Reverse Proxying and the VNC web console

fatzopilot

Oct 6, 2011
Hi,

I've set up proxmox and all VMs behind a firewall and have the webGUI and all other webservers proxied on http(s) by nginx. Everything works fine except the browser-based VNC console. Because it is very handy, I'm trying to get it working again.
The firewall forwards port 5900 directly to the proxmox server (NAT), the web traffic is forwarded to nginx (443, SSL endpoint) which then forwards the web requests (on port 80) to proxmox.
In short, the "web portion" (i.e. the request that starts the java console on the client) is routed like this
(1) client -> firewall -> nginx -> proxmox (http(s); NAT+ReverseProxy)
the "VNC portion" (i.e. the request of the java VNC client running in the browser) is routed like this
(2) client -> firewall -> proxmox (VNC; NAT)
Hence, Proxmox gets the two requests (Web + VNC) from different servers. Is this a problem?
From monitoring the outputs of netstat and related tools, it seems proxmox gets a request on port 5900 (from the firewall, NAT) but does not accept it.
Can this be solved on proxmox's side?

Thanks
fatzopilot
 
I know, but this should be a problem only when multiple VNC clients are opened. I can see that the VNC web console tries to connect on port 5900 but fails. I'd be happy if it worked on 5900. Just to be sure, I also NATed 5900-6000 to proxmox with unchanged results...
 
What would be good to know is if the VNC endpoint is only established on demand and only for the IP from which the request came. This would explain the observed behaviour.
 
OK, and if it is established, is it bound only to the IP that requested the connection and can this be changed?

Thanks
 
No. If I'm not wrong, it's secured and warranted by a random OTP passed to the vnc applet through html code, and the master node is the unique vnc 'broker'.

Jesús Feliz.
 
Thanks Jesús,

secured and warranted by random OTP passed to vnc applet through html code
This sounds that it ought to work as the client is always the same and the html and vnc traffic just take different routes.
Is there a way to pull out some more debug information (more than is already written in the popup window) from the client VNC applet?

fatzopilot
 
Yes, different protocol and port, of course. So what you want to do isn't so simple. I see two options:

- Reverse proxy only for http, and map port range 5900-6000 to the cluster master. Assuming you have a router, of course, otherwise we wouldn't be talking about this.
- Try to search for some type of vnc-over-http protocol in the reverse proxy. I know vnc servers have something like a web server inside... (don't remember)

Regards,
 
Reverse proxy only for http, and map range port 5900-6000 to master cluster

This is what I am doing now (I think) and what doesn't work. Did somebody get this working? Maybe I've just got some weird arp or forwarding settings in sysctl.conf or some other subtle setting that prevents this from working...
Try to search some type of vnc over http protocol in reverse proxy
Hm, thing is, it needs to work with the web-based client that ships with proxmox. I am not sure whether it would accept a connection tunneled over http. Setting up some arbitrary VNC client to work with the VMs should not be such a problem in general, but I'd like the built-in VNC to work as it is quite handy for "ad-hoc operations".

Cheers
fatzopilot
 
The web-based client is more or less the original TightVncViewer client. You can play and divide the problem; it's simple to simulate the 'console' web click.

On the master node, create a vnc OTP session for a supposed VM 106 with vnc pass 'janzun' which is running on slave node '192.168.100.105'

master # /bin/nc -l -p 5900 -w 30 -c "/usr/bin/ssh -T -o BatchMode=yes 192.168.100.105 /usr/sbin/qm vncproxy 106 janzun"

On the client side, two options:

- Use any vnc-compliant client, MasterIP:5900, and put in the pass when required (janzun)
- If you want to use the shipped VncViewer.jar or the TightVNC.jar, exec the applet from a static local html page; you need to put the IP, port and pass in the applet params. In the TightVNC package you have a clear example.

Regards,
 
Hi,

thanks, that was helpful. I was able to reproduce the behaviour using
nc -l -p 5900 -c "qm vncproxy 101 janzun" (master)
and
java -jar VncViewer.jar HOST proxmox.myserver.org PORT 5900 (client, NATed, timeout)
and
java -jar VncViewer.jar HOST IPADDRESS PORT 5900 (client, direct IP address, works)
respectively, but still have no idea why the NATed connection does not work :(
Maybe VNC does not like to be NATed...
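As an added illustration (not code from the thread or from Proxmox), here is a small Python probe that separates the outcomes fatzopilot reproduced above: a VNC server answering with its RFB greeting, a refused connection (the one-shot nc listener has already gone away), and a silent timeout (packets dropped somewhere in the NAT/forwarding path). The embedded stand-in server that only sends the greeting is constructed for local testing; the Proxmox/nc listener of the thread is what you would probe in practice.

```python
import socket
import socketserver
import threading

RFB_GREETING = b"RFB 003.008\n"  # ProtocolVersion message a VNC server sends first

def probe_vnc(host, port, timeout=5.0):
    """Connect to host:port and read the 12-byte RFB ProtocolVersion greeting.

    Returns a (state, detail) tuple:
      ("rfb", "RFB 003.008")  a VNC server (e.g. qm vncproxy behind nc) answered
      ("refused", ...)        TCP RST: nothing is listening (the nc -w 30 listener
                              already timed out, or the port was never opened)
      ("timeout", ...)        no SYN-ACK or no greeting: packets silently dropped,
                              the symptom seen through the NAT in this thread
      ("other", ...)          another network error, or a non-RFB greeting
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            while len(banner) < 12:           # greeting is exactly 12 bytes
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except ConnectionRefusedError:
        return ("refused", "no listener on %s:%d" % (host, port))
    except socket.timeout:
        return ("timeout", "no reply within %.1fs (dropped by NAT/firewall?)" % timeout)
    except OSError as exc:
        return ("other", str(exc))
    if banner.startswith(b"RFB ") and len(banner) == 12:
        return ("rfb", banner.decode("ascii").strip())
    return ("other", "unexpected greeting %r" % banner)

class _FakeRfbHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a VNC server: sends the greeting and closes."""
    def handle(self):
        self.request.sendall(RFB_GREETING)

def start_fake_vnc_server():
    """Start the stand-in on an ephemeral loopback port; returns (port, server)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeRfbHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server

if __name__ == "__main__":
    port, server = start_fake_vnc_server()
    print(probe_vnc("127.0.0.1", port))   # ('rfb', 'RFB 003.008')
    server.shutdown()
    server.server_close()
    print(probe_vnc("127.0.0.1", port))   # ('refused', ...) once the listener is gone
```

Running the probe from the client against the public name (via NAT) and against the direct IP, while the nc listener is up, tells you within one 30-second window whether the NAT path delivers the connection at all or only drops it.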
 
