[TUTORIAL] noVNC remote and API hopefully this helps someone

Craig St George

Well-Known Member
Jul 31, 2018
113
14
58
61
I have a provisioning system that creates VMS gives the users access to shutdown start see the graphs set firewall rules etc. I also want to give them a VNC console . I did not want to give them access to the Proxmox or create users for them as all if through the remote system ( But it was not to be because of the noVNC and web sockets )

Anyway after much trying I got it to work use stock noVNC from
the wss:// url is a link to the API in VNC you set

host your proxmox host
port the promox port eg 8006
path the API url like api2/json//nodes/promox1/qemu/279/vncwebsocket?port=5900&vncticket=ticket from previous call

First you call api2/json//nodes/promox1/qemu/279/vncproxy

This will give you a ticket that ticket is the Password for VNC ( non url encoded ) in the wss call it needs to be URL encoded

Now the problem comes you need a cookie and I found that is I created that ticket via my API call and that API logon user was not the same user and the one used in the wss link I would get a http auth error.

So finally this is what i did first I created a user@pve with PVEVMUser permissions and added the VM's that was theirs against that user.

Then on my remote app I called the API to get the ticket using that user I also set a cookie in the browser based on the /access/ticket results

Then I displayed the novnc page and set the path host etc as above and it now works
One thing when you create the call to vncproxy you need to set websocket = true else you get error code 19.

The second major problem was the cookie lucky this is my development system so I set the proxmox hosts with a subdomain eg like node1.mydomain.com node2.mydomain.com and my provisioning system in the same domain like remote.mydomain.com that way I can set the PVEAuthCookie to work on the same domain.

So if they do go to the proxmox URL they are logged on but can only access their own VM's .
But I plan to create a proxy for websock to only allow access for noVNC

I was disappointed that I had to create the users in Proxmox though as I had hoped not to have to do that as they only have remote access through our control panel and all the other API calls all work find.

I had thought that the ticket from vncproxy would have been enough to AUTH them for the VNC proxy It would be nice if that could be done then I would not need to mess about with these cookies and create users in Proxmox ( I m doing all via the API and it works but its just more code to create )

Anyway I hope this helps someone the next challenge is the xterm.js but it should be easy now I know how things work
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!