Accessing VM Console from Outside Your Network for KVM-based hypervisor

You can configure Nginx to serve as a reverse proxy server to facilitate access to the console of one or more virtual machines (VM) running on KVM-based hypervisors, without exposing the hypervisors to all cloud users. With the reverse proxy configuration, cloud users that do not have access to KVM-based hypervisors are able to access the console of the VMs running on such hypervisors.

The process broadly comprises the following steps.

  1. Identify the physical machine or the node that would act as the reverse proxy node.
  2. Create a DNS A record pointing to this host for host URL- to- IP address mapping. This is an optional step. This can be done if you do not wish to expose the host IP address.
  3. Install Nginx on the reverse proxy node.
  4. Edit the nginx.conf file to reverse proxy all the hostnames.
  5. Log in to each host and configure noVNC to point to the reverse proxy node.

Let us look at the installation and host configuration steps in detail.

Install Nginx

Run the following commands on the node identified to serve as the reverse proxy, to install the Nginx web server.

yum install -y nginx
systemctl enable nginx
systemctl start nginx

Generate Diffie Hellman(DH) parameters for Nginx

Run the following commands on the reverse proxy node, to generate DH parameters for the Nginx server for a secure encrypted communication.

openssl dhparam 2048 -out /etc/ssl/dhparam.pem

Edit nginx.conf

Edit the nginx configuration file /etc/nginx/nginx.conf that is located on the reverse proxy node.

Add or modify the default server section in nginx.conf to force redirection to HTTPS.

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name  _;

  # Add to force redirect to HTTPS
  return 301 https://$host$request_uri;
  add_header Strict-Transport-Security "max-age=86400";
}

Edit 01_Proxy.conf

For the purpose of this section, let us assume that we have five compute hosts and one glance host with the following host names and IP addresses.

  • compute01 – 192.0.2.2
  • compute02 – 192.0.2.3
  • compute03 – 192.0.2.4
  • compute04 – 192.0.2.5,
  • compute05 – 192.0.2.6
  • glance – 192.0.2.7

Edit the file /etc/nginx/conf.d/01_proxy.conf that is located on the reverse proxy node, to add the following information related to the hosts to access through the reverse proxy node , and information related to SSL communication.

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}
upstream compute01 {
  server 192.0.2.2:6080;
}
upstream compute02 {
  server 192.0.2.3:6080;
}
upstream compute03 {
  server 192.0.2.4:6080;
}
upstream glance {
  server 192.0.2.5:9292;
}

server {
  client_max_body_size 214749m;
  server_name _;
  listen 443 default_server ssl;
  ssl on;
  ssl_certificate /etc/ssl/<certificate name>.pem;
  ssl_certificate_key /etc/ssl/<certificate name>.key;
  ssl_dhparam /etc/ssl/dhparam.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCMSHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSAAES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSAAES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDHRSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  # Redirect /glance to /glance/
  # Proxy to backend is handled in subsequent location
  location = /glance {
    return 301 $scheme://$host/glance/;
  }

  location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ {
    if ($arg_path = '') {
      # Add ?path=/websockify to query params if path contains vnc_auto.html
      rewrite ^/.*/vnc_auto.html$       $scheme://$host/$backend_host/vnc_auto.html?
      path=$backend_host/websockify last;
    }

    # Handle upstream errors as 404
    error_page 502 /404.html;
    proxy_pass http://$backend_host/$partialuri;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Origin http://$backend_host/$partialuri;
    proxy_read_timeout 1800s;
    proxy_send_timeout 1800s;
    client_max_body_size 0;
  }
}

Reload Nginx Configuration

Run the following command to reload Nginx configuration.

systemctl reload nginx

Configure noVNC on hosts

The noVNC client must be installed on each host machine. The cloud users can access the reverse proxy and access the VM consoles running on hypervisors that they might not ,otherwise, have access to.

The noVNC on every host must be configured to point to the reverse proxy node.

domainSuffix='domain.example'
hostName=`hostname -s`

cat <<-EOF > /opt/pf9/etc/nova/conf.d/nova_override.conf
  [DEFAULT] novncproxy_base_url = http://proxy.$domainSuffix/$hostName/vnc_auto.html
EOF

service pf9-ostackhost restart
service pf9-novncproxy restart

The browser you are using is outdated. For the best experience please download or update your browser to one of the following: