OpenMediaVault-Plugin-Developers / openmediavault-kvm

openmediavault plugin for kvm

Force SSL/TLS (HSTS) breaks spice-html5 / noVNC web access #18

Closed DerDreschner closed 10 months ago

DerDreschner commented 10 months ago

I use self-signed certificates for all my network services and deploy the corresponding CA cert on all my machines. As this includes OMV, I installed the necessary cert files and enabled the Force SSL/TLS setting under System >> Workbench. This setting activates a 301 Moved Permanently redirect for all http requests served by nginx as well as adding the following response header: strict-transport-security: max-age=15768000; includeSubDomains (HSTS).

This is considered best-practice and works quite well. The problem here is that all services offered over the OMV domain now must be available via https as the browser automatically upgrades all http calls for this domain to https due to the HSTS header set by Force SSL/TLS. This isn't the case for the spice-html5 / noVNC web interface served by - as far as I understand - the python3-websockify package. It's only available over http. Therefore, I can't access my virtual machines with spice-html5 nor noVNC out of the box. I must use a browser which hasn't seen the HSTS header for the OMV domain before in order to access my virtual machines via browser.

I'm not sure what would be the best workaround / fix for that problem. I guess it would be best if both services were handled by nginx instead of python3-websockify to make them available with the same TLS settings as well? But I'm not confident enough with the infrastructure behind that functionality to just open a PR without settling on the fix beforehand, to avoid a waste of time. That's why I'm opening this issue right now.

Thanks for any input in advance!

ryecoaaron commented 10 months ago

Moving away from websockify is a very large change. Using OMV's instance would also be a non-trivial change because I would need to maintain the nginx config and web pages allowing access to the web socket(s) of each VM.

You don't have to use a different browser. You could change the https to http once the new tab was opened. HSTS doesn't actually affect the other pages. Personally I use virt-manager instead of the spice/novnc web interfaces. These consoles really should only be used for setup though.

I will see if I can come up with something else but it will not appear in the OMV 6.x version of the plugin for sure.

ryecoaaron commented 10 months ago

Another option would just have websockify use the same cert that the OMV web interface is using if https is enabled. This would be a much easier change. I will look into this.

ryecoaaron commented 10 months ago

websockify's cert option only applies to encrypted web sockets not the port it is serving the page on. So, that idea does not work.

ryecoaaron commented 10 months ago

This is fixed in https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-kvm/commit/77eab1dfeae5af12357a3b957740ab16789151ea

This will be an OMV 7.x change only though.

DerDreschner commented 10 months ago

Thanks for the quick fix for OMV 7! Looks good as far as I understand the changes. Really appreciate it. :100:

And unfortunately, HSTS affects the spice/noVNC web interfaces as they run on the same domain as the OMV web interface which sends the HSTS header. It's being remembered by the browser that all requests to "server.[domain]" (in my case) within the specified period must be encrypted. Due to the includeSubDomains, this applies for xxx.server.[domain], too. That's the only reason I reported it anyway. Although I would bet someone without proper knowledge on how to work around the issue wouldn't use TLS encryption altogether :+1:
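The browser behaviour described in the first post and in the comment above (HSTS remembered per host, includeSubDomains covering every sub-host) can be modelled with a few lines. This is an added example, not code from the openmediavault-kvm project; it follows the URL rewriting rules of RFC 6797 section 8.3, and the host names and the websockify port it uses are constructed placeholders.

```python
# Added example (not from the openmediavault-kvm project): models how a browser
# applies the HSTS policy sent by OMV's "Force SSL/TLS" setting to later
# plain-http requests, following RFC 6797 section 8.3.
# Host names and the websockify port below are constructed placeholders.
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("HSTS header without max-age is invalid")
    return max_age, include_sub

def hsts_applies(host, known_host, include_subdomains):
    """True if a cached policy for known_host covers a request to host."""
    host, known_host = host.lower(), known_host.lower()
    if host == known_host:
        return True
    return include_subdomains and host.endswith("." + known_host)

def upgrade_url(url, known_host, include_subdomains):
    """Return the URL the browser will actually request (unchanged if unaffected).

    HSTS is keyed on the host name only: an explicit non-80 port is kept, so
    http://host:6080 becomes https://host:6080, and a websockify listener that
    only speaks plain http on that port cannot answer the upgraded request."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(parts.hostname, known_host, include_subdomains):
        return url
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    # Header value as quoted in the issue; host, port and paths are constructed.
    max_age, sub = parse_hsts("max-age=15768000; includeSubDomains")
    omv_host = "server.example"
    for target in ("http://server.example/",
                   "http://server.example:6080/index.html",
                   "http://vm1.server.example:6080/index.html",
                   "http://other.example:6080/index.html"):
        print(target, "->", upgrade_url(target, omv_host, sub))
```

The third URL shows the includeSubDomains effect and the last one shows that an unrelated host is untouched, which is why a fresh browser profile still reached the console.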

ryecoaaron commented 10 months ago

> And unfortunately, HSTS affects the spice/noVNC web interfaces as they run on the same domain as the OMV web interface which sends the HSTS header. It's being remembered by the browser that all requests to "server.[domain]" (in my case) within the specified period must be encrypted. Due to the includeSubDomains, this applies for xxx.server.[domain], too. That's the only reason I reported it anyway. Although I would bet someone without proper knowledge on how to work around the issue wouldn't use TLS encryption altogether

The plugin should use encryption - https and wss - if https is enabled at the OMV level (forced or not). Are you saying something still isn't being done correctly?

taneharre commented 8 months ago

If it helps, I think what he is saying is when running a virtual machine on OMV 7 - (7.0-29) with Force SSL ticked (under Workbench/Secure Connection) then you get no "spice-html5 URL" or "noVNC URL" for the VM after starting the Console. With Force SSL not ticked the URLs appear.

ryecoaaron commented 8 months ago

This has been fixed since the last post. I did test with forcessl ticked and the code accounts for that. https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-kvm/blob/main/usr/share/openmediavault/engined/rpc/kvm.inc#L678