Instantly share code, notes, and snippets.
Share a read-only tmux session over HTTPS with password
#!/bin/bash | |
# SERVER: | |
# sudo apt-get install certbot socat tmux | |
# sudo ./shareterminal.sh | |
# Your stage: tmux new-session -As remote | |
# Your spectators: tmux lsc -t remote | |
# | |
# CLIENTS: | |
# curl -N https://tmux.example.com:1337 | |
# or curl -N https://tmux.example.com:1337 -H 'X-Pass: foobar' | |
_DOMAIN=tmux.example.com | |
_PORT=1337 # > 1023 | |
_PASS= # empty to disable | |
_LETSENCRYPT_MAIL=julien@example.com | |
_UNIX_USER=ju | |
_TMUX_WIDTH=128 | |
_TMUX_HEIGHT=32 | |
## SCRIPT | |
set -Efuo pipefail | |
if [ "${EUID}" -ne 0 ]; then | |
echo '[ERR] You must be root.' >&2 | |
exit 1 | |
fi | |
function reverse() { | |
trap - EXIT ERR INT | |
if [ ! -z "${net_device}" ]; then | |
iptables -D INPUT -p tcp -i "${net_device}" --dport "${_PORT}" -j ACCEPT | |
ip6tables -D INPUT -p tcp -i "${net_device}" --dport "${_PORT}" -j ACCEPT | |
iptables -D INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT &> /dev/null || true | |
ip6tables -D INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT &> /dev/null || true | |
fi | |
exit 0 | |
} | |
tmux_name=remote | |
net_device=$(ip r g 1.2.3.4 | awk '/via/ { print $5 }') | |
if [ -z "${net_device}" ]; then | |
echo '[ERR] Unable to guess your network device.' >&2 | |
exit 1 | |
fi | |
trap reverse EXIT ERR INT | |
ip6tables -I INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT | |
iptables -I INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT | |
certbot certonly -qn --standalone --preferred-challenges tls-sni --rsa-key-size 4096 --agree-tos -m "${_LETSENCRYPT_MAIL}" -d "${_DOMAIN}" | |
mkdir -p "/etc/ssl/${_DOMAIN}/" | |
cp "/etc/letsencrypt/live/${_DOMAIN}/privkey.pem" "/etc/ssl/${_DOMAIN}/" | |
cp "/etc/letsencrypt/live/${_DOMAIN}/cert.pem" "/etc/ssl/${_DOMAIN}/" | |
cp "/etc/letsencrypt/live/${_DOMAIN}/chain.pem" "/etc/ssl/${_DOMAIN}/" | |
ip6tables -D INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT | |
iptables -D INPUT -p tcp -i "${net_device}" --dport 443 -j ACCEPT | |
ip6tables -I INPUT -p tcp -i "${net_device}" --dport "${_PORT}" -j ACCEPT | |
iptables -I INPUT -p tcp -i "${net_device}" --dport "${_PORT}" -j ACCEPT | |
echo -e "SERVER (${_UNIX_USER}):\n\t tmux new-session -As ${tmux_name}" | |
if [ -z "${_PASS}" ]; then | |
echo -e "CLIENTS:\n\t curl -N https://${_DOMAIN}:${_PORT}" | |
else | |
echo -e "CLIENTS:\n\t curl -N https://${_DOMAIN}:${_PORT} -H 'X-Pass: ${_PASS}'" | |
fi | |
echo -e "\nReady... ^C to stop\n" | |
sudo -Eu "${_UNIX_USER}" socat\ | |
"OPENSSL-LISTEN:${_PORT},pf=ip6,ipv6only=0,fork,reuseaddr,cert=/etc/ssl/${_DOMAIN}/cert.pem,key=/etc/ssl/${_DOMAIN}/privkey.pem,cafile=/etc/ssl/${_DOMAIN}/chain.pem,verify=0"\ | |
"SYSTEM:\ | |
( while [ -e /proc/\$PPID ]; do sleep 1; done; kill -TERM \$\$ ) &\ | |
if [ ! -z \"${_PASS}\" ]; then\ | |
while read -r i; do\ | |
if [ \"\$i\" != \"\${i##X-Pass:}\" ]; then\ | |
[ \"\$i\" = \"X-Pass: ${_PASS}\" ] && break; | |
echo Wrong password.;\ | |
exit 0;\ | |
fi;\ | |
done;\ | |
fi;\ | |
stty cols ${_TMUX_WIDTH};\ | |
stty rows ${_TMUX_HEIGHT};\ | |
exec tmux attach -r -t ${tmux_name}\ | |
",pty,stderr | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment