[winswitch] Properly setting XPRA HTML5

Antoine Martin antoine at nagafix.co.uk
Tue Aug 30 09:29:36 BST 2016 

On 30/08/16 00:03, Mukul Agrawal via shifter-users wrote:
> I am running several instances of XPRA servers each listening to certain display number on a remote Ubuntu machine.
> Each instance is binding to different TCP port in the range of 1000 to 1050.When I connect using web-browser on my local laptop to the same-IP-address:different-ports, I can see the graphics being streamed on these different display numbers.
> 
> Now, I dont really want to server any other webpages. I just want to see XPRA traffic on web browser on the client side -- nothing else. In fact, I would prefer to stop/filter any request to access for non-xpra traffic. Do you have any reccomendation on how to best set it up? 
By default, the built-in webserver only serves the web content required
for using the HTML5 client and nothing more.

Each TCP port you listen on will handle xpra's protocol, optionally
wrapped in websockets when "--html=on".

Removing TCP support and keeping websockets only would not be very
useful in securing anything as the websockets are just a wrapper layer
around TCP.

> Also what is the best choice for me to make it as secure and as authenticated as possible? Specifically, which option flags should I use while starting the server?
Difficult question to answer without knowing the specific use case and
how you intend to send the authentication credentials to your clients.

> Considering my application (i.e. only xpra-traffic and no other web applications being served) , do you see any pro/cons of using a standard web-server (such as apache) instead of the server that comes with web-sockify. Either from security point of view or any other?
OTOH.

Pros: a lot more flexibility:
* you can configure your apache server with many more modules (ie:
redirect, authentication, etc)
* the websocket modules for apache might be more efficient than websockify
* you could completely hide xpra's sockets (TCP bind it to 127.0.0.1
only, or even use unix domain sockets - this may require netcat) - this
way only HTTP authenticated users can end up sending traffic to the xpra
server running behind apache
* enable SSL for websockets (work in progress for the builtin websockify
handler)

Cons:
* much harder to setup as this will require manual configuration for
everything

> Thanks, greatly appreciate any pointers or advice.

Cheers
Antoine

> 
>  Regards, 
> Mukul 
> ( https://sites.google.com/site/mukulagrawal )
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
>

More information about the shifter-users mailing list