Sunstone with Nginx Proxy - Working Configuration

Hi,

I thought to assist others I would share our configuration that is working with Sunstone and Nginx proxy ( with SSL ) and noVNC to assist others having issues with setup.

Nginx config - Nginx Server block. Please replace fields marked xxxxxx with your own environment. Make sure you chown the SSL certificate files to oneadmin.

upstream sunstone  {
        server xxxxxxxxxxxxxxx:9869;
}


upstream vnc_proxy {
        server localhost:29876; 
}

server {
        listen 80;
        server_name xxxxxxxxxxxxxxxxxx;

        ### Permanent redirect to HTTPS (optional)
        return 301 https://xxxxxxxxxxxxxxxx:443;
}


server {
        listen 443 ssl;
        server_name xxxxxxxxxxxxxxx;
        ssl_certificate /etc/ssl/new/ssl-bundle.crt;
        ssl_certificate_key /etc/ssl/new/private.key;

        ### Proxy requests to upstream
        location / {
                proxy_pass http://localhost:9869;
        }

        location /websockify {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                proxy_http_version 1.1;
                proxy_read_timeout 86400;
                proxy_pass https://localhost:29876;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
}

Sunstone config file. /etc/one/sunstone-server.conf

The only changes we made in the sunstone-server.conf file were for encrypted VNC connections. Take note of the VNC configuration with the same SSL certificate locations as the Nginx opennebula.conf file above.

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/ssl/new/ssl-bundle.crt
:vnc_proxy_key: /etc/ssl/new/private.key
:vnc_proxy_ipv6: false
:vnc_request_password: false
:allow_vnc_federation: no

It is important to restart opennebula and also the opennebula-novnc service. For CentOS:
systemctl restart opennebula-novnc

I have attached the configuration files for easier viewing and copying. I will be happy to assist with questions if others run into problems.


Hi @Ben_McGuire,

Please let me add some comments and improvements on the shared nginx configuration.

Although there is SSL encryption configured on both sunstone and noVNC, the web browser is bypassing nginx (port 443) and connects directly to the noVNC proxy on port 29876 instead…
My guess is that you’d like to pass everything via nginx port 443, right?

If so, let’s start with the sunstone-server.conf first:

  • let's bind the VNC websocket proxy to the localhost. This way there is no need to set a firewall rule to protect the port (also you could use a locally generated “snake oil” certificate for the communication between the noVNC proxy and the nginx, so no need to set ownership of the “public” SSL keys…):
:vnc_proxy_port: 127.0.0.1:29876
  • allow encrypted WebSockets only (WSS)
:vnc_proxy_support_wss: only
  • Tell the browser’s noVNC javascript to make the connection to nginx (443)
:vnc_client_port: 443

Next, there are some changes needed to the nginx configuration too.

  • There are three redirects to noVNC in sunstone - the VMs overview page, the VM info page and the option to expand the vnc session in a separate browser tab/window. Most of them redirect to /websockify but one of them was redirecting to the page root. I am sorry but don’t remember which one, it is possible that this is fixed but the following check&rewrite has been sitting in place in my nginx conf in the root location for a long time:
    location / {
        if ($args ~* "host=.+&port=.+&token=.+&encrypt=.+") {
            rewrite ^/$ /websockify/ last;
        }
         ...
  • The following is cosmetic but let’s use the upstream definitions and set some headers :wink:
       ...
       proxy_pass http://sunstone;
       proxy_redirect off;
       proxy_set_header   X-Real-IP $remote_addr;
       proxy_set_header   Host $http_host;
       proxy_set_header   X-Forwarded-FOR $proxy_add_x_forwarded_for;
  • in location /websockify I’d change proxy_pass to use the upstream definition from the top of the file…
    location /websockify {
        proxy_pass https://vnc_proxy;
        ...

With the above changes both sunstone and noVNC will be working proxied via nginx on https port 443 only.

Hope this helps.

Best Regards,
Anton Todorov


Hi @atodorov_storpool

Thank you for your tips. I shall review and implement them today and update you. Should your tips work I will update the post so as to assist others, as I couldn’t find a straightforward guide and after a lot of trial and error I was able to get it working. Hopefully after your advice I will further improve my knowledge and we both can ensure we assist others in their configuration.

I'll update soon.
Thank you.

Hi @atodorov_storpool

I tried your config yesterday and while Sunstone worked, it was VNC that failed to connect. In saying that, Sunstone was very slow to the point where it took more than 20 seconds to browse between pages.

Further, the location block did not work as Nginx stated there was a missing } on the line where the if statement is, and even though I tried multiple ways of adding it there was no way I could get it to work.

It may be beneficial if you could share your config files ( removing the identifiers of course ) and this way I can ensure I am adding the correct configurations. I am looking forward to having your more secure setup so I can update my post so others have a go to guide to setup Sunstone and Nginx proxy.

Hi Ben,

You can find a complete configuration example here. Well, slightly more extended, but the sunstone and noVNC parts are complete.

Best Regards,
Anton Todorov


Hi @atodorov_storpool

Hats off to you and your advice. I can now confirm that your config is working and I shall update my post with your additional secure configurations.

Thanks again Anton!!!

--------Update -------

A big thanks to @atodorov_storpool for his additional advice. I have attached the working configuration including the additional config for a more secure Opennebula and noVNC.


Hi Ben,
Thanks for your post, it’s really helping me to configure an SSL certificate on my Sunstone website for OpenNebula.
I’ve tried to use your conf file while changing the url for my config,
but when I start nginx to use the conf file, I get this message:

nginx -c /etc/nginx/opennebula.conf
nginx: [emerg] “server_tokens” directive is not allowed here in /etc/nginx/opennebula.conf:2

Is it something that I missed in my config?
Thanks for your help

Best Regards
Matt
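The following is an added example (not one of the files attached in this thread) that consolidates Anton's suggestions into a single nginx configuration; the hostname and the certificate paths are placeholders. It is written as a complete main config so that it can be loaded with nginx -c as in Matt's post: in that case the file is the whole configuration, so an events {} section is required and directives such as server_tokens and the server blocks must sit inside http {}, which is why nginx rejects server_tokens at the top level of the file.

```nginx
# Added example: complete nginx main config applying the thread's suggestions.
# Placeholders: sunstone.example.com and the /etc/ssl/new/* paths.
events { worker_connections 1024; }

http {
    server_tokens off;   # allowed here (http context), not at file top level

    # Sunstone on the local host; noVNC proxy bound to 127.0.0.1:29876 via
    # ":vnc_proxy_port: 127.0.0.1:29876" in sunstone-server.conf
    upstream sunstone  { server 127.0.0.1:9869; }
    upstream vnc_proxy { server 127.0.0.1:29876; }

    server {
        listen 80;
        server_name sunstone.example.com;
        return 301 https://$host$request_uri;   # keep path on the redirect
    }

    server {
        listen 443 ssl;
        server_name sunstone.example.com;
        ssl_certificate     /etc/ssl/new/ssl-bundle.crt;
        ssl_certificate_key /etc/ssl/new/private.key;

        location / {
            # A noVNC console request that lands on the root is sent to /websockify
            if ($args ~* "host=.+&port=.+&token=.+&encrypt=.+") {
                rewrite ^/$ /websockify/ last;
            }
            proxy_pass         http://sunstone;
            proxy_redirect     off;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   Host $http_host;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /websockify {
            # noVNC proxy runs with ":vnc_proxy_support_wss: only", hence https
            # and the WebSocket upgrade headers on an HTTP/1.1 connection
            proxy_pass          https://vnc_proxy;
            proxy_http_version  1.1;
            proxy_set_header    Upgrade $http_upgrade;
            proxy_set_header    Connection "upgrade";
            proxy_set_header    Host $host;
            proxy_read_timeout  86400;
        }
    }
}
```

Run `nginx -t -c /etc/nginx/opennebula.conf` to syntax-check the file before reloading; the browser's noVNC client then reaches the console on port 443 because sunstone-server.conf sets `:vnc_client_port: 443`.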