VNC sessions unable to connect through proxy portal

Hi all,

We run an OOD instance within our private network with no issue.

In order for OOD to be served externally to users, it has to be done through a proxy (a remote access portal in a Palo Alto firewall).

All sessions using http seem to work fine. Nevertheless, all VNC sessions fail to connect and I can’t pinpoint exactly why (I cannot see anything in the nginx logs, and the reverse proxy is working with no issues when using netcat).

One thing to point out is that when users access OOD through the portal, the URL gets modified from the first address below to the second:

https://ondemand-dev.domain/pun/sys/dashboard/noVNC-1.1.0/vnc.html?utf8=✓&autoconnect=true&path=rnode%2Fnode%2FPORT%2Fwebsockify&resize=remote&password=XXXXXXX&compressionsetting=6&qualitysetting=2&commit=Launch+VNC+Desktop

https://remote-portal.domain/https/ondemand-dev.domain/pun/sys/dashboard/noVNC-1.1.0/vnc.html?utf8=✓&autoconnect=true&path=rnode%2Fnode%2FPORT%2Fwebsockify&resize=remote&password=XXXXXXX&compressionsetting=6&qualitysetting=2&commit=Launch+VNC+Desktop

Any ideas or advice are most appreciated.

Cheers.

Sorry for the issue.

Is it possible to see the ood_portal_generator.yml for the relevant sections of the config for the proxy?

That http works but not https sounds like something is off with the SSL configs being set correctly to handle the proxy requests.

Also, what version of OOD are you on and what OS?

Thank you for the reply. These are some relevant settings:

# The server name used for rewrites
# Example:
#     proxy_server: 'proxy.example.com'
# Default: The value of servername
#proxy_server: null

# The port specification for the Virtual Host
# Example:
#     port: 8080
#Default: null (use default port 80 or 443 if SSL enabled)
port: 443

# List of SSL Apache directives
# Example:
servername: ondemand-dev.domain
ssl:
  - 'SSLCertificateFile "/etc/ood/config/certs/ondemand-dev.crt"'
  - 'SSLCertificateKeyFile "/etc/ood/config/certs/ondemand-dev.key"'
  - 'SSLCertificateChainFile "/etc/ood/config/certs/ondemand-dev_chain.crt"'
# Default: null (no SSL support)
#ssl: null

#
# Reverse proxy to backend nodes
#

# Regular expression used for whitelisting allowed hostnames of nodes
# Example:
#     host_regex: '[\w.-]+\.example\.com'
# Default: '[^/]+' (allow reverse proxying to all hosts, this allows external
# hosts as well)
host_regex: '[^/]+'

# Sub-uri used to reverse proxy to backend web server running on node that
# knows the full URI path
# Example:
#     node_uri: '/node'
# Default: null (disable this feature)
#node_uri: null
node_uri: '/node'

# Sub-uri used to reverse proxy to backend web server running on node that
# ONLY uses *relative* URI paths
# Example:
#     rnode_uri: '/rnode'
# Default: null (disable this feature)
#rnode_uri: null
rnode_uri: '/rnode'

It is worth mentioning that both Jupyter and RStudio can connect fine; it is just noVNC that has the issue. Connecting directly from inside the firewall works fine, just not through the remote portal provided by the firewall. I tested the reverse proxy with netcat and the ports can be reached with no issues through the remote portal.

Currently running OOD 2.0.27 on the development server. CentOS 7.9.2009.
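
Added example (not part of the original posts and not Open OnDemand's own code): the config comments above note that the default `host_regex: '[^/]+'` allows reverse proxying to external hosts as well. The sketch below compares that value with the documented example pattern over constructed request paths; the route shape built in `node_route`, the function names and the sample hostnames are assumptions for illustration.

```python
import re

OPEN = r"[^/]+"                     # value set in the posted config
SCOPED = r"[\w.-]+\.example\.com"   # documented example from the config comments

# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/rnode/node01.example.com/5901/websockify",
    "/rnode/10.0.0.5/5901/websockify",
    "/rnode/external.invalid/8080/",
    "/rnode/node01.example.com.other.invalid/5901/websockify",
]


def node_route(prefix: str, host_regex: str) -> re.Pattern:
    """Build a matcher of the form <prefix>/<host>/<port>[/uri].

    Assumption: the generated Apache rule has roughly this shape; the
    real template may differ in detail.
    """
    return re.compile(
        rf"^{re.escape(prefix)}/(?P<host>{host_regex})/(?P<port>\d+)(?P<uri>/.*|)$"
    )


def proxied_target(route: re.Pattern, path: str):
    """Return (host, port) the request would be proxied to, or None."""
    m = route.match(path)
    return (m["host"], int(m["port"])) if m else None


def audit(host_regex: str, paths=SAMPLES, prefix: str = "/rnode") -> dict:
    """Map each path to its proxy target under the given host_regex."""
    route = node_route(prefix, host_regex)
    return {p: proxied_target(route, p) for p in paths}


if __name__ == "__main__":
    for label, pattern in (("open", OPEN), ("scoped", SCOPED)):
        print(f"host_regex ({label}): {pattern}")
        for path, target in audit(pattern).items():
            print(f"  {path} -> {target if target else 'rejected'}")
```
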

Does the shell app work through your proxy? My guess is you need to enable websockets on your proxy. Both the shell and VNC desktops need a websocket upgrade, which may not be enabled on your proxy by default.

The shell connections into the login node and the hosts running the VNC sessions work properly when going through the remote portal. So far only the VNC connections seem to fail.

Going to:

https://remote-portal.domain/https/ondemand-dev.domain/pun/sys/shell/ssh/

and

https://ondemand-dev.domain/pun/sys/shell/ssh/ from an internal network

both work properly.

OOD and the hosts are running in the same subnet, and all VNC works when connecting straight to OOD.