Client: By default the Abiquo client UI has an integrated noVNC viewer. The noVNC viewer is an HTML5 VNC viewer. You can brand the noVNC viewer for your platform. See Branding noVNC. As part of each Abiquo upgrade process, check your noVNC branding.noVNC does not support user specified keyboard mappings, so settings in the UI client will not be taken into account. You must configure the noVNC settings for the Abiquo client UI to connect to the proxy. See Configure Remote Access to Virtual Machines
Proxy: noVNC requires a proxy to forward websocket requests to traditional sockets. The proxy should be installed on a separate machine from any other Abiquo service. Every VNC connection will be to the same IP and port on the proxy, but Abiquo will provide a unique token for each VM that will tell the proxy where to connect. A script is run with a cron job to obtain VM information from the Abiquo API and update the tokens and configure the proxy.
Hypervisor: For ESXi, you must define the VNC ports. And you must define a password for VMs in ESXi in order to be able to connect.
Load balancing: If you require more than one websockify proxy for a large environment, you can use a load balancer. See Load balance websockify proxy
Because noVNC uses websockets to establish connections, instead of traditional sockets, we will need to set up software that will forward these requests. Moreover, this software can also act as a proxy for VNC connections, so you only need to expose one IP/Port to the Internet, and through this, you can connect to any VM on your Abiquo platform.
Note that the diagrams on this page do not show the firewall or DMZ because their use depends on your security policy.
In the Abiquo user interface, the noVNC default remote access application requires the following new properties that were added to client-config-default.json.
You can customize these values in client-config-custom.json to point to your proxy server or a load balancer, for example.
Make sure you have cron installed and crond service is running
On the websockify server, install abiquo repositories
This installs base and update repositories. Please locate the abiquo-release-ee package of your destination version and install it with the following command. This example is for the latest Abiquo major version of 3.8.
Update yum cache
Install the Abiquo websockify package
The package contains a script to create tokens for each VM proxy connection. The script that obtains the VM information from Abiquo and creates the tokens is called novnc_tokens.rb
The package will create a cron task in /etc/cron.d/novnc_tokens to keep the token list up to date:
The script outputs a file that is used to configure the websockify daemon. This file will contain one line for each VM with the format "HASH: DST_IP:DST_PORT":
If you are using SSL on your platform, then you must also configure the websockify server with SSL.
Browsers do not allow you to open an unencrypted websocket connection from a page that is accessed using SSL for security reasons. Hence, if you set up SSL to access your Abiquo GUI, you must set up websockify to use SSL.
For that, you will need an SSL certificate and its private key. Note that this certificate needs to be accepted by the client browser, so they should be emitted by a trusted entity. Also check that the hostname that noVNC connects to matches the hostname in the certificate used. If you are testing a test environment which lacks a trusted certificate, you may need to manually open a connection to the IP and port the proxy is running in using your browser, and accept the provided certificate.
NOTE: Certificate must be a bundled certificate that contains all intermediate certificates from the server certificate to the CA root certificate.
Edit the script /etc/init.d/websockify and set the proper cert and key file by modifying the lines, to point to your cert and key files.:
To start the proxy, use the following command.
Websockify should now be listening for VM connections on port 41337.