[winswitch] Properly setting XPRA HTML5

Mukul Agrawal mukulagrawal78 at yahoo.com
Tue Aug 30 15:44:26 BST 2016


Thanks. Just one more clarification. Any chance I can get end-to-end AES encryption in this setup (i.e. several Xpra servers and Xpra Proxy with several clients connected)? Meaning, can I have encryption from server1 to client1 and server2 to client2? Can multifile contain AES keys? Instead of passwords, can the proxy resolve the users based on AES keys?
 Regards, 
Mukul 
( https://sites.google.com/site/mukulagrawal ) 

    On Tuesday, August 30, 2016 1:40 AM, Antoine Martin via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
 

 On 30/08/16 14:04, Mukul Agrawal via shifter-users wrote:
> I have a couple more questions.
> 
> 
>  I would like to modify your detailed example at :- 
> https://xpra.org/trac/wiki/ProxyServer
> 
> 1. Can I use AES encryption with xpra proxy? (AES key transport is not an issue for me.)
Yes.

> I am guessing I will still need to use multifile to figure out which user has access to which proxied session?
Correct.

> Something like following :-
> 
>  xpra proxy :100 --bind-tcp=0.0.0.0:443 --tcp-encryption=AES --tcp-encryption-keyfile=key.txt --auth=multifile:filename=./xpra-auth
> xpra attach tcp:$PROXYHOST:443 --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt --username=myusername --password-file=./password.txt
> 
> 2. In my case, several Xpra servers are running on the same machine with different display numbers. Xpra proxy will also run on the same machine. I do not like to open so many ports for xpra server instance to the external world. Any alternative suggestion?
SSH mode only requires the SSH port, but then you would also have to
restrict the user accounts to only be able to execute the xpra command.

> Can these servers be attached to unix domain sockets instead and can still be proxied?
> xpra start :10 --bind=socket1
> xpra start :11 --bind=socket2
The multifile can contain display information in the same format as the
client connection string. ie:
:DISPLAY
ssh/username:password@host:SSHPORT/DISPLAY
tcp/host:port/
ssl/host:port/

PS: not tested recently, but this re-uses the same code as the client.

Cheers
Antoine

> 
>  Regards, 
> Mukul ( https://sites.google.com/site/mukulagrawal ) 
> 
>    On Monday, August 29, 2016 10:06 AM, Mukul Agrawal via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
>  
> 
>  I am running several instances of XPRA servers, each listening on a certain display number on a remote Ubuntu machine.
> Each instance is binding to a different TCP port in the range of 1000 to 1050. When I connect using a web browser on my local laptop to the same-IP-address:different-ports, I can see the graphics being streamed on these different display numbers.
> 
> Now, I don't really want to serve any other webpages. I just want to see XPRA traffic in the web browser on the client side -- nothing else. In fact, I would prefer to stop/filter any request for non-xpra traffic. Do you have any recommendation on how to best set it up? 
> 
> Also what is the best choice for me to make it as secure and as authenticated as possible? Specifically, which option flags should I use while starting the server?
> 
> Considering my application (i.e. only xpra-traffic and no other web applications being served) , do you see any pro/cons of using a standard web-server (such as apache) instead of the server that comes with web-sockify. Either from security point of view or any other?
> 
> Thanks, greatly appreciate any pointers or advice.
> 
>  Regards, 
> Mukul 
> ( https://sites.google.com/site/mukulagrawal )
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
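The display target forms listed in the reply above can be checked before they go into the auth file. The following is an added example, not code from the thread or from the Xpra project: it parses only the four forms quoted above, and the two policy checks (plain `tcp` only to loopback, no SSH password stored inline) are assumptions chosen to match the goal of not exposing extra ports. The sample targets are constructed.

```python
import ipaddress
import re

# Only the four target forms quoted in the reply are recognised.
_LOCAL = re.compile(r"^:(?P<display>\d+)$")
_NET = re.compile(r"^(?P<mode>tcp|ssl)/(?P<host>[^:/]+):(?P<port>\d+)/$")
_SSH = re.compile(r"^ssh/(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
                  r"(?P<host>[^:/@]+)(?::(?P<port>\d+))?/(?P<display>\d*)$")

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames cannot be judged offline: treat as remote

def audit_target(target):
    """Return (mode, findings) for one display target string."""
    target = target.strip()
    if _LOCAL.match(target):
        return "local", []
    m = _NET.match(target)
    if m:
        findings = []
        # Assumed policy: unencrypted tcp must stay on the proxy host itself.
        if m["mode"] == "tcp" and not is_loopback(m["host"]):
            findings.append("plain tcp to a non-loopback host")
        return m["mode"], findings
    m = _SSH.match(target)
    if m:
        # Assumed policy: a password embedded in the target is a stored secret.
        findings = ["ssh password stored in the auth file"] if m["password"] is not None else []
        return "ssh", findings
    return "unknown", ["unrecognised target form"]

# Constructed sample targets (documentation addresses, not real hosts).
SAMPLES = [":10", "tcp/127.0.0.1:1001/", "tcp/192.0.2.10:1002/",
           "ssl/192.0.2.10:1003/", "ssh/alice:secret@192.0.2.10:22/11",
           "ssh/bob@192.0.2.10:22/12", "http/192.0.2.10:80/"]

if __name__ == "__main__":
    for t in SAMPLES:
        mode, findings = audit_target(t)
        print(f"{t:40} {mode:8} {'; '.join(findings) or 'ok'}")
```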