[one-users] SSL proxy
Hi all,

I've installed an nginx proxy for SSL offloading in front of Sunstone. All works fine, except for opening a console. When clicking VNC, a small icon appears in my Chrome URL bar telling me I'm trying to load unsafe scripts. Javascript console tells me:

[blocked] The page at 'https://theonepoc.cloud.nl/' was loaded over HTTPS, but ran insecure content from 'ws://localhost:17523/': this content should also be loaded over HTTPS.

When I tick the VNC Secure websockets option in my user profile, I don't get that message, but the VNC layer displays VNC Server disconnected (code: 1006) immediately.

Is there something wrong with my setup? Or did I miss something?

--
Met vriendelijke groeten / With kind regards,
Johan Kooijman

___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
Re: [one-users] SSL proxy
As a follow up: the connection can be made, telnet works. Firefox tells me:

GET https://theonepoc.cloud.nl:29876/ [HTTP/1.0 403 Forbidden 35ms]
New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering util.js:110
New state 'connect', was 'loaded'. util.js:110
Skipping unsupported WebSocket binary sub-protocol util.js:111
Firefox can't establish a connection to the server at wss://theonepoc.cloud.nl:29876/?token=xbw7pps1nuzhxz5b9nds. websock.js:333
WebSocket on-error event util.js:110
WebSocket on-close event util.js:110
New state 'failed', was 'connect'. Msg: Server disconnected (code: 1006) util.js:111
New state 'disconnected', was 'failed'. util.js:110
New state 'disconnect', was 'failed'. Msg: Disconnecting util.js:110
New state 'failed', was 'disconnect'. Msg: Disconnect timeout util.js:111
New state 'disconnected', was 'failed'.

On Fri, Aug 22, 2014 at 11:13 PM, Johan Kooijman m...@johankooijman.com wrote:

> Hi all,
>
> I've installed an nginx proxy for SSL offloading in front of Sunstone. All works fine, except for opening a console. When clicking VNC, a small icon appears in my Chrome URL bar telling me I'm trying to load unsafe scripts. Javascript console tells me:
>
> [blocked] The page at 'https://theonepoc.cloud.nl/' was loaded over HTTPS, but ran insecure content from 'ws://localhost:17523/': this content should also be loaded over HTTPS.
>
> When I tick the VNC Secure websockets option in my user profile, I don't get that message, but the VNC layer displays VNC Server disconnected (code: 1006) immediately.
>
> Is there something wrong with my setup? Or did I miss something?

--
Met vriendelijke groeten / With kind regards,
Johan Kooijman
Re: [one-users] SSL proxy
Johan Kooijman m...@johankooijman.com writes:

> As a follow up: the connection can be made, telnet works. Firefox tells me:
>
> GET https://theonepoc.cloud.nl:29876/ [HTTP/1.0 403 Forbidden 35ms]
> New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering util.js:110
> New state 'connect', was 'loaded'. util.js:110
> Skipping unsupported WebSocket binary sub-protocol util.js:111
> Firefox can't establish a connection to the server at wss://theonepoc.cloud.nl:29876/?token=xbw7pps1nuzhxz5b9nds. websock.js:333

As far as I understand, theonepoc.cloud.nl:29876 is not managed by nginx but by the python-websocket; nginx just serves the javascript code which opens the WSS connection.

Maybe with nginx support[1] you can reverse proxy the WebSocket:

1) make python-websocket listen on 127.0.0.1 only
2) configure nginx to listen on theonepoc.cloud.nl:29876 with SSL and proxy_pass it to python-websocket on 127.0.0.1

I did not test it, but a simpler approach could be to configure wss in /etc/one/sunstone-server.conf to use the same certificate and key as nginx?

Regards.

Footnotes:
[1] http://nginx.org/en/docs/http/websocket.html

--
Daniel Dehennin
Retrieve my GPG key: gpg --recv-keys 0xCC1E9E5B7A6FE2DF
Fingerprint: 3E69 014E 5C23 50E8 9ED6 2AAD CC1E 9E5B 7A6F E2DF
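The two steps listed in the reply above, written out as an nginx configuration. This is an added example, not configuration from the thread or from OpenNebula; it assumes the websocket proxy has already been rebound to 127.0.0.1:29876 and speaks plain ws:// there, and the public IP address and certificate paths are placeholders.

```nginx
# Added example. Both blocks go inside the http {} context.
# Assumptions: backend websocket proxy on 127.0.0.1:29876 without TLS;
# 203.0.113.10 and the certificate paths are placeholders.

# Send "Connection: upgrade" upstream only when the client asked to upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Bind the public address explicitly: a wildcard listen on 29876 would
    # collide with the backend that already holds 127.0.0.1:29876.
    listen 203.0.113.10:29876 ssl;
    server_name theonepoc.cloud.nl;

    # Same certificate and key as the Sunstone HTTPS vhost, so the wss://
    # connection opened by the page is trusted like the page itself.
    ssl_certificate     /etc/nginx/ssl/sunstone.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/sunstone.key;   # placeholder path

    location / {
        # No URI part on proxy_pass, so the original request line is passed
        # through unchanged, including the ?token=... query string.
        proxy_pass http://127.0.0.1:29876;

        # The WebSocket handshake needs HTTP/1.1, and the hop-by-hop
        # Upgrade/Connection headers must be forwarded explicitly.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # Consoles sit idle for long periods; the default 60s read timeout
        # would close them.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

With TLS terminated here, the browser still has to connect with wss://, so the Secure websockets option in the user profile stays ticked.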
Re: [one-users] ssl proxy endpoint
Hi Sebastien,

There is a ticket regarding this issue [1]. As Ulrich points out that patch should fix the problem. This functionality will be implemented as soon as possible for the econe service, so you can define this kind of parameters inside the econe.conf file.

Cheers

[1] http://dev.opennebula.org/issues/925

On 5 December 2011 22:14, Ulrich Schwickerath ulrich.schwicker...@cern.ch wrote:

> Hi, Sebastien,
>
> can you try if this patch helps ?
>
> --- checkout_orig/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-10 11:01:14.0 +0200 +++ checkout_patched/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-14 13:43:53.0 +0200 @@ -71,7 +71,7 @@ econe_port = @config[:port] - params.merge!({:econe_host = econe_host, :econe_port = econe_port}) + params.merge!({:econe_host = econe_host, :econe_port = 8443}) super(env, params) end
>
> It's more a hack than a patch but worked in our case.
>
> Cheers,
> Ulrich
>
> On 12/05/2011 09:52 PM, sebastien goasguen wrote:
>
> > Hi,
> >
> > in One 3.0 it seems the econe configuration has changed a bit, reading:
> > http://www.opennebula.org/documentation:rel3.0:ec2qcg
> >
> > There does not seem to be a ssl_server_port variable ? Does it default to 8443 ?
> >
> > In that case what endpoint should we use: fqdn or fqdn:port
> >
> > I have one client in perl (using the ec2 perl module) that works in one case (port not specified in econe.conf, but specified in endpoint in client configuration) and a boto client that works in the other (port needs to be specified in econe.conf and specified in client configuration)
> >
> > I am running amazon-ec2 gem 0.9.17
> >
> > thanks
> >
> > -sebastien

--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
Re: [one-users] ssl proxy endpoint
Yes that worked.

thanks

-sebastien

On Tue, Dec 13, 2011 at 8:59 AM, Daniel Molina dmol...@opennebula.org wrote:

> Hi Sebastien,
>
> There is a ticket regarding this issue [1]. As Ulrich points out that patch should fix the problem. This functionality will be implemented as soon as possible for the econe service, so you can define this kind of parameters inside the econe.conf file.
>
> Cheers
>
> [1] http://dev.opennebula.org/issues/925
>
> On 5 December 2011 22:14, Ulrich Schwickerath ulrich.schwicker...@cern.ch wrote:
>
> > Hi, Sebastien,
> >
> > can you try if this patch helps ?
> >
> > --- checkout_orig/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-10 11:01:14.0 +0200 +++ checkout_patched/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-14 13:43:53.0 +0200 
> > @@ -71,7 +71,7 @@ econe_port = @config[:port] - params.merge!({:econe_host = econe_host, :econe_port = econe_port}) + params.merge!({:econe_host = econe_host, :econe_port = 8443}) super(env, params) end
> >
> > It's more a hack than a patch but worked in our case.
> >
> > Cheers,
> > Ulrich
> >
> > On 12/05/2011 09:52 PM, sebastien goasguen wrote:
> >
> > > Hi,
> > >
> > > in One 3.0 it seems the econe configuration has changed a bit, reading:
> > > http://www.opennebula.org/documentation:rel3.0:ec2qcg
> > >
> > > There does not seem to be a ssl_server_port variable ? Does it default to 8443 ?
> > >
> > > In that case what endpoint should we use: fqdn or fqdn:port
> > >
> > > I have one client in perl (using the ec2 perl module) that works in one case (port not specified in econe.conf, but specified in endpoint in client configuration) and a boto client that works in the other (port needs to be specified in econe.conf and specified in client configuration)
> > >
> > > I am running amazon-ec2 gem 0.9.17
> > >
> > > thanks
> > >
> > > -sebastien

--
Sebastien Goasguen, Associate Professor
School of Computing
Clemson University
864-553-4734. Google Voice: (864)-869-8683
http://sites.google.com/site/runseb/
[one-users] ssl proxy endpoint
Hi,

in One 3.0 it seems the econe configuration has changed a bit, reading:
http://www.opennebula.org/documentation:rel3.0:ec2qcg

There does not seem to be a ssl_server_port variable ? Does it default to 8443 ?

In that case what endpoint should we use: fqdn or fqdn:port

I have one client in perl (using the ec2 perl module) that works in one case (port not specified in econe.conf, but specified in endpoint in client configuration) and a boto client that works in the other (port needs to be specified in econe.conf and specified in client configuration)

I am running amazon-ec2 gem 0.9.17

thanks

-sebastien

--
Sebastien Goasguen, Associate Professor
School of Computing
Clemson University
864-553-4734. Google Voice: (864)-869-8683
http://sites.google.com/site/runseb/
Re: [one-users] ssl proxy endpoint
Hi, Sebastien,

can you try if this patch helps ?

--- checkout_orig/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-10 11:01:14.0 +0200 +++ checkout_patched/src/cloud/ec2/lib/EC2QueryServer.rb 2011-10-14 13:43:53.0 +0200 @@ -71,7 +71,7 @@ econe_port = @config[:port] -params.merge!({:econe_host = econe_host, :econe_port = econe_port}) +params.merge!({:econe_host = econe_host, :econe_port = 8443}) super(env, params) end

It's more a hack than a patch but worked in our case.

Cheers,
Ulrich

On 12/05/2011 09:52 PM, sebastien goasguen wrote:

> Hi,
>
> in One 3.0 it seems the econe configuration has changed a bit, reading:
> http://www.opennebula.org/documentation:rel3.0:ec2qcg
>
> There does not seem to be a ssl_server_port variable ? Does it default to 8443 ?
>
> In that case what endpoint should we use: fqdn or fqdn:port
>
> I have one client in perl (using the ec2 perl module) that works in one case (port not specified in econe.conf, but specified in endpoint in client configuration) and a boto client that works in the other (port needs to be specified in econe.conf and specified in client configuration)
>
> I am running amazon-ec2 gem 0.9.17
>
> thanks
>
> -sebastien
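Review bot: the `+` line in the EC2QueryServer.rb hunk hard-codes `:econe_port = 8443`, which leaves the `econe_port = @config[:port]` assignment in the context line above it unused and pins every installation to that one port, including those with no SSL proxy in front. Read the externally visible port from its own configuration setting instead (the setting's name is for the maintainers to choose) and fall back to `@config[:port]` when it is not set, so that the port handed to `super(env, params)` matches the endpoint clients actually connect to without editing the source per site.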