[pve-devel] idea for implementation of a spice http connect proxy, with pve authentication
Dietmar Maurer
dietmar at proxmox.com
Wed Jun 19 07:45:47 CEST 2013
> But the good news is that I have successfully made a nodejs proxy,
> reimplementing verify_vnc_method (with rsa verify,ticket age verification,...).
>
>
> it's working like this:
>
> - call PVE::Qemu::spiceproxy api
> - generate a socat tunnel (randomunixsocket -> qemu spice socket)
> - return a spice_assemble_ticket
>
>
> ticket
> -------
> [virt-viewer]
> type=spice
> proxy=proxy:3128
> host=base32(vnc_assemble_ticket) #base32 needed because spice client lowercases the string
> port=randomunixsocket
>
>
>
> client----->proxy:3128---->randomunixsocket--->socat (ssh for remote)--->qemu spice.socket.
>
>
> So only 1 port is needed outside, and we have the socat for more security.
>
> Things to do:
> - add support for spice tls for unix socket. (need to hack spicelib server side)
> - find a way to add a connect timeout to socat. (If the client doesn't connect, the
> socat tunnel is running indefinitely)
> - implement the proxy in perl. (But maybe you are better than me at this ;)
>
>
> I'll try to send patches by the end of the week.
Great - I am already curious ;-)
I can implement the proxy in perl if you want - that is no problem.
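
The proxy-side check described in the quoted message (base32-encoded ticket in `host`, RSA verify, ticket age verification), as an added example that is not part of the original mails or of PVE's code. The ticket layout, the function names, the 40-second window and binding the signature to the `port` value are assumptions.

```javascript
// Added example, not PVE code: ticket layout, names and the 40 s window are assumptions.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // RFC 4648 alphabet, no padding

function base32Encode(buf) {
  let bits = "";
  for (const byte of buf) bits += byte.toString(2).padStart(8, "0");
  bits += "0".repeat((5 - (bits.length % 5)) % 5); // fill the last 5-bit group
  return (bits.match(/.{5}/g) || []).map((b) => B32[parseInt(b, 2)]).join("");
}

function base32Decode(text) {
  let bits = "";
  for (const ch of text.toUpperCase()) { // decoding ignores case by design
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error("invalid base32 character");
    bits += v.toString(2).padStart(5, "0");
  }
  const whole = bits.slice(0, bits.length - (bits.length % 8)); // drop fill bits
  return Buffer.from((whole.match(/.{8}/g) || []).map((b) => parseInt(b, 2)));
}

// Hypothetical ticket: "<hex unix time>::<base64 RSA-SHA256 signature>", signed
// over "<hex time>:<port>" so it is only valid for one tunnel socket.
function makeTicket(privateKey, port, nowSec) {
  const ts = nowSec.toString(16).toUpperCase();
  const sig = nodeCrypto.sign("sha256", Buffer.from(`${ts}:${port}`), privateKey);
  return `${ts}::${sig.toString("base64")}`;
}

function verifyTicket(publicKey, ticket, port, nowSec, maxAgeSec = 40) {
  const m = /^([0-9A-F]{1,12})::([A-Za-z0-9+/]+=*)$/.exec(ticket);
  if (!m) return false;
  const age = nowSec - parseInt(m[1], 16);
  if (age < 0 || age > maxAgeSec) return false; // stale, or dated in the future
  const sig = Buffer.from(m[2], "base64");
  return nodeCrypto.verify("sha256", Buffer.from(`${m[1]}:${port}`), publicKey, sig);
}

// Proxy side: authorize "CONNECT <host>:<port>" where host is base32(ticket),
// possibly lowercased by the client.
function checkConnect(publicKey, host, port, nowSec) {
  try {
    const ticket = base32Decode(host).toString("latin1");
    return verifyTicket(publicKey, ticket, port, nowSec);
  } catch { return false; }
}
```

A base64 signature lowercased in transit no longer verifies, while the base32 form decodes to the same bytes in either case, which is why the ticket is wrapped before it goes into `host=`.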