[SOLVED] Is there any way to autofill the vnc websocket password prompt?

[JVisi]

Hello
What I need to do, is basically autofill (or make the password not required) when getting the novnc console via websockets)

The setup is:
Browser- nodejs proxy - proxmox

In the browser I can't really do anything with it, because it's required before the pages render, and the vnc-ticket is not the same, so I can't save it and autofill with a plugin for example. so maybe something to add in the proxy?

The proxy in itself is only doing the forwarding, like this:

httpProxy.createServer({
    target:proxmox vncwebsocket url,
    ws:true,
    secure:false,
    changeOrigin:true,

    auth:"password:"+vnc_ticket,    //this here is not working
    headers:{
        'Cookie': pveCookie,
        'Password':vnc_ticket           //neither does this
    },
}).listen(5001)

Is there any way to pass the password beforehand, so it's not getting prompted in the browser?

 

[dcsapak]

i don't really get what you're trying to do. where do you need the password? what do you try to accomplish?
(maybe checking out our novnc code helps? https://git.proxmox.com/?p=novnc-pve.git;a=tree;h=refs/heads/master;hb=refs/heads/master )

 

[JVisi]

When connecting

i don't really get what you're trying to do. where do you need the password? what do you try to accomplish?
(maybe checking out our novnc code helps? https://git.proxmox.com/?p=novnc-pve.git;a=tree;h=refs/heads/master;hb=refs/heads/master )

The proxy forwards the incoming traffic from wss://ip:8006.... to ws://localhost: port. This is the vnc console. When my app tries to connect to ws://other-ip:5001, it prompts me for a password, and this password is the vnc-ticket. I would like to skip the need to manually enter the vnc-ticket, and if someone is trying to connect to ws://localhost: port it automatically shows the vnc-console

 

[Craig St George]

hard to explain but i kind of do this customer clicks a vnc terminal button in our control panel
In the backend i call "/access/ticket"; enpdoint with customers details then set set_cookie("PVEAuthCookie", based on token for a the customer

then i call /vncproxy' endpoint with $data['websocket'] = true; and finally display the console l html js etc

 

[JVisi]

hard to explain but i kind of do this customer clicks a vnc terminal button in our control panel
In the backend i call "/access/ticket"; enpdoint with customers details then set set_cookie("PVEAuthCookie", based on token for a the customer

then i call /vncproxy' endpoint with $data['websocket'] = true; and finally display the console l html js etc

Hmm, interesting, because I feel like I do the same.
In the backed, I call /access/ticket, get the pveauthcookie
next I call the /vncproxy like this:

const response = await this.instance.post(
                'https://ip:8006/api2/json/nodes/{node}/lxc/'+vmid+'/vncproxy',
                {
                    websocket: true
                }, {
                headers: {
                    'Cookie': pveCookie,
                    "CSRFPreventionToken": csrf
                },
                withCredentials: true
            })

and then I create a proxyserver that forwards this socket like

let url = "wss://ip:8006/api2/json/nodes/{node}/lxc/16150/vncwebsocket?port=" + response.data.data.port + "&" + qs.stringify({ vncticket: response.data.data.ticket })

            httpProxy.createServer({
                target: url,
                ws: true,
                secure: false,
                changeOrigin: true,
                headers: {
                    'Cookie': pveCookie,
                },
            }).listen(5001)

 

[JVisi]

Hmm, interesting, because I feel like I do the same.
In the backed, I call /access/ticket, get the pveauthcookie
next I call the /vncproxy like this:

const response = await this.instance.post(
                'https://ip:8006/api2/json/nodes/{node}/lxc/'+vmid+'/vncproxy',
                {
                    websocket: true
                }, {
                headers: {
                    'Cookie': pveCookie,
                    "CSRFPreventionToken": csrf
                },
                withCredentials: true
            })

and then I create a proxyserver that forwards this socket like

let url = "wss://ip:8006/api2/json/nodes/{node}/lxc/16150/vncwebsocket?port=" + response.data.data.port + "&" + qs.stringify({ vncticket: response.data.data.ticket })

            httpProxy.createServer({
                target: url,
                ws: true,
                secure: false,
                changeOrigin: true,
                headers: {
                    'Cookie': pveCookie,
                },
            }).listen(5001)

Maybe the problem is something with that proxmox provides a wss://.... link and I'm trying to connect with ws://... ?

 

[Craig St George]

maybe im using wss://

but i also had to url endcode the ticket
like api2/json/nodes/' . $hostname . '/' . $vtype . '/' . $username . '/vncwebsocket?port=' . urlencode($port) . '&vncticket=' . urlencode($ticket)

I rember it was hard to debug the wss call chrome did show the real reason firefox did and i also have problems with my certs and the domain of my poxy as i have a reverse proxy there also

 

[JVisi]

maybe im using wss://

but i also had to url endcode the ticket
like api2/json/nodes/' . $hostname . '/' . $vtype . '/' . $username . '/vncwebsocket?port=' . urlencode($port) . '&vncticket=' . urlencode($ticket)

I rember it was hard to debug the wss call chrome did show the real reason firefox did and i also have problems with my certs and the domain of my poxy as i have a reverse proxy there also

The ticket is url encoded

what I'm trying to achieve is that from an app running on http://ip:3000, I connect to ws://myproxy-ip:5001, and the proxy connects to the wss://proxmox-ip....
but this requires that 'password' authentication on the front-end. I figure it's an issue with certificates?
the /vncproxy call gives back a certificate, maybe I should be using that somehow?

 

[JVisi]

https://forum.proxmox.com/threads/proxmox-vncwebsocket.43825/

Achieved a similar thing that the guy at the end of this thread. My question is how can I fill it automatically, or make it not required at all

 

[dcsapak]

but that is not a password prompt from pve, but it seems a http basic auth prompt. i'd check your proxy if it's correctly configured...
also it says "localhost:3001" but you wrote 5001, maybe there is a typo somewhere?

 

[JVisi]

but that is not a password prompt from pve, but it seems a http basic auth prompt. i'd check your proxy if it's correctly configured...
also it says "localhost:3001" but you wrote 5001, maybe there is a typo somewhere?

Well, yes, it's a basic auth prompt. That's why I asked if there was any way to prevent this to be needed. I thought I'm getting prompted, because connecting to the proxmox websocket stream asks me to.

However, I have found a solution.
From the vnc client, on the onCredentialsRequired event one can get the RFB object, and on that theres a sendCredentials call, and in that we can provide then vnc-ticket

Thank you for your time, I mark this thread as solved