Misc access control enhancements #591

Open
abcbarryn opened this issue Feb 6, 2025 · 9 comments
Labels
feature New feature or request

Comments

@abcbarryn

Is your feature request related to a problem? Please describe.
There is no access control to restrict access to the proxy.
It would also be nice to be able to completely disable the web server portion and just enable the wss: proxy only.

Describe the solution you'd like
Maybe support for running the proxy from inetd/xinetd then TCP wrappers could be leveraged.

Describe alternatives you've considered
Or add built-in support to restrict the client IPs that are allowed to connect.

Additional context
I am trying to improve the security of this excellent software! :)

@CendioOssman CendioOssman transferred this issue from novnc/noVNC Feb 7, 2025
@CendioOssman
Member

websockify is a bit of a toy server, so it lacks many features you'd expect from a production server. Like this one.

It does support only doing WebSocket proxying, though. Simply don't include the --web argument.

@CendioOssman CendioOssman added the feature New feature or request label Feb 7, 2025
@abcbarryn
Author

abcbarryn commented Feb 7, 2025

According to the help screen (and my experience) leaving out the --web argument does not disable the web server, it just defaults the directory to the current directory. I have worked around this for now by pointing it to an almost empty folder, but it requires vnc.html to exist, so I created an empty vnc.html file. That's not an ideal solution though.

    --web WEB             Path to web files (e.g. vnc.html)
                          Default: ./

@abcbarryn
Author

Running with these arguments definitely does NOT disable the web server. Note there is no --web.

novnc_proxy --vnc 127.0.0.1:5900 --ssl-only --listen 192.168.0.254:6080

@abcbarryn
Author

Here is some of the rather persistent code that insists on having a vnc.html and loading a web server...

# Find vnc.html
if [ -n "${WEB}" ]; then
    if [ ! -e "${WEB}/vnc.html" ]; then
        die "Could not find ${WEB}/vnc.html"
    fi
elif [ -e "$(pwd)/vnc.html" ]; then
    WEB=$(pwd)
elif [ -e "${HERE}/../vnc.html" ]; then
    WEB=${HERE}/../
elif [ -e "${HERE}/vnc.html" ]; then
    WEB=${HERE}
elif [ -e "${HERE}/../share/novnc/vnc.html" ]; then
    WEB=${HERE}/../share/novnc/
else
    die "Could not find vnc.html"
fi 

@abcbarryn
Author

Proposed patch...

--- noVNC-1.5.0/utils/novnc_proxy       2025-02-07 11:38:00.355963553 -0500
+++ noVNC-1.5.0/utils/novnc_proxy       2025-02-07 12:22:28.702594234 -0500
@@ -109,4 +109,16 @@
     esac
 done
+if [ -z "$WEB" ]
+then
+       WEB="`pwd`"
+       if [ ! -e "${WEB}/vnc.html" ]
+       then
+               WEB="$HERE/.."
+       fi
+fi
+if [ "$WEB" == "NONE" ]
+then
+       unset WEB
+fi

 if [ "$LISTEN" != "$PORT" ]; then
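Review bot: the new defaulting block assigns `WEB="$HERE/.."` without testing that `$HERE/../vnc.html` exists, so the only check left is the later `die "Could not find ${WEB}/vnc.html"`, which now rejects installs that keep vnc.html under `${HERE}/../share/novnc/` (the old search chain tried that path and `${HERE}/vnc.html` as well); carry those fallbacks into this block rather than dropping them. Using the literal string NONE as the off switch also means a directory really called NONE can never be served; a dedicated option (a `--no-web` flag, say, which is a suggestion and not part of the patch) would avoid the magic value and is easier to document in the help screen, which this patch does not update.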
@@ -136,14 +148,4 @@
         die "Could not find ${WEB}/vnc.html"
     fi
-elif [ -e "$(pwd)/vnc.html" ]; then
-    WEB=$(pwd)
-elif [ -e "${HERE}/../vnc.html" ]; then
-    WEB=${HERE}/../
-elif [ -e "${HERE}/vnc.html" ]; then
-    WEB=${HERE}
-elif [ -e "${HERE}/../share/novnc/vnc.html" ]; then
-    WEB=${HERE}/../share/novnc/
-else
-    die "Could not find vnc.html"
 fi

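Review bot: deleting the `${HERE}/vnc.html` and `${HERE}/../share/novnc/vnc.html` branches and the final `die "Could not find vnc.html"` quietly narrows the web-root search to `$(pwd)` and `$HERE/..`; if the goal is only to make the default overridable with `--web NONE`, keep these branches (or move them verbatim into the new defaulting block) so packaged installs keep working. A remaining `else` with its own `die` would also give a clearer message than the `Could not find $HERE/../vnc.html` a user now sees when the default guess is wrong.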
@@ -204,11 +206,16 @@

 # Make all file paths absolute as websockify changes working directory
-WEB=`realpath "${WEB}"`
+[ -n "${WEB}" ] && WEB="--web `realpath ${WEB}`"
 [ -n "${CERT}" ] && CERT=`realpath "${CERT}"`
 [ -n "${KEY}" ] && KEY=`realpath "${KEY}"`
 [ -n "${RECORD}" ] && RECORD=`realpath "${RECORD}"`

-echo "Starting webserver and WebSockets proxy on${HOST:+ host ${HOST}} port ${PORT}"
-${WEBSOCKIFY} ${SYSLOG_ARG} ${SSLONLY} ${FILEONLY_ARG} --web ${WEB} ${CERT:+--cert ${CERT}} ${KEY:+--key ${KEY}} ${LISTEN} ${VNC_DEST} ${HEARTBEAT_ARG} ${IDLETIMEOUT_ARG} ${RECORD:+--record ${RECORD}} ${TIMEOUT_ARG} ${WEBAUTH_ARG} ${AUTHPLUGIN_ARG} ${AUTHSOURCE_ARG} &
+if [ -n "$WEB" ]
+then
+    echo "Starting webserver and WebSockets proxy on${HOST:+ host ${HOST}} port ${PORT}"
+else
+    echo "Starting WebSockets proxy on${HOST:+ host ${HOST}} port ${PORT}"
+fi
+${WEBSOCKIFY} ${SYSLOG_ARG} ${SSLONLY} ${FILEONLY_ARG} ${WEB} ${CERT:+--cert ${CERT}} ${KEY:+--key ${KEY}} ${LISTEN} ${VNC_DEST} ${HEARTBEAT_ARG} ${IDLETIMEOUT_ARG} ${RECORD:+--record ${RECORD}} ${TIMEOUT_ARG} ${WEBAUTH_ARG} ${AUTHPLUGIN_ARG} ${AUTHSOURCE_ARG} &
 proxy_pid="$!"
 sleep 1
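Review bot: `WEB="--web `realpath ${WEB}`"` drops the quotes the original `realpath "${WEB}"` had, so a web directory whose path contains whitespace breaks before the flag is even assembled; keep `realpath "${WEB}"`. Folding the flag into the value is also out of step with the neighbouring `${CERT:+--cert ${CERT}}` style: `${WEB:+--web ${WEB}}` on the websockify command line would leave WEB a plain path, keep the realpath line parallel to the CERT/KEY/RECORD ones, and still let the `-n "$WEB"` tests work unchanged.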
@@ -223,9 +230,12 @@
 fi

-echo -e "\n\nNavigate to this URL:\n"
-if [ "x$SSLONLY" == "x" ]; then
+if [ -n "$WEB" ]
+then
+    echo -e "\n\nNavigate to this URL:\n"
+    if [ "x$SSLONLY" == "x" ]; then
     echo -e "    http://${HOST}:${PORT}/vnc.html?host=${HOST}&port=${PORT}\n"
-else
+    else
     echo -e "    https://${HOST}:${PORT}/vnc.html?host=${HOST}&port=${PORT}\n"
+    fi
 fi

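Review bot: the two unchanged `echo -e "    http...` and `https...` lines are now nested one level deeper but keep their 4-space indent, so they sit flush with the `if` that wraps them; re-indent them to match the new inner `fi`. Minor style point: the rest of the script writes `if ...; then` on one line (see `if [ "x$SSLONLY" == "x" ]; then` in this very hunk), while every block added by the patch puts `then` on its own line.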

@abcbarryn
Author

This adds the ability to set --web NONE to disable the web server, otherwise the web folder defaults to the folder where the software is installed as it does now. If you specify --web NONE it also alters the startup message.

@abcbarryn
Author

Now I just need to figure out (if I can) how to restrict access to a specific list of source IPs. For now I am just binding the server to a non-internet network interface.
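The built-in source-IP allowlist the issue asks for, as an added example rather than code from noVNC or websockify: a fail-closed check a proxy could run against each accepted connection's peer address. The function names, the constructed allowlist and the sample peer addresses are assumptions for this example; it also goes one step beyond the text by handling the dual-stack case, where an IPv6 listener reports IPv4 clients as IPv4-mapped addresses such as `::ffff:192.168.0.5`.

```python
# Added example: a fail-closed source-IP allowlist for a WebSocket proxy.
# Not websockify/noVNC code; the names and sample data below are assumptions.
import ipaddress
from typing import Dict, Iterable, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR blocks or single addresses into network objects.

    Blank lines and '#' comments are skipped. A bare address becomes a
    /32 or /128. Anything else raises ValueError, so a typo fails at
    startup instead of quietly admitting or blocking the wrong hosts.
    """
    nets: List[Network] = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def normalize_peer(addr: str) -> Address:
    """Turn a peer address string into an address object.

    A dual-stack listener reports IPv4 clients as IPv4-mapped IPv6
    (::ffff:192.168.0.5); unmap those so IPv4 allowlist entries still match.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(peer: str, allow: List[Network]) -> bool:
    """Fail closed: an empty allowlist or an unparsable peer means deny."""
    if not allow:
        return False
    try:
        ip = normalize_peer(peer)
    except ValueError:
        return False
    return any(ip in net for net in allow)


def filter_peers(peers: Iterable[str], allow: List[Network]) -> Dict[str, bool]:
    """Decide for a batch of peer addresses (useful for log review and tests)."""
    return {peer: is_allowed(peer, allow) for peer in peers}


# Constructed sample allowlist (hypothetical networks for this example).
ALLOWLIST_TEXT = [
    "192.168.0.0/24      # management LAN",
    "10.0.0.7            # a single jump host",
    "2001:db8::/32       # documentation prefix standing in for an IPv6 site",
    "",
]

# Constructed sample peers, in the form getpeername() would report them.
SAMPLE_PEERS = [
    "192.168.0.5",          # on the LAN: allow
    "::ffff:192.168.0.5",   # same client seen through a dual-stack socket: allow
    "192.168.1.5",          # adjacent /24, not listed: deny
    "10.0.0.7",             # exact single-host entry: allow
    "10.0.0.8",             # neighbour of the single host: deny
    "2001:db8:1::1",        # inside the IPv6 prefix: allow
    "not-an-address",       # garbage peer string: deny
]


def demo() -> Dict[str, bool]:
    """Run the constructed peers through the constructed allowlist."""
    allow = parse_allowlist(ALLOWLIST_TEXT)
    return filter_peers(SAMPLE_PEERS, allow)


if __name__ == "__main__":
    for peer, ok in demo().items():
        print(f"{peer:22s} {'ALLOW' if ok else 'DENY'}")
```

The check is deliberately strict: an empty allowlist denies everyone, an unparsable peer string denies, and a malformed allowlist entry raises when the list is loaded. In a real deployment the peer address would come from `socket.getpeername()` on the accepted connection (a forwarded-for header is only trustworthy when a reverse proxy you control sits in front), and binding the listener to an internal interface, as described above, remains a sound first layer underneath it.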

@CendioOssman
Member

The novnc_proxy script is a helper to easily test noVNC. If you want more advanced usage, you will likely need to start websockify directly.

@abcbarryn
Author

I have already developed a patch to add the option not to start the web server to the novnc_proxy script and posted it here. As I did so I realized that I could probably have called the other script directly, but I had already finished my changes. That, however, still leaves the question of specifying an access list.
