noVNC using HTTPS only to connect to a VNCServer on a private LAN

Posted on 2024-11-01 17:54:21

Not sure if I'm really up-to-date, but I'm looking for a way to convert my existing project to use HTML5 websockets.

Here's my situation:

- Client runs a modified java vnc applet with extra parameter (CONNECT).

- Modified stunnel listening on webserver (with both public, private IP) port 443

- Client connects to 443 and sends (prior to RFB) an HTTP packet like:
  'CONNECT 10.0.0.1:4001'

- Stunnel opens a new stream to 10.0.0.1:4001 using SSL wrapper

- VNC Server (@10.0.0.1:4001) responds, connection is established.

Now I want to get rid of the Java Applet and switch to Websocket using NoVNC.

I want to be able to:

- Open a single port on the webserver (HTTPS preferably)
- Have client connect using HTML5 only (no more java applet)

I cannot change:

- VNCServer will still be listening on private LAN only.
- VNCServer will still listen to a bunch of ports, each corresponding to
  a virtual server

Questions are:

- How to give NoVNC the notion of target HOST:PORT?
- Is stunnel still usable? Or should I change to a websocket proxy?

If anyone has a starting point, I'd really appreciate it!


Comments (1)

琉璃繁缕 2024-11-08 17:54:21

Disclaimer: I created noVNC so my answer may be heavily biased ;-)

I'll answer your second question first:

stunnel cannot be used directly by noVNC. The issue is that the WebSockets protocol has an HTTP-like initial handshake and the messages are framed. In addition, until binary payload support is added to WebSockets, the payload is base64 encoded by the websockets proxy (websockify). Adding the necessary support to stunnel would be non-trivial but certainly doable. In fact noVNC issue #37 is an aspirational feature to add this support to stunnel.

First question:

noVNC already has a concept of HOST:PORT via the RFB.connect(host, port, password) method. The file vnc_auto.html at the top level shows how to get noVNC to automatically connect on page load based on the host, port and password specified as URL query string parameters.

However, I think what you are really asking is how do you get noVNC to connect to alternate VNC server ports on the backend. This problem is not directly addressed by noVNC and websockify. There are several ways to solve this and it usually involves an out-of-band setup/authorization mechanism so that the proxy can't be used to launch attacks by arbitrary hosts. For example, at my company we have a web-based management framework that integrates noVNC and when the user wants to connect to the console, an authenticated AJAX call is used to configure the proxy for that particular user and the system they want to connect to. Our web management interface is internal only.

Ganeti Web Manager uses a similar model and the source is available. They have a fork of VNCAuthProxy that has WebSockets support. They use a control channel from the web interface to the VNCAuthProxy to set up a temporary password associated with a specific VNC server host:port.

Also, OpenStack (Nova) integrates noVNC and uses a similar out-of-band token-based model to allow access with their nova-vncproxy.

Some links:
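
The out-of-band token model described in the answer, sketched as an added example (it is not part of the original answer and is not code from noVNC, websockify, VNCAuthProxy or nova-vncproxy): the web application issues a short-lived, single-use token for a target it has authorized, and the proxy resolves only that token, never a client-supplied HOST:PORT. The class name, ACL, subnet, port range and TTL are assumptions made for the illustration.

```python
import ipaddress
import secrets
import time

# Assumed deployment values, constructed for this example.
VNC_NET = ipaddress.ip_network("10.0.0.0/24")   # private LAN holding the VNC servers
VNC_PORTS = range(4000, 4100)                   # one port per virtual server
TOKEN_TTL = 30                                  # seconds to open the WebSocket


class ConsoleTokens:
    """Token table shared by the web app (issue) and the WebSocket proxy (redeem)."""

    def __init__(self, acl, clock=time.monotonic):
        self._acl = acl        # user -> set of (host, port) the user may open
        self._clock = clock
        self._table = {}       # token -> (host, port, expiry)

    def issue(self, user, host, port):
        """Web app side: call only after the user has been authenticated."""
        if (host, port) not in self._acl.get(user, set()):
            raise PermissionError("user may not open this console")
        if ipaddress.ip_address(host) not in VNC_NET or port not in VNC_PORTS:
            raise ValueError("target is outside the VNC allowlist")
        token = secrets.token_urlsafe(32)
        self._table[token] = (host, port, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, token):
        """Proxy side: map the token from the handshake to (host, port), or None."""
        entry = self._table.pop(token, None)   # single use: gone after first lookup
        if entry is None:
            return None
        host, port, expiry = entry
        return (host, port) if self._clock() <= expiry else None


if __name__ == "__main__":
    tokens = ConsoleTokens({"alice": {("10.0.0.1", 4001)}})
    t = tokens.issue("alice", "10.0.0.1", 4001)
    print(tokens.redeem(t))                 # authorized target
    print(tokens.redeem(t))                 # replayed token is refused
    print(tokens.redeem("10.0.0.1:4001"))   # raw HOST:PORT is not a token
```

The browser receives only the token and presents it in the WebSocket handshake; the proxy connects to whatever `redeem()` returns and closes the connection on `None`.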
