zalando / zalenium

A flexible and scalable container based Selenium Grid with video recording, live preview, basic auth & dashboard.
https://opensource.zalando.com/zalenium/

vnc authentication seems to be not working #1231

Open h-bahrami opened 3 years ago

h-bahrami commented 3 years ago

Hi, I am trying to secure the VNC traffic with Nginx's secure_link_module or something like that. After finding it not working, I tried to understand what the problem is, and then I saw that VncAuthenticationServlet is implemented to do the authentication, but it seems that it does not receive/check the requests.

So based on the Nginx config (below), all the requests to proxy/ip:port/websockify should be authenticated by VncAuthenticationServlet. I put in a couple of LOGGER.info calls to see how I can customize it for my own purpose, but no logs were captured.

Please help me figure out if this part is not working at all or I'm missing something here. It is worth mentioning that Zalenium is hosted inside Kubernetes and the noVNC client works perfectly through HTTPS (WSS).

```nginx
location ~ ^{{contextPath}}/proxy/(.*):(\d+)/websockify$ {

    # secure_link_secret @mysecret;
    # if ($secure_link = "") { return 403; }

    auth_request {{contextPath}}/auth;
    proxy_http_version 1.1;
    proxy_pass http://$1:$2/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # VNC connection timeout
    proxy_read_timeout 61s;

    # Disable cache
    proxy_buffering off;
}
location {{contextPath}}/auth {
    internal;
    proxy_pass http://127.0.0.1:4445/vnc/auth;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
    proxy_set_header        X-Original-URI $request_uri;
}
```

pearj commented 3 years ago

Zalenium already supports basic auth. You shouldn’t need to be modifying any nginx config. You just need to enable the basic auth support in Zalenium.

See https://opensource.zalando.com/zalenium/ and look for the “Enabling basic auth” section.

h-bahrami commented 3 years ago

> Zalenium already supports basic auth. You shouldn’t need to be modifying any nginx config. You just need to enable the basic auth support in Zalenium.
>
> See https://opensource.zalando.com/zalenium/ and look for the “Enabling basic auth” section.

That I've already enabled and it works OK, but it does not protect /proxy/ip:port/websockify. I can send a test case to Zalenium (with basic auth, of course) and then start the noVNC client with no basic auth headers and receive traffic.
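
A way to repeat the check described in the comment above against your own deployment, as an added example that is not part of the original thread or of the Zalenium code base: it sends a WebSocket upgrade with no Authorization header to the websockify path and reports whether the proxy accepted it. The function names and the host in the usage line are assumptions; the verdicts rely on nginx's `auth_request` denying access only when the subrequest returns 401 or 403.

```python
import base64
import os
import socket
import ssl
import sys
from urllib.parse import urlsplit


def build_handshake(url, authorization=None):
    """Raw WebSocket upgrade request for url; no credentials unless given."""
    parts = urlsplit(url)
    lines = [
        f"GET {parts.path or '/'} HTTP/1.1",
        f"Host: {parts.netloc}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Key: " + base64.b64encode(os.urandom(16)).decode(),
    ]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify(status_line):
    """Turn the first response line into a verdict for the auth check."""
    fields = status_line.split()
    if len(fields) < 2 or not fields[1].isdigit():
        return "INCONCLUSIVE"
    code = int(fields[1])
    if code == 101:
        return "UNPROTECTED"   # upgrade accepted although no credentials were sent
    if code in (401, 403):
        return "PROTECTED"     # request was rejected before reaching the VNC backend
    return "INCONCLUSIVE"      # e.g. 404/500/502: check the path and the upstream


def probe(url, timeout=5.0):
    """Send the credential-free handshake to a grid you operate."""
    parts = urlsplit(url)
    tls = parts.scheme in ("wss", "https")
    raw = socket.create_connection(
        (parts.hostname, parts.port or (443 if tls else 80)), timeout=timeout)
    sock = (ssl.create_default_context().wrap_socket(raw, server_hostname=parts.hostname)
            if tls else raw)
    with sock:
        sock.sendall(build_handshake(url))
        first_line = sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    return classify(first_line)


if __name__ == "__main__":
    # Hypothetical usage: python check_vnc_auth.py wss://grid.example.test/proxy/10.0.0.5:40000/websockify
    print(probe(sys.argv[1]))
```

A result of `PROTECTED` after a configuration change, where the same request previously returned `UNPROTECTED`, confirms that the `auth_request` subrequest is now being evaluated for this location.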

pearj commented 3 years ago

Oh that's interesting. Will leave this open then. I'm sure you are aware that development has stopped on this project, so it isn't going to be fixed on its own.

h-bahrami commented 3 years ago

> Oh that's interesting. Will leave this open then. I'm sure you are aware that development has stopped on this project, so it isn't going to be fixed on its own.

OK, I am aware of that. I was hoping that someone from the team, or anyone who knows what the problem is, can give me some hints; perhaps I could fix it myself. I've already made a couple of small modifications in Zalenium.