[pve-devel] Allow accessing novnc console without being logged in

Henry Spanka henry at myvirtualserver.de
Tue Dec 29 16:36:44 CET 2015


Hey,
When using an API it's impossible to use the novnc console.
This patch introduces a new API endpoint
(https://proxmoxurl.com:8006/api2/json/websocket) where we can connect
without being logged in. Authentication is done by validating the vnc
ticket.

Tested on Proxmox VE 4.

>From 0ca59236a4cdcc6e7479b982e8baec1466ac809d Mon Sep 17 00:00:00 2001
From: Henry Spanka <henry at myvirtualserver.de>
Date: Mon, 2 Nov 2015 21:45:46 +0100
Subject: [PATCH 1/1] Allow accessing novnc console when not logged in

---
 /PVE/HTTPServer.pm | 59 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 927abc0..f23d9e4 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -1221,6 +1221,65 @@ sub unshift_read_header {
 		    }
 		    $self->handle_spice_proxy_request($reqstate,
$connect_str, $vmid, $node, $port);
 		    return;
+        } elsif ($path =~ /^\/api2\/json\/websocket$/) {
+            my $upgrade = $r->header('upgrade');
+            $upgrade = lc($upgrade) if $upgrade;
+
+            my $vncticket = extract_params($r, $method)->{vncticket};
+
+            my $vmid = extract_params($r, $method)->{vmid};
+
+            my $user = extract_params($r, $method)->{user};
+
+            my $authpath = "/vms/$vmid";
+
+            if (!$upgrade || ($upgrade ne 'websocket')) {
+                $self->error($reqstate, HTTP_INTERNAL_SERVER_ERROR, "unable
to upgrade to protocol '$upgrade'\n");
+                return;
+            }
+
+            my $wsver = $r->header('sec-websocket-version');
+            if (!$wsver || ($wsver ne '13')) {
+                $self->error($reqstate, HTTP_INTERNAL_SERVER_ERROR,
"unsupported websocket-version '$wsver'\n");
+                return;
+            }
+
+            my $wsproto_str = $r->header('sec-websocket-protocol');
+            if (!$wsproto_str) {
+                $self->error($reqstate, HTTP_INTERNAL_SERVER_ERROR,
"missing websocket-protocol header");
+                return;
+            }
+
+            my $wsproto;
+
+            foreach my $p (PVE::Tools::split_list($wsproto_str)) {
+                $wsproto = $p if !$wsproto && $p eq 'base64';
+                $wsproto = $p if $p eq 'binary';
+            }
+
+            if (!$wsproto) {
+                $self->error($reqstate, HTTP_INTERNAL_SERVER_ERROR,
"unsupported websocket-protocol protocol '$wsproto_str'\n");
+                return;
+            }
+
+            my $wskey = $r->header('sec-websocket-key');
+
+            if (!$wskey) {
+                $self->error($reqstate, HTTP_INTERNAL_SERVER_ERROR,
"missing websocket-key\n");
+                return;
+            }
+
+            # Note: Digest::SHA::sha1_base64 has wrong padding
+            my $wsaccept =
Digest::SHA::sha1_base64("${wskey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11") .
"=";
+
+            if(!PVE::AccessControl::verify_vnc_ticket($vncticket, $user,
$authpath, 1 )) {
+                $self->error($reqstate, HTTP_UNAUTHORIZED, "invalid
ticket");
+                return;
+            }
+            $self->websocket_proxy($reqstate, $wsaccept, $wsproto,
extract_params($r, $method));
+
+            return;
+
 		} elsif ($path =~ m!$baseuri!) {
 		    my $token = $r->header('CSRFPreventionToken');
 		    my $cookie = $r->header('Cookie');
-- 
2.1.4

----------------------------------------------------------------------------
-------------
If you have any further questions, please let us know.

Mit freundlichen Grüßen / With best regards 
Henry Spanka | myVirtualserver Development Team

-----Ursprüngliche Nachricht-----
Von: pve-devel [mailto:pve-devel-bounces at pve.proxmox.com] Im Auftrag von
pve-devel-request at pve.proxmox.com
Gesendet: 27 December 2015 12:00
An: pve-devel at pve.proxmox.com
Betreff: pve-devel Digest, Vol 67, Issue 43

Send pve-devel mailing list submissions to
	pve-devel at pve.proxmox.com

To subscribe or unsubscribe via the World Wide Web, visit
	http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
or, via email, send a message with subject or body 'help' to
	pve-devel-request at pve.proxmox.com

You can reach the person managing the list at
	pve-devel-owner at pve.proxmox.com

When replying, please edit your Subject line so it is more specific than
"Re: Contents of pve-devel digest..."


Today's Topics:

   1. vma_queue_write: write error - Broken pipe (Rick Wolthuis)


----------------------------------------------------------------------

Message: 1
Date: Sat, 26 Dec 2015 16:09:20 +0100
From: "Rick Wolthuis" <rick at rwolthuis.nl>
To: <pve-devel at pve.proxmox.com>
Subject: [pve-devel] vma_queue_write: write error - Broken pipe
Message-ID: <002501d13fef$65cca8a0$3165f9e0$@rwolthuis.nl>
Content-Type: text/plain; charset="us-ascii"

Somehow back upping is not working as is should (I think). Tried back upping
to a remote location resulting in three out of 5 with an error. Tried to
change backup location to the local disk (with enough space left), which
resulted in one or two failed out of 5.

[..]

100: Dec 25 03:13:01 INFO: status: 24% (25912344576/107374182400), sparse
18% (19691585536), duration 120, 2016/8 MB/s
100: Dec 25 03:13:18 INFO: status: 24% (26516389888/107374182400), sparse
18% (19692851200), duration 137, 35/35 MB/s
100: Dec 25 03:13:18 ERROR: vma_queue_write: write error - Broken pipe
100: Dec 25 03:13:18 INFO: aborting backup job
100: Dec 25 03:13:20 ERROR: Backup of VM 100 failed - vma_queue_write: write
error - Broken pipe

 

Is there anybody that can explain to me how I could fix this problem? I
prefer to backup to a remote location which is mounted to /mnt/remote with
WebDAV protocol. Remote location has more than enough storage space left
(~1TB free).



And of course, merry Christmas to everybody!

 

Thanks in advance!

 

Rick

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://pve.proxmox.com/pipermail/pve-devel/attachments/20151226/e136f415/at
tachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4801 bytes
Desc: not available
URL:
<http://pve.proxmox.com/pipermail/pve-devel/attachments/20151226/e136f415/at
tachment-0001.bin>

------------------------------

Subject: Digest Footer

_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


------------------------------

End of pve-devel Digest, Vol 67, Issue 43
*****************************************



More information about the pve-devel mailing list