Backlog #3538
Enable path based NoVNC
| Status: | New | Start date: | 01/30/2015 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Sunstone | | |
| Target version: | Release 5.2 | | |
Description
Hello,
Actually we have the websocketproxy.py listening on the port 29876 and the NoVNC client opens a WebSocket directly on that port.
I would like the client to only use the port 443 as I already have a nginx reverse proxy.
I set up a nginx location pointing to websocketproxy.py:
```nginx
# /etc/nginx/sites-available/opennebula-sunstone
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

upstream sunstone {
    server 127.0.0.1:9869;
}

upstream websocketproxy {
    server 127.0.0.1:29876;
}

# Port 80 redirected to SSL
server {
    listen 80;
    server_name nebula.example.net;

    location / {
        return 301 https://$host;
    }
}

server {
    listen 443 default_server;
    listen [::]:443 default_server ipv6only=on;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name nebula.example.net;

    access_log /var/log/nginx/opennebula-sunstone-access.log;
    error_log /var/log/nginx/opennebula-sunstone-error.log;

    # To upload ISO files, increase for VMs images
    client_max_body_size 1G;

    location / {
        include proxy_params;
        proxy_pass http://sunstone;
    }

    location /websockify {
        proxy_pass http://websocketproxy;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
In NoVNC:
- if the port is not set(1), it uses the same as the current connection
- the path parameter(2) is used as the full path of the resource
From what I see, this would require:
- add a vnc_proxy_path to customize the NoVNC path parameter if wanted
- add a vnc_proxy_listen to customize the websocketproxy.py source_addr with default to 0.0.0.0
- add a flag to disable passing the vnc_proxy_port as port= parameter to NoVNC
Regards.
(1) source:src/sunstone/public/bower_components/no-vnc/vnc_auto.html#L168
(2) source:src/sunstone/public/bower_components/no-vnc/vnc_auto.html#L185
History
#1 Updated by Daniel Molina over 6 years ago
- Tracker changed from Request to Feature
- Status changed from Pending to New
- Priority changed from Normal to High
#2 Updated by Ruben S. Montero over 6 years ago
- Tracker changed from Feature to Backlog
#3 Updated by Nico Schottelius over 6 years ago
We are also very much interested in this feature, as we are running OpenNebula behind nginx for SSL encryption.
#4 Updated by Ruben S. Montero over 6 years ago
- Tracker changed from Backlog to Feature
- Target version set to Release 4.14
Moving this to 4.14, thanks for the feedback
#5 Updated by Roy Keene over 6 years ago
- File opennebula-4.12.0-vncoversameport.diff added
I currently do this with HAProxy.
```sh
cat <<\_EOF_ > /etc/haproxy.cfg
global
    user nobody
    maxconn 4096
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!SSLv3:!SSLv2
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!SSLv3:!SSLv2

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option http-server-close

frontend sunstone-vnc-in
    bind *:80
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend vncwebsockets if is_websocket
    default_backend sunstone

frontend sunstone-vnc-tls-in
    bind *:443 ssl crt /dashboard/ssl/combined
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend vncwebsockets if is_websocket
    default_backend sunstone

frontend oned-tls-in
    bind *:2634 ssl crt /dashboard/ssl/combined
    default_backend oned

backend sunstone
    server localhost-sunstone 127.0.0.1:9869 maxconn 128

backend vncwebsockets
    server localhost-vncwebsockets 127.0.0.1:29876

backend oned
    server localhost-oned 127.0.0.1:2633
_EOF_

haproxy -f /etc/haproxy.cfg -dM &
```
Patch attached for using the same port and hostname (always)
#6 Updated by Nico Schottelius about 6 years ago
I've just checked which errors we actually get when trying to use nginx + ssl + sunstone. When pressing the vnc button, chromium shows the following errors:
```text
Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
util.js:138 New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering
util.js:138 New state 'connect', was 'loaded'.
websock.js:285 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
websock.js:285 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://localhost:17523/'. This request has been blocked; this endpoint must be available over WSS.
util.js:139 Skipping unsupported WebSocket binary sub-protocol
websock.js:333 Mixed Content: The page at 'https://our-hosting-server01.ungleich.ch/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://our-hosting-server01.ungleich.ch:29876/?token=t8opcrssdsoyutpjnh0q'. This request has been blocked; this endpoint must be available over WSS.
websock.js:333 Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
```
Is there any progress on supporting this?
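Added example, not part of the ticket and not noVNC or Sunstone source: a simplified model of the port and path rules from the description, combined with the mixed-content rule behind the errors in comment #6. The option names (`port`, `path`, `encrypt`, `token`), both function names and the token value are assumptions made for illustration; the host is the one from the nginx example.

```javascript
// Simplified model of how the client derives its WebSocket URL.
// opts.* are hypothetical names for the values Sunstone hands to noVNC.
function buildVncWsUrl(pageUrl, opts = {}) {
  const page = new URL(pageUrl);
  const https = page.protocol === 'https:';
  // Assumption: when not forced, the WebSocket scheme follows the page scheme.
  const encrypt = opts.encrypt === undefined ? https : opts.encrypt;
  // Port not set: reuse the port of the current connection.
  const port = opts.port || page.port || (https ? '443' : '80');
  // The path parameter is used as the full path of the resource.
  const path = opts.path === undefined ? 'websockify' : opts.path;
  const query = opts.token ? `?token=${encodeURIComponent(opts.token)}` : '';
  return `${encrypt ? 'wss' : 'ws'}://${page.hostname}:${port}/${path}${query}`;
}

// Flags the two problems raised in the ticket for a given client configuration.
function auditVncEndpoint(pageUrl, opts = {}) {
  const page = new URL(pageUrl);
  const url = buildVncWsUrl(pageUrl, opts);
  const ws = new URL(url);
  const pagePort = page.port || (page.protocol === 'https:' ? '443' : '80');
  const wsPort = ws.port || (ws.protocol === 'wss:' ? '443' : '80');
  return {
    url,
    // An https page opening a ws:// socket is refused by the browser (comment #6).
    mixedContent: page.protocol === 'https:' && ws.protocol === 'ws:',
    // A different port skips the TLS reverse proxy and needs its own firewall rule.
    bypassesProxy: wsPort !== pagePort,
  };
}

// Constructed inputs; EXAMPLETOKEN is a placeholder.
const samplePage = 'https://nebula.example.net/';
// Behaviour reported in the ticket: explicit proxy port, no path, plain ws.
const direct = auditVncEndpoint(samplePage,
  { port: '29876', path: '', encrypt: false, token: 'EXAMPLETOKEN' });
// Behaviour requested: no port parameter, path matching the nginx location.
const proxied = auditVncEndpoint(samplePage,
  { path: 'websockify', token: 'EXAMPLETOKEN' });

console.log(direct);
console.log(proxied);
```

With the port omitted and the path set to the proxied location, the socket stays on the page's origin and port, so TLS terminates at the reverse proxy and 29876 does not need to be reachable from clients.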
#7 Updated by Daniel Molina almost 6 years ago
- Priority changed from High to Normal
#8 Updated by Tino Vázquez almost 6 years ago
- Tracker changed from Feature to Backlog
#9 Updated by Ruben S. Montero almost 6 years ago
- Status changed from New to Pending
#10 Updated by Ruben S. Montero almost 6 years ago
- Target version changed from Release 4.14 to Release 5.0
#11 Updated by Ruben S. Montero over 5 years ago
- Tracker changed from Backlog to Feature
- Status changed from Pending to New
#12 Updated by Carlos Martín about 5 years ago
- Tracker changed from Feature to Backlog
#13 Updated by Carlos Martín about 5 years ago
- Target version changed from Release 5.0 to Release 5.2
#14 Updated by Perry Manuk over 4 years ago
Would like to add a +1 to this.
#15 Updated by Arnaud Abélard almost 4 years ago
5.4 is out and this still doesn't seem to be possible. We also would like this to be implemented.