OpenNebula

EDIT: This happens when using HTTPS via an lighttpd proxy. noVNC then can't get a secure connection.

Hi Christian,

Did you enable the VNC Secure Websockets checkbox in the Conf tab of the User Settings?

Christian Hüning wrote:

Hi,
thanks, didn't have that set. But now I get a VNC Disconnect timeout

I had the same issue because the certificate was not recognize by my browser.

To install the self-signed certificate:

• I point my browser to https://sunstone:29876
• Accept the certificate permanently
• Close the tab as nothing will appear on that port

Regards.

Did you proxy port 29876 through lighttpd with SSL as well?

Johan Kooijman wrote:

Did you proxy port 29876 through lighttpd with SSL as well?

I'd say yes. I simply added a second line like" host : 127.0.0.1 , port : 29876" to the lighted config. But that doesn't solve it.

This is actually a bug in the Ruby for Sunstone. I confirmed it today, and am writing a patch that will be submitted (the bug is below, but to find out where these values breaking the conditional are coming from may take me time or maybe someone else can figure it out faster). All testing was done on CentOS 7 packages, both on 4.8 (found the bug while preparing for an update and getting really frustrated with some VNC admin only instances before migration), and on the current 4.10.

Error lies in the code that determines if the configuration is configured for wss in sunstone-server.conf.

There are three options: yes, no, and only. I found that there is a conditional in the sunstone interface that always returns in such a way that secure sockets is not the default. If it is not the default, even if supported, Firefox and Chrome will not partake in even displaying the fact the socket is there. noVNC is configured to only accept SSL connections via the config properly, and even with an SSL proxy it works just fine if you add a valid SSL cert to the vnc service (i just gave it perms to access my normal cert for now until I make a new one).
To verify that it is because the secure socket is not the default advertisement, even when set to only, do the following for firefox or chrome:
Firefox:
goto about:config and search for socket. There is a setting for allowing insecure https websockets. If you allow this then the window will at least popup, but there will be no session if you set wss support to "only". This is because noVNC will not allow non-ssl connections if you set to only. If you have it on yes or no, then it may render. However, if the connection ends up going over an insecure socket to the VNC server after the window pops up there will be a 1006 error. This can be fixed by clicking the blue square link by the error in the popup window, and in the resulting URL changing the encrypt parameter to "yes" and entering (which BTW, that URL is going to be another report as it puts the password and "session" token in a GET request, and the session token does not seem to reasonably expire with the user logging out). This is not an issue once the initial HTTPS websocket support is fixed, but due to a lack of a secure connection in the first place encryption does not get turned on automatically. If you do not want to use a valid SSL for noVNC, or simply want to use non-https for whatever reason, you can change a parameter to return an encrypt value of true always instead of depending on a conditional in /usr/lib/one/sunstone/public/vendor/noVNC/ui.js

I am trying to get all the details for the bugs to submit properly, or I can submit them here. But this is not really a documentation issue, as the SSL proxy should not make a difference as long as the bugs in the code are fixed.

-Jimb0

--- all findings were on a CentOS 7 server, running 4.10 but also confirmed on 4.8 before I upgraded----

error checking configuration conditional of noVNC script in /usr/lib/one/sunstone/sunstone-server.rb:
If you comment out the conditional then it works. Problem is that this is nowhere to set a secure websocket I could find in any template, but even worse is that the template can override the sunstone-server.conf setting of wss only, which a user should never be able to override. Period. "yes," perhaps since it is not strict. But an only case set by an admin should be enforced.
With the template conditional commented out, it actually checks the configuration setting defined for vnc in sunstone-server.conf

1. if user['TEMPLATE/VNC_WSS']
2. session[:vnc_wss] = user['TEMPLATE/VNC_WSS']
3. else
   wss = $conf[:vnc_proxy_support_wss]
   #limit to yes,no options
   session[:vnc_wss] = (wss true || wss "yes" || wss == "only" ?
   "yes" : "no")
4. end

If this conditional for the template, which I have no documentation for and frankly shouldn't exist, is fixed then the web based VNC will work with natively as long as a valid certificate is provided, with no issues for SSL proxy, native SSL, and no having to disable web sockets protections.

Forgot Chrome test instructions:

Attempt to load a VNC viewer in sunstone. when no popup appears other than the session notification in the bottom right, note that there is a lock icon on the top right in the URL bar. If you click it, there is a message that the page has insecure content. If you allow the insecure content the VNC sessions can open assuming you don't have a popup blocker enabled on the sunstone server.

Thx for the work!
Which version of ONE includes the fix? I am running on 4.12.1 and still am having this issue. Do I need to update to 4.14 ?