nassh-relay's People

Contributors

dependabot[bot], tsegismont, zyclonite

nassh-relay's Issues

using an upstream proxy (nginx) has issues, the relay likes to bypass the proxy

I tried to use nginx to terminate the SSL connections to nassh-relay.
That didn't work.

What I found out:
The extension first connects to the nginx but after the initial requests it tries to connect to the relay directly.
This doesn't give an error while using http (unless port 8022 is firewalled) because the relay does understand http.

But when https is used, the extension tries to talk https with the relay without using the proxy but the relay doesn't understand that.
Somehow it gets the port from the initial requests or it just assumes the default. I haven't found 8022 anywhere in the http tcpdump.

Can we talk directly via some IM service? I think that would be more efficient to share the research.

oAuth in new window?

Is there a way to have the relay option in Secure Shell pop open a new window/tab for authentication?

My relay server for Secure Shell is behind an oAuth portal on my system. If I haven't SSHd somewhere through the relay server in the last 24 hours, it prompts for my oAuth credentials. However, Secure Shell just sees the oAuth portal as a lack of a relay server and fails. I have to go to my SSH Relay URL directly in a new tab, complete the oAuth flow and then I'm good for another 24 hours.

Option to re-issue certain cookies with `samesite=none`

Chrome 85 broke our ability to use the nassh-relay. Here's how:

We must first authenticate to an "inbound HTTPS proxy", which sets a domain-wide cookie.

Because the Chrome SSH proxy is an extension, WebSocket requests originating from the extension are prevented by the new (as of Chrome 85) same-site cookie policy. The "inbound HTTPS proxy" then posts a 302 redirect to the authentication page: 302 causes the WebSocket request to fail (the user is not presented the login page).

I was able to work around this by posting a static HTML page that re-issues the cookie with samesite=none, and this fixes the problem. Users must visit a magic web page after authenticating but before trying to SSH.

It might be possible to have nassh-relay also re-issue the cookie, which would be a nicer user experience. I would be happy to provide the name of the cookie in an argument to the program. This would probably have to show up in JavaScript, in case the "inbound HTTPS proxy" strips the cookie from the request before passing it along.

This would probably require some way to provide nassh-relay with the cookie to be re-issued, and may require the /cookie handler to reply with JavaScript which reissues the cookie and performs a redirect, if it is currently sending an HTTP redirect.

If this sounds like a reasonable approach, I will attempt to dust off my Java knowledge enough to submit a patch.

Disconnects when sitting unused for some time

I'm getting disconnected when the SSH session goes unused for some amount of time. I can't determine a specific amount of time, or other conditions, but it seems to be when the connection sits unused for 3-5 min (this is anecdotal, I have not actually tested it). I've only seen this after the connection is idle for some amount of time; I've not seen this happen to an active connection.

Generally what will happen is:

  • I log in to my system using secure shell extension through nassh-relay
  • I do some stuff through GNU Screen
  • I go away to either browse the web for something, or away from the computer altogether
  • I come back to the SSH session and start typing

The client will generally show the first 1 or 2 chars I type, then will hang for a sec and then disconnect. When I reconnect and restart GNU Screen the 1 or 2 chars above plus 1 or 2 more chars will be shown in the console.

So based on what I see as it disconnects and the error message from the client, it seems like something is going wrong on the server. Either with nassh-relay or with my nginx reverse proxy config.

The secure shell client gives me the following error message:

Bad packet length 286636368.
ssh_dispatch_run_fatal: Connection to UNKNOWN port -1: Connection corrupted
NaCl plugin exited with status code 255.

This is the stack trace output by nassh-relay:

03:24:31.964 [vert.x-eventloop-thread-0]      ERROR i.v.c.i.ContextImpl - Unhandled exception
java.lang.IllegalStateException: Response is closed
        at io.vertx.core.http.impl.HttpServerResponseImpl.checkValid(HttpServerResponseImpl.java:548)
        at io.vertx.core.http.impl.HttpServerResponseImpl.end0(HttpServerResponseImpl.java:401)
        at io.vertx.core.http.impl.HttpServerResponseImpl.end(HttpServerResponseImpl.java:319)
        at io.vertx.core.http.impl.HttpServerResponseImpl.end(HttpServerResponseImpl.java:308)
        at net.zyclonite.nassh.util.TransferObserver.update(TransferObserver.java:46)
        at java.base/java.util.Observable.notifyObservers(Observable.java:173)
        at java.base/java.util.Observable.notifyObservers(Observable.java:129)
        at net.zyclonite.nassh.util.TransferQueue.add(TransferQueue.java:36)
        at net.zyclonite.nassh.handler.ProxyHandler.lambda$connectTcpEndpoint$5(ProxyHandler.java:137)
        at io.vertx.core.net.impl.NetSocketImpl$DataMessageHandler.handle(NetSocketImpl.java:384)
        at io.vertx.core.net.impl.NetSocketImpl.handleMessageReceived(NetSocketImpl.java:351)
        at io.vertx.core.net.impl.NetClientImpl$1.handleMessage(NetClientImpl.java:242)
        at io.vertx.core.net.impl.NetClientImpl$1.handleMessage(NetClientImpl.java:239)
        at io.vertx.core.net.impl.VertxHandler.lambda$channelRead$1(VertxHandler.java:146)
        at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:337)
        at io.vertx.core.impl.ContextImpl.executeFromIO(ContextImpl.java:195)
        at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:144)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:141)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:886)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:844)

Here is my nassh-relay config:

{
  "webservice": {
    "hostname": "0.0.0.0",
    "port": 8022
  },

  "application": {
    "authentication": false,
    "max-sessions": 100,
    "tcp-session-timeout": 1200,
    "auth-session-timeout": 600
  },

  "accesslist": [{
    "email": "<redacted>",
    "access": [
      {"network": "0.0.0.0/0"}
    ]
  }],

  "whitelist": [
    {"network": "192.168.0.0/16"}
  ],

  "blacklist": [
    {"network": "169.254.0.0/16"},
    {"network": "172.16.0.0/12"},
    {"network": "10.0.0.0/8"},
    {"network": "0.0.0.0/8"},
    {"network": "fe80::10"},
    {"network": "127.0.0.1"}
  ],

  "google-sso": {
    "title": "Not used",
    "client-id": "",
    "client-secret": ""
  }
}

My nginx config for this vhost:

server {
  listen [::]:8022 ssl http2 ipv6only=off;
  server_name ssh-relay.<redacted>;

  access_log /var/log/nginx/ssh_relay_ssl.access.log;
  error_log /var/log/nginx/ssh_relay_ssl.error.log;

  include configlets/ssl-with-client-cert.conf;

  set $ssh_relay_backend "http://ssh-relay:8022";

  location / {
    proxy_set_header Host $server_name:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_max_temp_file_size 0;
    proxy_buffering off;
    proxy_pass $ssh_relay_backend;
  }

  location /connect {
    proxy_pass $ssh_relay_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $server_name:$server_port;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 10m;
    proxy_set_header Host $server_name:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_max_temp_file_size 0;
    proxy_buffering off;
  }
}

Support X-Forwarded-Host header

I'm using https://github.com/pomerium/pomerium as reverse proxy, and it adds the X-Forwarded-Host header by default.

me -> https://ssh-relay.example.com (Pomerium) -> http://nassh-relay:8022 (in docker)

It looks like nassh-relay will give out nassh-relay as the relay server (because Pomerium will act as an HTTP client and send an HTTP request to nassh-relay with Host: nassh-relay, as well as X-Forwarded-Host: ssh-relay.example.com):

Found relay server: https://nassh-relay:8022/

Is it possible to support X-Forwarded-Host header as well? It looks like this is the de-facto standard per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host.
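
One way a relay behind a reverse proxy can choose the host name it advertises, shown as an added example (not nassh-relay's code): X-Forwarded-Host is honored only when the request arrives from a known proxy address and names an expected public host, otherwise the relay falls back to Host. The proxy network, the allowed host set and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Assumptions for this example: the network the reverse proxy connects from
# and the public names the relay is allowed to advertise.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]  # constructed docker network
ALLOWED_HOSTS = {"ssh-relay.example.com"}

# Plain DNS name with optional port. IPv6 literals are deliberately not
# accepted here; a relay that needs them would extend this pattern.
_HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def _parse_host(value):
    """Return (host, port or None), or None if value is not a plain host[:port]."""
    m = _HOST_RE.match(value.strip())
    if m is None:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return None
    return m.group("host").lower().rstrip("."), (int(port) if port else None)


def advertised_relay(peer_ip, headers, trusted=TRUSTED_PROXIES, allowed=ALLOWED_HOSTS):
    """Pick the host[:port] the relay should hand back to the client.

    peer_ip is the address of the TCP peer (the proxy, when one is in front),
    headers is a mapping of request header names to values.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in net for net in trusted)

    candidate = None
    if from_proxy and "x-forwarded-host" in headers:
        # Chained proxies may append values; the first entry is the original.
        first = headers["x-forwarded-host"].split(",")[0]
        candidate = _parse_host(first)
        # A forwarded name outside the expected set is ignored, so a client
        # cannot make the relay advertise an arbitrary host.
        if candidate is not None and candidate[0] not in allowed:
            candidate = None

    if candidate is None:
        candidate = _parse_host(headers.get("host", ""))
    if candidate is None:
        raise ValueError("no usable Host header")

    host, port = candidate
    return host if port is None else f"{host}:{port}"
```
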

Getting 404 when using nginx, works fine without it.

I copied the config example file you have, only change was the port number. Getting 404 on the connect request, cookie returns 302, proxy returns 200. Not sure what I'm doing wrong.
Debug nginx log
2017/05/25 08:16:43 [debug] 32488#32488: accept on 0.0.0.0:7654, ready: 0
2017/05/25 08:16:43 [debug] 32488#32488: posix_memalign: 000055FB97AB3CD0:512 @16
2017/05/25 08:16:43 [debug] 32488#32488: *15 accept: 172.3.140.188:45192 fd:12
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer add: 12: 60000:1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 reusable connection: 1
2017/05/25 08:16:43 [debug] 32488#32488: *15 epoll add event: fd:12 op:1 ev:80002001
2017/05/25 08:16:43 [debug] 32488#32488: *15 http wait request handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97AB0F20:1024
2017/05/25 08:16:43 [debug] 32488#32488: *15 recv: fd:12 590 of 1024
2017/05/25 08:16:43 [debug] 32488#32488: *15 reusable connection: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 posix_memalign: 000055FB97AA3F70:4096 @16
2017/05/25 08:16:43 [debug] 32488#32488: *15 http process request line
2017/05/25 08:16:43 [debug] 32488#32488: *15 http request line: "GET /connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0 HTTP/1.1"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http uri: "/connect"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http args: "sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http exten: ""
2017/05/25 08:16:43 [debug] 32488#32488: *15 http process request header line
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Host: 52.201.235.17:7654"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Connection: Upgrade"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Pragma: no-cache"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Cache-Control: no-cache"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Upgrade: websocket"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Origin: chrome-extension://pnhechapfaindjhompbnflcldabbghjo"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Sec-WebSocket-Version: 13"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "User-Agent: Mozilla/5.0 (X11; CrOS x86_64 9334.72.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.140 Safari/537.36"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Accept-Encoding: gzip, deflate, sdch"
2017/05/25 08:16:43 [debug] 32488#32488: *15 posix_memalign: 000055FB97A96BD0:4096 @16
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Accept-Language: en-US,en;q=0.8"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Sec-WebSocket-Key: /Ky6pmyqQECtC6Y1NgonZw=="
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header: "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http header done
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer del: 12: 1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 generic phase: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 rewrite phase: 1
2017/05/25 08:16:43 [debug] 32488#32488: *15 test location: "/proxy"
2017/05/25 08:16:43 [debug] 32488#32488: *15 test location: "/cookie"
2017/05/25 08:16:43 [debug] 32488#32488: *15 test location: "/connect"
2017/05/25 08:16:43 [debug] 32488#32488: *15 using configuration "/connect"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http cl:-1 max:1048576
2017/05/25 08:16:43 [debug] 32488#32488: *15 rewrite phase: 3
2017/05/25 08:16:43 [debug] 32488#32488: *15 post rewrite phase: 4
2017/05/25 08:16:43 [debug] 32488#32488: *15 generic phase: 5
2017/05/25 08:16:43 [debug] 32488#32488: *15 generic phase: 6
2017/05/25 08:16:43 [debug] 32488#32488: *15 generic phase: 7
2017/05/25 08:16:43 [debug] 32488#32488: *15 access phase: 8
2017/05/25 08:16:43 [debug] 32488#32488: *15 access phase: 9
2017/05/25 08:16:43 [debug] 32488#32488: *15 access phase: 10
2017/05/25 08:16:43 [debug] 32488#32488: *15 post access phase: 11
2017/05/25 08:16:43 [debug] 32488#32488: *15 http init upstream, client timer: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 epoll add event: fd:12 op:3 ev:80002005
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: "Host: "
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script var: "52.201.235.17:7654"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: "
"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: "X-Real-IP: "
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script var: "172.3.140.188"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: "
"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: "Connection: close
"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: ""
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: ""
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: ""
2017/05/25 08:16:43 [debug] 32488#32488: *15 http script copy: ""
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Pragma: no-cache"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Cache-Control: no-cache"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Origin: chrome-extension://pnhechapfaindjhompbnflcldabbghjo"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Sec-WebSocket-Version: 13"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "User-Agent: Mozilla/5.0 (X11; CrOS x86_64 9334.72.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.140 Safari/537.36"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Accept-Encoding: gzip, deflate, sdch"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Accept-Language: en-US,en;q=0.8"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Sec-WebSocket-Key: /Ky6pmyqQECtC6Y1NgonZw=="
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header:
"GET /connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0 HTTP/1.0
Host: 52.201.235.17:7654
X-Real-IP: 172.3.140.188
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Origin: chrome-extension://pnhechapfaindjhompbnflcldabbghjo
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 9334.72.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.140 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: /Ky6pmyqQECtC6Y1NgonZw==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http cleanup add: 000055FB97A975A8
2017/05/25 08:16:43 [debug] 32488#32488: *15 get rr peer, try: 1
2017/05/25 08:16:43 [debug] 32488#32488: *15 stream socket 13
2017/05/25 08:16:43 [debug] 32488#32488: *15 epoll add connection: fd:13 ev:80002005
2017/05/25 08:16:43 [debug] 32488#32488: *15 connect to 127.0.0.1:8022, fd:13 #16
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream connect: -2
2017/05/25 08:16:43 [debug] 32488#32488: *15 posix_memalign: 000055FB97A92980:128 @16
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer add: 13: 60000:1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 http finalize request: -4, "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0" a:1, c:2
2017/05/25 08:16:43 [debug] 32488#32488: *15 http request count:2 blk:0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http run request: "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream check client, write event:1, "/connect"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream recv(): -1 (11: Resource temporarily unavailable)
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream request: "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream send request handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream send request
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream send request body
2017/05/25 08:16:43 [debug] 32488#32488: *15 chain writer buf fl:1 s:594
2017/05/25 08:16:43 [debug] 32488#32488: *15 chain writer in: 000055FB97A975E0
2017/05/25 08:16:43 [debug] 32488#32488: *15 writev: 594 of 594
2017/05/25 08:16:43 [debug] 32488#32488: *15 chain writer out: 0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer del: 13: 1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer add: 13: 60000:1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream request: "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream process header
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97A97BE0:4096
2017/05/25 08:16:43 [debug] 32488#32488: *15 recv: fd:13 139 of 4096
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy status 404 "404 Not Found"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "content-type: text/html; charset=utf-8"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header: "Content-Length: 53"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy header done
2017/05/25 08:16:43 [debug] 32488#32488: *15 xslt filter header
2017/05/25 08:16:43 [debug] 32488#32488: *15 HTTP/1.1 404 Not Found
Server: nginx/1.10.0 (Ubuntu)
Date: Thu, 25 May 2017 08:16:43 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip

2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:1 f:0 000055FB97A97948, pos 000055FB97A97948, size: 210 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter: l:0 f:0 s:210
2017/05/25 08:16:43 [debug] 32488#32488: *15 http proxy filter init s:404 h:0 c:0 l:53
2017/05/25 08:16:43 [debug] 32488#32488: *15 tcp_nodelay
2017/05/25 08:16:43 [debug] 32488#32488: *15 http upstream process non buffered downstream
2017/05/25 08:16:43 [debug] 32488#32488: *15 http output filter "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http copy filter: "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 image filter
2017/05/25 08:16:43 [debug] 32488#32488: *15 xslt filter body
2017/05/25 08:16:43 [debug] 32488#32488: *15 http postpone filter "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0" 000055FB97A97A20
2017/05/25 08:16:43 [debug] 32488#32488: *15 http gzip filter
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97AEEA60:12288
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip alloc: n:1 s:5936 a:8192 p:000055FB97AEEA60
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip alloc: n:512 s:2 a:1024 p:000055FB97AF0A60
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip alloc: n:512 s:2 a:1024 p:000055FB97AF0E60
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip alloc: n:512 s:2 a:1024 p:000055FB97AF1260
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip alloc: n:256 s:4 a:1024 p:000055FB97AF1660
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in: 000055FB97A97B08
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in_buf:000055FB97A97A30 ni:000055FB97A97C36 ai:53
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97A98BF0:4096
2017/05/25 08:16:43 [debug] 32488#32488: *15 deflate in: ni:000055FB97A97C36 no:000055FB97A98BF0 ai:53 ao:4096 fl:2 redo:0
2017/05/25 08:16:43 [debug] 32488#32488: *15 deflate out: ni:000055FB97A97C6B no:000055FB97A98C23 ai:0 ao:4045 rc:0
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in_buf:000055FB97A97A30 pos:000055FB97A97C36
2017/05/25 08:16:43 [debug] 32488#32488: *15 posix_memalign: 000055FB97A99C00:4096 @16
2017/05/25 08:16:43 [debug] 32488#32488: *15 http chunk: 10
2017/05/25 08:16:43 [debug] 32488#32488: *15 http chunk: 51
2017/05/25 08:16:43 [debug] 32488#32488: *15 write old buf t:1 f:0 000055FB97A97948, pos 000055FB97A97948, size: 210 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:1 f:0 000055FB97A99CC0, pos 000055FB97A99CC0, size: 4 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:0 f:0 0000000000000000, pos 000055FB977519E0, size: 10 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:1 f:0 000055FB97A98BF0, pos 000055FB97A98BF0, size: 51 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:0 f:0 0000000000000000, pos 000055FB97520F26, size: 2 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter: l:0 f:1 s:277
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter limit 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 writev: 277 of 277
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter 0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in: 0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 http copy filter: 0 "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 finalize http upstream request: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 finalize http proxy request
2017/05/25 08:16:43 [debug] 32488#32488: *15 free rr peer 1 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 close http upstream connection: 13
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97A92980, unused: 48
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer del: 13: 1495700263489
2017/05/25 08:16:43 [debug] 32488#32488: *15 reusable connection: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http output filter "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http copy filter: "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 image filter
2017/05/25 08:16:43 [debug] 32488#32488: *15 xslt filter body
2017/05/25 08:16:43 [debug] 32488#32488: *15 http postpone filter "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0" 00007FFCB6E79FE0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http gzip filter
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in: 000055FB97A97B88
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in_buf:000055FB97A99D78 ni:0000000000000000 ai:0
2017/05/25 08:16:43 [debug] 32488#32488: *15 deflate in: ni:0000000000000000 no:000055FB97A98BF0 ai:0 ao:4096 fl:4 redo:0
2017/05/25 08:16:43 [debug] 32488#32488: *15 deflate out: ni:0000000000000000 no:000055FB97A98BF2 ai:0 ao:4094 rc:1
2017/05/25 08:16:43 [debug] 32488#32488: *15 gzip in_buf:000055FB97A99D78 pos:0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97AEEA60
2017/05/25 08:16:43 [debug] 32488#32488: *15 http chunk: 10
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:1 f:0 000055FB97A99DC8, pos 000055FB97A99DC8, size: 3 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:1 f:0 000055FB97A98BF0, pos 000055FB97A98BF0, size: 10 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 write new buf t:0 f:0 000055FB97A99CC0, pos 000055FB97520F21, size: 7 file: 0, size: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter: l:1 f:1 s:20
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter limit 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 writev: 20 of 20
2017/05/25 08:16:43 [debug] 32488#32488: *15 http write filter 0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 http copy filter: 0 "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0"
2017/05/25 08:16:43 [debug] 32488#32488: *15 http finalize request: 0, "/connect?sid=13311622-c8c7-48f2-958f-114f87f1558d&ack=0&pos=0" a:1, c:1
2017/05/25 08:16:43 [debug] 32488#32488: *15 set http keepalive handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 http close request
2017/05/25 08:16:43 [debug] 32488#32488: *15 http log handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97A98BF0
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 0000000000000000
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97A97BE0
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97AA3F70, unused: 3
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97A96BD0, unused: 8
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97A99C00, unused: 3335
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97AB0F20
2017/05/25 08:16:43 [debug] 32488#32488: *15 hc free: 0000000000000000 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 hc busy: 0000000000000000 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 reusable connection: 1
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer add: 12: 65000:1495700268491
2017/05/25 08:16:43 [debug] 32488#32488: *15 post event 000055FB97ACAC20
2017/05/25 08:16:43 [debug] 32488#32488: *15 delete posted event 000055FB97ACAC20
2017/05/25 08:16:43 [debug] 32488#32488: *15 http keepalive handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97AB0F20:1024
2017/05/25 08:16:43 [debug] 32488#32488: *15 recv: fd:12 -1 of 1024
2017/05/25 08:16:43 [debug] 32488#32488: *15 recv() not ready (11: Resource temporarily unavailable)
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97AB0F20
2017/05/25 08:16:43 [debug] 32488#32488: *15 http keepalive handler
2017/05/25 08:16:43 [debug] 32488#32488: *15 malloc: 000055FB97AB0F20:1024
2017/05/25 08:16:43 [debug] 32488#32488: *15 recv: fd:12 -1 of 1024
2017/05/25 08:16:43 [info] 32488#32488: *15 client 172.3.140.188 closed keepalive connection (104: Connection reset by peer)
2017/05/25 08:16:43 [debug] 32488#32488: *15 close http connection: 12
2017/05/25 08:16:43 [debug] 32488#32488: *15 event timer del: 12: 1495700268491
2017/05/25 08:16:43 [debug] 32488#32488: *15 reusable connection: 0
2017/05/25 08:16:43 [debug] 32488#32488: *15 free: 000055FB97AB0F20

Output from nassh-relay
08:16:37.498 [vert.x-eventloop-thread-0] DEBUG n.z.n.h.CookieHandler - got request
08:16:38.646 [vert.x-eventloop-thread-0] DEBUG n.z.n.h.ProxyHandler - got request
08:16:38.650 [vert.x-eventloop-thread-0] INFO n.z.n.h.ProxyHandler - Connected to ssh server: 10.10.7.128:22 (redacted-ip)

Other Authentication Methods

First of all, great work! I am really glad to see this project. Unfortunately, it's unusable for me at this time because my environment blocks any Google Plus URLs. And therefore, I can't authenticate with the relay. Given the nature of this tool, I suspect many other users are in similar environments where social media sites are blocked. It would be really great to see nassh-relay stand on its own.

Might I suggest adding other authentication methods such as:

  • Other OAuth (non-social media) providers
  • HTTP Basic (with HTTPS of course)
  • HTTP Digest
  • A simple login form

SameSite and Secure flag not set for authentication cookies

First of all, thank you for providing and maintaining nassh-relay - it has been supremely useful to me individually.

I've encountered an issue with Opening stream socket failed: 410: resulting in Connection refused.

Expected result

Secure Shell App should successfully connect to the SSH server.

Actual result*

(* scrubbed for privacy)

Secure Shell App output

(with verbose logging, via -vvvv flag)

Welcome to Secure Shell App version 0.21.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)
ChangeLog/release notes: https://goo.gl/YnmXOs

Random Pro Tip #13: Display images inline: https://goo.gl/MnSysj

Looking up relay server using: relay.my.domain:443
Found relay server: https://relay.my.domain:443/
Loading NaCl plugin... done.
Connecting to [email protected]...
OpenSSH_8.1p1, OpenSSL 1.0.2k  26 Jan 2017
debug2: resolve_canonicalize: hostname 192.168.x.x is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.x.x [192.168.x.x] port 22.
Opening stream socket failed: 410: 
debug1: connect to address 192.168.x.x port 22: Connection refused
ssh: connect to host 192.168.x.x port 22: Connection refused
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?

Dev Console output

[Warning] A cookie associated with a cross-site resource at http://my.domain/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

[Error] GET https://relay.domain.com/proxy?host=192.168.x.x&port=22 410
nassh.Stream.GoogleRelay.asyncOpen @ nassh_stream_google_relay.js:83
nassh.StreamSet.openStream @ nassh_stream_set.js:37
nassh.GoogleRelay.openSocket @ nassh_google_relay.js:174
nassh.CommandInstance.onPlugin_.openSocket @ nassh_command_instance.js:1589
nassh.CommandInstance.dispatchMessage_ @ nassh_command_instance.js:1190
nassh.CommandInstance.onPluginMessage_ @ nassh_command_instance.js:1430

Workaround found

The issue can be worked around by:

  1. Setting chrome://flags/#same-site-by-default-cookies to Disabled
  2. Setting chrome://flags/#cookies-without-same-site-must-be-secure to Disabled
  3. Relaunch/Restart Chrome browser/ChromeOS.

How to reproduce

If the above flags are not already enabled (and they eventually will be in Chrome), manually set the above flags to Enabled and (importantly) relaunch Chrome. Then try to connect using nassh-relay.

I'm currently on Chrome Version 81.0.4035.0 (Official Build) canary (64-bit), on Mac OS X 10.14.6.
Also (not sure if a factor), access to the relay server is restricted via Cloudflare Access and Google SSO is configured on the relay server.
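
The cookie rule quoted in the Dev Console warning above, as an added example that is not part of the original issue or of nassh-relay's code: it parses `Set-Cookie` header values and reports whether Chrome, with both flags enabled, would attach each cookie to a cross-site request such as the extension's `GET /proxy`. The cookie name and header values are constructed samples.

```javascript
// Constructed Set-Cookie values; the cookie name is hypothetical,
// not taken from nassh-relay or Cloudflare Access.
const SAMPLE_HEADERS = [
  'relay_session=abc123; Path=/; HttpOnly',
  'relay_session=abc123; Path=/; HttpOnly; SameSite=None',
  'relay_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'relay_session=abc123; Path=/; HttpOnly; Secure; SameSite=None',
];

// Parse one Set-Cookie header value into the fields relevant to the warning.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const nameValue = parts.shift() || '';
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : nameValue.slice(0, eq),
    value: eq === -1 ? nameValue : nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of parts) {
    const i = attr.indexOf('=');
    // Attribute names and the SameSite value are case-insensitive.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  return cookie;
}

// Decide whether the cookie accompanies a cross-site subrequest (XHR/fetch
// from another origin) under the two Chrome behaviours named in the warning.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    return c.secure
      ? { name: c.name, sent: true, reason: 'SameSite=None with Secure' }
      : { name: c.name, sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return {
      name: c.name,
      sent: false,
      reason: `SameSite=${c.sameSite} is withheld from cross-site subrequests`,
    };
  }
  return {
    name: c.name,
    sent: false,
    reason: 'SameSite missing or unrecognized, treated as Lax by default',
  };
}

function auditHeaders(headers) {
  return headers.map(crossSiteVerdict);
}

for (const v of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${v.sent ? 'sent   ' : 'blocked'}  ${v.name}: ${v.reason}`);
}
```

Only the last sample, which carries both `Secure` and `SameSite=None`, survives; a relay cookie set in any of the other three forms is withheld from the extension's request.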

Null pointer exception when Google Authentication enabled

After enabling Google Authentication, I get a null pointer exception upon authentication with Google. This failure prevents me from connecting via the relay. Here's the output I receive from the console logs:

20:34:07.138 [vert.x-eventloop-thread-0]      INFO  n.z.n.MainVerticle - nassh-relay listening on port 8022                                    
20:34:07.149 [vert.x-eventloop-thread-1]      INFO  i.v.c.i.l.c.VertxIsolatedDeployer - Succeeded in deploying verticle                        
20:34:18.002 [vert.x-eventloop-thread-0]      INFO  n.z.n.h.CookiePostHandler - Google User: id: 104796568810369987670 email: null domain: null
logged in
20:34:19.105 [vert.x-eventloop-thread-0]      ERROR n.z.n.h.ProxyHandler - NULL                                                                
java.lang.NullPointerException: null
        at net.zyclonite.nassh.util.AccessHelper.checkAccess(AccessHelper.java:57)                                                             
        at net.zyclonite.nassh.util.AccessHelper.isHostAllowed(AccessHelper.java:37)                                                           
        at net.zyclonite.nassh.handler.ProxyHandler.lambda$handle$0(ProxyHandler.java:89)                                                      
        at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:273)                                                       
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)                                                     
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)                                                     
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)                                               
        at java.lang.Thread.run(Thread.java:748)

Authentication fails to get an e-mail or domain, and the checkAccess looks like it's throwing a NullPointerException as a result. It looks like the code checks for null values, but there's still a failure happening somewhere in there. I've currently tried versions 1.0.6 and 1.0.5 of the relay.

java.lang.IllegalStateException: CORS Rejected - Invalid origin

I'm trying to use nassh with Traefik for reverse proxy and ssl termination. When I try to connect I get the following error:

Sep 25, 2023 5:58:44 AM io.vertx.ext.web.RoutingContext
SEVERE: Unhandled exception in router
java.lang.IllegalStateException: CORS Rejected - Invalid origin
        at io.vertx.ext.web.handler.impl.CorsHandlerImpl.handle(CorsHandlerImpl.java:252)
        at io.vertx.ext.web.handler.impl.CorsHandlerImpl.handle(CorsHandlerImpl.java:41)
        at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1286)
        at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:177)
        at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:144)
        at io.vertx.ext.web.impl.RouterImpl.handle(RouterImpl.java:68)
        at io.vertx.ext.web.impl.RouterImpl.handle(RouterImpl.java:37)
        at io.vertx.core.http.impl.Http1xServerRequestHandler.handle(Http1xServerRequestHandler.java:57)
        at io.vertx.core.http.impl.Http1xServerRequestHandler.handle(Http1xServerRequestHandler.java:30)
        at io.vertx.core.impl.EventLoopContext.emit(EventLoopContext.java:55)
        at io.vertx.core.impl.DuplicatedContext.emit(DuplicatedContext.java:179)
        at io.vertx.core.http.impl.Http1xServerConnection.handleMessage(Http1xServerConnection.java:174)
        at io.vertx.core.net.impl.ConnectionBase.read(ConnectionBase.java:159)
        at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:153)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:93)
        at io.netty.handler.codec.http.websocketx.extensions.WebSocketServerExtensionHandler.onHttpRequestChannelRead(WebSocketServerExtensionHandler.java:160)
        at io.netty.handler.codec.http.websocketx.extensions.WebSocketServerExtensionHandler.channelRead(WebSocketServerExtensionHandler.java:83)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)

I don't understand what kind of CORS validation is being done nor how to disable it. On the browser, requests receive a 403 error.

On /cookie, origin `chrome-untrusted://terminal` should be used verbatim

ChromeOS's "Terminal" app (not the Secure Shell App / Secure Shell Extension) seems to visit /cookie with GET argument ext=terminal, which results in a redirect to chrome-extension://terminal/html/....

This results in:

terminal is blocked
This page has been blocked by Chrome
ERR_BLOCKED_BY_CLIENT

Instead, I'm guessing chrome-untrusted://terminal/html/... is expected.

App itself: https://chromium.googlesource.com/apps/libapps/+/HEAD/terminal

[Container] java.lang.ClassNotFoundException: java.beans.PropertyChangeEvent

I just wanted to try the image docker.io/zyclonite/nassh-relay:1.1.29
1.1.28 works.

It results in:

Exception in thread "main" java.lang.NoClassDefFoundError: java/beans/PropertyChangeEvent
        at org.apache.logging.log4j.core.LoggerContext.updateLoggers(LoggerContext.java:747)
        at org.apache.logging.log4j.core.LoggerContext.updateLoggers(LoggerContext.java:734)
        at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:628)
        at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:699)
        at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716)
        at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
        at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196)
        at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:137)
        at org.apache.logging.slf4j.Log4jLoggerFactory.getContext(Log4jLoggerFactory.java:55)
        at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:47)
        at org.apache.logging.slf4j.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:33)
        at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:358)
        at io.vertx.core.logging.SLF4JLogDelegate.<init>(SLF4JLogDelegate.java:37)
        at io.vertx.core.logging.SLF4JLogDelegateFactory.createDelegate(SLF4JLogDelegateFactory.java:49)
        at io.vertx.core.logging.LoggerFactory.<clinit>(LoggerFactory.java:36)
        at io.vertx.core.impl.logging.LoggerFactory.getLogger(LoggerFactory.java:26)
        at io.vertx.core.impl.launcher.commands.ClasspathHandler.<init>(ClasspathHandler.java:46)
        at io.vertx.core.impl.launcher.commands.BareCommand.<init>(BareCommand.java:48)
        at io.vertx.core.impl.launcher.commands.RunCommand.<init>(RunCommand.java:36)
        at io.vertx.core.spi.launcher.DefaultCommandFactory.create(DefaultCommandFactory.java:60)
        at io.vertx.core.impl.launcher.VertxCommandLauncher.getNewCommandInstance(VertxCommandLauncher.java:179)
        at io.vertx.core.impl.launcher.VertxCommandLauncher.execute(VertxCommandLauncher.java:234)
        at io.vertx.core.impl.launcher.VertxCommandLauncher.dispatch(VertxCommandLauncher.java:402)
        at io.vertx.core.impl.launcher.VertxCommandLauncher.dispatch(VertxCommandLauncher.java:346)
        at io.vertx.core.Launcher.main(Launcher.java:45)
Caused by: java.lang.ClassNotFoundException: java.beans.PropertyChangeEvent
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
        ... 27 more

According to the internet it gets fixed by --add-modules java.xml,java.sql,java.prefs,java.desktop as vm arguments.
https://stackoverflow.com/questions/57955837/java-11-java-beans-propertychangelistener
