Use port 80 instead of 9869

Hello, I would like to open the OpenNebula web GUI using: instead

Does somebody know how to do this and can help me?

You can do it by setting up a reverse proxy, for example Nginx > OpenNebula.

Thanks… is there any guide (how-to)?

You can edit the port in /etc/one/sunstone-server.conf .

I already tried to edit /etc/one/sunstone-server.conf; I set

:port: 80

but it is not working…

Did you restart the sunstone server? If yes, do you have another server listening on port 80? Or a portscan detection tool that is observing port 80?

Yes, I restarted the sunstone server but it is not working… I checked, and no service is already bound to port 80

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 1766/mysqld
tcp 0 0* LISTEN 1278/ruby
tcp 0 0* LISTEN 1/systemd
tcp 0 0* LISTEN 2019/python2
tcp 0 0* LISTEN 1311/sshd
tcp 0 0* LISTEN 1978/master
tcp 0 0* LISTEN 52767/oned
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1311/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1978/master

Ah, I see, that is because opening port 80 requires root privilege.

You can try to change user and maybe group in /lib/systemd/system/opennebula-sunstone.service and/or /etc/init.d/opennebula-sunstone .

Hello, you should use Nginx as reverse proxy also with SSL termination.

So set host back to in /etc/one/sunstone-server.conf

:port: 9869

and put this to /etc/nginx/nginx.conf + generate dhparams

openssl dhparam -out /etc/nginx/dhparams.pem 2048

server {
    listen       80 default_server;
    server_name  _;
    return       301 https://$host$request_uri;
}

server {
    # "ssl on;" was removed in nginx 1.25.1; the ssl parameter of listen replaces it
    listen 443 ssl;
    server_name  _;

    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparams.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        # the proxy_pass directive pointing at Sunstone (port 9869) belongs here
    }
}

Also you should enable wss in the VNC config in /etc/one/sunstone-server.conf

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/nginx/nginx.crt
:vnc_proxy_key: /etc/nginx/nginx.key
:vnc_proxy_ipv6: false
:vnc_request_password: false

Great, feldsam,
it is OK, but now VNC is not working anymore… I'm getting this error:

VNC Server disconnected (code: 1006)

From Chrome dev tools I can see this error:
WebSocket connection to ‘wss://’ failed: Error in connection establishment: net::ERR_CONNECTION_RESE

The certificate is valid… in fact, from the browser I can see the green lock:


Did you also add certs to the VNC setup? Did you have valid certs (not self-signed)? Did you restart sunstone?

Yes, I added the certs to the VNC setup and my SSL certs are valid, not self-signed…
Anyway, from novnc.log I can see this error:

handler exception: [Errno 13] Permission denied
handler exception: [Errno 13] Permission denied

I have separate certs for nginx and for sunstone, so try to duplicate them and chgrp them to the oneadmin group

Great, it worked… just a certificate owner :wink:
Thank you so much
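The fix that closed out the `[Errno 13] Permission denied` error above (a separate copy of the certificate pair, group-readable by oneadmin), written out as an added example that is not part of any post in the thread. The destination directory, the `sunstone.crt`/`sunstone.key` file names and both function names are assumptions.

```shell
#!/bin/sh
# Added example: names and destination paths are hypothetical, not from the thread.

# audit_vnc_key KEY GROUP -- checks the group-based grant suggested in the thread.
#   0 = GROUP can read KEY and it is not world-readable
#   1 = KEY is missing
#   2 = GROUP cannot read KEY (the "[Errno 13] Permission denied" case)
#   3 = KEY is readable by every local user
audit_vnc_key() {
    key=$1 group=$2
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }
    # find prints the path only when every test on it matches
    if [ -z "$(find "$key" -prune -group "$group" -perm -040)" ]; then
        echo "group $group cannot read $key" >&2; return 2
    fi
    if [ -n "$(find "$key" -prune -perm -004)" ]; then
        echo "$key is world-readable" >&2; return 3
    fi
    return 0
}

# install_vnc_tls SRC_CERT SRC_KEY DEST_DIR GROUP
# Duplicates the pair so the files nginx uses stay untouched, then grants
# read access to GROUP only. The body is a subshell so the umask change
# does not leak into the caller. On a real host this needs root.
install_vnc_tls() (
    src_cert=$1 src_key=$2 dest=$3 group=$4
    umask 077                        # copies start out owner-only
    mkdir -p "$dest" || exit 1
    cp "$src_cert" "$dest/sunstone.crt" || exit 1
    cp "$src_key"  "$dest/sunstone.key" || exit 1
    chgrp "$group" "$dest" "$dest/sunstone.crt" "$dest/sunstone.key" || exit 1
    chmod 0750 "$dest" || exit 1
    chmod 0644 "$dest/sunstone.crt" || exit 1
    chmod 0640 "$dest/sunstone.key" || exit 1
    audit_vnc_key "$dest/sunstone.key" "$group"
)
```

With a hypothetical destination of `/etc/one/ssl`, the call would be `install_vnc_tls /etc/nginx/nginx.crt /etc/nginx/nginx.key /etc/one/ssl oneadmin`; `:vnc_proxy_cert:` and `:vnc_proxy_key:` then point at the copies and sunstone is restarted.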

Since you already found a working solution, I am not sure if it is still of any interest for you, but in the official documentation you can find information on how to run sunstone in another webserver (e.g. apache):

… the reverse proxy with nginx is also described there