From 5a97f16651d67b2bcd57a88ae5bbfede8ddf1079 Mon Sep 17 00:00:00 2001
From: blitztide
Date: Fri, 1 Aug 2025 13:32:43 +0100
Subject: [PATCH 1/2] Feature: Enable self-signed certificates This will use OpenSSL and generate a new certificate, then start the server in SSL-Only mode
---
 utils/novnc_proxy | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/utils/novnc_proxy b/utils/novnc_proxy
index 6b55504a..0f42d7ae 100755
--- a/utils/novnc_proxy
+++ b/utils/novnc_proxy
@@ -17,6 +17,8 @@ usage() {
 echo " Default: 6080 (on all interfaces)"
 echo " --vnc VNC_HOST:PORT VNC server host:port proxy target"
 echo " Default: localhost:5900"
+ echo " --self-sign hostname Generate self-signed certificates for hostname"
+ echo " Requires OpenSSL to be installed"
 echo " --cert CERT Path to combined cert/key file, or just"
 echo " the cert file if used with --key"
 echo " Default: self.pem"
@@ -51,6 +53,7 @@ HOST=""
 PORT="6080"
 LISTEN="$PORT"
 VNC_DEST="localhost:5900"
+SELF_SIGN=""
 CERT=""
 KEY=""
 WEB=""
@@ -90,6 +93,7 @@ while [ "$*" ]; do
 case $param in
 --listen) LISTEN="${OPTARG}"; shift ;;
 --vnc) VNC_DEST="${OPTARG}"; shift ;;
+ --self-sign) SELF_SIGN="${OPTARG}"; shift ;;
 --cert) CERT="${OPTARG}"; shift ;;
 --key) KEY="${OPTARG}"; shift ;;
 --web) WEB="${OPTARG}"; shift ;;
@@ -147,6 +151,18 @@ else
 die "Could not find vnc.html"
 fi
+# Create self-signed certificates
+if [ -n "${SELF_SIGN}" ]; then
+ if [ ! -f $(pwd)/self.pem ]; then
+ echo "Generating Certificate for: ${SELF_SIGN}"
+ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out self.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=NoVNC/L=NoVNC/O=NoVNC/OU=NoVNC/CN=${SELF_SIGN}"
+ fi
+ CERT=$(pwd)/self.pem
+ KEY=$(pwd)/key.pem
+ echo "Forcing SSL"
+ SSLONLY="--ssl-only"
+fi
+
 # Find self.pem
 if [ -n "${CERT}" ]; then
 if [ ! -e "${CERT}" ]; then
From c7cf101f2605d8cd84a47658d2cca052546f7269 Mon Sep 17 00:00:00 2001
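Review bot: `${SELF_SIGN}` goes into the `-subj` string of the `openssl req` line unvalidated, so a value containing `/` or `=` changes the certificate's distinguished name rather than just the CN; reject anything that is not a plain hostname first, e.g. `case "${SELF_SIGN}" in *[!A-Za-z0-9.-]*) die "Invalid hostname for --self-sign" ;; esac`. The certificate also carries no subjectAltName, which current TLS clients use for hostname matching instead of CN; on OpenSSL 1.1.1 or later `-addext "subjectAltName=DNS:${SELF_SIGN}"` adds it. The reuse test in the last hunk of PATCH 1/2 looks only at `self.pem`, so an existing `self.pem` without a matching `key.pem` leaves `KEY` pointing at a missing or unrelated file, and the unquoted `$(pwd)` breaks when the working directory contains spaces. The `openssl req` line is carried over unchanged in PATCH 2/2, so the first two points apply there as well.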
From: David
Date: Sat, 6 Sep 2025 22:43:08 +0100
Subject: [PATCH 2/2] Bugfix: extra checks and removing forced SSL
---
 utils/novnc_proxy | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/utils/novnc_proxy b/utils/novnc_proxy
index 0f42d7ae..34c425a1 100755
--- a/utils/novnc_proxy
+++ b/utils/novnc_proxy
@@ -132,6 +132,14 @@ if [ -z "${HOST}" ]; then
 fi
 fi
+# Check if (cert | key) & self-sign are set, as they are incompatible
+if [ -n "$CERT" ] || [ -n "$KEY" ] && [ -n "$SELF_SIGN" ]; then
+ echo "Arguments --cert and --key and incompatible with --self-sign"
+ echo ""
+ usage
+ exit 1
+fi
+
 trap "cleanup" TERM QUIT INT EXIT
 # Find vnc.html
@@ -153,14 +161,25 @@ fi
 # Create self-signed certificates
 if [ -n "${SELF_SIGN}" ]; then
- if [ ! -f $(pwd)/self.pem ]; then
- echo "Generating Certificate for: ${SELF_SIGN}"
- openssl req -x509 -newkey rsa:4096 -keyout key.pem -out self.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=NoVNC/L=NoVNC/O=NoVNC/OU=NoVNC/CN=${SELF_SIGN}"
- fi
+ # Check if OpenSSL is installed
+ which openssl > /dev/null
+ if [ $? != 0 ]; then
+ echo "Unable to find OpenSSL, please ensure you have OpenSSL installed and available in \$PATH"
+ exit 1
+ fi
+ # Check that the file doesn't already exist
+ if [ -f $(pwd)/self.pem ]; then
+ read -p "$(pwd)/self.pem aleady exists, overwrite? (Y/N) " overwrite
+ if [ "$overwrite" != "Y" ]; then
+ echo "Not overwriting $(pwd)/self.pem"
+ exit 1
+ fi
+ fi
+ echo "Generating Certificate for: ${SELF_SIGN}"
+ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out self.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=NoVNC/L=NoVNC/O=NoVNC/OU=NoVNC/CN=${SELF_SIGN}"
+
 CERT=$(pwd)/self.pem
 KEY=$(pwd)/key.pem
- echo "Forcing SSL"
- SSLONLY="--ssl-only"
 fi
 # Find self.pem
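Review bot: The condition `[ -n "$CERT" ] || [ -n "$KEY" ] && [ -n "$SELF_SIGN" ]` in the first hunk gives the intended result only because the shell treats `||` and `&&` as equal-precedence and left-associative, which most readers will not assume; grouping makes it explicit: `if { [ -n "$CERT" ] || [ -n "$KEY" ]; } && [ -n "$SELF_SIGN" ]; then`. The message has a typo (`and incompatible` should read `are incompatible`) and is printed to stdout, while diagnostics belong on stderr (`>&2`). If `usage` itself exits (its body is outside this hunk), the `exit 1` after it is never reached.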
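Review bot: With the `SSLONLY="--ssl-only"` assignment removed in the second hunk, `--self-sign` generates a certificate but, as far as this hunk shows, the proxy keeps accepting unencrypted connections unless the caller separately asks for SSL-only mode; the `--self-sign` help text should say so, or the flag should keep SSL-only as its default. The new `read -p` prompt makes every start with an existing `self.pem` interactive: under a service manager or in a container `read` gets no input, `overwrite` stays empty and the script exits 1, where PATCH 1/2 reused the existing pair. The prompt also guards only `self.pem` while `key.pem` is overwritten unconditionally, and the unencrypted key (`-nodes`) is written to the working directory, which should be confirmed not to be the directory served through `--web`. Smaller points: `command -v openssl >/dev/null 2>&1` is the portable replacement for `which` plus `$?`, and the exit status of `openssl req` is not checked before `CERT` and `KEY` are set.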