----- Original Message -----
From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt@kohlvanwijngaarden.nl> To: engine-devel@ovirt.org Sent: Tuesday, July 31, 2012 1:00:43 PM Subject: Re: [Engine-devel] Adding VNC support
On Tue, Jul 31, 2012 at 10:09:26AM +0100, Daniel P. Berrange wrote:
On Tue, Jul 31, 2012 at 09:18:50AM +0300, Itamar Heim wrote:
On 07/26/2012 05:36 PM, snmishra@linux.vnet.ibm.com wrote: 5.2 novnc websocket server - i see three options
5.2.1 extend qemu to do this, so novnc can connect to it directly like we do today for vnc/spice
I don't think this is a desirable approach. One of the nice benefits you gain from using a websocket proxy is that you only need to have one single TCP port exposed to the internet now. If you put websockets in QEMU itself, you'd be stuck with having to open your firewall to allow 100's of ports. With a separate web proxy, you can even make each QEMU server now use a local UNIX socket for their VNC server, since only the proxy needs to be able to connect. This means that the VNC server would no longer be exposed to random local user access too.
Another benefit of a proxy is that you can run it in a DMZ and not have to expose all your virtualization hosts to the internet.
But this way you do expose them :) Alon.