Remote access w/ SPICE via HTML/JS file on server

notdan.swim

New Member
Aug 7, 2019
3
0
1
31
Hello, all. I'm a new Proxmox user and thus far, setting up and getting everything going has been a great experience. However, I was curious about using portals to access VMs simply in an effort to shift end-users away from having to navigate through the Web GUI.

What I have built works fantastic, other than you must first navigate to the Web GUI and login... This is not the intended effect, as earlier stated we do not want our end users to access this at all.

I've performed a hacky method in building an HTML/JS portal that exists on one of our two nodes in the /usr/share/pve-docs location (since this seems to be the only way I could find to display an HTML file using the server IP, and could be accessed outside of logging into the Web GUI) and can be accessed at https://{nodeIP}:8006/pve-docs/portal.html, which didn't seem like the most awful solution since end users will be auto-redirected to this address on their end.

There is also a required Chrome extension that handles the API calls. When a VM is selected, a message is passed to the extension with that VM's vmid and nodename so that the extension can handle the XHR requests. This method was chosen because the nodes have different IPs, and since XHRs executed within Chrome Extensions bypass CORS, this seemed to be the best solution, while at the same time retaining sensitive data and not exposing it to the webpage itself.

And like magic, the virt-viewer .vv file is downloaded, and upon opening it, the requested VM is displayed.... assuming you're logged into the Web GUI of both nodes. This is where things get difficult.

I've done a lot of research and found a lot of interesting information across the forum and Google searches. However, nothing I try seems to stick. No matter what, you must be logged into the Web GUI, otherwise you get a 401 No ticket error when making the call to /qemu/{vmid}/spiceproxy . I've tried setting the cookie in the XHR ( xhr.setRequestHeader('Cookie', 'PVEAuthCookie=' + data.ticket); ), but as I'm sure others know who have jumped down this rabbit hole, Chrome does not let you do this, instead "refusing to set unsafe header Cookie."

All of that said, my question is: is there any way to get around this or maybe perform the request differently so that the cookie can be set without the end user logging into the Web GUI?

EDIT: Forgot to mention, I am running on Proxmox v6.0-4.

Other threads I've scoured for answers (some pertain to noVNC, but thought I may find an answer still):
https://forum.proxmox.com/threads/accessing-vms-novnc-from-another-website.21200/
https://forum.proxmox.com/threads/remote-spice-access-without-using-web-manager.16561/page-3
https://forum.proxmox.com/threads/proxmox-vncwebsocket.43825/
https://forum.proxmox.com/threads/use-api-from-js-xhr.22943/
https://forum.proxmox.com/threads/connection-problem-novnc-api.40751/
https://forum.proxmox.com/threads/novnc-remote-and-api-hopefully-this-helps-someone.47491/
 

Attachments

  • vmportal.PNG
    vmportal.PNG
    28.4 KB · Views: 36
Last edited:
Sorry for double-posting. Tried to add these to my original post, but was apparently 'spam-like behavior'.
 

Attachments

  • iss1.png
    iss1.png
    79.6 KB · Views: 29
  • iss2.png
    iss2.png
    150.4 KB · Views: 24
is there any way to get around this or maybe perform the request differently so that the cookie can be set without the end user logging into the Web GUI?
no, the api needs a valid ticket in the pveauthcookie to access most api call, and this is one of them
 
no, the api needs a valid ticket in the pveauthcookie to access most api call, and this is one of them
Right, I wasn't asking if this portion could be skipped, rather asking if it can be done some other way within a browser. I posted many links to people obtaining this cookie without logging into the Web GUI, only difference is that they're not using a browser. I am able to achieve the ticket, I just can't set the cookie through a simple XHR, which is why I came here to consult other users/staff.

EDIT: I ended up figuring this out. Utilizing the Chrome Extension we aim to give to end users, we added a permission in mainfest.json for "cookies" ... following this, we changed the code in the background script for the spiceproxy API call. Instead of utilizing something like xhr.setRequestHeader('Cookie', 'PVEAuthCookie=' + data.ticket); we instead call the function setCookie(); which contains the following code.

Code:
function setCookie(){
    chrome.cookies.set({"name":"PVEAuthCookie","url":serverIP,"value":data.ticket},function (cookie){
        console.log(JSON.stringify(cookie));
        console.log(chrome.extension.lastError);
        console.log(chrome.runtime.lastError);
    });
}

This properly set the cookie for the browser without the user having to login, as the cookie data is still generated by the ticket API call, which still allows me to pass user credentials into it.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!