Backlog #3538

Enable path based NoVNC

Added by EOLE Team over 5 years ago. Updated about 3 years ago.

Status:NewStart date:01/30/2015
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Sunstone
Target version:Release 5.2

Description

Hello,

Actually we have the websocketproxy.py listening on the port 29876 and the NoVNC client open a WebSocket directly on that port.

I would like the client to only use the port 443 as I already have a nginx reverse proxy.

I setup a nginx location pointing to websocketproxy.py:

# /etc/nginx/sites-available/opennebula-sunstone
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

upstream sunstone {
    server 127.0.0.1:9869;
}

upstream websocketproxy {
    server 127.0.0.1:29876;
}

# Port 80 redirected to SSL
server {
    listen           80;
    server_name    nebula.example.net;

    location / {
        return 301 https://$host;
    }
}

server {
    listen 443 default_server;
    listen [::]:443 default_server ipv6only=on;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name nebula.example.net;

    access_log  /var/log/nginx/opennebula-sunstone-access.log;
    error_log  /var/log/nginx/opennebula-sunstone-error.log;

    # To upload ISO files, increase for VMs images
    client_max_body_size 1G;
    location / {
        include proxy_params;
        proxy_pass http://sunstone;
    }

    location /websockify {
        proxy_pass http://websocketproxy;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

In NoVNC:

  • if the port is not set(1), it use the same as the current connection
  • the path parameter(2) is used as the full path of the resource

For what I see, this would require:

  • add a vnc_proxy_path to customize the NoVNC path parameter if wanted
  • add a vnc_proxy_listen to customize the websocketproxy.py source_addr with default to 0.0.0.0
  • add a flag to disable passing the vnc_proxy_port as port= parameter to NoVNC

Regards.

(1) source:src/sunstone/public/bower_components/no-vnc/vnc_auto.html#L168
(2) source:src/sunstone/public/bower_components/no-vnc/vnc_auto.html#L185

opennebula-4.12.0-vncoversameport.diff Magnifier (4.09 KB) Roy Keene, 03/30/2015 06:33 PM

History

#1 Updated by Daniel Molina over 5 years ago

  • Tracker changed from Request to Feature
  • Status changed from Pending to New
  • Priority changed from Normal to High

#2 Updated by Ruben S. Montero over 5 years ago

  • Tracker changed from Feature to Backlog

#3 Updated by Nico Schottelius over 5 years ago

We are also very much interested in this feature, as we are running opennebula behind nginx for ssl encryption.

#4 Updated by Ruben S. Montero over 5 years ago

  • Tracker changed from Backlog to Feature
  • Target version set to Release 4.14

Moving this to 4.14, thanks for the feedback

#5 Updated by Roy Keene over 5 years ago

I currently do this with HAProxy.


    cat <<\_EOF_ > /etc/haproxy.cfg
global
    user    nobody
    maxconn 4096

    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!SSLv3:!SSLv2
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!SSLv3:!SSLv2

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option  http-server-close

frontend sunstone-vnc-in
    bind *:80
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend vncwebsockets if is_websocket
    default_backend sunstone

frontend sunstone-vnc-tls-in
    bind *:443 ssl crt /dashboard/ssl/combined
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend vncwebsockets if is_websocket
    default_backend sunstone

frontend oned-tls-in
    bind *:2634 ssl crt /dashboard/ssl/combined
    default_backend oned

backend sunstone
    server localhost-sunstone 127.0.0.1:9869 maxconn 128

backend vncwebsockets
    server localhost-vncwebsockets 127.0.0.1:29876

backend oned
    server localhost-oned 127.0.0.1:2633
_EOF_
    haproxy -f /etc/haproxy.cfg -dM &

Patch attached for using the same port and hostname (always)

#6 Updated by Nico Schottelius over 5 years ago

I've just checked which errors we actually get when trying to use nginx + ssl + sunstone. When pressing the vnc button, chromium shows the following errors:

Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
util.js:138 New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering
util.js:138 New state 'connect', was 'loaded'.
websock.js:285 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
websock.js:285 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
util.js:139 Skipping unsupported WebSocket binary sub-protocol
websock.js:333 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://our-hosting-server01.ungleich.ch:29876/?token=t8opcrssdsoyutpjnh0q'. This request has been blocked; this endpoint must be available over WSS.
websock.js:333 Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.

Is there any progress on supporting this?

#7 Updated by Daniel Molina about 5 years ago

  • Priority changed from High to Normal

#8 Updated by Tino Vázquez about 5 years ago

  • Tracker changed from Feature to Backlog

#9 Updated by Ruben S. Montero about 5 years ago

  • Status changed from New to Pending

#10 Updated by Ruben S. Montero about 5 years ago

  • Target version changed from Release 4.14 to Release 5.0

#11 Updated by Ruben S. Montero almost 5 years ago

  • Tracker changed from Backlog to Feature
  • Status changed from Pending to New

#12 Updated by Carlos Martín over 4 years ago

  • Tracker changed from Feature to Backlog

#13 Updated by Carlos Martín over 4 years ago

  • Target version changed from Release 5.0 to Release 5.2

#14 Updated by Perry Manuk almost 4 years ago

would like to add a +1 to this

#15 Updated by Arnaud Abélard about 3 years ago

5.4 is out and this still doesn't seem to be possible. We also would like this to be implemented.

Also available in: Atom PDF