{"id":13777886,"url":"https://github.com/bwsw/webshell","last_synced_at":"2026-01-17T08:36:39.004Z","repository":{"id":78623407,"uuid":"89855312","full_name":"bwsw/webshell","owner":"bwsw","description":"Docker container which includes Shellinabox and enables SSH connections to arbitrary (not where installed) servers","archived":false,"fork":false,"pushed_at":"2017-08-12T12:06:46.000Z","size":24,"stargazers_count":55,"open_issues_count":2,"forks_count":16,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-08-03T18:12:04.880Z","etag":null,"topics":["proxy-server","shellinbox","ssh","web-ssh","webshell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bwsw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-04-30T14:22:14.000Z","updated_at":"2024-03-24T20:37:49.000Z","dependencies_parsed_at":"2024-01-15T08:06:50.741Z","dependency_job_id":null,"html_url":"https://github.com/bwsw/webshell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwsw%2Fwebshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwsw%2Fwebshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwsw%2Fwebshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwsw%2Fwebshell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bwsw","download_url":"https://codeload.github.com/bwsw/webshe
ll/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225043243,"owners_count":17411952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["proxy-server","shellinbox","ssh","web-ssh","webshell"],"created_at":"2024-08-03T18:00:49.539Z","updated_at":"2026-01-17T08:36:38.969Z","avatar_url":"https://github.com/bwsw.png","language":"Python","readme":"# CS-Umbrella / Webshell Plugin Server\n\nIt's a web SSH proxy. When deployed on a server, it turns that server into a web SSH client. It is for remote SSH connections, not for connections to the same server where it's deployed. See [Shellinabox](https://code.google.com/archive/p/shellinabox/) if you just want a web SSH server on the same server you want to connect to.\n\nIt is distributed as a Docker container which includes Shellinabox and a Python wrapper script and enables remote connections to arbitrary servers. It's based on the original [Shellinabox](https://code.google.com/archive/p/shellinabox/) and the [idea](https://blog.bartlweb.net/2013/10/ssh-web-gateway-mit-dem-opensource-tool-shellinabox/) of SSH client invocation.\n\nThe project includes the following features (both IPv4 and IPv6 are OK):\n1. serverip/port/login of the host to connect to in the URL\n2. serverip/port/login from the terminal (interactive in a browser)\n3. specify an idle interval and terminate such clients (to protect from hung and broken terminals)\n4. specify the list of networks (in CIDR format) which are permitted to connect\n5. specify default serverip/port/login\n6. 
supports secret private keys storage in HashiCorp's [Vault](https://www.vaultproject.io)\n\nThe code doesn't support DNS names for servers because it involves ambiguity in name-to-ip resolution and it's not my case, basically. The container is as basic as can be and doesn't include extra authentication and limitations. For use in an open environment, it is recommended to place nginx as a reverse proxy in front of it and implement additional authentication and other restrictions (I believe that per-ip connection limit is the basic one).\n\n# Usage\n\nThe most basic usage is to run the Docker container and specify the allowed networks in CIDR format (use commas to separate them). By default, gray (private) networks are specified: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7. The example below sets ALLOWED_NETWORKS to 0.0.0.0/0, which matches every IPv4 address.\n\n```bash\ndocker run -d --privileged --security-opt seccomp=unconfined --name webshell -p 8018:80 -e ALLOWED_NETWORKS=0.0.0.0/0 bwsw/webshell\n```\n\nNavigate to http://hostname.com:8018/ to specify the server IP, port and login interactively, or to one of\n- http://hostname.com:8018/?serverip\n- http://hostname.com:8018/?serverip/port\n- http://hostname.com:8018/?serverip/port/login\n- http://hostname.com:8018/?serverip/port/login/vault-token/vault/secret/key\n\nto use URL-based and default values.\n\n## Parameters\n\n1. **SSH_PORT** - default port to use (if not specified - 22)\n2. **USERNAME** - default login to use (if not specified - root)\n3. **DEFAULT_IP** - default IP to use (if not specified, both IPv4 and IPv6 are OK)\n4. **ALLOWED_NETWORKS** - comma-separated list of CIDRs (default 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7; both IPv4 and IPv6 are OK)\n5. **INACTIVITY_INTERVAL** - number of seconds with no I/O between the remote server and the browser after which the monitor script terminates the connection (default 60)\n6. **VAULT_ENABLED** - specifies whether HashiCorp Vault is enabled or not\n7. **VAULT_VALUE** - specifies the name of the value field in the secret from which the private SSH key is read\n8. 
**VAULT_URL** - specifies where Vault is deployed (e.g. http(s)://somewhere.com:8200/v1).\n\n## HashiCorp's Vault integration notes\n\nPrivate SSH keys which are stored in Vault must be Base64-encoded, e.g.\n\n```bash\nbase64 ~/.ssh/id_rsa\n```\n\nThe current implementation requires that the side calling Vault either guarantees it is safe to show the token in the URI or provides a one-time (limited) Vault token which cannot be reused.\n\nAlso, keep in mind that the code **creates** a temporary file for the SSH identity and removes it after the SSH command invocation, so keep the Docker container running bwsw/webshell secure. The feature involves a potential security vulnerability, so the code must be audited properly by security engineers.\n\n## Author\n\nIvan Kudryavtsev @ [Bitworks Software, Ltd.](https://bitworks.software/)\n\n## License\n\nPublished under Apache v2.0\n","funding_links":[],"categories":["\u003ca id=\"faa91844951d2c29b7b571c6e8a3eb54\"\u003e\u003c/a\u003e新添加"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbwsw%2Fwebshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbwsw%2Fwebshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbwsw%2Fwebshell/lists"}