
From: Mark Wu <wudxw@linux.vnet.ibm.com> The current vm ui console connection is unencrypted. This patch enables encrypted vm console connection. But browsers doesn't support well for the usage self-signed certs in the ssl websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections For chrome browser, the encrypted console connection should work after you login with ssl connection. But for firefox, you have to connect to https://host-ip:64667/ and accept the self-signed cert. Signed-off-by: Mark Wu <wudxw@linux.vnet.ibm.com> --- src/kimchi/vnc.py | 10 ++++++++-- ui/js/src/kimchi.api.js | 2 ++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..3251f06 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess -from kimchi.config import config +from kimchi.config import config, paths WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' @@ -36,9 +36,15 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass + cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key] p = subprocess.Popen(args, close_fds=True) return p diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..9431624 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -332,6 +332,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/vnc_auto.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + url += '&encrypt=1'; window.open(url); }); }).error(function() { 
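Review bot: The proxy in the `@@ -36,9 +36,15 @@` hunk is started with `--cert` and `--key` but without websockify's `--ssl-only`, so as far as I can tell the same port still accepts unencrypted `ws://` connections and a client that omits `encrypt=1` is served in the clear. If the intent is that consoles are always encrypted, end the argument list with `'--cert', cert, '--key', key, '--ssl-only']`, after confirming the bundled websockify.py supports that option. Separately, `if not (cert and key)` replaces both values when only one of `ssl_cert`/`ssl_key` is configured, silently discarding the administrator's setting. Nothing checks that the chosen files exist and are readable before `Popen`, so a missing certificate would only surface as failed console connections; an `os.path.isfile` check with a logged error would make that visible. `new_ws_proxy` begins above this hunk, so the earlier part of the function is not reviewed here.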
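Review bot: The console page is still opened over `http://` in the context line just above the added `url += '&encrypt=1';`, so the HTML and scripts that set up the encrypted websocket travel unprotected, along with the `token` in the query string. Anyone on the path could read the token or alter the page before it connects. If this branch can be reached from a plain-HTTP session, consider building the URL from the HTTPS port, or appending the flag only when `location.protocol === 'https:'`. The enclosing callback starts outside the hunk, so I cannot tell whether an HTTPS branch already exists. The same point applies to the spice hunk at `@@ -355,6 +356,7 @@`.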
@@ -355,6 +356,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + url += '&encrypt=1'; window.open(url); }); }).error(function() { -- 1.7.10.4