SSL-ing websockify?

Hi All,

I have some Desktops and Interactive apps working. But it seems that python3-websockify does not enable any SSL, which is understandable as we have no FQDN for compute nodes, and no host certs for them.

Would it be advisable/possible to enable SSL for whatever security it gives, using a self-signed cert for each node? Where in OOD do I specify the cert name for websockify to find it? Thanks!

Grigory Shamov
University of Manitoba

Specifically, I see in the session’s output:

Launching desktop 'fluffbox'...
unable to find device '0'
/usr/lib/python3.6/site-packages/websockify/websocket.py:30: UserWarning: no 'numpy' module, HyBi protocol will be slower
warnings.warn("no 'numpy' module, HyBi protocol will be slower")
WebSocket server settings:

  • Listen on :10275
    - No SSL/TLS support (no cert file)
  • Backgrounding (daemon)

Where does it look for the file, on CentOS 7? I do have a self.pem in /etc/pki/tls/certs (which seems to be a default name, according to the websockify man page).

Hi - I don’t know if we support this yet, though you may try. You may be able to add the flag in the websockify_cmd configuration.

Though I don’t know if it’ll work as we assume it’s ws and not wss and typically do SSL offloading in Apache. I’m fairly certain we do and this won’t work, but I don’t know it for a fact and would have to look up the appropriate code that does the proxying.

https://osc.github.io/ood-documentation/latest/reference/files/submit-yml/vnc-bc-options.html

That said - even if this could work - you’d likely need actual certificates and not self-signed ones.

Ok, I have added --cert and --key parameters for the nodes’ self-signed certs explicitly to the websockify command. It did remove the warning; now I see instead:

  • Listen on :5012
  • SSL/TLS support
  • Backgrounding (daemon)

Maybe it works, or thinks it works. I am using the latest python3-websockify 0.10. The command is no longer “run” (as in OOD documentation) but “websockify”.
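
One way to check what a websockify listener actually accepts after adding --cert and --key, as an added example that is not part of the thread or of Open OnDemand. The helper name `probe_listener` is hypothetical; it tries a TLS handshake (certificate verification deliberately off, because the node certs here are self-signed) and then a plaintext HTTP request against the same port.

```python
import hashlib
import socket
import ssl
import sys


def probe_listener(host, port, timeout=3.0):
    """Report whether host:port completes a TLS handshake and whether it
    also answers an unencrypted HTTP request (hypothetical helper)."""
    result = {"tls": False, "cert_sha256": None, "plaintext": False}

    # Probe only: verification is off so a self-signed node cert still
    # handshakes. Compare the fingerprint out of band; do not reuse this
    # context for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                der = tls.getpeercert(binary_form=True)
                result["tls"] = True
                if der:
                    result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        pass

    # Second connection: does the same port still talk cleartext HTTP?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.1\r\nHost: probe\r\n\r\n")
            result["plaintext"] = raw.recv(64).startswith(b"HTTP/")
    except OSError:
        pass
    return result


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python3 probe.py <compute-node> <websockify-port>
    print(probe_listener(sys.argv[1], int(sys.argv[2])))
```

A result with both `tls` and `plaintext` true means the port offers TLS without enforcing it; websockify's `--ssl-only` option rejects unencrypted clients.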