VNC issues using SSL

I’m having difficulty launching VNC from the Sunstone web UI. When I attempt to launch VNC, the following error is displayed:
VNC noVNC ready: native WebSockets, canvas rendering.

Here is an overview of my configuration:

• OpenNebula version used: 5.4.1
• Public DNS resolves mydomain.biz to my assigned public IP
• My assigned public IP —> Static NAT —> 192.168.100.12
• Nginx is runnig on server 192.168.100.12
• OpenNebula is running on server 192.168.100.10

Here is the relevant snippet from my nginx conf file

    upstream sunstone  {
            server 192.168.100.10:9869;
    }

    server {

            listen       443 ssl;
            server_name  one.mydomain.biz;

            ssl on;
            ssl_certificate      /etc/pki/public/mydomain.bundle.biz.crt;
            ssl_certificate_key  /etc/pki/private/mydomain.biz.pem;

            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;

            ssl_ciphers  HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers  on;

            #access_log  /var/log/nginx/opennebula-sunstone-access.log;
            #error_log  /var/log/nginx/opennebula-sunstone-error.log;
            location / {
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                proxy_pass http://192.168.100.10:9869/;
            }
    }

Here is the relevant snippet from my sunstone-server.conf file

    :vnc_proxy_port: 29876
    :vnc_proxy_support_wss: yes
    :vnc_proxy_cert: /etc/one/ssl/mydomain.bundle.biz.crt
    :vnc_proxy_key: /etc/one/ssl/mydomain.biz.pem
    :vnc_proxy_ipv6: false
    :vnc_request_password: false

From the Sunstone web UI → Settings tab I set the VNC_WSS attribute to yes.
On server 192.168.100.10 I opened port 29876/tcp

Results:
All other Sunstone web UI functinality works as expected when accessing using https://one.mydomain.biz.
VNC will not work with the above configuration
VNC will work however if I set . vnc_proxy_support_wss: no in the sunstone-server.conf file and access the Sunstone web UI using http://192.168.100.10:9869

Anybody have any idea what I am missing?

Thanks

Hello, certificates are valid or selfsigned? What google chrome developer console says?

The cert is not self-signed. It was issued by a commercial CA authority. I’m not sure if it’s related but the cert is a wildcard cert for my domain.

Chrome developer just shows the same error message I described in my post.

Thanks

It is generally no error, but just message. So it stuck on canvas rendering. When it is working without wss and not working with wss, them there is probably problem with certificate.

I’m pretty confident about the cert since I’m using the same cert for
accessing https://one.mydomain.biz with no problem.

I’m unsure if I’m answering your follow-up question but . . .

With wss enabled Chrome developer shows:

· *Request URL: *wss://
one.mydomain.biz:29876/?token=v6gb7gy5afxv7nwmj1lq

· The webpage at wss://
one.mydomain.biz:29876/?token=v6gb7gy5afxv7nwmj1lq might be temporarily
down or it may have moved permanently to a new web address.

· ERR_DISALLOWED_URL_SCHEME

Thanks

Did you open and forward that port on NAT? Can you connect to it by telnet?

telnet one.mydomain.biz 29876

Yes, port 29876 is open in the NAT configuration.

In the meantime:

• I loaded nginx onto the same server that OpenNebula is running
  (192.168.100.10)
• I configured this instance of nginx with the same ssl block used in my
  nginx server (192.168.100.12)
• I updated my public DNS configuration to point one.mydomain.biz
  to the OpenNebula server
  (192.168.100.10)

With this configuration I can initiate an encrypted VNC session with no
problem.

I can use it this way but ideally I would prefer to handle all proxy
forwarding from my nginx server. Any other thoughts?

Thanks

So you want have nginx on dedicated 192.168.100.12 server, right? On that server you setup proxy_pass to opennebula. But when you open VNC, it try to connect to 192.168.100.12:29876, whci is not running on that server but on nebula one (192.168.100.10).

