I managed to get this working a few days ago.
Steps I followed:
- generate self-signed certificates (or get real ones)
- set the group on cert and key to oneadmin or the websocket proxy won't read them (check logs)
- configure nginx https and reverse proxy https to sunstone port 9869
- configure nginx to redirect http to https
- configure sunstone-server.conf to use wss only, setup certificate paths
- open firewall for http, https and wss/vnc (80,443,29876)
These are the things I had trouble with:
- check /var/log for VNC errors, certificates need the right permissions (oneadmin group).
- you need to restart the websocket proxy if you make changes: kill it; restarting sunstone alone is not enough.
- if you are using a self-signed certificate you will need to add an exception (in your browser) for the VNC access port, you can point your browser to https://myone:29876 and add the exception.
- despite forum reports, in 5.4.1 it does not seem to be necessary to change user settings to enable WSS; it seems automatic now.
Good luck, hope this helps.
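
A preflight check for the certificate-permission problem described in this post, as an added example that is not part of the original post. The paths in the usage comment, the `check_tls_file` helper name, and the extra rule that the key must not be group-writable or accessible to other users are assumptions; it relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a TLS file is usable
# by the websocket proxy's group without being exposed more widely.
# Usage (paths are assumptions): ./check.sh /etc/one/ssl/one.key oneadmin key

# check_tls_file FILE GROUP KIND   (KIND is "cert" or "key")
# Returns 0 when FILE belongs to GROUP and GROUP can read it. A key must also
# grant nothing to "other" and must not be group-writable (assumed policy).
check_tls_file() {
    file=$1; group=$2; kind=$3
    if [ ! -f "$file" ]; then
        echo "FAIL $file: not a regular file" >&2; return 1
    fi
    file_group=$(stat -c '%G' "$file") || return 1   # owning group name
    mode=$(stat -c '%a' "$file") || return 1         # octal mode, e.g. 640
    mode=$(printf '%03d' "$mode")                    # pad short modes like "40"
    other=${mode#"${mode%?}"}                        # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                          # second-to-last octal digit

    if [ "$file_group" != "$group" ]; then
        echo "FAIL $file: group is $file_group, expected $group" >&2; return 1
    fi
    case $grp in
        4|5|6|7) ;;                                  # group read bit is set
        *) echo "FAIL $file: group $group cannot read it (mode $mode)" >&2
           return 1 ;;
    esac
    if [ "$kind" = key ]; then
        case $grp in
            6|7) echo "FAIL $file: key is group-writable (mode $mode)" >&2
                 return 1 ;;
        esac
        if [ "$other" != 0 ]; then
            echo "FAIL $file: key is accessible to other users (mode $mode)" >&2
            return 1
        fi
    fi
    echo "OK   $file ($kind, group $group, mode $mode)"
    return 0
}

# Run as a script only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_tls_file "$1" "$2" "$3"
fi
```

Run it once for the certificate and once for the key before restarting the websocket proxy; a mode of 640 with group oneadmin passes for both.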