saint
July 1, 2019, 8:41pm
1
So here is my issue.
internet <- AudioCodes SBC -> OpenNebula 5.8.2 <-> Nodes
A the beginning, everything worked correctly.
root@boson:/etc> more nginx/conf.d/default.conf
#### OpenNebula Sunstone Upstream
upstream sunstone {
server 127.0.0.1:9869;
}
server {
listen 443 ssl;
server_name xyz.com;
### SSL Parameters
#ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
### Proxy requests to upstream
location / {
proxy_pass http://sunstone;
}
}
And my sunstone-server vnc configuration:
Is there anything else to do ?
I can connect to the Sunstone GUI, but if I request a VNC, all I get is this:##### VNC noVNC ready: native WebSockets, canvas rendering
ahuertas
July 2, 2019, 10:00am
2
Hello @saint
To use VNC with SSL, you need to add the following:
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/one/ssl/opennebula-certchain.pem
:vnc_proxy_key: /etc/one/ssl/opennebula-key.pem
saint
July 2, 2019, 3:00pm
3
Greetings Alejandro,
saint
July 2, 2019, 5:10pm
5
When I try to launch the VNC,
VNC Server disconnected (code: 1006)
saint
July 2, 2019, 5:27pm
6
Here is the new config I tried:
#### OpenNebula Sunstone Upstream
upstream sunstone {
server 127.0.0.1:9869;
}
upstream websocketproxy {
server 127.0.0.1:29876;
}
#### my.machine.com HTTPS host
server {
listen 443 ssl;
server_name machine.com;
### SSL Parameters
#ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
### Proxy requests to upstream
location / {
proxy_pass http://sunstone;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-FOR $proxy_add_x_forwarded_for;
}
location /websockify {
proxy_pass http://websocketproxy;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
add_header Access-Control-Allow-Origin *;
}
}
And in the sunstone-server:
I made sure the .crt, .key, and .pem belong to oneadmin:oneadmin
Still without success. Same error message as above.
ahuertas
July 3, 2019, 6:59am
7
What error do you see in /var/log/one/novnc.log?
Hi,
You have configured ssl only for the websockets so you should try
proxy_pass https://websocketproxy;
If I am not wrong it will work in a slightly weird way - it will show 1006 but if you click to open in separate window it will work. The final solution I came to is as follow - in nginx I am using ssl cert from letsencrypt and a self-signed certificate for the websocketsproxy. There is a separate port on nginx for websocketproxy 89:
# OpenNebula Sunstone upstream
upstream sunstone {
server 127.0.0.1:9869;
}
upstream websocketproxy {
server 127.0.0.1:29876;
}
# No squealing.
server_tokens off;
# To upload ISO files, increase for VMs images
client_max_body_size 4G;
server {
server_name public.host.com; # managed by Certbot
root /usr/share/nginx/html;
location / {
proxy_pass http://sunstone;
proxy_redirect off;
log_not_found off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-FOR $proxy_add_x_forwarded_for;
}
location /websockify {
proxy_http_version 1.1;
proxy_pass http://websocketproxy;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# VNC connection timeout
proxy_read_timeout 61s;
# Disable cache
proxy_buffering off;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/public.host.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/public.host.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 89 ssl;
listen [::]:89 ssl;
server_name public.host.com;
root /usr/share/nginx/html;
location / {
proxy_http_version 1.1;
proxy_pass https://websocketproxy;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# VNC connection timeout
proxy_read_timeout 61s;
# Disable cache
proxy_buffering off;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
ssl_certificate /etc/letsencrypt/live/public.host.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/public.host.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
The sunstone-server.conf is as follow:
:vnc_proxy_port: 127.0.0.1:29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/pki/tls/certs/websockify.crt
:vnc_proxy_key: /etc/pki/tls/certs/websockify.key
:vnc_proxy_ipv6: false
:vnc_client_port: 89
:vnc_request_password: false
Not perfect but works for me …
Hope this helps
edit: just noticed that there are some configuration artifacts for websocket without ssl…
Best Regards,
saint
July 3, 2019, 1:00pm
9
Hey Anton,
I tried what you recommended, and still not working.
saint
July 8, 2019, 6:55pm
10
In the novice.log, all I have now is
handler exception: [Errno 13] Permission denied
saint
July 9, 2019, 3:12pm
11
I changed that with changing the rights to the private cert, but still get the VNC Diconnected: code 1006 now
You should try oeningn the dev console in the browser and look the logged errors. Usualy there are hints from the browser what is not working (connection refused, cert not valid, etc…)
saint
July 10, 2019, 1:44pm
13
Would you have a link ?
saint
July 11, 2019, 7:26pm
14
Issue resolved by redesigning part of our network.
