[Spice-devel] [PATCH spice ] Add support for clients connecting with the WebSocket protocol.

Christophe Fergeau cfergeau at redhat.com
Wed Nov 23 11:40:25 UTC 2016


On Mon, Nov 21, 2016 at 12:06:21PM -0500, Frediano Ziglio wrote:
> > 
> > On 11/03/2015 04:32 AM, Daniel P. Berrange wrote:
> > > On Fri, Oct 30, 2015 at 03:52:56PM -0500, Jeremy White wrote:
> > >> We do this by auto detecting the inbound http(s) 'GET' and probing
> > >> for a well formulated WebSocket binary connection, such as used
> > >> by the spice-html5 client.  If detected, we implement a set of
> > >> cover functions that abstract the read/write/writev functions,
> > >> in a fashion similar to the SASL implemented.
> > > 
> > > I'm not really a huge fan of overloading two protocols on the
> > > same socket in this way.
> > 
> > Yeah, I see your unease, but I still think the approach I've chosen is
> > the best option.
> > 
> > > 
> > > I'd be rather inclined to have a separate port open for the
> > > websockets protocol, in the same way that QEMU does the VNC
> > > server.
> > 
> > I think the more apt analogy is the SASL layer, which, afaik, is not
> > inherently a different protocol, but a layer on top of the core
> > protocol.  I believe my proposed implementation implements WebSocket
> > support the way we support SASL.
> > 
> > > 
> > > Admins should be able to choose which protocol is available
> > > to their clients. For example, they might launch QEMU with
> > > both protocols available, but only wish to make one of the
> > > protocols available to the public internet. By overloading
> > > both protocols on the same port, you prevent them from
> > > being able to do this in firewall rules.
> > 
> > I'm a fan of choice, although option overload becomes an issue.  But I
> > find myself hard pressed to imagine someone wanting to have the regular
> > protocol open but not the WebSocket protocol.  If the regular port is
> > open, an evil doer can easily use websockify to get in anyway.
> > 
> > Further, you start to get a combinatorial problem.  What you're
> > proposing would add a --websocket-port option, but then it also requires
> > a --websocket-secure-port.  And if we implement SASL over WebSocket...
> > 
> > Cheers,
> > 
> > Jeremy
> 
> I agree mostly with Jeremy, adding extra ports would be quite complicated.
> On the other hand, I understand that someone could want to disable
> WebSockets so I would add an option (default disabled) to enable websockets,
> something in Qemu like websocket=yes/no.

As Daniel mentioned, from a libvirt/QEMU point of view, VNC websockets
use a separate port; it would be odd if the SPICE configuration was very
different. However, both are not mutually exclusive: we can have
separate ports, and an option to have the 2 protocols on the same
socket.

Christophe
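
An added example, not part of this thread or of the SPICE patch: a sketch of the same-socket detection discussed above, gated by the default-disabled enable option suggested in the quoted reply. All identifiers are hypothetical; it assumes the bytes are peeked from the plaintext stream and that a native SPICE link header begins with the magic "REDQ".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example, not the SPICE server's own. */
typedef enum {
    PROTO_NEED_MORE,  /* prefix still matches an allowed protocol */
    PROTO_SPICE,      /* native SPICE link header */
    PROTO_WEBSOCKET,  /* HTTP GET: candidate WebSocket upgrade */
    PROTO_REJECT      /* unknown protocol, or WebSocket while disabled */
} proto_t;

/* Classify bytes peeked from a new connection without consuming them.
 * A GET is only a candidate: the Upgrade headers still need validating. */
proto_t classify_first_bytes(const unsigned char *buf, size_t len,
                             bool websocket_enabled)
{
    static const unsigned char spice_magic[4] = { 'R', 'E', 'D', 'Q' };
    static const unsigned char http_get[4]    = { 'G', 'E', 'T', ' ' };
    size_t n = len < 4 ? len : 4;

    bool maybe_spice = memcmp(buf, spice_magic, n) == 0;
    bool maybe_get   = memcmp(buf, http_get, n) == 0;

    if (maybe_spice)                    /* also covers n == 0 */
        return n == 4 ? PROTO_SPICE : PROTO_NEED_MORE;
    /* With the option off, drop HTTP at the first byte instead of
     * buffering a request that will never be served. */
    if (maybe_get && websocket_enabled)
        return n == 4 ? PROTO_WEBSOCKET : PROTO_NEED_MORE;
    return PROTO_REJECT;
}

int main(void)
{
    /* Constructed sample input: start of an HTTP upgrade request. */
    const unsigned char req[] = "GET / HTTP/1.1\r\n";
    printf("websocket off: %d\n", classify_first_bytes(req, 16, false));
    printf("websocket on:  %d\n", classify_first_bytes(req, 16, true));
    return 0;
}
```

With the option off, the shared port behaves as a SPICE-only port, though a firewall rule still cannot separate the two protocols when it is on.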