access noVNC html5 console from external site / vncwebsocket via api?

xxyton

Member
Feb 25, 2013
25
0
21
Hi,

I have an (password protected, of course) external site which allows to access any VM console through the proxmox PVE-API by utilizing vncproxy command and loading the Java console applet.

I would like to update this site to the new noVNC html5 console as it is included in Proxmox 3.3.
Unfortunately http://pve.proxmox.com/pve2-api-doc/ does not list any documentation regarding the new vncwebsocket command yet.

Maybe someone has already done this and can provide an example how to access from noVNC to Proxmox vncwebsocket API command?

@proxmox team: Does the proxmox API specify headers for CORS? The Java applet is working fine cross-site. Not so sure if Javascript might complain...
 
Unfortunately http://pve.proxmox.com/pve2-api-doc/ does not list any documentation regarding the new vncwebsocket command yet.

I just updated the docs. so it list the new methods now (but there is not much text...)

Maybe someone has already done this and can provide an example how to access from noVNC to Proxmox vncwebsocket API command?

https://git.proxmox.com/?p=novnc-pv...701bc988479ec2aa217df291e9a90fb3b85b0;hb=HEAD

@proxmox team: Does the proxmox API specify headers for CORS? The Java applet is working fine cross-site. Not so sure if Javascript might complain...

No.
 
Hi dietmar,

thanks for the insight.

What does vncwebsocket return? The acutal socket or the socket url and ticket for authentication?
pveui.js looks highly customized and won't work outside of pve-manager environment. Besides that the xhr requests wouldn't work cross-site.
Would the default noVNC ui.js work if one passes the correct wss url and ticket?
 
Sorry guys for my invasion, but i think you can help me. I need solution for access to VM directly thru web-browser using noVNC without admin portal auth for customers. I think it's possible, can your explain how?
 
Hi dietmar,

vncwebsocket returns just a port number, that's correct?

And one minor thing: pvesh help does not list vncwebsocket call yet.

@timur: that's exactly what we are trying to figure out here, please have a look at dietmar's post and links provided.
 
Last edited:
Alright, vncwebsocket returns a port number and the actual socket.

I'm now able to connect from an external only slightly modified noVNC to the Proxmox vncwebsocket API call.
However once RFB encrypt is set to true, I get following error: "Unsupported Security Types: 19"

@Dietmar, does the noVNC package supplied with Proxmox contain any security / encryption patches? Any idea why encryption is not working with unpatched noVNC?
 
@Dietmar, does the noVNC package supplied with Proxmox contain any security / encryption patches? Any idea why encryption is not working with unpatched noVNC?

No. But that strange error is reported by several users. So far I have no idea why. Maybe try another browser.
 
The error message occurs only with the original noVNC, the patched noVNC within Proxmox is working fine.

I noticed in the GIT tree that there has been a previous version that opened external access without the need to connect through an api call.
Could you reintroduce this behavior through an optional argument?
This would avoid those encryption issues and also make external access a lot easier and more secure (no submittal or Proxmox login credentias or CSRF prevention token required).
 
Last edited:
@dietmar: any thoughts about my proposal?

@timur: wss://nodeIP:8006/api2/json/nodes/nodeName/qemu/VMID/vncwebsocket?port=5900&vncticket=PVEVNC-TicketID...
 
I have found another issue.
When user is not logged in to the proxmox panel, the connection is failed.
The following URL requires PVE ticket:
wss://nodeIP:8006/api2/json/nodes/nodeName/qemu/VMID/vncwebsocket?port=5900&vncticket=PVEVNC-TicketID

Does somebody have an idea how to send cookie using websocket?
Screenshot attached.
noVNC.PNG
 
Last edited:
You can modify the JS to perform a login in advance, I did so for testing. But this exposes the login credentials to the browser, therefore it's not a viable solution if you want to offer direct console access to customers.
This is exactly why I asked Dietmar to allow "external access without the need to connect through an api call".
If you have a look at the GIT history you will notice that there has been a previous version that allowed such external access. It's quite easy to alter Proxmox' perl files in that way.
But I would prefer an "official" solution rather than patching Proxmox files on every node.
 
hi,

i was using a server with apache as reverse proxy. first because the proxmox servers have no internet ip and second because of security.
but novnc does not work (javs vnc works)

i installed apache 2.4 which has support for webproxies... but with the url:
wss://nodeIP:8006/api2/json/nodes/nodeName/qemu/VMID/vncwebsocket?port=5900&vncticket=PVEVNC-TicketID

i have the same path like normal proxmox api. and it is impossible to have websockets and normal proxy traffic withhin the same port and path.
any ideas how to get this working?
 
hi,

i was using a server with apache as reverse proxy. first because the proxmox servers have no internet ip and second because of security.
but novnc does not work (javs vnc works)

i installed apache 2.4 which has support for webproxies... but with the url:
wss://nodeIP:8006/api2/json/nodes/nodeName/qemu/VMID/vncwebsocket?port=5900&vncticket=PVEVNC-TicketID

i have the same path like normal proxmox api. and it is impossible to have websockets and normal proxy traffic withhin the same port and path.
any ideas how to get this working?

Hi, your reverse proxy need to support websockets.

they are an example with nginx here:
https://bugzilla.proxmox.com/show_bug.cgi?id=562
 
find any other solution or still wait of feedback from @dietmar ?

My solution is a patched Proxmox Perl file right now that offers direct wss access with ticket auth (no Proxmox login required).
However, I would highly appreciate feedback from dietmar. :(
 
My solution is a patched Proxmox Perl file right now that offers direct wss access with ticket auth (no Proxmox login required).
However, I would highly appreciate feedback from dietmar. :(

could you share the patch you done ?
thanks
 
My solution is a patched Proxmox Perl file right now that offers direct wss access with ticket auth (no Proxmox login required).
However, I would highly appreciate feedback from dietmar. :(

Could you share what perl file you're editing?
 
Sorry to dig up an old thread, but I have found a solution when receiving "Unsupported Security Types: 19" while trying to proxy the VNC outside the proxmox web UI.

You must simply pass websocket=1 to the /vncproxy call. No need to edit the perl files.

Happy hacking!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!