[Kimchi-devel] [PATCH] Configure nginx to proxy connections to the websocket server so that browsers don't need to connect to port 64667. This helps in networks with restrictive firewalls.

5 Oct 2015

Signed-off-by: Rob Lemley <rob.lemley@rochester.edu>
---
 src/kimchi/config.py.in              |  8 ++++++++
 src/kimchi/model/config.py           |  2 ++
 src/kimchi/proxy.py                  |  1 +
 src/kimchi/vnc.py                    |  4 ++--
 src/kimchid.in                       |  1 +
 src/nginx/kimchi.conf.in             | 15 +++++++++++++++
 ui/js/src/kimchi.api.js              | 14 +++++++-------
 ui/spice-html5/pages/spice_auto.html |  2 +-
 8 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index 7ca1a1f..1d81db2 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -98,6 +98,8 @@ class Paths(object):
         self.ui_dir = self.add_prefix('ui')
         self.spice_file = os.path.join(self.ui_dir,
                                        'spice-html5/pages/spice_auto.html')
+        self.console_file = os.path.join(self.ui_dir,
+                                       'pages/websockify/console.html')
 
         if __with_spice__ == 'yes':
             self.spice_dir = self.add_prefix('ui/spice-html5')
@@ -207,6 +209,12 @@ class KimchiConfig(dict):
             'tools.sessions.timeout': SESSIONSTIMEOUT,
             'tools.kimchiauth.on': False
         },
+        '/console.html': {
+            'tools.staticfile.on': True,
+            'tools.staticfile.filename': paths.console_file,
+            'tools.nocache.on': True,
+            'tools.kimchiauth.on': True
+        },
         '/novnc': {
             'tools.staticdir.on': True,
             'tools.staticdir.dir': paths.novnc_dir,
diff --git a/src/kimchi/model/config.py b/src/kimchi/model/config.py
index fe2a529..85d7092 100644
--- a/src/kimchi/model/config.py
+++ b/src/kimchi/model/config.py
@@ -41,7 +41,9 @@ class ConfigModel(object):
 
     def lookup(self, name):
         proxy_port = kconfig.get('display', 'display_proxy_port')
+        ssl_port = kconfig.get('server', 'ssl_port')
         return {'display_proxy_port': proxy_port,
+                'ssl_port': ssl_port,
                 'version': get_version()}
 
 
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index 5dcca65..bc26981 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -80,6 +80,7 @@ def _create_proxy_config(options):
                                 proxy_port=options.port,
                                 kimchid_port=options.cherrypy_port,
                                 proxy_ssl_port=options.ssl_port,
+                                display_proxy_port=options.display_proxy_port,
                                 cert_pem=cert, cert_key=key,
                                 max_body_size=eval(options.max_body_size),
                                 dhparams_pem=dhparams_pem)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index b4194b1..ae04b81 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -44,10 +44,10 @@ def new_ws_proxy():
         cert = '%s/kimchi-cert.pem' % paths.conf_dir
         key = '%s/kimchi-key.pem' % paths.conf_dir
 
-    params = {'web': os.path.join(paths.ui_dir, 'pages/websockify'),
+    params = {'listen_host': '127.0.0.1',
               'listen_port': config.get('display', 'display_proxy_port'),
               'target_cfg': WS_TOKENS_DIR,
-              'key': key, 'cert': cert, 'ssl_only': True}
+              'ssl_only': False}
 
     def start_proxy():
         server = WebSocketProxy(**params)
diff --git a/src/kimchid.in b/src/kimchid.in
index 4ea7a42..de6eec2 100644
--- a/src/kimchid.in
+++ b/src/kimchid.in
@@ -92,6 +92,7 @@ def main(options):
     setattr(options, 'ssl_key', config.config.get('server', 'ssl_key'))
     setattr(options, 'max_body_size',
             config.config.get('server', 'max_body_size'))
+    setattr(options, 'display_proxy_port', config.config.get('display', 'display_proxy_port'))
 
     kimchi.server.main(options)
 
diff --git a/src/nginx/kimchi.conf.in b/src/nginx/kimchi.conf.in
index b0faea3..7d75329 100644
--- a/src/nginx/kimchi.conf.in
+++ b/src/nginx/kimchi.conf.in
@@ -47,6 +47,15 @@ http {
     proxy_read_timeout          600;
     send_timeout                600;
 
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    upstream websocket {
+        server 127.0.0.1:${display_proxy_port};
+    }
+
     server {
         listen ${proxy_ssl_port} ssl;
 
@@ -69,6 +78,12 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_redirect http://127.0.0.1:${kimchid_port}/ https://$host:${proxy_ssl_port}/;
         }
+        location /websockify {
+            proxy_pass http://websocket;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
     }
 
     server {
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 44f58d1..2c4636a 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -368,15 +368,15 @@ var kimchi = {
             type : 'GET',
             dataType : 'json'
         }).done(function(data, textStatus, xhr) {
-            proxy_port = data['display_proxy_port'];
+            ssl_port = data['ssl_port'];
             kimchi.requestJSON({
                 url : "vms/" + encodeURIComponent(vm) + "/connect",
                 type : "POST",
                 dataType : "json"
             }).done(function() {
-                url = 'https://' + location.hostname + ':' + proxy_port;
+                url = 'https://' + location.hostname + ':' + ssl_port;
                 url += "/console.html?url=" + encodeURIComponent("novnc/vnc_auto.html");
-                url += "&port=" + proxy_port;
+                url += "&port=" + ssl_port;
                 /*
                  * From python documentation base64.urlsafe_b64encode(s)
                  * substitutes - instead of + and _ instead of / in the
@@ -384,7 +384,7 @@ var kimchi = {
                  * contain = which is not safe in a URL query component.
                  * So remove it when needed as base64 can work well without it.
                  * */
-                url += "&path=?token=" + kimchi.urlSafeB64Encode(vm).replace(/=*$/g, "");
+                url += "&path=websockify?token=" + kimchi.urlSafeB64Encode(vm).replace(/=*$/g, "");
                 url += "&kimchi=" + location.port;
                 url += '&encrypt=1';
                 window.open(url);
@@ -400,14 +400,14 @@ var kimchi = {
             type : 'GET',
             dataType : 'json'
         }).done(function(data, textStatus, xhr) {
-            proxy_port = data['display_proxy_port'];
+            ssl_port = data['ssl_port'];
             kimchi.requestJSON({
                 url : "vms/" + encodeURIComponent(vm) + "/connect",
                 type : "POST",
                 dataType : "json"
             }).done(function(data, textStatus, xhr) {
-                url = 'https://' + location.hostname + ':' + proxy_port;
-                url += "/console.html?url=spice_auto.html&port=" + proxy_port;
+                url = 'https://' + location.hostname + ':' + ssl_port;
+                url += "/console.html?url=spice_auto.html&port=" + ssl_port;
                 url += "&listen=" + location.hostname;
                 /*
                  * From python documentation base64.urlsafe_b64encode(s)
diff --git a/ui/spice-html5/pages/spice_auto.html b/ui/spice-html5/pages/spice_auto.html
index 40afea4..6ef90b9 100644
--- a/ui/spice-html5/pages/spice_auto.html
+++ b/ui/spice-html5/pages/spice_auto.html
@@ -143,7 +143,7 @@
                  * to point Kimchi user to a specific console represented by
                  * token value.
                  */
-                uri = scheme + host + ":" + port + "/?token=" + token;
+                uri = scheme + host + ":" + port + "/websockify?token=" + token;
 
                 try
                 {
-- 
1.8.3.1

    