Use port 80 instead of 9869

Hello, I would like to open the OpenNebula web GUI using http://cloud.mydomain.com instead of http://cloud.mydomain.com:9869

Does somebody know how to do this and can help me?
Thanks

You can do it by setting up a reverse proxy, for example Nginx > OpenNebula.

Thanks… is there any guide (how-to)?
thanks

You can edit the port in /etc/one/sunstone-server.conf .

I already tried to edit /etc/one/sunstone-server.conf; I set

:host: 0.0.0.0
:port: 80

but it is not working…

Did you restart the sunstone server? If yes, do you have another server listening on port 80? Or a portscan detection tool that is observing port 80?

Yes, I restarted the sunstone server but it is not working… I checked, no service is already bound to port 80.

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1766/mysqld
tcp 0 0 127.0.0.1:2474 0.0.0.0:* LISTEN 1278/ruby
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:29876 0.0.0.0:* LISTEN 2019/python2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1311/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1978/master
tcp 0 0 0.0.0.0:2633 0.0.0.0:* LISTEN 52767/oned
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1311/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1978/master

Ah, I see, that is because opening port 80 requires root privilege.

You can try to change user and maybe group in /lib/systemd/system/opennebula-sunstone.service and/or /etc/init.d/opennebula-sunstone .

Hello, you should use Nginx as a reverse proxy, also with SSL termination.

So set host back to 127.0.0.1 in /etc/one/sunstone-server.conf

:host: 127.0.0.1
:port: 9869

and put this into /etc/nginx/nginx.conf + generate dhparams

openssl dhparam -out /etc/nginx/dhparams.pem 2048

server {
    listen       80 default_server;
    server_name  _;
    return       301 https://$host$request_uri;
}
server {
    # TLS is enabled with the ssl parameter of listen
    listen 443 ssl;
    server_name  _;

    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparams.pem;

    # intermediate configuration. tweak to your needs.
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        # Pass the original host and client address on to Sunstone
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:9869;
    }
}

Also, you should enable wss in the VNC config in /etc/one/sunstone-server.conf

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/nginx/nginx.crt
:vnc_proxy_key: /etc/nginx/nginx.key
:vnc_proxy_ipv6: false
:vnc_request_password: false
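
A check for the setup described above, as an added example that is not part of the original post: it reads `netstat -plnt` output and reports any non-loopback address on which a given port is listening, so you can confirm Sunstone's 9869 is reachable only through the TLS proxy. The two sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread.

# exposed_listeners PORT
# Reads `netstat -plnt` output on stdin and prints every local address that
# listens on PORT and is not a loopback address. No output means the port is
# only reachable from the host itself (i.e. through the reverse proxy).
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print addr
        }'
}

# Constructed sample: Sunstone still bound to all interfaces.
sample_direct() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:9869 0.0.0.0:* LISTEN 2100/ruby
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1311/sshd
tcp6 0 0 :::22 :::* LISTEN 1311/sshd
EOF
}

# Constructed sample: Sunstone on loopback, nginx in front of it.
sample_proxied() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:9869 0.0.0.0:* LISTEN 2100/ruby
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3000/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3000/nginx
tcp6 0 0 ::1:25 :::* LISTEN 1978/master
EOF
}
```

On a live host, run `netstat -plnt | exposed_listeners 9869`; empty output means plain-HTTP Sunstone is not exposed on the network.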

Great, feldsam,
it is OK, but now VNC is not working anymore… I'm getting this error:

VNC Server disconnected (code: 1006)

From Chrome dev tools I can see this error:
WebSocket connection to ‘wss://10.10.100.100:29876/?token=nvevi5lr93d0i1b11lcv’ failed: Error in connection establishment: net::ERR_CONNECTION_RESE

The certificate is valid… in fact, from the browser I can see the green lock: https://10.10.100.100

thanks

Did you also add certs to the VNC setup? Did you have valid certs (not self-signed)? Did you restart sunstone?

Yes, I added the certs to the VNC setup and my SSL certs are valid, not self-signed…
Anyway, from novnc.log I can see this error:

handler exception: [Errno 13] Permission denied
handler exception: [Errno 13] Permission denied

I have separate certs for nginx and for sunstone, so try to duplicate them and chgrp them to the oneadmin group.

Great, it worked… just the certificate owner :wink:
thank you so much
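
The fix confirmed above (a separate copy of the certificate and key, group-owned by oneadmin), written out as an added example that is not part of the original posts. The destination directory, the `sunstone-vnc.*` file names and both function names are assumptions; the script also checks that the key copy is readable by the group without being world-readable.

```shell
#!/bin/sh
# Added example, not from the thread. Destination directory and the
# sunstone-vnc.* names are assumptions. Needs GNU or BusyBox stat.

# key_readable_by_group FILE GROUP   (GROUP may be a name or a numeric gid)
# Succeeds only if FILE belongs to GROUP, has the group-read bit set and
# grants nothing to "other"; a private key must never be world-readable.
key_readable_by_group() {
    file=$1; group=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    set -- $(stat -c '%G %g %a' "$file")   # group name, gid, octal mode
    gname=$1; gid=$2; mode=$3
    if [ "$group" != "$gname" ] && [ "$group" != "$gid" ]; then
        echo "$file: group is $gname, expected $group" >&2; return 1
    fi
    grp_bits=$(( (mode / 10) % 10 )); other_bits=$(( mode % 10 ))
    if [ $(( grp_bits & 4 )) -eq 0 ]; then
        # This is the state that produces "[Errno 13] Permission denied"
        echo "$file: mode $mode, group cannot read it" >&2; return 1
    fi
    if [ "$other_bits" -ne 0 ]; then
        echo "$file: mode $mode exposes the key to other users" >&2; return 1
    fi
}

# install_vnc_cert SRC_CRT SRC_KEY DEST_DIR GROUP
# Copies the pair into DEST_DIR for the VNC proxy: key 0640, cert 0644,
# both group-owned by GROUP, then verifies the key copy.
install_vnc_cert() {
    src_crt=$1; src_key=$2; dest_dir=$3; group=$4
    install -d -m 0750 -g "$group" "$dest_dir" || return 1
    install -m 0644 -g "$group" "$src_crt" "$dest_dir/sunstone-vnc.crt" || return 1
    install -m 0640 -g "$group" "$src_key" "$dest_dir/sunstone-vnc.key" || return 1
    key_readable_by_group "$dest_dir/sunstone-vnc.key" "$group"
}

# As root, with the thread's nginx paths as the source (/etc/one/ssl is a
# hypothetical destination):
#   install_vnc_cert /etc/nginx/nginx.crt /etc/nginx/nginx.key /etc/one/ssl oneadmin
# Then point :vnc_proxy_cert and :vnc_proxy_key at the copies and restart Sunstone.
```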

Since you already found a working solution, I am not sure if it is still of any interest to you, but in the official documentation you can find information on how to run sunstone in another webserver (e.g. apache):

http://docs.opennebula.org/5.2/deployment/sunstone_setup/suns_advance.html#running-sunstone-inside-another-webserver

… the reverse proxy with nginx is also described there