If you need dedicated setup, I can recommend you move novnc websocket service to nginx server 192.168.100.12 and leave remaining opennebula services on 192.168.100.10.

Or try to setup nginx websocket proxy https://www.nginx.com/blog/websocket-nginx/

I actually tried setting up an nginx websocket proxy last night by adding
this server block to by nginx config file . .

server {
listen 29876;
server_name one.mydomain.biz;
location / {
proxy_pass http://192.168.100.10:29876;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

. . but still no success.

At this point I have decided to just use nginx on my opennebula-sunstone
server and redirect my public DNS to it (192.168.100.10).

Thanks for all your help!

Why you pass to http port of sunstone? VNC is on 29876, or did you change vnc port?

Oops . . . typo on my part. I corrected my previous post to show:

proxy_pass http://192.168.100.10:29876;

Thanks

still not working?

Correct . . . still not working.

You have to setup SSL on nginx proxy too if you want use WSS.

Good catch . . . After updating the server block as shown below and opening
up port 29876 in firewalld it ‘kind of’ works now.

With the Edge browser it appears to work consistently no problem. With
Chrome the VNC window opens but most of the time it disconnects after a few
seconds and displays: VNC Server disconnected (code: 1006).

server {
    listen 29876;
    server_name  one.mydomain.biz;

        ssl on;
        ssl_certificate      /etc/pki/public/mydomain.bundle.biz.crt;
        ssl_certificate_key  /etc/pki/private/mydomain.biz.pem;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

    location /  {
        proxy_pass http://192.168.100.10:29876;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

try to proxy_pass https://

This issue is now solved.

To recap . . . My configuration has an nginx ssl proxy redirect running on a different host from the opennebula-sunstone host. With this configuration the Sunstone web UI loaded with no issues. However I was unable to initiate a VNC session.

The ultimate solution was to add a separate ssl proxy redirect for VNC connections in my nginx conf file and to open port 29876 on the nginx host. This solution assumes use of a cert from a commercial certificate authority (CA) although it does also work with a self-signed cert. The relevant configurations are shown below.

In final testing I ran into a problem opening the Sunstone web UI using Chrome. Intermittently when initiating a VNC session, a VNC Server disconnected (code: 1006) response would be displayed. In looking at the Chrome console I learned that I was not allowing enough time for a previously opened VNC session to completely disconnect. In other words, this message would be displayed if I closed one VNC session and immediately opened another VNC session. With that in mind I ended up having no problems opening a VNC session as long as I allowed at least a few seconds following the closing of a previous opened VNC session.

Thanks

Here is the relevant snippet from my nginx conf file

# proxy for OpenNebula Sunstone UI
server {

        listen       443 ssl;
        server_name  one.mydomain.biz;

        ssl on;
        ssl_certificate      /etc/pki/public/mydomain.bundle.biz.crt;
        ssl_certificate_key  /etc/pki/private/mydomain.biz.pem;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        #access_log  /var/log/nginx/opennebula-sunstone-access.log;
        #error_log  /var/log/nginx/opennebula-sunstone-error.log;
        location / {
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;

            proxy_pass http://192.168.100.10:9869/;

        }
}

# proxy for OpenNebula VNC connection
# Also remember to open port 29876 on this server
server {
    listen 29876;
    server_name  one.mydomain.biz;

        ssl on;
        ssl_certificate      /etc/pki/public/mydomain.bundle.biz.crt;
        ssl_certificate_key  /etc/pki/private/mydomain.biz.pem;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;


    location /  {
        proxy_pass https://192.168.100.10:29876;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # VNC connection timeout
        proxy_read_timeout 61s;

        # Disable cache
        proxy_buffering off;
    }
} 

Here is the relevant snippet from my sunstone-server.conf file

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/one/ssl/mydomain.bundle.biz.crt
:vnc_proxy_key: /etc/one/ssl/mydomain.biz.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false