
websockify-nginx-module's Introduction

Websockify port for Nginx

Embed the Websockify into Nginx

Installation

git clone https://github.com/tg123/websockify-nginx-module.git

cd path/to/nginx_source

./configure --add-module=/path/to/websockify-nginx-module/

make
make install

Usage

Single noVNC websockify proxy

In your nginx.conf:

location /websockify {
    websockify_pass yourvncip:port;
}

  1. Visit http://kanaka.github.io/noVNC/noVNC/vnc.html in your browser
  2. Host is your nginx server's IP
  3. Port is your nginx server's listening port
  4. Click connect

Quick start with Docker

Proxy 192.168.188.42:5901 to your localhost/websockify.

Note: 5901 is hardcoded in nginx.vh.default.conf

docker run -d --add-host vnchost:192.168.188.42 -p 80:80 farmer1992/nginx-websockify

Dynamic vnc upstream with help of ngx-lua

An example script that reads the IP and port from URL parameters and verifies them with an MD5 signature.

SECURITY VULNERABILITY WARNING

This is only an example to help you understand how to work with ngx-lua. Do NOT use this script in production.

Anyone who knows your private key can connect to any machine behind your nginx proxy; you should restrict the target IP and port with a whitelist.

In your nginx.conf:

location /websockify {

    set $vnc_addr '';
    access_by_lua '

        -- your private key here
        local key = "CHANGE_ME_!!!!"
        
        -- read from url params
        local args = ngx.req.get_uri_args()
        local ip = args["ip"] or "127.0.0.1"
        local port = args["port"] or  "5900"
        local sign = args["sign"]
        local t = tonumber(args["t"]) or 0
        local elapse = ngx.time() - t

        -- make sure the signature was generated within the last 30 seconds
        if elapse > 30 or elapse < 0  then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        local addr = ip .. ":" .. port

        -- verify the signature
        if ngx.md5(key .. t .. addr .. key) ~= sign then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ngx.var.vnc_addr = addr
    ';

    websockify_pass $vnc_addr;
}

Use an AJAX call to vnc_url.php to retrieve the websockify URL, then let noVNC connect to it.

<?php

// query your vnc ip and port from somewhere, e.g. mysql.
//

// query result
$addr = '127.0.0.1';
$port = 5900;

// same as private key in nginx.conf
$key = "CHANGE_ME_!!!!";

$t = time();

echo '/websockify/?' . http_build_query(array(
    't' =>  $t,
    'sign' => md5($key . $t . "$addr:$port" . $key),
    'ip' => $addr,
    'port' => $port,
));
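
The warning above asks for a target whitelist. The following is an added example, not code from the project: it models the signer and the proxy-side check in Python so it runs offline, and it swaps the README's md5(key .. t .. addr .. key) for HMAC-SHA256. KEY, ALLOWED_TARGETS and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlencode

# Constructed values for this example; none come from the project.
KEY = b"example-key-not-for-production"
ALLOWED_TARGETS = {("192.0.2.10", 5900), ("192.0.2.11", 5901)}
MAX_AGE = 30  # seconds, same window as the README script


def _mac(t, ip, port):
    # HMAC-SHA256 over newline-delimited fields replaces md5(key..t..addr..key).
    msg = f"{t}\n{ip}\n{port}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def sign_url(ip, port, now=None):
    """Signer side (the role of vnc_url.php)."""
    t = int(time.time() if now is None else now)
    return "/websockify/?" + urlencode(
        {"t": t, "sign": _mac(t, ip, port), "ip": ip, "port": port})


def verify(args, now=None):
    """Proxy side (the role of access_by_lua). Returns 'ip:port' or None."""
    now = int(time.time() if now is None else now)
    try:
        t = int(args["t"])
        ip = str(ipaddress.ip_address(args["ip"]))  # rejects hostnames, junk
        port = int(args["port"])
        sign = args["sign"]
    except (KeyError, TypeError, ValueError):
        return None  # no defaults: a missing field is a rejection
    if not 0 <= now - t <= MAX_AGE:
        return None
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(_mac(t, ip, port).encode(), str(sign).encode()):
        return None
    # Allowlist applies even to correctly signed requests, so a leaked key
    # cannot be used to reach arbitrary hosts behind the proxy.
    if (ip, port) not in ALLOWED_TARGETS:
        return None
    return f"{ip}:{port}"
```

The same order of checks (parse strictly, check age, compare the MAC, then check the allowlist) carries over to an ngx-lua access handler.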

Directives

  • websockify_buffer_size: Default: 65543 = 65535 + 4 + 4 (websocket max frame size + header + mask)

    The buffer size used to store the encoded/decoded data. Each websockify connection costs websockify_buffer_size * 2 (1 upstream + 1 downstream) of additional memory.

  • websockify_read_timeout: Default 60s

    proxy_read_timeout of websockify upstream

  • websockify_connect_timeout: Default 60s

    proxy_connect_timeout of websockify upstream

  • websockify_send_timeout: Default 60s

    proxy_send_timeout of websockify upstream

Nginx Compatibility

  • v0.02 - v0.0.3

    • 1.7.x (Tested on 1.7.9)
    • 1.6.x (Tested on 1.6.2)
  • v0.0.1

    • 1.5.x (Tested on 1.5.9)
    • 1.4.x (Tested on 1.4.4)

websockify-nginx-module's People

Contributors

haoel, tg123, vincenthcui


websockify-nginx-module's Issues

Build fails with nginx 1.6.3 and 1.8.1

Hello.
I'm trying to build nginx source with this module included. Tried nginx 1.6.3 and 1.8.1.
For both versions, configure fails with message:

adding module in /tmp/nginx/websockify-nginx-module-master/
/tmp/nginx/websockify-nginx-module-master//config: line 7: auto/module: No such file or directory

(the double backslash makes no difference)
I'm using Docker image of CentOS 7 with upstream gcc and make.
I can successfully include other modules (ngx_http_auth_pam, nginx-sticky-module-ng) without trouble.

Removing the troublesome line 7 allows successful configuration (ngx 1.8.1), but I'm yet to see if the functionality is there.

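Suggestion: websocket_server_write_frame_header should return the header length

I suggest that websocket_server_write_frame_header return the header length, so that after calling it you know how far dst should be advanced, for example:

static ngx_inline int
websocket_server_write_frame_header(u_char *dst, u_char opcode,
    size_t payload_length)
{
    /* FIN bit set, low 4 bits carry the opcode */
    dst[0] = (u_char)((opcode & 0x0F) | 0x80);

    /* short form: the length fits in the 7-bit field */
    if ( payload_length <= 125 ) {
        dst[1] = (u_char)(payload_length);

        return 2;
    }

    /* 126 marks a 16-bit extended length in network byte order */
    dst[1] = (u_char) 126;
    *(u_short *)&(dst[2]) = htons((u_short)(payload_length));

    return 4;
}

Usage:
...
int len = websocket_server_write_frame_header(dst, opcode, payload_length);
dst += len;
...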

fails to work with spice-html5

spice-html5 + xSpice work together to provide a web based spice client similar to how noVNC + xVNC provide a web based VNC client.

The connection does not get passed through using the module. It does however pass through when using the standalone websockify.

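The websockify module actively closes the connections to both the frontend and the backend

After connecting to a backend machine through the websockify module, the connection gets dropped after a while. We captured TCP packets on nginx and found that nginx itself sends the FIN packets and closes the connections to both the frontend and the backend, but the reason for the disconnect is still unclear.

Below is the flow graph from the packet capture; at 09:17:03 FIN packets are sent to end the connections on both sides.
10.0.x.x is the NGINX host, 106.52.x.x is the backend vnc server, and 172.16.x.x is the traffic coming from the frontend.

image

We tried enabling nginx's keep-alive configuration in the upstream block, but it had no effect on this.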

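Different results with standalone websockify and the websockify built into nginx (proxying fails)

Proxying with standalone websockify works; with the websockify module built into nginx, I get a protocol error.

127.0.0.1:64738 is the chat server

Command used for standalone:
websockify 64737 127.0.0.1:64738 --ssl-target -v --traffic --cert ./self.pem --key .self.pem

nginx configuration: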
server {
listen 443 ssl;
server_name voice.example.com;
ssl_certificate /etc/letsencrypt/live/voice.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/voice.example.com/privkey.pem;

    location /chat{
            proxy_pass http://127.0.0.1:64737;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
    }

}

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

The above, using standalone websockify, runs successfully.

Below is the configuration using this module:

server {
listen 443 ssl;
server_name voice.example.com;
ssl_certificate /etc/letsencrypt/live/voice.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/voice.example.com/privkey.pem;

    location /chat {
            websockify_pass 127.0.0.1:64738;
    }

}

Error reported when using the built-in server:

2018-03-27 23:30:47.746 1 => <31:(-1)> New connection: 127.0.0.1:29758
2018-03-27 23:30:47.762 1 => <31:(-1)> Connection closed: Error during SSL handshake: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [13]

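What is the cause of this? Using the built-in module would be much simpler and more convenient, but at the moment I can't get it to run.

The nginx version is 1.10.1; below are the build options: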

--prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-openssl=../openssl-1.0.2h --with-pcre=../pcre-8.38 --with-pcre-jit --with-ld-opt='-ljemalloc' --add-module=../websockify-nginx-module/

help me

How to save your log data entered in the terminal?
sniffing??

Can websockify-nginx do two-hop forwarding?

|--------- Internet ---------|------------- intranet1 -------------|---------- intranet2 ----------|
            1                                   2                                  3
client ----------> server1(nginx-websockify) ----------> server2(nginx-websockify) ----------> Tcp server
       <----------                           <----------                           <----------
            6                                   5                                  4

Dockerfile

Are you planning on making a Dockerfile, so one could easily use this with other services whose APIs have to be translated to a websocket API?

ngx_http_websockify_send_with_encode: encode error!

Hi,

I'm seeing this in my nginx error log:
2014/06/27 13:22:37 [error] 1651#0: *425 ngx_http_websockify_send_with_encode: encode error! while proxying upgraded connection, client: 10.10.10.10, server: name.server.com, request: "GET /vnc/5002 HTTP/1.1", upstream: "websockify://127.0.0.1:5002", host: "name.server.com"

And this in the firefox console:
New state 'failed', was 'normal'. Msg: Disconnected: illegal hextile subencoding 201

nginx 1.6.0
CentOS 6.5 x86_64
Fedora 20 x86_64

It doesn't happen always, but more frequently in CentOS than Fedora.

Can you help me??

Memory issue

static ngx_int_t ngx_http_websockify_handler(ngx_http_request_t *r)

Inside this function, many of the return paths don't take into account freeing the memory allocated by ngx_pcalloc?

websocket trans tcp?

What you wrote is a plug-in for the client (websocket) to access the backstage TCP protocol server through nginx

WSS?

Are secure (TLS/SSL) WebSockets supported? If so, does the module handle the security and bridge unencrypted TCP traffic to the proxied server?
