On 30/08/16 21:44, Mukul Agrawal via shifter-users wrote:
> Thanks. Just one more clarification.
> Any chance, I can get end-to-end AES encryption in this setup (i.e. several Xpra servers and Xpra Proxy with several clients connected)?
> Meaning, can I have encryption from server1 to client1 and server2 to client2?
The encryption is from client to proxy only.

> Can multifile contain AES keys?
Not at present.
You can use different authentication credentials from proxy to server:
http://xpra.org/trac/ticket/1264#comment:3
With the current trunk version you may be able to use an SSL encryption
layer:
http://xpra.org/trac/ticket/1252#comment:3
by specifying an SSL display string of the form:
ssl:HOST:PORT
in your multifile.
(I have not tested this particular combination)

> Instead of passwords can proxy resolve the users based on AES keys?
No

Cheers
Antoine

> Regards,
> Mukul
> ( https://sites.google.com/site/mukulagrawal )
>
> On Tuesday, August 30, 2016 1:40 AM, Antoine Martin via shifter-users
> <[email protected]> wrote:
>
>
> On 30/08/16 14:04, Mukul Agrawal via shifter-users wrote:
>> I have a couple more questions.
>>
>>
>> I would like to modify your detailed example at :-
>> https://xpra.org/trac/wiki/ProxyServer
>>
>> 1. Can I use AES encryption with xpra proxy? (AES key transport is not an
>> issue for me.)
> Yes.
>
>> I am guessing I will still need to use multifile to figure which user has
>> access to which proxied session?
> Correct.
>
>> Something like following :-
>>
>> xpra proxy :100 --bind-tcp=0.0.0.0:443 --tcp-encryption=AES
>> --tcp-encryption-keyfile=key.txt --auth=multifile:filename=./xpra-auth
>> xpra attach tcp:$PROXYHOST:443 --tcp-encryption=AES
>> --tcp-encryption-keyfile=./key.txt
>> --username=myusername --password-file=./password.txt
>>
>> 2. In my case, several Xpra servers are running on the same machine with
>> different display numbers. Xpra proxy will also run on the same machine. I
>> do not like to open so many ports for xpra server instance to the external
>> world. Any alternative suggestion?
> SSH mode only requires the SSH port, but then you would also have to
> restrict the user accounts to only be able to execute the xpra command.
>
>> Can these servers be attached to unix domain sockets instead and can
>> still be proxied?
>> xpra start :10 --bind=socket1
>> xpra start :11 --bind=socket2
> The multifile can contain display information in the same format as the
> client connection string. ie:
> :DISPLAY
> ssh/username:password@host:SSHPORT/DISPLAY
> tcp/host:port/
> ssl/host:port/
>
> PS: not tested recently, but this re-uses the same code as the client.
>
> Cheers
> Antoine
>
>>
>> Regards,
>> Mukul ( https://sites.google.com/site/mukulagrawal )
>>
>> On Monday, August 29, 2016 10:06 AM, Mukul Agrawal via shifter-users
>> <[email protected]> wrote:
>>
>>
>> I am running several instances of XPRA servers each listening to certain
>> display number on a remote Ubuntu machine.
>> Each instance is binding to different TCP port in the range of 1000 to
>> 1050. When I connect using web-browser on my local laptop to the
>> same-IP-address:different-ports, I can see the graphics being streamed on
>> these different display numbers.
>>
>> Now, I don't really want to serve any other webpages. I just want to see
>> XPRA traffic on web browser on the client side -- nothing else. In fact, I
>> would prefer to stop/filter any request to access for non-xpra traffic. Do
>> you have any recommendation on how to best set it up?
>>
>> Also what is the best choice for me to make it as secure and as
>> authenticated as possible? Specifically, which option flags should I use
>> while starting the server?
>>
>> Considering my application (i.e. only xpra-traffic and no other web
>> applications being served), do you see any pro/cons of using a standard
>> web-server (such as apache) instead of the server that comes with
>> web-sockify. Either from security point of view or any other?
>>
>> Thanks, greatly appreciate any pointers or advice.
>>
>> Regards,
>> Mukul
>> ( https://sites.google.com/site/mukulagrawal )
>> _______________________________________________
>> shifter-users mailing list
>> [email protected]
>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
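
The thread states that encryption covers only the client-to-proxy leg, so the display strings placed in the multifile decide how the proxy-to-server leg is protected. The following is an added example, not part of the original messages and not Xpra's own code: a small audit of display strings in the forms quoted above. It assumes the strings have already been extracted from the multifile, treats loopback `tcp` targets as acceptable (an assumption of this example), and uses made-up hosts and credentials.

```python
import ipaddress
import re

# Forms quoted in the thread: :DISPLAY, ssh/user:password@host:SSHPORT/DISPLAY,
# tcp/host:port/, ssl/host:port/ and ssl:HOST:PORT. Nothing else is parsed.
_REMOTE = re.compile(r"^(?P<scheme>ssh|tcp|ssl)[/:](?P<rest>.+)$")


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname that cannot be checked offline: treat as remote


def classify(display):
    """Return (scheme, host, findings) for one proxy-to-server display string."""
    display = display.strip()
    if re.fullmatch(r":\d+", display):
        return ("local", None, [])  # local display, never leaves the machine
    m = _REMOTE.match(display)
    if not m:
        raise ValueError("unrecognised display string: %r" % display)
    scheme, rest = m.group("scheme"), m.group("rest").rstrip("/")
    findings = []
    creds, _, hostpart = rest.rpartition("@")
    if scheme == "ssh" and ":" in creds:
        findings.append("password stored in display string")
    host = re.split(r"[:/]", hostpart, maxsplit=1)[0]
    if scheme == "tcp" and not _is_loopback(host):
        # Assumption of this example: loopback tcp is tolerated, remote is not.
        findings.append("tcp hop outside client-to-proxy encryption")
    return (scheme, host, findings)


def audit(displays):
    """Map each display string that has findings to its list of findings."""
    return {d: f for d in displays for f in [classify(d)[2]] if f}


# Constructed sample entries (hosts and credentials are made up).
SAMPLE = [":10", "tcp/127.0.0.1:1001/", "tcp/10.0.0.5:1002/",
          "ssl:10.0.0.5:1003", "ssh/alice:s3cret@10.0.0.6:22/11"]

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE).items():
        print(entry, "->", "; ".join(findings))
```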
