Re: [Kimchi-devel] [v3] Enable encryption in vm VNC console connection

From: Mark Wu <wudxw(a)linux.vnet.ibm.com&gt; The current vm VNC console connection is unencrypted. This patch enables encrypted vm VNC console connection. But browsers doesn't support well for the usage self-signed certs in the ssl websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections For chrome browser, the encrypted console connection should work after you login with ssl connection. But for firefox, it does not show a confirmation page for the user the accept the self-signed cert when the HTTPs connection is started from a websocket. So this patch makes use of the Web server in the websockify. The mini Web server in the websockify can serve static contents like html, css and js. This patch moves all novnc related html, css, font and js files to ui/novnc, and have the websockify serve those files. When the user clicks the VNC icon, Kimchi brings the user to https://host:64667/vnc.html, which is served by websockify. Then firefox would prompt a confirmation page for the self-signed cert. After the user accept the cert, HTTPs connection started from the websocket would succeed. v3: Make use of the mini Web server in the websockify. Signed-off-by: Mark Wu <wudxw(a)linux.vnet.ibm.com&gt; Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com&gt; --- configure.ac | 8 ++++---- contrib/kimchi.spec.fedora.in | 13 +++++++------ contrib/kimchi.spec.suse.in | 13 +++++++------ src/kimchi/vnc.py | 11 +++++++++-- ui/Makefile.am | 2 +- ui/css/Makefile.am | 2 +- ui/css/fonts/Makefile.am | 2 -- ui/js/Makefile.am | 2 +- ui/js/src/kimchi.api.js | 7 ++++--- ui/{css => }/novnc/Makefile.am | 8 +++++--- ui/{css/fonts/novnc => novnc/css}/Makefile.am | 4 ++-- ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf | Bin ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff | Bin ui/{css/novnc => novnc/css}/base.css | 0 ui/{js/novnc => novnc/js}/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/base64.js | 0 ui/{js/novnc => novnc/js}/des.js | 0 ui/{js/novnc => novnc/js}/display.js | 0 ui/{js/novnc => novnc/js}/input.js | 0 ui/{js/novnc => novnc/js}/jsunzip.js | 0 ui/{js/novnc => novnc/js}/main.js | 0 ui/{js/novnc => novnc/js}/rfb.js | 0 ui/{js/novnc => novnc/js}/util.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/web-socket-js/README.txt | 0 ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf | Bin ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js | 0 ui/{js/novnc => novnc/js}/websock.js | 0 ui/{js/novnc => novnc/js}/webutil.js | 0 ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} | 9 ++++----- 31 files changed, 47 insertions(+), 38 deletions(-) rename ui/{css => }/novnc/Makefile.am (82%) rename ui/{css/fonts/novnc => novnc/css}/Makefile.am (88%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf (100%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff (100%) rename ui/{css/novnc => novnc/css}/base.css (100%) rename ui/{js/novnc => novnc/js}/Makefile.am (94%) rename ui/{js/novnc => novnc/js}/base64.js (100%) rename ui/{js/novnc => novnc/js}/des.js (100%) rename ui/{js/novnc => novnc/js}/display.js (100%) rename ui/{js/novnc => novnc/js}/input.js (100%) rename ui/{js/novnc => novnc/js}/jsunzip.js (100%) rename ui/{js/novnc => novnc/js}/main.js (100%) rename ui/{js/novnc => novnc/js}/rfb.js (100%) rename ui/{js/novnc => novnc/js}/util.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am (91%) rename ui/{js/novnc => novnc/js}/web-socket-js/README.txt (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js (100%) rename ui/{js/novnc => novnc/js}/websock.js (100%) rename ui/{js/novnc => novnc/js}/webutil.js (100%) rename ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} (83%) diff --git a/configure.ac b/configure.ac index 7d76f97..bc3f93e 100644 --- a/configure.ac +++ b/configure.ac @@ -66,19 +66,19 @@ AC_CONFIG_FILES([ plugins/sample/ui/config/Makefile ui/Makefile ui/css/Makefile - ui/css/novnc/Makefile ui/css/fonts/Makefile - ui/css/fonts/novnc/Makefile ui/images/Makefile ui/images/theme-default/Makefile ui/js/Makefile - ui/js/novnc/Makefile ui/js/spice/Makefile - ui/js/novnc/web-socket-js/Makefile ui/libs/Makefile ui/libs/themes/Makefile ui/libs/themes/base/Makefile ui/libs/themes/base/images/Makefile + ui/novnc/Makefile + ui/novnc/css/Makefile + ui/novnc/js/Makefile + ui/novnc/js/web-socket-js/Makefile ui/pages/Makefile ui/pages/help/Makefile ui/pages/help/en_US/Makefile diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 104c114..dd2fba7 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -154,8 +154,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico @@ -165,11 +163,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js @@ -177,6 +171,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 7704822..73c59a0 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -76,8 +76,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico @@ -87,11 +85,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js @@ -99,6 +93,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..61f9c15 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess -from kimchi.config import config +from kimchi.config import config, paths WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' @@ -36,9 +36,16 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass + cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key, + '--web', os.path.join(paths.ui_dir, 'novnc')] p = subprocess.Popen(args, close_fds=True) return p diff --git a/ui/Makefile.am b/ui/Makefile.am index b5366c5..4e0d57a 100644 --- a/ui/Makefile.am +++ b/ui/Makefile.am @@ -15,4 +15,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = css images js libs pages +SUBDIRS = css images js libs pages novnc diff --git a/ui/css/Makefile.am b/ui/css/Makefile.am index db65799..0922a9d 100644 --- a/ui/css/Makefile.am +++ b/ui/css/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc fonts +SUBDIRS = fonts EXTRA_DIST = theme-default diff --git a/ui/css/fonts/Makefile.am b/ui/css/fonts/Makefile.am index 63df038..d72bb6c 100644 --- a/ui/css/fonts/Makefile.am +++ b/ui/css/fonts/Makefile.am @@ -15,8 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc - fontdir = $(datadir)/kimchi/ui/css/fonts dist_font_DATA = fontawesome-webfont.* diff --git a/ui/js/Makefile.am b/ui/js/Makefile.am index f4d1e6b..a29c262 100644 --- a/ui/js/Makefile.am +++ b/ui/js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc spice +SUBDIRS = spice EXTRA_DIST = src widgets diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..c8c422d 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -318,7 +318,6 @@ var kimchi = { type : 'GET', dataType : 'json' }).done(function(data, textStatus, xhr) { - http_port = data['http_port']; proxy_port = data['display_proxy_port']; kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", @@ -329,9 +328,10 @@ var kimchi = { * Due to problems with web sockets and self-signed * certificates, for now we will always redirect to http */ - url = 'http://' + location.hostname + ':' + http_port; - url += "/vnc_auto.html?port=" + proxy_port; + url = 'https://' + location.hostname + ':' + proxy_port; + url += "/vnc.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { @@ -355,6 +355,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { diff --git a/ui/css/novnc/Makefile.am b/ui/novnc/Makefile.am similarity index 82% rename from ui/css/novnc/Makefile.am rename to ui/novnc/Makefile.am index 29703d6..d0aca93 100644 --- a/ui/css/novnc/Makefile.am +++ b/ui/novnc/Makefile.am @@ -1,7 +1,7 @@ # # Kimchi # -# Copyright IBM, Corp. 2013 +# Copyright IBM, Corp. 2014 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,6 +15,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -cssdir = $(datadir)/kimchi/ui/css/novnc +SUBDIRS = css js -dist_css_DATA = base.css +htmldir = $(datadir)/kimchi/ui/novnc + +dist_html_DATA = vnc.html $(NULL) diff --git a/ui/css/fonts/novnc/Makefile.am b/ui/novnc/css/Makefile.am similarity index 88% rename from ui/css/fonts/novnc/Makefile.am rename to ui/novnc/css/Makefile.am index 50f6050..23d178f 100644 --- a/ui/css/fonts/novnc/Makefile.am +++ b/ui/novnc/css/Makefile.am @@ -15,6 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -fontdir = $(datadir)/kimchi/ui/css/fonts/novnc +cssdir = $(datadir)/kimchi/ui/novnc/css -dist_font_DATA = Orbitron700.* +dist_css_DATA = base.css Orbitron700.* diff --git a/ui/css/fonts/novnc/Orbitron700.ttf b/ui/novnc/css/Orbitron700.ttf similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.ttf rename to ui/novnc/css/Orbitron700.ttf diff --git a/ui/css/fonts/novnc/Orbitron700.woff b/ui/novnc/css/Orbitron700.woff similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.woff rename to ui/novnc/css/Orbitron700.woff diff --git a/ui/css/novnc/base.css b/ui/novnc/css/base.css similarity index 100% rename from ui/css/novnc/base.css rename to ui/novnc/css/base.css diff --git a/ui/js/novnc/Makefile.am b/ui/novnc/js/Makefile.am similarity index 94% rename from ui/js/novnc/Makefile.am rename to ui/novnc/js/Makefile.am index fefe6af..0c22fed 100644 --- a/ui/js/novnc/Makefile.am +++ b/ui/novnc/js/Makefile.am @@ -17,6 +17,6 @@ SUBDIRS = web-socket-js -jsdir = $(datadir)/kimchi/ui/js/novnc +jsdir = $(datadir)/kimchi/ui/novnc/js dist_js_DATA = $(wildcard *.js) $(NULL) diff --git a/ui/js/novnc/base64.js b/ui/novnc/js/base64.js similarity index 100% rename from ui/js/novnc/base64.js rename to ui/novnc/js/base64.js diff --git a/ui/js/novnc/des.js b/ui/novnc/js/des.js similarity index 100% rename from ui/js/novnc/des.js rename to ui/novnc/js/des.js diff --git a/ui/js/novnc/display.js b/ui/novnc/js/display.js similarity index 100% rename from ui/js/novnc/display.js rename to ui/novnc/js/display.js diff --git a/ui/js/novnc/input.js b/ui/novnc/js/input.js similarity index 100% rename from ui/js/novnc/input.js rename to ui/novnc/js/input.js diff --git a/ui/js/novnc/jsunzip.js b/ui/novnc/js/jsunzip.js similarity index 100% rename from ui/js/novnc/jsunzip.js rename to ui/novnc/js/jsunzip.js diff --git a/ui/js/novnc/main.js b/ui/novnc/js/main.js similarity index 100% rename from ui/js/novnc/main.js rename to ui/novnc/js/main.js diff --git a/ui/js/novnc/rfb.js b/ui/novnc/js/rfb.js similarity index 100% rename from ui/js/novnc/rfb.js rename to ui/novnc/js/rfb.js diff --git a/ui/js/novnc/util.js b/ui/novnc/js/util.js similarity index 100% rename from ui/js/novnc/util.js rename to ui/novnc/js/util.js diff --git a/ui/js/novnc/web-socket-js/Makefile.am b/ui/novnc/js/web-socket-js/Makefile.am similarity index 91% rename from ui/js/novnc/web-socket-js/Makefile.am rename to ui/novnc/js/web-socket-js/Makefile.am index 7d685f5..26ba1c0 100644 --- a/ui/js/novnc/web-socket-js/Makefile.am +++ b/ui/novnc/js/web-socket-js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -websocketdir = $(datadir)/kimchi/ui/js/novnc/web-socket-js +websocketdir = $(datadir)/kimchi/ui/novnc/js/web-socket-js dist_websocket_DATA = \ swfobject.js \ diff --git a/ui/js/novnc/web-socket-js/README.txt b/ui/novnc/js/web-socket-js/README.txt similarity index 100% rename from ui/js/novnc/web-socket-js/README.txt rename to ui/novnc/js/web-socket-js/README.txt diff --git a/ui/js/novnc/web-socket-js/WebSocketMain.swf b/ui/novnc/js/web-socket-js/WebSocketMain.swf similarity index 100% rename from ui/js/novnc/web-socket-js/WebSocketMain.swf rename to ui/novnc/js/web-socket-js/WebSocketMain.swf diff --git a/ui/js/novnc/web-socket-js/swfobject.js b/ui/novnc/js/web-socket-js/swfobject.js similarity index 100% rename from ui/js/novnc/web-socket-js/swfobject.js rename to ui/novnc/js/web-socket-js/swfobject.js diff --git a/ui/js/novnc/web-socket-js/web_socket.js b/ui/novnc/js/web-socket-js/web_socket.js similarity index 100% rename from ui/js/novnc/web-socket-js/web_socket.js rename to ui/novnc/js/web-socket-js/web_socket.js diff --git a/ui/js/novnc/websock.js b/ui/novnc/js/websock.js similarity index 100% rename from ui/js/novnc/websock.js rename to ui/novnc/js/websock.js diff --git a/ui/js/novnc/webutil.js b/ui/novnc/js/webutil.js similarity index 100% rename from ui/js/novnc/webutil.js rename to ui/novnc/js/webutil.js diff --git a/ui/pages/vnc_auto.html.tmpl b/ui/novnc/vnc.html similarity index 83% rename from ui/pages/vnc_auto.html.tmpl rename to ui/novnc/vnc.html index 0078190..1f4355c 100644 --- a/ui/pages/vnc_auto.html.tmpl +++ b/ui/novnc/vnc.html @@ -1,4 +1,3 @@ -#from kimchi.cachebust import href <!DOCTYPE html> <html> <!-- @@ -13,15 +12,15 @@ <head> <title>noVNC</title> <meta http-equiv="X-UA-Compatible" content="chrome=1"> - <link rel="stylesheet" href="$href("/css/novnc/base.css")" title="plain"> + <link rel="stylesheet" href="css/base.css" title="plain"> <script type='text/javascript'> - var INCLUDE_URI = "/js/novnc/"; + var INCLUDE_URI = "js/"; </script> <!-- <script type='text/javascript' src='http://getfirebug.com/releases/lite/1.2/firebug-lite-compressed.... --> - <script src="$href("/js/novnc/util.js")"></script> + <script src="js/util.js"></script> </head> <body style="margin: 0px;"> @@ -39,6 +38,6 @@ Canvas not supported. </canvas> </div> - <script src="$href("/js/novnc/main.js")"></script> + <script src="js/main.js"></script> </body> </html>