Changes between Version 33 and Version 34 of ProxyServer


Timestamp:
05/08/18 17:31:51 (2 weeks ago)
Author:
Antoine Martin
Comment:

--

  • ProxyServer

    v33 v34  
    105105
    106106{{{#!div class="box"
    107 == Detailed Example ==
     107== Remote Hosts ==
    108108
    109 * Start a proxy server on port 14501 using the "{{{multifile}}}" authentication module (we will call this server {{{PROXYHOST}}}):
     109This example uses a sqlite database to expose two remote server accessible from the proxy server via tcp.
     110
     111* Start two sessions we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}):
    110112{{{
    111 xpra proxy :100 --bind-tcp=0.0.0.0:14501 --auth=multifile:filename=./xpra-auth
     113xpra start :100 --bind-tcp=0.0.0.0:10100 --start=xterm
     114xpra start :101 --bind-tcp=0.0.0.0:10101 --start=xterm
    112115}}}
    113 * Start the session we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}):
     116* Start a proxy server on port 14501 using the "{{{sqlite}}}" authentication module (we will call this server {{{PROXYHOST}}}):
    114117{{{
    115 xpra start :10 --bind-tcp=0.0.0.0:10000
     118xpra proxy :100 --bind-tcp=0.0.0.0:14501 --auth=sqlite,filename=./xpra-auth.sdb
    116119}}}
    117 * on {{{PROXYHOST}}}, add a user to the auth file pointing to {{{TARGETHOST}}} (ie: {{{192.168.1.200}}} should be {{{TARGETHOST}}}'s IP):
     120and add user entries (ie: {{{foo}}} with password {{{bar}}}), pointing to the  {{{TARGETHOST}}} session (ie: {{{192.168.1.200}}} is the {{{TARGETHOST}}}'s IP):
    118121{{{
    119 echo "foo|secretpassword|1000|1000|tcp:192.168.1.200:10000|EXAMPLE_ENV=VALUE|compression=0" >> ./xpra-auth
     122SQLITE_AUTH_PY=/usr/lib64/python2.7/site-packages/Xrv/server/auth/sqlite_auth.py
     123python $SQLITE_AUTH_PY ./xpra-auth.sdb create
     124python $SQLITE_AUTH_PY ./xpra-auth.sdb add foo bar nobody nobody tcp://192.168.1.200:10100/
     125python $SQLITE_AUTH_PY ./xpra-auth.sdb add moo cow nobody nobody tcp://192.168.1.200:10100/ "" "compression=0"
    120126}}}
    121 * connect the client through the proxy server:
    122 xpra attach tcp://foo:secretpassword@$PROXYHOST:14501/
     127* connect the client through the proxy server to the first session:
     128{{{
     129xpra attach tcp://foo:bar@$PROXYHOST:14501/
     130}}}
     131or for the second session:
     132{{{
     133xpra attach tcp://moo:cow@$PROXYHOST:14501/
     134}}}
    123135
    124 To hide the password from command line history and process list, use a password file:
     136To hide the password from the command line history and process list, you can use a password file:
    125137{{{
    126 echo -n "secretpassword" > password.txt
     138echo -n "bar" > ./password.txt
    127139xpra attach --password-file=./password.txt tcp://foo@$PROXYHOST:14501/
    128140}}}
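Review bot: new lines 124 and 125 register both `foo` and `moo` against `tcp://192.168.1.200:10100/`, but lines 127-133 present `moo` as the login for "the second session", which line 114 starts on port 10101, so the `moo` entry should point to `tcp://192.168.1.200:10101/`. Lines 113-114 also bind both sessions to `0.0.0.0` with no authentication option on those lines, so as written any host that can reach TARGETHOST on 10100 or 10101 can attach directly and skip the proxy's sqlite check; suggest binding to an address only PROXYHOST can reach, or adding authentication on the sessions and storing those credentials in the connection string. Two smaller points: `xpra proxy :100` on line 118 now uses the same display number as `xpra start :100` on line 113 (the old text used `:10` for the session), which clashes with the note that PROXYHOST and TARGETHOST can be the same host for testing, and the `Xrv` component in the `SQLITE_AUTH_PY` path on line 122 does not match the `xpra` name used everywhere else and should be checked.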
     
    136148* the proxy server creates a new connection to the real server ({{{TARGETHOST}}}), applying any options specified (ie: "{{{compression=0}}}" will disable compression between the proxy and server)
    137149* the proxy server spawns a new process
    138 * the new proxy process changes its uid and gid to non-root (if needed)
     150* the new proxy process changes its uid and gid to 'nobody' / 'nobody' (if the proxy server runs as root only, otherwise unchanged)
    139151* the packets should now flow through between the client and the real server
    140152
    141153Further notes:
    142 * see also [ticket:1264#comment:3] for authentication between proxy and server
    143 * in version 1.0 with multifile, you can omit the uid and gid and the special user / group "nobody" will be used (posix servers only)
    144 * in version 1.0 with multifile, you can specify the uid and gid using their names (ie: uid="joe", gid="users", posix servers only)
     154* see also [ticket:1264#comment:3] for authentication between proxy and server, just specify the username and password in the connection string
     155* you can omit the uid and gid and the special user / group "nobody" will be used (posix servers only)
     156* you can specify the uid and gid using their names (ie: uid="joe", gid="users", posix servers only) or numerical values (ie: 1000)
    145157* see #1319 for starting new sessions via the proxy (posix servers only)
     158* you can specify more than one remote session string for each username and password pair using CSV format - but the client will then have to specify which one it wants on the connection URL
    146159}}}
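Review bot: new line 150 states that the proxy process changes its uid and gid to 'nobody' / 'nobody', which is only what the example's `add ... nobody nobody` entries happen to configure; lines 155-156 say the uid and gid can be omitted, named or numeric, so the step should read as "the uid and gid configured for that user (nobody / nobody in this example)". The parenthetical "if the proxy server runs as root only, otherwise unchanged" also deserves a plain statement that a non-root proxy runs every user's proxy process under the proxy's own account, since that removes the per-user privilege separation the step describes. Line 158 introduces CSV lists of session strings and says the client must pick one on the connection URL, but gives no example of either the CSV entry or the URL form; please add one so readers do not have to guess the syntax.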