On 30/08/16 00:03, Mukul Agrawal via shifter-users wrote: > I am running several instances of XPRA servers each listening to certain > display number on a remote Ubuntu machine. > Each instance is binding to different TCP port in the range of 1000 to > 1050.When I connect using web-browser on my local laptop to the > same-IP-address:different-ports, I can see the graphics being streamed on > these different display numbers. > > Now, I dont really want to server any other webpages. I just want to see XPRA > traffic on web browser on the client side -- nothing else. In fact, I would > prefer to stop/filter any request to access for non-xpra traffic. Do you have > any reccomendation on how to best set it up? By default, the built-in webserver only serves the web content required for using the HTML5 client and nothing more.
Each TCP port you listen on will handle xpra's protocol, optionally wrapped in websockets when "--html=on". Removing TCP support and keeping websockets only would not be very useful in securing anything as the websockets are just a wrapper layer around TCP. > Also what is the best choice for me to make it as secure and as authenticated > as possible? Specifically, which option flags should I use while starting the > server? Difficult question to answer without knowing the specific use case and how you intend to send the authentication credentials to your clients. > Considering my application (i.e. only xpra-traffic and no other web > applications being served) , do you see any pro/cons of using a standard > web-server (such as apache) instead of the server that comes with > web-sockify. Either from security point of view or any other? OTOH. Pros: a lot more flexibility: * you can configure your apache server with many more modules (ie: redirect, authentication, etc) * the websocket modules for apache might be more efficient than websockify * you could completely hide xpra's sockets (TCP bind it to 127.0.0.1 only, or even use unix domain sockets - this may require netcat) - this way only HTTP authenticated users can end up sending traffic to the xpra server running behind apache * enable SSL for websockets (work in progress for the builtin websockify handler) Cons: * much harder to setup as this will require manual configuration for everything > Thanks, greatly appreciate any pointers or advice. Cheers Antoine > > Regards, > Mukul > ( https://sites.google.com/site/mukulagrawal ) > _______________________________________________ > shifter-users mailing list > [email protected] > http://lists.devloop.org.uk/mailman/listinfo/shifter-users > _______________________________________________ shifter-users mailing list [email protected] http://lists.devloop.org.uk/mailman/listinfo/shifter-users
