Bug tracker and wiki

/dev/loop.org.uk

This bug tracker and wiki are being discontinued
please use https://github.com/Xpra-org/xpra instead.

Context Navigation

Changes between Version 5 and Version 6 of ProxyServer

Timestamp:: 11/07/13 05:26:25 (7 years ago)
Author:: Antoine Martin
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ProxyServer

-                      v5
+                      v6
 xpra proxy :20 --auth=sys --bind-tcp=0.0.0.0:443
 }}}
+Note: if you run this command as root, all the user sessions will be exposed. If you run it a normal user, only this user's session will be exposed.
+Once authenticated, the proxy server spawns a new process and no longer runs as root.
+Notes:
+* if you run this command as root, all the user sessions will be exposed
+* if you run it a normal user, only this user's session will be exposed
+* once authenticated, the proxy server spawns a new process and no longer runs as root
+* the display number chosen for the proxy server is only used for identifying the proxy server and interacting with it using the regular tools ("{{{xpra info}}}", etc)
 [[BR]]
 …
 {{{#!div class="box"
 == File Authentication Extras ==
+== File Authentication ==
 When used with the proxy server, the password file (see [/wiki/Authentication#Modules Authentication Modules]) should contain one user per line using the format:
 …
 * {{{SESSION_OPTIONS}}} is an optional attribute which can contain ";" separated name-value pairs which will override the client's connection settings and apply to the connection between the proxy and the real server only.
 }}}
+{{{#!div class="box"
+== File Authentication Example ==
+* Start a proxy server on port 443 using {{{file}}} authentication (we will call this server {{{PROXYHOST}}}):
+{{{
+xpra proxy :100 --bind-tcp=0.0.0.0:443 --auth=file --password-file=./xpra-auth
+}}}
+* Start the session we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}):
+{{{
+xpra start :10 --bind-tcp=0.0.0.0:10000
+}}}
+* on {{{PROXYHOST}}}, add a user to the auth file pointing to {{{TARGETHOST}}} (ie: {{{192.168.1.200}}} should be {{{TARGETHOST}}}'s IP):
+{{{
+echo "john|secretpassword|1000|1000|tcp:192.168.1.200:10000|EXAMPLE_ENV=VALUE|compression=0" >> ./xpra-auth
+}}}
+* create the password file on the client:
+{{{
+echo "secretpassword" >> password.txt
+}}}
+* connect from the client:
+{{{
+xpra attach --username=myusername --password-file=./password.txt $PROXYHOST:20000
+}}}
+What happens:
+* the client connects to the proxy server
+* the proxy server asks the client to authenticate and sends it a challenge
+* the client responds to the challenge (see [/wiki/Authentication])
+* the proxy server verifies the challenge (and disconnects the user if needed)
+* the proxy server identifies the session desired (ie: the one on {{{TARGETHOST}}})
+* the proxy server creates a new connection to the real server ({{{TARGETHOST}}}), applying any options specified (ie: "{{{compression=0}}}" will disable compression between the proxy and server)
+* the proxy server spawns a new process
+* the new proxy process changes its uid and gid to non-root (if needed)
+* the packets should now flow through between the client and the real server
+}}}