<div dir="ltr">Hi, Marc<div>Yes, we originally embed the openstack's console(spice-html5) page and it works, but has performance/screen size concern. </div><div>So we try to use native-client to connect through the proxy.</div><div>By the way, The spice source code did help. I am studying now. :).</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-20 17:52 GMT+08:00 Marc-André Lureau <span dir="ltr"><<a href="mailto:mlureau@redhat.com" target="_blank">mlureau@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Dennis<br>
<span class=""><br>
----- Original Message -----<br>
> Hi, Christophe<br>
> Thanks for the reply. I will read the information that you shared.<br>
><br>
> We are developing a cloud solution, the back-end is openstack.<br>
> We tried spice-html5 console by embedding openstack console page and found<br>
> the performance is not good.<br>
> We think using the native client might be faster than html5 and has more<br>
> features, however, we can't find any secure way to let native client connect<br>
> to internal VM (spice server).<br>
</span>> (Say spice:// <a href="http://192.168.1.2:5900" target="_blank">192.168.1.2:5900</a> is a VM's internal connection url, 192.168.1.2<br>
<span class="">> is internal, should't be public, and 5900 is also too simple to be guessed<br>
> by another user that another VM is 5901, or 5902 )<br>
><br>
> I am trying to write a spice-proxy to provide client to connect with a<br>
> dynamic password (a token, with timeout, created by our system when user<br>
> acquires console connection ).<br>
</span>> Then by the valid password(token) , the spice-proxy gets the VM (spice<br>
<span class="">> server) connection host-port, and channeling between client and internal VM.<br>
<br>
</span>Have you looked at this openstack blueprint (with patches):<br>
<a href="https://blueprints.launchpad.net/nova/+spec/spice-http-proxy" target="_blank">https://blueprints.launchpad.net/nova/+spec/spice-http-proxy</a><br>
<br>
This is offering an http "connect" proxy for spice VM, validating the client<br>
tokens and proxying the connections (similar to vnc websocket proxy).<br>
It used to work, but it might need some refresh today.<br>
<br>
<br>
</blockquote></div><br></div>