Hello, all. I'm a new Proxmox user and thus far, setting up and getting everything going has been a great experience. However, I was curious about using portals to access VMs simply in an effort to shift end-users away from having to navigate through the Web GUI.
What I have built works fantastic, other than you must first navigate to the Web GUI and login... This is not the intended effect, as earlier stated we do not want our end users to access this at all.
I've performed a hacky method in building an HTML/JS portal that exists on one of our two nodes in the /usr/share/pve-docs location (since this seems to be the only way I could find to display an HTML file using the server IP, and could be accessed outside of logging into the Web GUI) and can be accessed at https://{nodeIP}:8006/pve-docs/portal.html, which didn't seem like the most awful solution since end users will be auto-redirected to this address on their end.
There is also a required Chrome extension that handles the API calls. When a VM is selected, a message is passed to the extension with that VM's vmid and nodename so that the extension can handle the XHR requests. This method was chosen because the nodes have different IPs, and since XHRs executed within Chrome Extensions bypass CORS, this seemed to be the best solution, while at the same time retaining sensitive data and not exposing it to the webpage itself.
And like magic, the virt-viewer .vv file is downloaded, and upon opening it, the requested VM is displayed.... assuming you're logged into the Web GUI of both nodes. This is where things get difficult.
I've done a lot of research and found a lot of interesting information across the forum and Google searches. However, nothing I try seems to stick. No matter what, you must be logged into the Web GUI, otherwise you get a 401 No ticket error when making the call to /qemu/{vmid}/spiceproxy . I've tried setting the cookie in the XHR ( xhr.setRequestHeader('Cookie', 'PVEAuthCookie=' + data.ticket); ), but as I'm sure others know who have jumped down this rabbit hole, Chrome does not let you do this, instead "refusing to set unsafe header Cookie."
All of that said, my question is: is there any way to get around this or maybe perform the request differently so that the cookie can be set without the end user logging into the Web GUI?
EDIT: Forgot to mention, I am running on Proxmox v6.0-4.
Other threads I've scoured for answers (some pertain to noVNC, but thought I may find an answer still):
https://forum.proxmox.com/threads/accessing-vms-novnc-from-another-website.21200/
https://forum.proxmox.com/threads/remote-spice-access-without-using-web-manager.16561/page-3
https://forum.proxmox.com/threads/proxmox-vncwebsocket.43825/
https://forum.proxmox.com/threads/use-api-from-js-xhr.22943/
https://forum.proxmox.com/threads/connection-problem-novnc-api.40751/
https://forum.proxmox.com/threads/novnc-remote-and-api-hopefully-this-helps-someone.47491/
What I have built works fantastic, other than you must first navigate to the Web GUI and login... This is not the intended effect, as earlier stated we do not want our end users to access this at all.
I've performed a hacky method in building an HTML/JS portal that exists on one of our two nodes in the /usr/share/pve-docs location (since this seems to be the only way I could find to display an HTML file using the server IP, and could be accessed outside of logging into the Web GUI) and can be accessed at https://{nodeIP}:8006/pve-docs/portal.html, which didn't seem like the most awful solution since end users will be auto-redirected to this address on their end.
There is also a required Chrome extension that handles the API calls. When a VM is selected, a message is passed to the extension with that VM's vmid and nodename so that the extension can handle the XHR requests. This method was chosen because the nodes have different IPs, and since XHRs executed within Chrome Extensions bypass CORS, this seemed to be the best solution, while at the same time retaining sensitive data and not exposing it to the webpage itself.
And like magic, the virt-viewer .vv file is downloaded, and upon opening it, the requested VM is displayed.... assuming you're logged into the Web GUI of both nodes. This is where things get difficult.
I've done a lot of research and found a lot of interesting information across the forum and Google searches. However, nothing I try seems to stick. No matter what, you must be logged into the Web GUI, otherwise you get a 401 No ticket error when making the call to /qemu/{vmid}/spiceproxy . I've tried setting the cookie in the XHR ( xhr.setRequestHeader('Cookie', 'PVEAuthCookie=' + data.ticket); ), but as I'm sure others know who have jumped down this rabbit hole, Chrome does not let you do this, instead "refusing to set unsafe header Cookie."
All of that said, my question is: is there any way to get around this or maybe perform the request differently so that the cookie can be set without the end user logging into the Web GUI?
EDIT: Forgot to mention, I am running on Proxmox v6.0-4.
Other threads I've scoured for answers (some pertain to noVNC, but thought I may find an answer still):
https://forum.proxmox.com/threads/accessing-vms-novnc-from-another-website.21200/
https://forum.proxmox.com/threads/remote-spice-access-without-using-web-manager.16561/page-3
https://forum.proxmox.com/threads/proxmox-vncwebsocket.43825/
https://forum.proxmox.com/threads/use-api-from-js-xhr.22943/
https://forum.proxmox.com/threads/connection-problem-novnc-api.40751/
https://forum.proxmox.com/threads/novnc-remote-and-api-hopefully-this-helps-someone.47491/
Attachments
Last edited:
