HTTP 502 when behind nginx (kasmvnc issue, closed)

kasmtech avatar kasmtech commented on June 26, 2024
HTTP 502 when behind nginx

from kasmvnc.

Comments (6)

MagnusSvendsen avatar MagnusSvendsen commented on June 26, 2024 1

@mmcclaskey No issue at all with the late part. You hit the nail on the head here! Created a new ingress with the annotation `nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header Authorization $http_authorization;` and it works flawlessly!


 avatar commented on June 26, 2024

Can we see your NGINX config? We use NGINX in the full Kasm Server stack (www.kasmweb.com) and it works great. The current release of Kasm Server is using a different fork of KasmVNC, but our pre-release is on the most recent version of KasmVNC.


MagnusSvendsen avatar MagnusSvendsen commented on June 26, 2024

Sure!
```nginx
http {
    tcp_nopush on;
    tcp_nodelay on;

    log_subrequest      on;

    reset_timedout_connection on;

    keepalive_timeout  75s;
    keepalive_requests 100;

    client_body_temp_path           /tmp/client-body;
    fastcgi_temp_path               /tmp/fastcgi-temp;
    proxy_temp_path                 /tmp/proxy-temp;
    ajp_temp_path                   /tmp/ajp-temp;

    client_header_buffer_size       1k;
    client_header_timeout           60s;
    large_client_header_buffers     4 8k;
    client_body_buffer_size         8k;
    client_body_timeout             60s;

    http2_max_field_size            4k;
    http2_max_header_size           16k;
    http2_max_requests              1000;
    http2_max_concurrent_streams    128;

    types_hash_max_size             2048;
    server_names_hash_max_size      1024;
    server_names_hash_bucket_size   64;
    map_hash_bucket_size            64;

    proxy_headers_hash_max_size     512;
    proxy_headers_hash_bucket_size  64;

    variables_hash_bucket_size      256;
    variables_hash_max_size         2048;

    underscores_in_headers          off;
    ignore_invalid_headers          on;

    limit_req_status                503;
    limit_conn_status               503;

    include /etc/nginx/mime.types;
    default_type text/html;
    server {
            server_name as2-client.iedi.net ;

            listen 80 proxy_protocol ;
            listen 442 proxy_protocol ssl http2 ;

            set $proxy_upstream_name "-";

            ssl_certificate_by_lua_block {
                    certificate.call()
            }

            location / {

                    set $namespace      "iedi3api";
                    set $ingress_name   "iedi3api";
                    set $service_name   "as2-vnc-client";
                    set $service_port   "8443";
                    set $location_path  "/";

                    rewrite_by_lua_block {
                            lua_ingress.rewrite({
                                    force_ssl_redirect = false,
                                    ssl_redirect = false,
                                    force_no_ssl_redirect = false,
                                    use_port_in_redirects = false,
                            })
                            balancer.rewrite()
                            plugins.run()
                    }

                    # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                    # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                    # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                    #access_by_lua_block {
                    #}

                    header_filter_by_lua_block {
                            lua_ingress.header()
                            plugins.run()
                    }

                    body_filter_by_lua_block {
                    }

                    log_by_lua_block {
                            balancer.log()

                            monitor.call()

                            plugins.run()
                    }

                    port_in_redirect off;

                    set $balancer_ewma_score -1;
                    set $proxy_host          $proxy_upstream_name;
                    set $pass_access_scheme  $scheme;

                    set $pass_server_port    $proxy_protocol_server_port;

                    set $best_http_host      $http_host;
                    set $pass_port           $pass_server_port;

                    set $proxy_alternative_upstream_name "";

                    proxy_set_header Host                   $best_http_host;

                    # Pass the extracted client certificate to the backend

                    # Allow websocket connections
                    proxy_set_header                        Upgrade           $http_upgrade;

                    proxy_set_header                        Connection        $connection_upgrade;

                    proxy_set_header X-Request-ID           $req_id;
                    proxy_set_header X-Real-IP              $remote_addr;

                    proxy_set_header X-Forwarded-For        $remote_addr;

                    proxy_set_header X-Forwarded-Host       $best_http_host;
                    proxy_set_header X-Forwarded-Port       $pass_port;
                    proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

                    proxy_set_header X-Scheme               $pass_access_scheme;

                    # Pass the original X-Forwarded-For
                    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

                    # mitigate HTTPoxy Vulnerability
                    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                    proxy_set_header Proxy                  "";

                    # Custom headers to proxied server

                    proxy_connect_timeout                   5s;
                    proxy_send_timeout                      100s;
                    proxy_read_timeout                      100s;

                    proxy_buffering                         "off";
                    proxy_buffer_size                       4k;
                    proxy_buffers                           4 4k;

                    proxy_max_temp_file_size                1024m;

                    proxy_request_buffering                 "off";
                    proxy_http_version                      1.1;

                    proxy_cookie_domain                     off;
                    proxy_cookie_path                       off;

                    # In case of errors try the next upstream server before returning an error
                    proxy_next_upstream                     error timeout;
                    proxy_next_upstream_timeout             0;
                    proxy_next_upstream_tries               3;

                    proxy_pass http://upstream_balancer;

                    proxy_redirect                          off;

            }

    }

}
```

I believe this is the relevant part. I've managed to reach the login page, but whenever I type in my login, it just reappears. When accessing the host directly, it works though.


 avatar commented on June 26, 2024

Wow, you are doing a lot of stuff there. Looks like you are proxy passing to http, but should be https :) Hoping it is that easy.


MagnusSvendsen avatar MagnusSvendsen commented on June 26, 2024

Wish it was that easy, sadly that doesn't do it, perhaps because my https passthrough doesn't seem to work.
Could I start kasmvnc on http? Considering it's behind nginx, there shouldn't be any security issues with it.


mmcclaskey avatar mmcclaskey commented on June 26, 2024

@MagnusSvendsen, sorry for the very late response. Another thing might be the authorization header. KasmVNC uses basic auth and if I am not mistaken you have to pass that through on the NGINX config. You can confirm by opening up dev tools and checking the response codes being returned; KasmVNC will return a 401 Unauthorized if it does not receive the authorization header in the request.

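The fix reported in this thread, written out as a complete Ingress manifest. This is an added example, not a manifest posted in the thread or shipped by the KasmVNC project; host, namespace, ingress name, service and port are taken from the nginx.conf posted above, while `ingressClassName`, `pathType` and the `backend-protocol` annotation are assumptions.

```yaml
# Added example. Values marked "from thread" appear in the posted nginx.conf;
# everything else is an assumption and may differ in your cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iedi3api              # from thread ($ingress_name)
  namespace: iedi3api         # from thread ($namespace)
  annotations:
    # Assumption: KasmVNC serves TLS itself on 8443, following the maintainer's
    # remark that the upstream should be https. Remove if the upstream is plain
    # HTTP, otherwise the controller will fail the upstream handshake.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # The change the reporter confirmed: forward the browser's Basic auth
    # header to KasmVNC so the login request is not answered with 401.
    # The snippet is raw nginx config injected into the location block. It is
    # only honoured when the controller permits snippet annotations (ConfigMap
    # key allow-snippet-annotations), so limit who may create or edit Ingress
    # objects in namespaces where snippets are enabled.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Authorization $http_authorization;
spec:
  ingressClassName: nginx     # assumption: controller's ingress class name
  rules:
    - host: as2-client.iedi.net          # from thread (server_name)
      http:
        paths:
          - path: /                      # from thread ($location_path)
            pathType: Prefix             # assumption
            backend:
              service:
                name: as2-vnc-client     # from thread ($service_name)
                port:
                  number: 8443           # from thread ($service_port)
```

To confirm the change took effect, repeat the check suggested above: with browser dev tools open, the login request should no longer return 401.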
