From: Aline Manera <alinefm(a)br.ibm.com>
Some browsers do not handle self-signed certs well in an SSL
websocket connection. For details, please see:
https://github.com/kanaka/websockify/wiki/Encrypted-Connections
In Chrome, the encrypted console connection should work after
you log in over an SSL connection. Firefox, however, does not show a
confirmation page for the user to accept the self-signed cert when
the HTTPS connection is started from a websocket.
So this patch makes use of the Web server in websockify. The mini
Web server in websockify can serve static content such as HTML, CSS
and JS.
This patch adds a simple HTML file (console.html) to pages/websockify and has
websockify serve this file.
When the user clicks the console icon, Kimchi brings the user to
https://host:64667/console.html, which is served by websockify. Firefox
then prompts with a confirmation page for the self-signed cert. After
the user accepts the cert, the user is redirected to the noVNC/SPICE page
provided by the Kimchi server.
It is important that Kimchi provides the noVNC/SPICE page so that
authentication can be added to the console pages (vnc_auto.html and spice.html).
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
Signed-off-by: Mark Wu <wudxw(a)linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
---
configure.ac | 1 +
contrib/kimchi.spec.fedora.in | 1 +
contrib/kimchi.spec.suse.in | 1 +
src/kimchi/vnc.py | 3 ++-
ui/js/src/kimchi.api.js | 19 ++++++++-----------
ui/pages/Makefile.am | 2 +-
ui/pages/websockify/Makefile.am | 20 ++++++++++++++++++++
ui/pages/websockify/console.html | 25 +++++++++++++++++++++++++
8 files changed, 59 insertions(+), 13 deletions(-)
create mode 100644 ui/pages/websockify/Makefile.am
create mode 100644 ui/pages/websockify/console.html
diff --git a/configure.ac b/configure.ac
index 7d76f97..cc971e8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,6 +85,7 @@ AC_CONFIG_FILES([
ui/pages/help/pt_BR/Makefile
ui/pages/help/zh_CN/Makefile
ui/pages/tabs/Makefile
+ ui/pages/websockify/Makefile
contrib/Makefile
contrib/DEBIAN/Makefile
contrib/DEBIAN/control
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 104c114..2d4699b 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -180,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/kimchi/ui/pages/*.html.tmpl
%{_datadir}/kimchi/ui/pages/help/*/*.html
%{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl
+%{_datadir}/kimchi/ui/pages/websockify/*.html
%{_sysconfdir}/kimchi/kimchi.conf
%{_sysconfdir}/kimchi/nginx.conf.in
%{_sysconfdir}/kimchi/distros.d/debian.json
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 7704822..165f566 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -102,6 +102,7 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/kimchi/ui/pages/*.html.tmpl
%{_datadir}/kimchi/ui/pages/help/*/*.html
%{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl
+%{_datadir}/kimchi/ui/pages/websockify/*.html
%{_sysconfdir}/kimchi/kimchi.conf
%{_sysconfdir}/kimchi/nginx.conf.in
%{_sysconfdir}/kimchi/distros.d/debian.json
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 3251f06..3339014 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -44,7 +44,8 @@ def new_ws_proxy():
cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
args = ['python', cmd, config.get('display',
'display_proxy_port'),
- '--target-config', WS_TOKENS_DIR, '--cert', cert,
'--key', key]
+ '--target-config', WS_TOKENS_DIR, '--cert', cert,
'--key', key,
+ '--web', os.path.join(paths.ui_dir, 'pages/websockify')]
p = subprocess.Popen(args, close_fds=True)
return p
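Review bot: The added `--web` argument turns the display proxy port into a static file server for everything under `pages/websockify`, presumably without any Kimchi session check, and nothing next to the argument list says so. Because `ui/pages/websockify/Makefile.am` installs every `*.html` through a wildcard, any page later placed in that directory is published on the proxy port too; a comment such as `# Served by websockify without Kimchi authentication: keep this directory limited to the redirect page.` above the `--web` line would make that constraint explicit. Whether the bundled websockify.py returns a directory listing when no index file exists is not visible here and is worth checking. The diffstat shows no import added to vnc.py, so `paths` must already be in scope in this module; confirm that. `new_ws_proxy` starts outside the hunk.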
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 9431624..2cea751 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -318,20 +318,16 @@ var kimchi = {
type : 'GET',
dataType : 'json'
}).done(function(data, textStatus, xhr) {
- http_port = data['http_port'];
proxy_port = data['display_proxy_port'];
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
}).done(function() {
- /**
- * Due to problems with web sockets and self-signed
- * certificates, for now we will always redirect to http
- */
- url = 'http://' + location.hostname + ':' + http_port;
- url += "/vnc_auto.html?port=" + proxy_port;
+ url = 'https://' + location.hostname + ':' + proxy_port;
+ url += "/console.html?url=vnc_auto.html&port=" +
proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
+ url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
});
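Review bot: The removed comment explained why the console was opened over plain HTTP, but the new detour through `https://…/console.html` on the proxy port carries no comment, either here or in the SPICE hunk that follows. Something like `// Open console.html on the websockify port first so the browser can prompt for its self-signed cert; it then redirects back to Kimchi.` above the `url =` line would keep the reason next to the code. `url` is also assigned without `var` in both hunks, which makes it an implicit global; `var url = 'https://' + location.hostname + ':' + proxy_port;` avoids that. The enclosing function starts and ends outside the hunk.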
@@ -346,16 +342,17 @@ var kimchi = {
type : 'GET',
dataType : 'json'
}).done(function(data, textStatus, xhr) {
- http_port = data['http_port'];
proxy_port = data['display_proxy_port'];
kimchi.requestJSON({
url : "/vms/" + encodeURIComponent(vm) + "/connect",
type : "POST",
dataType : "json"
}).done(function(data, textStatus, xhr) {
- url = 'http://' + location.hostname + ':' + http_port;
- url += "/spice.html?port=" + proxy_port +
"&listen="
- + data.graphics.listen + "&token=" +
encodeURIComponent(vm);
+ url = 'https://' + location.hostname + ':' + proxy_port;
+ url += "/console.html?url=spice.html&port=" + proxy_port;
+ url += "&listen=" + data.graphics.listen;
+ url += "&token=" + encodeURIComponent(vm);
+ url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
});
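Review bot: `data.graphics.listen` is appended to the query string unencoded on the new `url += "&listen=" + data.graphics.listen;` line, while the token on the next line goes through `encodeURIComponent`. console.html forwards this query string after splitting it on `&` with regular expressions, so a value containing `&` or `=` would change the parameters the console page ends up receiving. Use `url += "&listen=" + encodeURIComponent(data.graphics.listen);`. The enclosing function starts and ends outside the hunk.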
diff --git a/ui/pages/Makefile.am b/ui/pages/Makefile.am
index 0c04a72..7f11555 100644
--- a/ui/pages/Makefile.am
+++ b/ui/pages/Makefile.am
@@ -15,7 +15,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-SUBDIRS = help tabs
+SUBDIRS = help tabs websockify
htmldir = $(datadir)/kimchi/ui/pages
diff --git a/ui/pages/websockify/Makefile.am b/ui/pages/websockify/Makefile.am
new file mode 100644
index 0000000..d498242
--- /dev/null
+++ b/ui/pages/websockify/Makefile.am
@@ -0,0 +1,20 @@
+#
+# Kimchi
+#
+# Copyright IBM, Corp. 2014
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#
http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+websockifyhtmldir = $(datadir)/kimchi/ui/pages/websockify
+
+dist_websockifyhtml_DATA = $(wildcard *.html) $(NULL)
diff --git a/ui/pages/websockify/console.html b/ui/pages/websockify/console.html
new file mode 100644
index 0000000..a536e38
--- /dev/null
+++ b/ui/pages/websockify/console.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script type="text/javascript">
+ redirectToKimchi = function() {
+ var query = window.location.search;
+
+ var path = /.*url=(.*?)(&|$)/g.exec(query)[1];
+ query = query.replace("url=" + path + "&", "")
+ query = query.replace("url=" + path, "")
+
+ var kimchi_port = /.*kimchi=(.*?)(&|$)/g.exec(query)[1];
+ query = query.replace("kimchi=" + kimchi_port + "&",
"")
+ query = query.replace("kimchi=" + kimchi_port, "")
+
+ var url = "https://" + location.hostname + ":" + kimchi_port
+ "/";
+ url += path + query
+
+ window.location.replace(url)
+ }
+ </script>
+ </head>
+
+ <body onload="redirectToKimchi()"/>
+</html>
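Review bot: `kimchi_port` and `path` are read from the query string and concatenated into the redirect target without validation, so a crafted link to this page can steer `window.location.replace` to a destination other than the Kimchi console pages (an open redirect served from the proxy port). Restrict both values before building `url`: `if (!/^\d+$/.test(kimchi_port)) return;` and `if (path !== "vnc_auto.html" && path !== "spice.html") return;`. Separately, `exec(query)[1]` throws when either parameter is absent because `exec` returns null, so the null result should be handled before indexing. The `g` flag on both regex literals has no effect for a single `exec` call and can be dropped.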
--
1.7.10.4