Accessing Vms Access Vm Kvm

You can configure Nginx to serve as a reverse proxy server to facilitate access to the console of one or more virtual machines (VM) running on KVM-based hypervisors, without exposing the hypervisors to all cloud users. With the reverse proxy configuration, cloud users that do not have access to KVM-based hypervisors are able to access the console of the VMs running on such hypervisors.

The process broadly comprises the following steps.

Identify the physical machine or the node that would act as the reverse proxy node.
Create a DNS A record pointing to this host for host URL- to- IP address mapping. This is an optional step. This can be done if you do not wish to expose the host IP address.
Install Nginx on the reverse proxy node.
Edit the nginx.conf file to reverse proxy all the hostnames.
Log in to each host and configure noVNC to point to the reverse proxy node.

Let us look at the installation and host configuration steps in detail.

Install Nginx

Run the following commands on the node identified to serve as the reverse proxy, to install the Nginx web server.

yum install -y nginx
systemctl enable nginx
systemctl start nginx

Generate Diffie Hellman(DH) parameters for Nginx

Run the following commands on the reverse proxy node, to generate DH parameters for the Nginx server for a secure encrypted communication.

openssl dhparam 2048 -out /etc/ssl/dhparam.pem

Edit nginx.conf

Edit the nginx configuration file /etc/nginx/nginx.conf that is located on the reverse proxy node.

Add or modify the default server section in nginx.conf to force redirection to HTTPS.

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name  _;
  # Add to force redirect to HTTPS
  return 301 https://$host$request_uri;
  add_header Strict-Transport-Security "max-age=86400";
}

Edit 01_Proxy.conf

For the purpose of this section, let us assume that we have five compute hosts and one glance host with the following host names and IP addresses.

compute01 - 192.0.2.2
compute02 - 192.0.2.3
compute03 - 192.0.2.4
compute04 - 192.0.2.5,
compute05 - 192.0.2.6
glance - 192.0.2.7

Platform9 4.X Proxy Config File

Edit the file /etc/nginx/conf.d/01_proxy.conf that is located on the reverse proxy node, to add the following information related to the hosts to access through the reverse proxy node, and information related to SSL communication.

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}
upstream compute01 {
  server 192.0.2.2:6080;
}
upstream compute02 {
  server 192.0.2.3:6080;
}
upstream compute03 {
  server 192.0.2.4:6080;
}
upstream glance {
  server 192.0.2.5:9292;
}
server {
  client_max_body_size 214749m;
  server_name _;
  listen 443 default_server ssl;
  ssl on;
  ssl_certificate /etc/ssl/<certificate name>.pem;
  ssl_certificate_key /etc/ssl/<certificate name>.key;
  ssl_dhparam /etc/ssl/dhparam.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCMSHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSAAES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSAAES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDHRSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;
  # Redirect /glance to /glance/
  # Proxy to backend is handled in subsequent location
  location = /glance {
    return 301 $scheme://$host/glance/;
  }
  location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ {
    if ($arg_path ~ ^%3Ftoken%3D(.*)$) {
      # Add ?path=/websockify to query params if path contains vnc_auto.html
      set $arg_token $1;
      set $arg_path "$backend_host/websockify$arg_path";
      set $args path=$arg_path&instance=$arg_instance;
      rewrite ^/.*/vnc_auto.html$ $scheme://$host/$backend_host/vnc_auto.html last;
    }
    # Handle upstream errors as 404
    error_page 502 /404.html;
    proxy_pass http://$backend_host/$partialuri$is_args$args;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Origin https://$backend_host/$partialuri;
    proxy_read_timeout 1800s;
    proxy_send_timeout 1800s;
    client_max_body_size 0;
  }
}

Platform9 3.x Proxy Config File

For Platform9 releases older than 4.0, the above mentioned /etc/nginx/conf.d/01_proxy.conf file needs to be slightly different. The only section that differs from 4.x Proxy Config is the 'if' condition block in the last location regex above.

location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ {
    if ($arg_path = '') {
      # Add ?path=/websockify to query params if path contains vnc_auto.html
      rewrite ^/.*/vnc_auto.html$ $scheme://$host/$backend_host/vnc_auto.html?path=$backend_host/websockify last;
    }
    ... same as above ...
  }

Reload Nginx Configuration

Run the following command to reload Nginx configuration.

systemctl reload nginx

Configure noVNC on hosts

The noVNC client must be installed on each host machine. The cloud users can access the reverse proxy and access the VM consoles running on hypervisors that they might not, otherwise, have access to.

The noVNC on every host must be configured to point to the reverse proxy node.

domainSuffix='domain.example'
hostName=`hostname -s`
cat <<-EOF > /opt/pf9/etc/nova/conf.d/nova_override.conf
  [vnc] novncproxy_base_url = http://proxy.$domainSuffix/$hostName/vnc_auto.html
EOF
service pf9-ostackhost restart
systemctl restart pf9-novncproxy

</partialuri></backend_host></certificate></certificate>

PreviousIntroduction Benefits Of Pmo NextAccessing Vms Access Vm Vmware

Last updated 5 days ago

Was this helpful?

map $http_upgrade $connection_upgrade { default upgrade; '' close; } upstream compute01 { server 192.0.2.2:6080; } upstream compute02 { server 192.0.2.3:6080; } upstream compute03 { server 192.0.2.4:6080; } upstream glance { server 192.0.2.5:9292; } server { client_max_body_size 214749m; server_name _; listen 443 default_server ssl; ssl on; ssl_certificate /etc/ssl/<certificate name>.pem; ssl_certificate_key /etc/ssl/<certificate name>.key; ssl_dhparam /etc/ssl/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCMSHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSAAES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSAAES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDHRSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_prefer_server_ciphers on; # Redirect /glance to /glance/ # Proxy to backend is handled in subsequent location location = /glance { return 301 $scheme://$host/glance/; } location ~* ^/(?<backend_host>.*)/(?P<partialuri>.*)$ { if ($arg_path ~ ^%3Ftoken%3D(.*)$) { # Add ?path=/websockify to query params if path contains vnc_auto.html set $arg_token $1; set $arg_path "$backend_host/websockify$arg_path"; set $args path=$arg_path&instance=$arg_instance; rewrite ^/.*/vnc_auto.html$ $scheme://$host/$backend_host/vnc_auto.html last; } # Handle upstream errors as 404 error_page 502 /404.html; proxy_pass http://$backend_host/$partialuri$is_args$args; proxy_http_version 1.1; proxy_buffering off; proxy_request_buffering off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Origin https://$backend_host/$partialuri; proxy_read_timeout 1800s; proxy_send_timeout 1800s; client_max_body_size 0; } }

Good night

hashtagInstall Nginx

hashtagGenerate Diffie Hellman(DH) parameters for Nginx

hashtagEdit nginx.conf

hashtagEdit 01_Proxy.conf

hashtagPlatform9 4.X Proxy Config File

hashtagPlatform9 3.x Proxy Config File

hashtagReload Nginx Configuration

hashtagConfigure noVNC on hosts