Secure TTYD with Let Encrypt TLS Certs

[mrzzy]

Motivation

TTYD currently exposes a unauthenticated web terminal which poses a security risk.

Proposal

Secure the TTYD web terminal with Let Encrypt TLS Certs:

• Configure TTYD to use provisioned TLS cert at /etc/ssl/certs/ttyd.pem & /etc/ssl/private/ttyd.key
• Enable Basic Authentication on TTYD using credentials built into WARP VM image.
• Run TTYD as the confgur devbox user instead of root.

[mrzzy]

Changes to Approach

Issues with Certbot Approach
Originally certbot was embedded into WARP VM certbot performed ACME within WARP VM to obtain a trusted TLS certificate from Lets Encrypt. This design posed several challenges:

• As there is a 50 per week rate limit on production certs that Lets Encrypt can issue, certs issued by certbot had to be cached somehow by the underlying infrastructure.
• certbot is designed for interactive users: It's snap contains boot hook that makes certbot run on startup to keep certificates up to date. This automatic behavior is undesired as we need to maintain ordering dependency between cloud-init & certbot when running on Cloud Providere VM's (cloud-init first as it sets up caching.
• Pulling the TLS cert within WARP VM makes it difficult to control whether we want to pull a staging or production Lets Encrypt cert at runtime from the underlying infastructure. In its current model, whether to pull a production is set at WARP VM build time via an Ansible Var.

Proposed New Approach
Apply dependency inversion to the TLS certificates:

• WARP VM expects TLS certificate & key to be configured by underlying infrastructure at /etc/ssl/certs/ttyd.pem & /etc/ssl/private/ttyd.key
• This pushes down responsibility of TLS certificate provisioning & caching down to the underlying infrastructure & decouples WARM VM from Lets Encrypt certificates.