On Tue, Jul 31, 2012 at 10:09:26AM +0100, Daniel P. Berrange wrote:
On Tue, Jul 31, 2012 at 09:18:50AM +0300, Itamar Heim wrote:
> On 07/26/2012 05:36 PM, snmishra(a)linux.vnet.ibm.com wrote:
> 5.2 novnc websocket server - i see three options
>
> 5.2.1 extend qemu to do this, so novnc can connect to it directly
> like we do today for vnc/spice
I don't think this is a desirable approach. One of the nice benefits
you gain from using a websocket proxy is that you only need to have
one single TCP port exposed to the internet now. If you put websockets
in QEMU itself, you'd be stuck with having to open your firewall to
allow 100's of ports. With a separate web proxy, you can even make
each QEMU server now use a local UNIX socket for their VNC server,
since only the proxy needs to be able to connect. This means that
the VNC server would no longer be exposed to random local user
access too.
Another benefit of a proxy is that you can run it in a DMZ and not have
to expose all your virtualization hosts to the internet.