Abiquo 5.2

Skip to end of metadata
Go to start of metadata

The purpose of this proxy is to allow remote access to VMs in VCenter/ESXi architectures. This is done via Secure WebSocket protocol using the VMware VNC implementation over WSS (WebMKS). Basically we request a ticket to the vCenter API and with this ticket we can request VM remote access data to the ESXi host via WSS. The connection to the Abiquo Server is passed by the Apache proxy to an nginx proxy on the Remote Services.

Before you begin:

  1. Brand the WebMKS interface as required. See Branding WMKS.

To install the WebMKS Proxy:

  1. On the API server,

    1. If the mod_proxy_wstunnel module is not enabled in Apache, install and load it

    2. Edit the /etc/httpd/conf.d file and add one Location for each Remote services server. For example, for three servers:

      <Location /wsdata>
          ProxyPass wss://rs1.cloud.example.com:7070 ttl=20 timeout=20
          ProxyPassReverse wss://rs1.cloud.example.com:7070
          Require all granted
      </Location>
      <Location /wsdata2>
          ProxyPass wss://rs2.cloud.example.com:7070 ttl=20 timeout=20
          ProxyPassReverse wss://rs2.cloud.example.com:7070
          Require all granted
      </Location>
      <Location /wsdata3>
          ProxyPass wss://rs3.cloud.example.com:7070 ttl=20 timeout=20
          ProxyPassReverse wss://rs3.cloud.example.com:7070
          Require all granted
      </Location>
    3. Edit the /etc/httpd/conf.d/abiquo.conf file and add SSL Proxy Engine

      SSLProxyEngine On
    4. Check the DNS values in the /etc/resolv.conf

  2. On each Remote Services server of each DC where you will use a WebMKS proxy
    1. Install the package

      yum install abiquo-webmks-proxy

      This will install NGINX and its configuration files, and also enable it in systemctl. 

    2. Review and edit the configuration at /etc/nginx/nginx.conf

      1. The port to listen on is 7070 but you can change this

      2. It uses the SSL certificates from the UI to keep trust. Check that the nginx can reach the ssl_certificate and ssl_certificate_key file

      3. In case the ESXi returns a domain name, configure your DNS servers for the location with the resolver values
      4. If this is a distributed environment and api server has another IP, server_name should be "_"
       Click here to expand...
      worker_processes  1;
       
      events {
          worker_connections  1024;
      }
       
      
      http {
          include       mime.types;
          default_type  application/octet-stream;
       
          sendfile        on;
       
          keepalive_timeout  100;
       
          server {
              listen       7070 ssl;
              server_name  localhost;
              ssl_certificate      /etc/pki/abiquo/cloud.example.com.crt;
              ssl_certificate_key  /etc/pki/abiquo/cloud.example.com.key;
       
              ssl_session_cache    shared:SSL:1m;
              ssl_session_timeout  5m;
       
              ssl_ciphers  HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers  on;
       
              location / {
                  proxy_pass https://$arg_ip:443;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "Upgrade";
      			resolver 10.95.11.5 10.95.11.6;
              }
          }
      }
    3. If this is a distributed environment (api server has a different IP address), it will be necessary to add these two firewall rules on the RS:

      Firewall rules
      firewall-cmd --permanent --zone=public --add-port=7070/tcp
      firewall-cmd --permanent --zone=public --add-port=7070/udp
    4. Enable WebMKS for Remote access. 

      1. To switch from VNC to WebMKS, see Enable WebMKS for vCenter

      2. OR for an environment without VNC, see Configure WebMKS for vCenter

  • No labels