Nginx proxy only for noVNC, not for GUI/api

Dragoshi

New Member
Apr 25, 2019
7
1
1
34
Hello,

I need to setup a nginx reverse proxy only for the noVNC console, not the whole proxmox. My proxmox servers are on my private network and I want someone on the Internet to be able to access the console of a VM but i don't want them to access proxmox itself (gui or api).
Has anyone done such a thing? Is it evan possible? My problem is that both gui and noVNC work on the same port.
 
that is not really possible when you want to use our bundled novnc, since it accesses the api to start the websocket process etc. (also it checks the ticket)

you would have to build your own apiclient/novnc site that does all this in a backend and not in the browser
 
  • Like
Reactions: Moayad
that is not really possible when you want to use our bundled novnc, since it accesses the api to start the websocket process etc. (also it checks the ticket)

you would have to build your own apiclient/novnc site that does all this in a backend and not in the browser

Well maybe i can somehow allow it (through nginx) only to access the api in order to start the websocket process but not anything else?

How could i build my own apiclient/novnc? What would it need to do?
 
Well maybe i can somehow allow it (through nginx) only to access the api in order to start the websocket process but not anything else?
i don't know, you'd have to allow access to at least /access/ticket and /nodes/NODENAME/qemu/VMID/{status,vncwebsocket} etc...
the list will get long quite fast

How could i build my own apiclient/novnc? What would it need to do?
you would have to build some kind of 'proxy' that queries the api and opens and relays the webocket connection and build a client
website with novnc
 
i don't know, you'd have to allow access to at least /access/ticket and /nodes/NODENAME/qemu/VMID/{status,vncwebsocket} etc...
the list will get long quite fast


you would have to build some kind of 'proxy' that queries the api and opens and relays the webocket connection and build a client
website with novnc


Well, actually i use WHMCS and also ProxmoxVPS from ModulesGarden. They have some kind of noVNC addon, i'll upload it here, maybe you can make sense of what this module does (usr.zip). This module allows a client to access the console only if the proxmox server has a public IP. Each VM has it's own proxmox "PVEVMUser" user. Also, the console button from the WHMCS client area that opens the console for clients looks like this:

Code:
https://domain.com:8006/novnc/mgnovnc.html?novnc=1&token=PVE%3AproxmoxVPS_65rnyxlvtz%40pve%3A5E72094C%3A<rest_of_the_token>&CSRFPreventionToken=<prevention_token>&console=qemu&virtualization=qemu&node=<node_name>&vmid=<vm_id>

I think this is some kind of apiclient/novnc you were talking about. Maybe i can modify it somehow?

My problem is that my proxmox servers only have private IP. I've setup an nginx server with public ip and i want to forward requests only for noVNC to the proxmox servers.
Now if i configure all the proxmox servers as backend in nginx, i can get to the proxmox GUI and i don't want that.
 

Attachments

  • usr.zip
    16.7 KB · Views: 31
you can also check this wiki entry[0]. this allows you to temporarily enable the vnc connection on a chosen port (with a password if you like)

if you already have NAT setup then this might be the easiest way to allow someone accessing vnc. but they will need a vnc client

[0]: https://pve.proxmox.com/wiki/VNC_Client_Access
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!