Token based target selection
Joel Martin edited this page Sep 28, 2015 · 3 revisions
Allowing websockify clients to select arbitrary host and port targets is a large security issue and will not be supported by websockify: it would turn the proxy into an open relay into your network. However, it is possible to configure websockify with an administrator-controlled list of allowed host:port targets, each selected by an opaque token that the client supplies in the query string of the WebSocket request line.
The token based target configuration in websockify can be activated like this:

```
./run ... --token-plugin TokenFile --token-source /path/to/target.config.d/
```

In this case `target.config.d` is a directory containing configuration files. Each configuration file contains one or more lines like this:

```
token1: host1:port1
```
Now consider a new connection to websockify with the following request line:

```
GET /path?token=token1
...
```

Given the above config file and request line, websockify will attempt to connect to the target `host1:port1`. A request whose token does not match any configured entry is refused; the client can never name a host or port directly.
- The `--token-source` option can refer to a single file, in which case only that file is used for the configuration.
- The `TokenFile` plugin scans and reads the configuration file(s) for every new connection. Alternatively you can use the `ReadOnlyTokenFile` plugin, which reads the configuration only once, on the first new connection, so later changes to the files are not picked up until websockify is restarted. Using the `TokenFile` plugin allows the administrator to dynamically add and remove configuration for websockify. One common pattern is to use a file per token/target pair, which allows removal of that target (by deleting its file) without the need to edit a config file containing multiple token/targets.
- If you are using websockify with noVNC, the token is passed via the path value. In other words, passing `token=FOO` as a noVNC URL query parameter directly will not work (unless you have a modified noVNC application page that supports this directly). For example, if you are using the included `vnc.html`, then the path value in the settings menu should be set to something like `websockify?token=token1`.
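The following is an added illustration of the lookup described above (the token file format, the `?token=` request line, a directory `--token-source` read on every connection, and revocation by deleting a per-token file). It is not websockify's own `TokenFile` plugin code; the comment syntax, port validation and the rule that a missing or repeated `token` parameter is rejected are assumptions of this example. The `target.config.d` contents are constructed inline so the example runs offline.

```python
"""Token-based target selection, illustrated (example code, not websockify's plugin)."""
import os
import tempfile
from urllib.parse import parse_qs, urlsplit


def parse_token_file(path):
    """Parse lines of the form ``token: host:port`` into {token: (host, port)}.

    Blank lines and lines starting with '#' are ignored (an assumption of this
    example). Anything else that does not fit the format is a hard error, so a
    typo cannot silently become a reachable target.
    """
    targets = {}
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            token, sep, target = line.partition(":")
            host, sep2, port = target.strip().rpartition(":")
            if not sep or not sep2 or not host or not port.isdigit():
                raise ValueError(f"{path}:{lineno}: expected 'token: host:port'")
            targets[token.strip()] = (host, int(port))
    return targets


def load_targets(source):
    """--token-source may be one file or a directory of files.

    Like the TokenFile plugin, this re-reads the source on every call, so a
    file added to or removed from the directory takes effect on the next
    connection without a restart.
    """
    if os.path.isdir(source):
        paths = sorted(
            os.path.join(source, name)
            for name in os.listdir(source)
            if os.path.isfile(os.path.join(source, name))
        )
    else:
        paths = [source]
    targets = {}
    for p in paths:
        targets.update(parse_token_file(p))
    return targets


def token_from_request_line(request_line):
    """Extract the token from 'GET /path?token=abc HTTP/1.1'.

    Returns None when there is no token or when it is given more than once;
    an ambiguous request is rejected rather than guessed at.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    tokens = parse_qs(urlsplit(parts[1]).query).get("token")
    if not tokens or len(tokens) != 1:
        return None
    return tokens[0]


def select_target(source, request_line):
    """Resolve the client's opaque token to an administrator-configured (host, port).

    Returns None if the token is absent or unknown. The client never supplies a
    host or port itself; only the mapping on disk decides where we connect.
    """
    token = token_from_request_line(request_line)
    if token is None:
        return None
    return load_targets(source).get(token)


def demo():
    """Build a constructed target.config.d, resolve a token, then revoke it.

    Returns (target before revocation, result for an unknown token,
    target after the token's file is deleted).
    """
    with tempfile.TemporaryDirectory() as config_dir:
        # One file per token/target pair: revocation is just a file delete.
        with open(os.path.join(config_dir, "token1"), "w") as f:
            f.write("# constructed sample entry\ntoken1: host1:5901\n")
        with open(os.path.join(config_dir, "token2"), "w") as f:
            f.write("token2: 10.0.0.7:5900\n")

        before = select_target(config_dir, "GET /websockify?token=token1 HTTP/1.1")
        unknown = select_target(config_dir, "GET /websockify?token=token9 HTTP/1.1")
        os.remove(os.path.join(config_dir, "token1"))
        after = select_target(config_dir, "GET /websockify?token=token1 HTTP/1.1")
        return before, unknown, after


if __name__ == "__main__":
    print(demo())
```

Running the module resolves `token1` to `('host1', 5901)` while its file exists, returns `None` for an unknown token, and returns `None` again for `token1` once its file has been deleted, which is the dynamic add/remove behaviour the `TokenFile` plugin gives you and the `ReadOnlyTokenFile` plugin does not.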