[pve-devel] idea for implementation of a spice http connect proxy, with pve authentification

Dietmar Maurer dietmar at proxmox.com
Wed Jun 19 07:45:47 CEST 2013


> But the good news is that I have successfully made a nodejs proxy,
> reimplementing verify_vnc_method (with rsa verify, ticket age verification, ...).
> 
> 
> it's working like this:
> 
> - call PVE::Qemu::spiceproxy api
>        -generate a socat tunnel (randomunixsocket -> qemu spice socket)
>        -return a spice_assemble_ticket
> 
> 
> ticket
> -------
> [virt-viewer]
> type=spice
> proxy=proxy:3128
> host=base32(vnc_assemble_ticket)      #base32 needed because spice client lowercases the string
> port=randomunixsocket
> 
> 
> 
> client----->proxy:3128---->randomunixsocket--->socat (ssh for remote)--->qemu spice.socket.
> 
> 
> So only 1 port is needed outside, and we have the socat for more security.
> 
> Things to do:
>  - add support for spice tls for unix socket. (need to hack spicelib server side)
>  - find a way to add a connect timeout to socat. (If the client doesn't connect, the
> socat tunnel is running indefinitely)
>  - implement the proxy in perl. (But maybe you are better than me for this ;)
> 
> 
> I'll try to send patches by the end of the week.

Great - I am already curious ;-)

I can implement the proxy in perl if you want - that is no problem.
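
The CONNECT-time check described in the quoted message (base32 host, RSA verify, ticket age), as an added example that is not code from this thread or from Proxmox. The ticket layout, the SHA-256 digest, the 30 second age limit and the function names are assumptions made for illustration.

```javascript
// Added example: ticket layout, digest, age limit and names are assumptions.
const crypto = require('crypto');
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648 alphabet

function base32Encode(buf) {
  let bits = 0, value = 0, out = '';
  for (const byte of buf) {
    value = (value << 8) | byte; bits += 8;
    while (bits >= 5) { bits -= 5; out += B32[(value >>> bits) & 31]; }
    value &= (1 << bits) - 1;           // keep only the unconsumed bits
  }
  return bits ? out + B32[(value << (5 - bits)) & 31] : out;
}

function base32Decode(str) {
  let bits = 0, value = 0; const out = [];
  for (const ch of str.toUpperCase()) { // case-insensitive: survives client lowercasing
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character');
    value = (value << 5) | idx; bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 255); value &= (1 << bits) - 1; }
  }
  return Buffer.from(out);
}

// Assumed layout: "PVEVNC:<hex unix time>::<base64 RSA signature over the prefix>"
function assembleTicket(privateKey, nowSec) {
  const plain = 'PVEVNC:' + nowSec.toString(16).toUpperCase().padStart(8, '0');
  return plain + '::' + crypto.sign('sha256', Buffer.from(plain), privateKey).toString('base64');
}

function verifyConnect(requestLine, publicKey, nowSec, maxAgeSec = 30) {
  const m = /^CONNECT ([^:\s]+):(\S+) HTTP\/1\.[01]$/.exec(requestLine);
  if (!m) return { ok: false, reason: 'not a CONNECT request' };
  let ticket;
  try { ticket = base32Decode(m[1]).toString('latin1'); }
  catch (e) { return { ok: false, reason: 'host is not base32' }; }
  const t = /^(PVEVNC:([0-9A-F]{8}))::([A-Za-z0-9+\/=]+)$/.exec(ticket);
  if (!t) return { ok: false, reason: 'malformed ticket' };
  const sigOk = crypto.verify('sha256', Buffer.from(t[1]), publicKey, Buffer.from(t[3], 'base64'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  const age = nowSec - parseInt(t[2], 16);
  if (age < 0 || age > maxAgeSec) return { ok: false, reason: 'ticket expired' };
  return { ok: true, socket: m[2] };    // only now would the proxy open the unix socket
}
```

A base64 ticket placed directly in the host field would be corrupted by the client's lowercasing, which is why the host carries the base32 form; the proxy rejects the request before touching the tunnel socket if the signature or age check fails.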

