[Spice-devel] [PATCH spice ] Add support for clients connecting with the WebSocket protocol.

Frediano Ziglio fziglio at redhat.com
Mon Nov 21 17:06:21 UTC 2016


It looks weird to reply to an email after one year, but it was pointed
out to me that I missed this thread entirely.

> 
> On 11/03/2015 04:32 AM, Daniel P. Berrange wrote:
> > On Fri, Oct 30, 2015 at 03:52:56PM -0500, Jeremy White wrote:
> >> We do this by auto detecting the inbound http(s) 'GET' and probing
> >> for a well formulated WebSocket binary connection, such as used
> >> by the spice-html5 client.  If detected, we implement a set of
> >> cover functions that abstract the read/write/writev functions,
> >> in a fashion similar to the SASL implemented.
> > 
> > I'm not really a huge fan of overloading two protocols on the
> > same socket in this way.
> 
> Yeah, I see your unease, but I still think the approach I've chosen is
> the best option.
> 
> > 
> > I'd be rather inclined to have a separate port open for the
> > websockets protocol, in the same way that QEMU does the VNC
> > server.
> 
> I think the more apt analogy is the SASL layer, which, afaik, is not
> inherently a different protocol, but a layer on top of the core
> protocol.  I believe my proposed implementation implements WebSocket
> support the way we support SASL.
> 
> > 
> > Admins should be able to choose which protocol is available
> > to their clients. For example, they might launch QEMU with
> > both protocols available, but only wish to make one of the
> > protocols available to the public internet. By overloading
> > both protocols on the same port, you prevent them from
> > being able to do this in firewall rules.
> 
> I'm a fan of choice, although option overload becomes an issue.  But I
> find myself hard pressed to imagine someone wanting to have the regular
> protocol open but not the WebSocket protocol.  If the regular port is
> open, an evil doer can easily use websockify to get in anyway.
> 
> Further, you start to get a combinatorial problem.  What you're
> proposing would add a --websocket-port option, but then it also requires
> a --websocket-secure-port.  And if we implement SASL over WebSocket...
> 
> Cheers,
> 
> Jeremy

I mostly agree with Jeremy; adding extra ports would be quite complicated.
On the other hand, I understand that someone could want to disable
WebSockets, so I would add an option (default disabled) to enable websockets,
something in QEMU like websocket=yes/no.

Frediano
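
The same-port detection discussed in this thread, gated by an opt-in switch like the one suggested above, as an added sketch that is not code from the patch or from SPICE. The names `classify_peer`, `header_has`, `ws_enabled` and the 2048-byte cap are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>            /* strncasecmp (POSIX) */

#define MAX_HANDSHAKE 2048      /* assumed cap on the HTTP request size */
enum peer_kind { PEER_NEED_MORE, PEER_NATIVE, PEER_WEBSOCKET, PEER_REJECT };

/* True if header `name` is present and its value contains `token`
 * (case-insensitive). An empty token only checks for presence. */
static bool header_has(const char *req, const char *name, const char *token)
{
    size_t nlen = strlen(name), tlen = strlen(token);
    for (const char *p = strstr(req, "\r\n"); p && p[2]; p = strstr(p + 2, "\r\n")) {
        const char *h = p + 2, *end = strstr(h, "\r\n");
        if (!end || strncasecmp(h, name, nlen) != 0 || h[nlen] != ':')
            continue;
        for (const char *v = h + nlen + 1; v + tlen <= end; v++)
            if (strncasecmp(v, token, tlen) == 0)
                return true;
    }
    return false;
}

/* Classify the first bytes read from a new connection (hypothetical helper). */
enum peer_kind classify_peer(const unsigned char *buf, size_t len, bool ws_enabled)
{
    char req[MAX_HANDSHAKE + 1];

    if (len < 4)
        return PEER_NEED_MORE;
    if (memcmp(buf, "GET ", 4) != 0)
        return PEER_NATIVE;         /* not HTTP: hand to the normal link parser */
    if (!ws_enabled || len > MAX_HANDSHAKE)
        return PEER_REJECT;         /* option off (the default) or oversized request */
    memcpy(req, buf, len);
    req[len] = '\0';
    char *term = strstr(req, "\r\n\r\n");
    if (!term)
        return PEER_NEED_MORE;      /* header block not complete yet */
    term[2] = '\0';                 /* ignore anything after the header block */
    if (header_has(req, "Upgrade", "websocket") &&
        header_has(req, "Sec-WebSocket-Key", "") &&
        header_has(req, "Sec-WebSocket-Version", "13"))
        return PEER_WEBSOCKET;
    return PEER_REJECT;             /* plain HTTP GET, not a WebSocket upgrade */
}
```

With the switch off, a `GET` on the shared port is refused before any header parsing, so the WebSocket path adds no reachable code for deployments that do not want it.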