VNC with Sunstone behind Nginx Proxy

hi all,

just sharing how we set things up with an nginx SSL proxy for Sunstone and encrypted VNC.
Here is the nginx config we use:

# No squealing.
server_tokens off;

# OpenNebula Sunstone upstream
upstream sunstone {
    server 127.0.0.1:9869;
}

# HTTP virtual host, redirect to HTTPS
server {
    listen 80 default_server;

    # $host/$request_uri keep the requested name and path; $server_name is
    # empty here because no server_name directive is set.
    return 301 https://$host$request_uri;
}

# HTTPS virtual host, proxy to Sunstone
server {
    listen 443 ssl default_server;
    ssl_certificate /etc/ssl/certs/opennebula-certchain.pem;
    ssl_certificate_key /etc/ssl/private/opennebula-key.pem;
    ssl_stapling on;

    # Hand everything to the Sunstone upstream defined above
    location / {
        proxy_pass http://sunstone;
    }
}

Here is the relevant part of sunstone-server.conf:

# UI Settings

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/one/ssl/opennebula-certchain.pem
:vnc_proxy_key: /etc/one/ssl/opennebula-key.pem
:vnc_proxy_ipv6: false

When this is set, reload Sunstone. Then, in the web interface go to “Settings” > “Info” and change VNC_WSS from no to yes (4.12.1); older versions have a checkmark under “Conf” to set VNC to secure sockets.
NOTE: if using a self-signed cert, the connection to the VNC window in Sunstone will fail; either get a real cert, or manually accept the self-signed cert in your browser before trying it with Sunstone.
Now, VNC sessions should show “encrypted” in the title.

Extra protection:

To better protect VNC we also change the default listen address in templates from “0.0.0.0” to the word “vnc-if”. Then on every host in the cluster we make sure “vnc-if” points to a local IP by editing /etc/hosts on every server in the cluster (like localhost points to 127.0.0.1, vnc-if points to 10.0.0.1 on server 1, to 10.0.0.2 on server 2, etc.), which is a non-public management network. This way the VNC listen port is only available on that secure network, and people can't view screens they shouldn't, without the need for a firewall.

This will change the VNC ports for running VMs on opennebula hypervisors from:

tcp 0 0 0.0.0.0:6102 0.0.0.0:* LISTEN 36021
tcp 0 0 0.0.0.0:6135 0.0.0.0:* LISTEN 35370
tcp 0 0 0.0.0.0:6109 0.0.0.0:* LISTEN 33822
tcp 0 0 0.0.0.0:6144 0.0.0.0:* LISTEN 7273
tcp 0 0 0.0.0.0:6145 0.0.0.0:* LISTEN 11997

into:

tcp 0 0 10.149.16.12:6102 0.0.0.0:* LISTEN 36021
tcp 0 0 10.149.16.12:6135 0.0.0.0:* LISTEN 35370
tcp 0 0 10.149.16.12:6109 0.0.0.0:* LISTEN 33822
tcp 0 0 10.149.16.12:6144 0.0.0.0:* LISTEN 7273
tcp 0 0 10.149.16.12:6145 0.0.0.0:* LISTEN 11997

Which makes it a LOT easier to secure VNC. With all hosts set up correctly with “vnc-if” pointing to their local IP, stuff like live migration still works, because “vnc-if” always points to the correct IP on any host in OpenNebula.

Hope this helps anyone, lots of good info in this thread.

EDIT: forgot to mention, with the above config you only need to enable 443 (HTTPS) and 29876 (VNC proxy) in your (physical) firewall for Sunstone.
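As an added check for the “vnc-if” setup described in the post above (example code, not from the original post or from OpenNebula): it reads a hosts file and netstat-style listener output and flags any VNC listener that is not bound to the private address the alias resolves to, which is how a 0.0.0.0 listener left over on one host would show up. The alias name vnc-if comes from the post, the 5900-6999 range is the qemu/libvirt VNC default, and both sample inputs are constructed.

```python
import ipaddress

VNC_PORTS = range(5900, 7000)  # qemu/libvirt VNC range used on OpenNebula hosts

# Constructed /etc/hosts content for one hypervisor (sample input)
HOSTS_FILE = """127.0.0.1   localhost
10.0.0.1    vnc-if
"""

# Constructed `netstat -tln` style output: two VNC listeners still on 0.0.0.0
NETSTAT_OUTPUT = """tcp 0 0 0.0.0.0:6102 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.1:6135 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6109 0.0.0.0:* LISTEN
"""

def resolve_alias(hosts_text, alias="vnc-if"):
    """Return the address `alias` maps to in a hosts file; raise ValueError if it
    is missing, ambiguous, public, loopback or 0.0.0.0 (any of which defeats the alias)."""
    matches = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and alias in fields[1:]:
            matches.append(ipaddress.ip_address(fields[0]))
    if len(matches) != 1:
        raise ValueError(f"{alias} must map to exactly one address, found {len(matches)}")
    ip = matches[0]
    if not ip.is_private or ip.is_unspecified or ip.is_loopback:
        raise ValueError(f"{alias} -> {ip} is not a private management address")
    return ip

def exposed_vnc_listeners(netstat_text, allowed_ip):
    """Return (address, port) for every VNC-range listener not bound to allowed_ip."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # local address column
        if int(port) in VNC_PORTS and addr != str(allowed_ip):
            exposed.append((addr, int(port)))
    return exposed

if __name__ == "__main__":
    mgmt = resolve_alias(HOSTS_FILE)
    for addr, port in exposed_vnc_listeners(NETSTAT_OUTPUT, mgmt):
        print(f"VNC listener {addr}:{port} is not bound to vnc-if ({mgmt})")
```

Run it on each hypervisor with the real /etc/hosts and `netstat -tln` output; an empty result means every VNC listener is on the management address.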