novnc / noVNC

VNC client web application
https://novnc.com

Single port binding #49

Closed discofever closed 13 years ago

discofever commented 13 years ago

In the situation of having multiple VNC servers, each listening on a different port (5900, 5901, ..., 5910), I'm wondering if it would be possible to tell noVNC to connect to a single port (wsproxy) like 80 or 443 (SSL) and redirect all communication to the right port? Something like a parameter ('connect', 'host:port').

That would be awesome!

kanaka commented 13 years ago

It's certainly possible and actually quite easy by passing the host and port as query string variables appended to the end of the WebSocket path requested. However, I won't pull that into noVNC or websockify because it creates a significant security issue. Once the browser can ask websockify/wsproxy to connect to an arbitrary host and port then you have given the browser raw socket ability to connect to any server and port accessible from that instance of websockify.

One approach that I (and others) use to make the system more automatic is to start/stop websockify with the correct options from the web management framework. Ganeti Web Manager also uses this approach. In other words, the noVNC web component is integrated into a larger web-based management framework, and that management framework is protected with authentication and has the ability to start the WebSockets proxy on a server with the right parameters. Once this is started, the framework then creates an RFB object with the host and port where the proxy is running.

Another option is to modify websockify to allow the noVNC client to choose the host and port but add some other type of token-based authentication that must happen to authorize that the given instance of noVNC is allowed to make the connection. In fact, just recently somebody forked noVNC and made a change like that:

https://github.com/sleepsonthefloor/noVNC/commit/b23063ec5fcae11a60336d30b0e894e6733eec85

If you really want this without additional server side authentication, you could probably modify sleepsonthefloor's changes to remove the token authentication which would give you what you want. But before you do that imagine the following situation:

You are running your modified proxy inside your network and it is not directly visible to the internet. You are using a modified noVNC to connect to your proxy and then connect to a VNC server either in your network or on the Internet somewhere. So far so good. One day you stumble across a malicious site (or malicious advertisement on a legitimate site) that scans your history, sees that you are using this special type of proxy. The page now opens a different connection to the cracker's home system. He now has full control to connect to anything on your network via the combination of the Javascript he sent you and the proxy that you are running that allows connections to arbitrary hosts and ports.

discofever commented 13 years ago

Thank you for the very complete answer! Right, using it without a kind of token would open a potential issue; I'd rather not do that, since my applications behind this proxy are really sensitive.

I'll try using sleepsonthefloor's fork and maybe publish my full results in a new fork.

kanaka commented 13 years ago

Sounds good.

discofever commented 13 years ago

Sorry for my very 'poor' Python skills; I'm trying to figure out a way to remove the use of the nova framework. I tried to 'hardcode' the host/port in the 'nova-vnc-proxy', but even with that I'm getting the 'connect' error 'server disconnected', while the server (proxy) is up and running and listens on port 80; I'm able to telnet, but with noVNC I can't. Any idea on where to start the troubleshooting?

kanaka commented 13 years ago

I would suggest adding the host and port processing from the nova fork to plain websockify. Make sure that works, then begin adding token support in the form that you want.

discofever commented 13 years ago

OK, did some testing; when opening vnc.html from the server which is running both vncserver and websockify: works; when running on another server (same network) it gives me the 'server disconnected'. Is this a security feature?

kanaka commented 13 years ago

Are you getting a connection to websockify? You can run it with --verbose to get detailed output of everything that is happening. Note that by default websockify listens on localhost (loopback). If you want it to listen for external network connections then you need to specify hostname:port, where hostname is a hostname that resolves to a network-visible IP, or the IP itself.

discofever commented 13 years ago

Of course; I ran ./websockify :80 127.0.0.1:9000 (my VNC server).

I can telnet to port 80, and I can open a browser to it (which gives 'Normal web request received but disallowed' as expected). But I'm trying with vnc_auto.html (the one from sleepsonthefloor), like: vnc_auto.html?host=&port=9000 or even vnc_auto.html?host=127.0.0.1&port=9000.

I removed all the 'nova'-related stuff from the nova-vnc-proxy and hardcoded the host/port settings. In both cases I get 'server disconnected' and nothing in the logs.

kanaka commented 13 years ago

You need to provide the host and port where websockify is listening. I.e. vnc_auto.html?host=&port=80 (rather than port 9000).

discofever commented 13 years ago

OK, starting from scratch, using sleep's fork:

./websockify :80 127.0.0.1:9000

On another web server: vnc.html using port 80: no connection; vnc_auto.html&host=&port=80: no connection.

Using your original package; works.

discofever commented 13 years ago

OK, I'm giving up; I tried to remove all the 'token'-related stuff from the nova-vnc-proxy without success. Maybe if someone can do it, that would be great and open a new path for integrating noVNC.

kanaka commented 13 years ago

I created a quick and dirty patch that allows only the port to be specified in the path of the WebSockets handshake. It also restricts ports to 5900-5999. It's still enough of a security issue that I'm not pushing it into the tree, but it might work for you: https://gist.github.com/928289
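The three designs discussed in this thread (the unrestricted host/port request kanaka declines to merge, the token-based authorization in sleepsonthefloor's fork, and the port-only, 5900-5999-restricted gist) can be put side by side as target resolvers for a websockify-style proxy. The following is an added illustration, not code from noVNC, websockify, the fork or the gist; the token table, the fixed loopback host, the sample handshake paths and all function names are assumptions made for the example.

```python
# Added example: three ways a websockify-style proxy could pick the VNC target
# from the WebSocket handshake path. Not noVNC/websockify code; the token table,
# fixed host, sample paths and function names are assumptions for illustration.
from urllib.parse import urlparse, parse_qs
import hmac


class ProxyError(Exception):
    """Raised when the requested target must be refused."""


def _query(path):
    """Return the query-string parameters of a handshake path such as
    '/websockify?token=abc' as a dict of first values."""
    qs = parse_qs(urlparse(path).query)
    return {k: v[0] for k, v in qs.items()}


def resolve_unrestricted(path):
    """The design refused in the thread: the browser names any host and port,
    so the proxy becomes a raw socket relay for whatever page is running in
    the browser (including a malicious one)."""
    q = _query(path)
    return (q["host"], int(q["port"]))


# Constructed token table. In a real deployment the management framework that
# authenticated the user would generate the token and register the target here.
TOKEN_TARGETS = {
    "1f3870be274f6c49b3e31a0c6728957f": ("10.0.0.12", 5901),
    "9d5ed678fe57bcca610140957afab571": ("10.0.0.13", 5902),
}


def resolve_by_token(path, tokens=TOKEN_TARGETS):
    """Token-based variant (the shape of the fork's approach): the client
    presents an opaque token; the proxy, never the client, decides the target."""
    token = _query(path).get("token")
    if token is None:
        raise ProxyError("no token presented")
    for known, target in tokens.items():
        # constant-time comparison so timing does not leak how much matched
        if hmac.compare_digest(known.encode(), token.encode()):
            return target
    raise ProxyError("unknown token")


FIXED_HOST = "127.0.0.1"           # assumed: VNC servers run beside the proxy
ALLOWED_PORTS = range(5900, 6000)  # the 5900-5999 window the gist restricts to


def resolve_by_port(path, host=FIXED_HOST, allowed=ALLOWED_PORTS):
    """Port-only variant (the shape of the gist): the client may pick a port
    inside a fixed window; any 'host' parameter is never consulted."""
    raw = _query(path).get("port")
    if raw is None:
        raise ProxyError("no port requested")
    try:
        port = int(raw)
    except ValueError:
        raise ProxyError("port is not an integer: %r" % raw)
    if port not in allowed:
        raise ProxyError("port %d outside %d-%d"
                         % (port, allowed.start, allowed.stop - 1))
    return (host, port)


def refused(resolver, path):
    """True when the resolver rejects the path with ProxyError."""
    try:
        resolver(path)
    except ProxyError:
        return True
    return False


if __name__ == "__main__":
    # the unrestricted resolver happily relays to an arbitrary Internet host
    print(resolve_unrestricted("/websockify?host=203.0.113.7&port=22"))
    # the port-only resolver ignores the host and stays on loopback
    print(resolve_by_port("/websockify?host=203.0.113.7&port=5901"))
    print(refused(resolve_by_port, "/websockify?port=22"))
    print(resolve_by_token("/websockify?token=1f3870be274f6c49b3e31a0c6728957f"))
```

The unrestricted resolver is there only to make the contrast concrete: with it, the malicious page from kanaka's scenario can name any host and port reachable from the proxy. The port-only variant removes the host from the client's control entirely, and the token variant removes both host and port, leaving the client with nothing but a capability the authenticated management side handed out.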

discofever commented 13 years ago

Excellent! I'll take a look at it.