[Kimchi-devel] [PATCH] Configure nginx to proxy connections to the websocket server so that browsers don't need to connect to port 64667. This helps in networks with restrictive firewalls.
Rob Lemley
rob.lemley at rochester.edu
Mon Oct 5 21:07:20 UTC 2015
Signed-off-by: Rob Lemley <rob.lemley at rochester.edu>
---
src/kimchi/config.py.in | 8 ++++++++
src/kimchi/model/config.py | 2 ++
src/kimchi/proxy.py | 1 +
src/kimchi/vnc.py | 4 ++--
src/kimchid.in | 1 +
src/nginx/kimchi.conf.in | 15 +++++++++++++++
ui/js/src/kimchi.api.js | 14 +++++++-------
ui/spice-html5/pages/spice_auto.html | 2 +-
8 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index 7ca1a1f..1d81db2 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -98,6 +98,8 @@ class Paths(object):
self.ui_dir = self.add_prefix('ui')
self.spice_file = os.path.join(self.ui_dir,
'spice-html5/pages/spice_auto.html')
+ self.console_file = os.path.join(self.ui_dir,
+ 'pages/websockify/console.html')
if __with_spice__ == 'yes':
self.spice_dir = self.add_prefix('ui/spice-html5')
@@ -207,6 +209,12 @@ class KimchiConfig(dict):
'tools.sessions.timeout': SESSIONSTIMEOUT,
'tools.kimchiauth.on': False
},
+ '/console.html': {
+ 'tools.staticfile.on': True,
+ 'tools.staticfile.filename': paths.console_file,
+ 'tools.nocache.on': True,
+ 'tools.kimchiauth.on': True
+ },
'/novnc': {
'tools.staticdir.on': True,
'tools.staticdir.dir': paths.novnc_dir,
diff --git a/src/kimchi/model/config.py b/src/kimchi/model/config.py
index fe2a529..85d7092 100644
--- a/src/kimchi/model/config.py
+++ b/src/kimchi/model/config.py
@@ -41,7 +41,9 @@ class ConfigModel(object):
def lookup(self, name):
proxy_port = kconfig.get('display', 'display_proxy_port')
+ ssl_port = kconfig.get('server', 'ssl_port')
return {'display_proxy_port': proxy_port,
+ 'ssl_port': ssl_port,
'version': get_version()}
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index 5dcca65..bc26981 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -80,6 +80,7 @@ def _create_proxy_config(options):
proxy_port=options.port,
kimchid_port=options.cherrypy_port,
proxy_ssl_port=options.ssl_port,
+ display_proxy_port=options.display_proxy_port,
cert_pem=cert, cert_key=key,
max_body_size=eval(options.max_body_size),
dhparams_pem=dhparams_pem)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index b4194b1..ae04b81 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -44,10 +44,10 @@ def new_ws_proxy():
cert = '%s/kimchi-cert.pem' % paths.conf_dir
key = '%s/kimchi-key.pem' % paths.conf_dir
- params = {'web': os.path.join(paths.ui_dir, 'pages/websockify'),
+ params = {'listen_host': '127.0.0.1',
'listen_port': config.get('display', 'display_proxy_port'),
'target_cfg': WS_TOKENS_DIR,
- 'key': key, 'cert': cert, 'ssl_only': True}
+ 'ssl_only': False}
def start_proxy():
server = WebSocketProxy(**params)
diff --git a/src/kimchid.in b/src/kimchid.in
index 4ea7a42..de6eec2 100644
--- a/src/kimchid.in
+++ b/src/kimchid.in
@@ -92,6 +92,7 @@ def main(options):
setattr(options, 'ssl_key', config.config.get('server', 'ssl_key'))
setattr(options, 'max_body_size',
config.config.get('server', 'max_body_size'))
+ setattr(options, 'display_proxy_port', config.config.get('display', 'display_proxy_port'))
kimchi.server.main(options)
diff --git a/src/nginx/kimchi.conf.in b/src/nginx/kimchi.conf.in
index b0faea3..7d75329 100644
--- a/src/nginx/kimchi.conf.in
+++ b/src/nginx/kimchi.conf.in
@@ -47,6 +47,15 @@ http {
proxy_read_timeout 600;
send_timeout 600;
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ upstream websocket {
+ server 127.0.0.1:${display_proxy_port};
+ }
+
server {
listen ${proxy_ssl_port} ssl;
@@ -69,6 +78,12 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://127.0.0.1:${kimchid_port}/ https://$host:${proxy_ssl_port}/;
}
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
}
server {
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 44f58d1..2c4636a 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -368,15 +368,15 @@ var kimchi = {
type : 'GET',
dataType : 'json'
}).done(function(data, textStatus, xhr) {
- proxy_port = data['display_proxy_port'];
+ ssl_port = data['ssl_port'];
kimchi.requestJSON({
url : "vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
}).done(function() {
- url = 'https://' + location.hostname + ':' + proxy_port;
+ url = 'https://' + location.hostname + ':' + ssl_port;
url += "/console.html?url=" + encodeURIComponent("novnc/vnc_auto.html");
- url += "&port=" + proxy_port;
+ url += "&port=" + ssl_port;
/*
* From python documentation base64.urlsafe_b64encode(s)
* substitutes - instead of + and _ instead of / in the
@@ -384,7 +384,7 @@ var kimchi = {
* contain = which is not safe in a URL query component.
* So remove it when needed as base64 can work well without it.
* */
- url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=*$/g, "");
+ url += "&path=websockify?token=" + kimchi.urlSafeB64Encode(vm).replace(/=*$/g, "");
url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
@@ -400,14 +400,14 @@ var kimchi = {
type : 'GET',
dataType : 'json'
}).done(function(data, textStatus, xhr) {
- proxy_port = data['display_proxy_port'];
+ ssl_port = data['ssl_port'];
kimchi.requestJSON({
url : "vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
}).done(function(data, textStatus, xhr) {
- url = 'https://' + location.hostname + ':' + proxy_port;
- url += "/console.html?url=spice_auto.html&port=" + proxy_port;
+ url = 'https://' + location.hostname + ':' + ssl_port;
+ url += "/console.html?url=spice_auto.html&port=" + ssl_port;
url += "&listen=" + location.hostname;
/*
* From python documentation base64.urlsafe_b64encode(s)
diff --git a/ui/spice-html5/pages/spice_auto.html b/ui/spice-html5/pages/spice_auto.html
index 40afea4..6ef90b9 100644
--- a/ui/spice-html5/pages/spice_auto.html
+++ b/ui/spice-html5/pages/spice_auto.html
@@ -143,7 +143,7 @@
* to point Kimchi user to a specific console represented by
* token value.
*/
- uri = scheme + host + ":" + port + "/?token=" + token;
+ uri = scheme + host + ":" + port + "/websockify?token=" + token;
try
{
--
1.8.3.1
More information about the Kimchi-devel
mailing list