Accessing VM Console from Outside Your Network for Linux-KVM
You can configure Nginx to serve as a reverse proxy server to facilitate access to the console of one or more virtual machines (VM) running on KVM-based hypervisors, without exposing the hypervisors to all cloud users. With the reverse proxy configuration, cloud users that do not have access to KVM-based hypervisors are able to access the console of the VMs running on such hypervisors.
The process broadly comprises the following steps.
- Identify the physical machine or the node that would act as the reverse proxy node.
- Create a DNS A record pointing to this host for host URL- to- IP address mapping. This is an optional step. This can be done if you do not wish to expose the host IP address.
- Install Nginx on the reverse proxy node.
- Edit the nginx.conf file to reverse proxy all the hostnames.
- Log in to each host and configure noVNC to point to the reverse proxy node.
Let us look at the installation and host configuration steps in detail.
Install Nginx
Run the following commands on the node identified to serve as the reverse proxy, to install the Nginx web server.
yum install -y nginxsystemctl enable nginxsystemctl start nginxGenerate Diffie Hellman(DH) parameters for Nginx
Run the following commands on the reverse proxy node, to generate DH parameters for the Nginx server for a secure encrypted communication.
openssl dhparam 2048 -out /etc/ssl/dhparam.pemEdit nginx.conf
Edit the nginx configuration file /etc/nginx/nginx.conf that is located on the reverse proxy node.
Add or modify the default server section in nginx.conf to force redirection to HTTPS.
server { listen 80 default_server; listen [::]:80 default_server; server_name _; # Add to force redirect to HTTPS return 301 https://$host$request_uri; add_header Strict-Transport-Security "max-age=86400";}Edit 01_Proxy.conf
For the purpose of this section, let us assume that we have five compute hosts and one glance host with the following host names and IP addresses.
- compute01 - 192.0.2.2
- compute02 - 192.0.2.3
- compute03 - 192.0.2.4
- compute04 - 192.0.2.5,
- compute05 - 192.0.2.6
- glance - 192.0.2.7
Platform9 4.X Proxy Config File
Edit the file /etc/nginx/conf.d/01_proxy.conf that is located on the reverse proxy node, to add the following information related to the hosts to access through the reverse proxy node, and information related to SSL communication.
map $http_upgrade $connection_upgrade { default upgrade; '' close;}upstream compute01 { server 192.0.2.2:6080;}upstream compute02 { server 192.0.2.3:6080;}upstream compute03 { server 192.0.2.4:6080;}upstream glance { server 192.0.2.5:9292;}server { client_max_body_size 214749m; server_name _; listen 443 default_server ssl; ssl on; ssl_certificate /etc/ssl/<certificate name>.pem; ssl_certificate_key /etc/ssl/<certificate name>.key; ssl_dhparam /etc/ssl/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCMSHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSAAES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSAAES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDHRSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_prefer_server_ciphers on; # Redirect /glance to /glance/ # Proxy to backend is handled in subsequent location location = /glance { return 301 $scheme://$host/glance/; } location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ { if ($arg_path ~ ^%3Ftoken%3D(.*)$) { # Add ?path=/websockify to query params if path contains vnc_auto.html set $arg_token $1; set $arg_path "$backend_host/websockify$arg_path"; set $args path=$arg_path&instance=$arg_instance; rewrite ^/.*/vnc_auto.html$ $scheme://$host/$backend_host/vnc_auto.html last; } # Handle upstream errors as 404 error_page 502 /404.html; proxy_pass http://$backend_host/$partialuri$is_args$args; proxy_http_version 1.1; proxy_buffering off; proxy_request_buffering off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Origin https://$backend_host/$partialuri; proxy_read_timeout 1800s; proxy_send_timeout 1800s; client_max_body_size 0; }}Platform9 3.x Proxy Config File
For Platform9 releases older than 4.0, the above mentioned /etc/nginx/conf.d/01_proxy.conf file needs to be slightly different. The only section that differs from 4.x Proxy Config is the 'if' condition block in the last location regex above.
location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ { if ($arg_path = '') { # Add ?path=/websockify to query params if path contains vnc_auto.html rewrite ^/.*/vnc_auto.html$ $scheme://$host/$backend_host/vnc_auto.html?path=$backend_host/websockify last; } ... same as above ... }Reload Nginx Configuration
Run the following command to reload Nginx configuration.
systemctl reload nginxConfigure noVNC on hosts
The noVNC client must be installed on each host machine. The cloud users can access the reverse proxy and access the VM consoles running on hypervisors that they might not, otherwise, have access to.
The noVNC on every host must be configured to point to the reverse proxy node.
domainSuffix='domain.example'hostName=`hostname -s`cat <<-EOF > /opt/pf9/etc/nova/conf.d/nova_override.conf [vnc] novncproxy_base_url = http://proxy.$domainSuffix/$hostName/vnc_auto.htmlEOFservice pf9-ostackhost restartsystemctl restart pf9-novncproxy</partialuri></backend_host></certificate></certificate>