safe-terminal-app-old.yml
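name: yunderaterminal
services:
  # NGINX front end. It only checks the "hash" query parameter and proxies to
  # ttyd, so it runs with Docker's default capability set: the original
  # privileged / SYS_ADMIN / NET_ADMIN grants are not needed to listen on 3000
  # and proxy HTTP/WebSocket traffic.
  yunderaterminal:
    image: nginx:alpine
    container_name: yunderaterminal
    restart: unless-stopped
    expose:
      - "3000"
    user: "root"
    command: ["nginx", "-c", "/custom-config/nginx.conf", "-g", "daemon off;"]
    volumes:
      # nginx.conf holds the access token; the proxy only needs to read it.
      - type: bind
        source: /DATA/AppData/yunderaterminal/nginx
        target: /custom-config
        read_only: true
      # Writable scratch space only. The generated nginx.conf writes its pid,
      # error log and temp paths under nginx-cache; mounting the whole app
      # directory read-write would also expose the config directory as
      # writable and defeat the read_only mount above.
      - type: bind
        source: /DATA/AppData/yunderaterminal/nginx-cache
        target: /DATA/AppData/yunderaterminal/nginx-cache
    depends_on:
      - ttyd
    networks:
      - pcs

  # ttyd back end: a writable web terminal that runs bash as root inside a
  # chroot of the host filesystem. Anyone who reaches this service has a root
  # shell on the host, so every setting below is security-critical.
  ttyd:
    # NOTE(review): "latest" is a floating tag; pin a reviewed version or
    # image digest so a new upstream push cannot change what runs as root.
    image: tsl0922/ttyd:latest
    container_name: yunderaterminaltty
    restart: unless-stopped
    user: "root"
    # No ttyd-level credential is configured here; the only gate is the
    # query-string check performed by the nginx proxy.
    command:
      - "ttyd"
      - "--writable"
      - "--client-option"
      - "enableZmodem=true"
      - "--client-option"
      - "enableSixel=false"
      - "--client-option"
      - "enableTrzsz=false"
      - "--terminal-type"
      - "xterm-256color"
      - "chroot"
      - "/host"
      - "bash"
    volumes:
      # The entire host root filesystem, mounted read-write.
      - type: bind
        source: /
        target: /host
    networks:
      # NOTE(review): pcs is a shared external network. Other containers
      # attached to it can presumably connect to this container's ttyd port
      # (7681, per the proxy_pass target in the generated nginx.conf) directly,
      # without passing the proxy's hash check. Consider a dedicated network
      # shared only by the proxy and ttyd, if nothing else needs to reach it.
      - pcs
    # Full host privileges by design of this app; review before deploying.
    privileged: true
    # Redundant while privileged is true (privileged already grants these).
    cap_add:
      - SYS_ADMIN
      - NET_ADMIN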
# "pcs" is declared external: Compose expects the network to exist already and
# does not create or remove it. Both services above attach to it.
networks:
  pcs:
    external: true
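# CasaOS app-store metadata plus the install hook that generates the access
# token and the nginx configuration enforcing it.
x-casaos:
  architectures:
    - amd64
    - arm64
  main: yunderaterminal
  author: yundera
  developer: yundera
  icon: https://cdn-icons-png.flaticon.com/512/2933/2933245.png
  tagline:
    en_us: "Secure hash-locked terminal access"
  category: Utilities
  description:
    en_us: "A secure terminal with hash-based authentication using NGINX proxy"
  title:
    en_us: "Yundera Terminal"
  store_app_id: yunderaterminal
  is_uncontrolled: false
  # The background installer appends "?hash=<token>" to this value in the
  # installed compose file, so that file (like nginx.conf) stores the token in
  # clear text. Keep both readable only by trusted accounts.
  index: /
  webui_port: 3000
  volumes:
    - /DATA/AppData/$AppID/nginx
  # This key must remain the last one in the file: the installer strips
  # everything from it to end-of-file out of the installed compose file.
  pre-install-cmd: |
    # Generate the access token: 64 random bytes as 128 lowercase hex digits.
    # The fallback reads the same number of bytes as the openssl path.
    if command -v openssl >/dev/null 2>&1; then
      AUTH_HASH=$(openssl rand -hex 64)
    else
      AUTH_HASH=$(dd if=/dev/urandom bs=64 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    fi
    # Fail closed. With an empty token the nginx check would compare the
    # request parameter against "" and accept requests that carry no hash.
    case "$AUTH_HASH" in
      ''|*[!0-9a-f]*)
        echo "yunderaterminal: failed to generate access token" >&2
        exit 1
        ;;
    esac
    if [ "${#AUTH_HASH}" -ne 128 ]; then
      echo "yunderaterminal: access token has unexpected length" >&2
      exit 1
    fi
    mkdir -p /DATA/AppData/yunderaterminal/nginx 2>/dev/null
    mkdir -p /DATA/AppData/yunderaterminal/nginx-cache/{client_temp,proxy_temp,fastcgi_temp,uwsgi_temp,scgi_temp} 2>/dev/null
    chown -R ubuntu:988 /DATA/AppData/yunderaterminal/ 2>/dev/null || true
    chmod -R 755 /DATA/AppData/yunderaterminal/ 2>/dev/null || true
    # The installer script embeds the token. Create it with mktemp (mode 0600,
    # unpredictable name) instead of a fixed world-readable path in /tmp, which
    # another local user could pre-create, symlink or read.
    INSTALLER=$(mktemp /tmp/yundera-terminal-installer.XXXXXX) || exit 1
    cat > "$INSTALLER" << EOF
    #!/bin/bash
    # Remove this script on exit; it embeds the access token.
    trap 'rm -f -- "\$0"' EXIT
    COMPOSE_FILE="/DATA/AppData/casaos/apps/yunderaterminal/docker-compose.yml"
    # Wait up to max_wait seconds for CasaOS to write the installed compose file.
    sleep 2
    counter=0
    max_wait=120
    while [ \$counter -lt \$max_wait ]; do
      [ -f "\$COMPOSE_FILE" ] && break
      sleep 2
      counter=\$((counter + 2))
    done
    [ ! -f "\$COMPOSE_FILE" ] && exit 1
    NGINX_DIR="/DATA/AppData/yunderaterminal/nginx"
    cat > "\$NGINX_DIR/nginx.conf" << 'NGINX_MAIN_EOF'
    # Custom nginx.conf with proper permissions
    pid /DATA/AppData/yunderaterminal/nginx-cache/nginx.pid;
    error_log /DATA/AppData/yunderaterminal/nginx-cache/error.log;
    events {
      worker_connections 1024;
    }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      # Log the path only (uri, not the full request line) so the hash query
      # parameter is not written to the access log.
      log_format noquery '\$remote_addr [\$time_local] "\$request_method \$uri \$server_protocol" \$status \$body_bytes_sent';
      access_log /var/log/nginx/access.log noquery;
      # Custom temp directories
      client_body_temp_path /DATA/AppData/yunderaterminal/nginx-cache/client_temp;
      proxy_temp_path /DATA/AppData/yunderaterminal/nginx-cache/proxy_temp;
      fastcgi_temp_path /DATA/AppData/yunderaterminal/nginx-cache/fastcgi_temp;
      uwsgi_temp_path /DATA/AppData/yunderaterminal/nginx-cache/uwsgi_temp;
      scgi_temp_path /DATA/AppData/yunderaterminal/nginx-cache/scgi_temp;
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      server {
        listen 3000;
        server_name _;
        location / {
          # Check for valid hash parameter. The token travels in the query
          # string, so it also ends up in browser history and in the logs of
          # any proxy in front of this server.
          if (\$arg_hash != "REPLACE_AUTH_HASH") {
            return 403 "Access denied: Invalid or missing authentication hash. Please access through CasaOS dashboard.";
          }
          # Proxy to ttyd with optimizations
          proxy_pass http://yunderaterminaltty:7681;
          proxy_http_version 1.1;
          proxy_set_header Upgrade \$http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host \$host;
          proxy_set_header X-Real-IP \$remote_addr;
          proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto \$scheme;
          # Optimize for terminal responsiveness
          proxy_buffering off;
          proxy_cache off;
          proxy_read_timeout 86400;
          proxy_send_timeout 86400;
          proxy_connect_timeout 60s;
          # WebSocket optimizations
          proxy_set_header X-Forwarded-Host \$host;
          proxy_set_header X-Forwarded-Server \$host;
        }
      }
    }
    NGINX_MAIN_EOF
    # Substitute the real token for the placeholder (hex only, so it is safe
    # inside the sed replacement).
    sed -i "s/REPLACE_AUTH_HASH/${AUTH_HASH}/g" "\$NGINX_DIR/nginx.conf"
    # Drop the install hook from the installed compose file, then point the
    # dashboard link at the tokenised URL.
    cp "\$COMPOSE_FILE" "\$COMPOSE_FILE.backup"
    sed '/^[[:space:]]*pre-install-cmd:/,\$d' "\$COMPOSE_FILE.backup" > "\$COMPOSE_FILE.tmp"
    mv "\$COMPOSE_FILE.tmp" "\$COMPOSE_FILE"
    sed -i "s|index: /|index: /?hash=${AUTH_HASH}|" "\$COMPOSE_FILE"
    EOF
    chmod 700 "$INSTALLER"
    nohup "$INSTALLER" >/dev/null 2>&1 &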