Feature Request - Authentication

[Masong19hippows]

Might be a cool thing to add - authentication so that you have to type a username/password into the webUI in order to access noVNC

[slaygirlz]

disable the port the web access should not be used only rdp

[kroese]

Hi,

Thanks for the suggestion. However adding password authentication via nginx would not really help, because all that viewer does is to connect to the VNC port of QEMU which has no password. And yes, it is possible to also set a password on the VNC port, but its not very useful:

The VNC protocol has limited support for password based authentication. Since the protocol limits passwords to 8 characters it should not be considered to provide high security. The password can be fairly easily brute-forced by a client making repeat connections.

Also, you can connect via RDP without password, so the issue is not exclusive to VNC. I did this to keep the container easy to use and because I do not expect people to use this container for anything really important except for some short experiments.

If anyone wants to make it more secure, the simple solution is that they change the Windows password for the Docker user. This will also prevent mis-use of the VNC port as you would not be able to use the viewer without logging in to Windows.

[Masong19hippows]

I completely understand if you don't want to implement this, however I do want to correct a couple of things because I don't think you quite understand the feature request in regards to a setup like mine.

The VNC port does not have a password on it, but it is only limited to localhost being able to access it. So, you would need terminal/gui access to the server in order for this to actually matter. On my system where I recently installed this using the default docker compose file, port 5900 is limited to 127.0.0.1. This means that for any other device connecting to the server over the network, they won't actually be able to connect to the VNC port. So, it would make sense to provide authentication via ngnix instead of the VNC server because I like the VNC server port, the webUI is available to anyone on the network to connect to.

I wasn't really concerned about rdp since I don't use it. I actually removed the port forward in the docker compose file for it because I would rather use the webUI.

If anyone wants to make it more secure, the simple solution is that they change the Windows password for the Docker user. This will also prevent mis-use of the VNC port as you would not be able to use the viewer without logging in to Windows.

Does this make it so that the windows part doesn't auto-login? I have not tried it, so I would not know.

@progamer562

disable the port the web access should not be used only rdp

lol no. This is literally the feature/reason I am using this project.

[kroese]

Yes, you are right that in the example compose file port 5900 is not included. But if you include it, it allows VNC access without a password, so it would bypass any nginx authentication in that case. It is only limited to localhost because the port is not forwarded in the compose file.

You are also right about the auto-login. I guess that changing the password will still keep the auto-login, so you would need to create a new user account and remove the user called Docker to prevent it.

I will see if I can find time to add this feature. But it's a bit complicated because right now I use a fixed nginx.conf file ( https://github.com/qemus/qemu-docker/blob/master/web/nginx.conf ) that is not dynamicly generated at run-time. To include a password there, means that I would need to have code that modifies that config file while the container starts.

If you are familar with nginx, you can already provide a custom config file yourself by modifying the above file and then overriding it in the compose file by adding:

volumes:
  - /example/custom.conf:/etc/nginx/sites-enabled/web.conf

That way you can set basic authentication yourself.

[Masong19hippows]

I gotcha. Thanks, I will try that out!!!

[kroese]

If you create a config file that works, please post it here so that other people can use it when they want authentication.

[Masong19hippows]

So I just did this. Here is how I did it.

In my docker compose file, I have the windows storage mounted to a local path and then I just copied the default nginx config from the container to this windows storage. I edited the file and then specified in volumes that the nginx config point to the path that the windows storage was locally mounted. Here is the docker compose file.

volumes: - /home/user/windows:/storage - /home/user/windows/web.conf:/etc/nginx/sites-enabled/web.conf

In the nginx file, I just added 2 lines at the beginning of the file that added the auth module and specified where the authentication file is. Then, I added the authentication file to the local windows path so that I could easily edit it without opening the container.

Command to create auth file.
sudo htpasswd -c /home/user/windows/.htpasswd user

web.conf file
` server {

**auth_basic           "Administrator’s Area";
auth_basic_user_file /storage/.htpasswd;**

listen 80;
listen [::]:80;
listen 8006 default_server;
listen [::]:8006 default_server;

autoindex on;
tcp_nodelay on;
server_tokens off;
absolute_redirect off;

error_log /dev/null;
access_log /dev/null;

include /etc/nginx/mime.types;

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 500;
gzip_disable "msie6";
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

add_header Cache-Control "no-cache";

location / {

  root /run/shm;

  if ( -f /run/shm/index.html) {
    break;
  }

  try_files /index.html @vnc;
}`

[kroese]

Great! Im sure your guide will come in handy for somebody else in the future!

[MuMu360121]

So I just did this. Here is how I did it.

In my docker compose file, I have the windows storage mounted to a local path and then I just copied the default nginx config from the container to this windows storage. I edited the file and then specified in volumes that the nginx config point to the path that the windows storage was locally mounted. Here is the docker compose file.

volumes: - /home/user/windows:/storage - /home/user/windows/web.conf:/etc/nginx/sites-enabled/web.conf

In the nginx file, I just added 2 lines at the beginning of the file that added the auth module and specified where the authentication file is. Then, I added the authentication file to the local windows path so that I could easily edit it without opening the container.

Command to create auth file. sudo htpasswd -c /home/user/windows/.htpasswd user

web.conf file ` server {

**auth_basic           "Administrator’s Area";
auth_basic_user_file /storage/.htpasswd;**

listen 80;
listen [::]:80;
listen 8006 default_server;
listen [::]:8006 default_server;

autoindex on;
tcp_nodelay on;
server_tokens off;
absolute_redirect off;

error_log /dev/null;
access_log /dev/null;

include /etc/nginx/mime.types;

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 500;
gzip_disable "msie6";
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

add_header Cache-Control "no-cache";

location / {

  root /run/shm;

  if ( -f /run/shm/index.html) {
    break;
  }

  try_files /index.html @vnc;
}`

can you just give a detail guide about this so I can do like you