noVNC access via third-party web service

[xsash]

Hello!

I develop an internal web service for my team, where each user can create a VM from templates.

The panel is hosted on a domain panel.example.com
Also we have 3+ proxmox servers, each of them has a domain name like pr-N.panel.example.com

Well. I created a user vnc with permissions VM.Audit VM.Console VM.PowerMgmt

My script get a ticket for this user and save it as cookie => POST to /access/ticket

PVE:vnc@pve:653EA581::dxh+tfxaF4E6HxGS4VP96jA7i2mxtO6etVADObsv1WWOeAUd3nxEbFWoybPfedrFu38JQoO9T8HpZCywWX+bWM25yrq1EcbQ4/FWgT0a7MzNEwVJVkWCIV7TiNknIalILnX5xFSdnMX9XyRCHgA5K8SDJAfFNG4Hnyy6xyNfmhbur8nonG6W1XMyeS+MQMLFfBr7z7I4s7Di+YYdHMgvMkm1U6w3H9m4NvUdy/Ptn9vvpR+v5iRvYireFxJI1X5lU3aGBEZ0sqQ15L+eFDdTzG3HgIbimPzmid+7h1CvY+Z95EF9LnPOwFUEMZSb3zyEUWFC/Gf+eBRAWE75+JdBDg==

Then the script sends => POST /nodes/{node}/qemu/{vm_id}/vncproxy, GET /nodes/{node}/qemu/{vm_id}/vncwebsocket?vncticket=xxxx&port=xxxxx
And as a result the script create an iframe

https://pr-0.panel.example.com/?console=kvm&novnc=1&node={node}&resize=1&vmid={vm_id}&path=api2/json/nodes/{node}/qemu/{vm_id}/vncwebsocket?port={vnc_port}&vncticket={vnc_ticket}

Well, everything is ok. It works.

But. I can't understand some things.

1) We can't use only vncticket, we have to create and set a cookie. Is it right?

2) If we set a cookie, an user can open proxmox domain and he/she will be logined there (because his browser stil has a cookie)

3) Why do we need use vncticket? I checked some links and each of them give me access to the VM via noVNC

https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11192&path=api2%2Fjson%2Fnodes%2Fnode0%2Fqemu%2F11192%2Fvncwebsocket%3Fvncwebsocket%3Fport%3D5900%26vncticket%3DK%2F%60%5E4%29K%2B
https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11192&path=api2%2Fjson%2Fnodes%2Fnode0%2Fqemu%2F11192%2Fvncwebsocket%3Fvncwebsocket%3Fport%3D5900%26
https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11192&path=

4) Proxmox can't generate a secret for vmid, can it? I changed vmid in url and get access to other VM

https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11192&path=api2%2Fjson%2Fnodes%2Fnode0%2Fqemu%2F11192%2Fvncwebsocket%3Fvncwebsocket%3Fport%3D5900%26vncticket%3DK%2F%60%5E4%29K%2B
https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11193&path=api2%2Fjson%2Fnodes%2Fnode0%2Fqemu%2F11192%2Fvncwebsocket%3Fvncwebsocket%3Fport%3D5900%26vncticket%3DK%2F%60%5E4%29K%2B
https://pr-0.panel.example.com/?console=kvm&novnc=1&node=node0&resize=1&vmid=11194&path=api2%2Fjson%2Fnodes%2Fnode0%2Fqemu%2F11192%2Fvncwebsocket%3Fvncwebsocket%3Fport%3D5900%26vncticket%3DK%2F%60%5E4%29K%2B

I'd like to have a unique url for VM

I suspect the last two things are because I'm set cookies on the first step

 

[dcsapak]

1) We can't use only vncticket, we have to create and set a cookie. Is it right?

yes

2) If we set a cookie, an user can open proxmox domain and he/she will be logined there (because his browser stil has a cookie)

yes

3) Why do we need use vncticket? I checked some links and each of them give me access to the VM via noVNC

our custom novnc client (see https://git.proxmox.com/?p=novnc-pve.git;a=summary ) creates a vncticket via the api and uses that as an argument for the websocket
the vncticket does not have to be in the url there at all for that to happen

4) Proxmox can't generate a secret for vmid, can it? I changed vmid in url and get access to other VM

again that is done by the novnc client code. when the user (that is set in the cookie) has the permissions to view other vms, it can generate the vncticket for that

I'd like to have a unique url for VM

that you would have to implement with a custom client that does that which is using the api and proxies the websocket, etc...