[SOLVED] Unable to VNC when going through Apache proxy

Community Support
1

Hello everyone, seems to be lots of info on this topic, but we are unable to use VNC when going through an Apache proxy. VNC works as expected if accessed directly from OpenNebula/Sunstone, and we are able to access and perform all other functions through the proxy, but when accessing VNC through proxy we get the " VNC Server disconnected (code: 1006)" so I assume it is related to websockets/ws_tunnel? Here are the details:

Ubuntu 16.04.3
OpenNebula 5.4 on single host (IP 192.168.1.71)
Apache 2.4.18 with wstunnel enabled (IP 192.168.1.90)
No firewalls between OpenNebula host and Apache host
ss -ntap |grep 29876
LISTEN 0 100 *:29876 :
SSL not used
sunstone-server.conf
:vnc_proxy_support_wss: no

Pretty sure this is where the issue is… just do not know how to resolve
apache config:
ProxyRequests off
RewriteEngine on
ProxyPreserveHost on
ProxyPass / http://192.168.1.71:9869/
ProxyPass / ws://192.168.1.71:9869/

apache log entry:
“POST /vm/11/startvnc HTTP/1.1” 200 568 “http://192.168.1.90/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0”

firefox console:
Firefox can’t establish a connection to the server at ws://192.168.1.90:29876/?token=blahblahblah - shouldn’t firefox try to connect to .71?

I am open to using nginx, and have tried briefly with basically the same result. I’m sure it is a ‘ws’ directive issue, just not sure what.

Thanks in advance.

2

Really could use some help, thoughts, suggestions, etc. I believe I have almost found the end of the internet looking for the solution…

Thanks in advance.

3

So i believe the issue appears to be related to this:

Firefox can’t establish a connection to the server at ws://192.168.1.90:29876/?token=blahblahblah

The .90 is the proxy, not the sunstone server. Any ideas/thoughts on why it is trying to access the proxy rather than sunstone?

4

I was able to resolve this using traefik as the proxy and configuring an additional entrypoing, frontend, and backend for port 29876. this proxied the traffic from the client machine to sunstone when it tried to access port 29876 on the proxy.

5

Can you post your apache configuration here please??

I have an apache using mod_proxy, i reverse in https the opennebula FE but when i try to open vm consoles under novnc or spice, nothing appear.

ATM the apache server configuration reverse proxying OpennebulaFE is:

<VirtualHost *:443>
ServerName localhost

ProxyPreserveHost Off

RewriteEngine on
RewriteRule ^(.*)+(nebula)$ %{REQUEST_URI}/ [R=301,L]

SSLEngine on
SSLCertificateFile /etc/pki/certs/xxxx.crt
SSLCertificateKeyFile /etc/pki/private/xxxxx.key
SSLCertificateChainFile /etc/pki/certs/xxxxxxxx.pem

<Location /nebula>
ProxyPass http://xx.xx.xx.xx:9869
ProxyPassReverse http://xx.xx.xx.xx:9869

Many thanks

Igor

6

Hi @mh_opennebula ,

I’m having the same issue setting up traefik v2 and sunstone/vnc.

Can you please share your traefik configuration?
I’ve tried different solutions but nothing worked.

Thanks
Jaime