Running novnc from somewhere else

tuxis

Famous Member
Jan 3, 2014
233
195
108
Ede, NL
www.tuxis.nl
Hi,

We're working on a portal for our customers so they can order VM's (and other stuff) without having to login to our Proxmox GUI. All works well thanks to the API, but now we want to be able to show the user the console.

The API documentation tells us that we should do a POST on vncproxy first, and a GET on vncwebsocket afterwards, with the info we got from the first call.

Now here is where it get's trickey. Our portal has credentials to do API-calls, but the user that wants to see the console doesn't. So I created a script that gets the vncproxy-call and runs the vncproxy-call via the API on the actual cluster. This works, and I get a user, port and ticket in return, which I return to novnc.

When I try to 'just reverse proxy' the vncwebsocket-call, I always get a 401 No ticket. I assume that that is because the vncwebsocket-call also needs credentials, but that makes little sense to me, because we just created a ticket in the first call?

So my question is basically, does the vncwebsocket-call also need API-credentials, of the PVEAuth-Cookie, or did I miss something else that's causing this to not work?

Thanks!
 
Last edited:
So my question is basically, does the vncwebsocket-call also need API-credentials, of the PVEAuth-Cookie, or did I miss something else that's causing this to not work?
yes exactly, you need the pveauthcookie as well as the vncticket for it to work. you can use api tokens though, maybe with restricting just to VM.Console.
 
Hello, I am having the same scenario. How are we supposed to set a cookie for another domain? That's not possible in browsers.
 
I suggest Proxmox to set up a second webpage on PVE7-hosts, say on <host>:80, to show a selector for VMs and LXC Containers to be opened by a client.
 
I got it to work in a test-env using this nginx snippet:

Code:
location ~ /api2/json/nodes/.+/qemu/.+/vncwebsocket.* {
                proxy_pass https://demo.tuxis.cloud$request_uri;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host demo.tuxis.cloud;
                proxy_set_header "Authorization" "PVEAPIToken=USER@REALM!TOKENNAME=TOKEN";
        }

Still some stuff to work out, but at least this gives me a screen for this one VM I was using for tests :)
 
Great job done, tuxis! I am looking for a way for clients to log to spice without logging in first the admin-gui-webpage. Best would be the possibility to send a link to a single VM/LXC-C and/or web-page on another port to select one VM/LXC-C and then login.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!