 To hide the password from command line history and process list, use a password file:
     137To hide the password from the command line history and process list, you can use a password file:
    125138{{{
    126 echo -n "secretpassword" > password.txt
     139echo -n "bar" > ./password.txt
    127140xpra attach --password-file=./password.txt tcp://foo@$PROXYHOST:14501/
    128141}}}
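Review bot: the `moo`/`cow` entry on line 126 points at `tcp://192.168.1.200:10100/`, the same port as the `foo`/`bar` entry, while the two sessions started on lines 114 and 115 listen on 10100 and 10101 and line 132 introduces `moo:cow` as "the second session"; either the port in the `moo` entry should be 10101 or the text should not call it the second session. Both `xpra start` lines bind `0.0.0.0` without any `--tcp-auth`, so the target sessions are reachable directly by anyone on the network, bypassing the proxy's sqlite authentication entirely; since the "Further notes" on line 155 already says the username and password for proxy-to-server authentication go in the session connection string, the example should start the targets with an authentication module and put those credentials in the sqlite session URL, otherwise readers will copy an unauthenticated deployment. Also, `SQLITE_AUTH_PY=/usr/lib64/python2.7/site-packages/...` hardcodes one distribution's layout and Python 2.7; say that the path varies, or show how to locate the module from the installed package, and note that the option separator changed from the v33 `multifile:filename=` form to `sqlite,filename=` so readers following older examples know which one applies.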
     
    136149* the proxy server creates a new connection to the real server ({{{TARGETHOST}}}), applying any options specified (ie: "{{{compression=0}}}" will disable compression between the proxy and server)
    137150* the proxy server spawns a new process
    138 * the new proxy process changes its uid and gid to non-root (if needed)
     151* the new proxy process changes its uid and gid to 'nobody' / 'nobody' (if the proxy server runs as root only, otherwise unchanged)
    139152* the packets should now flow through between the client and the real server
    140153
    141154Further notes:
    142 * see also [ticket:1264#comment:3] for authentication between proxy and server
    143 * in version 1.0 with multifile, you can omit the uid and gid and the special user / group "nobody" will be used (posix servers only)
    144 * in version 1.0 with multifile, you can specify the uid and gid using their names (ie: uid="joe", gid="users", posix servers only)
     155* see also [ticket:1264#comment:3] for authentication between proxy and server, just specify the username and password in the connection string
     156* you can omit the uid and gid and the special user / group "nobody" will be used (posix servers only)
     157* you can specify the uid and gid using their names (ie: uid="joe", gid="users", posix servers only) or numerical values (ie: 1000)
    145158* see #1319 for starting new sessions via the proxy (posix servers only)
     159* you can specify more than one remote session string for each username and password pair using CSV format - but the client will then have to specify which one it wants on the connection URL
    146160}}}
     161
     162
     163{{{#!div class="box"
     164== Username Matters ==
     165
     166The proxy server can also be used to expose all local sessions dynamically.
     167This is what the [/wiki/Service] (aka "system wide proxy server") does.
     168
     169In this case, the username, uid and gid are used to locate all the sessions for the user once it has authenticated, in the same way that a user can list sessions by running {{{xpra list}}}.
     170This type of proxy server usually runs as root to be able to access the sessions for multiple users.
     171
     172This mode of operation cannot be used with the {{{sqlite}}} or {{{multifile}}} authentication modules since those modules specify the list of sessions explicitly.
     173
     174For some authentication modules the uid and gid can be derived from the username automatically using the password database (ie: {{{pam}}}, others allow for it to be specified as a module option (ie: {{{--tcp-auth=ldap,uid=xpraproxy,gid=xpraproxy}}}) which makes it possible for non-local accounts to execute the proxy process instance as a non-root user.
     175The default value of "nobody" uid and "nobody" gid may or may not have sufficient privileges for executing a proxy process instance.
     176
     177You should not use the {{{file}}}, {{{env}}} or {{{exec}}} authentication modules, as those would allow access to all usernames with the same password value.
     178}}}
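Review bot: line 174 has an unbalanced parenthesis, "(ie: {{{pam}}}, others allow for it" never closes; it should read "(ie: {{{pam}}}), others allow for it". Line 151, "changes its uid and gid to 'nobody' / 'nobody' (if the proxy server runs as root only, otherwise unchanged)", is hard to parse; say "only when the proxy server runs as root; otherwise the uid and gid are left unchanged". Line 175, "may or may not have sufficient privileges for executing a proxy process instance", tells the reader nothing actionable; state what the spawned proxy process needs access to, so that an administrator can decide when to override the uid/gid via the module options shown on line 174. Line 174 also uses `--tcp-auth=ldap,...` while every other example on the page uses `--auth=`; if both options exist say which applies to which socket, otherwise keep one. The warning on line 177 about `file`, `env` and `exec` is the most security-relevant addition in this revision and deserves to lead the box rather than close it: with a single shared password every username authenticates, so one credential maps onto every user's sessions in the username-based mode; phrase it as "must not" and give that reason first.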