[winswitch] Properly setting XPRA HTML5

Antoine Martin antoine at nagafix.co.uk
Wed Aug 31 04:56:42 BST 2016


On 30/08/16 21:44, Mukul Agrawal via shifter-users wrote:
> Thanks. Just one more clarification.
> Any chance, I can get end-to-end AES encryption in this setup (i.e. several Xpra server and Xpra Proxy with several clients connected)?
> Meaning, can I have encryption from server1 to client1 and server2 to client2?
The encryption is from client to proxy only.

> Can multifile contain AES keys?
Not at present.

You can use different authentication credentials from proxy to server:
http://xpra.org/trac/ticket/1264#comment:3

With the current trunk version you may be able to use an SSL encryption
layer:
http://xpra.org/trac/ticket/1252#comment:3
by specifying an SSL display string of the form:
ssl:HOST:PORT
in your multifile.
(I have not tested this particular combination)

> Instead of passwords can proxy resolve the users based on AES keys?
No

Cheers
Antoine


>  Regards, 
> Mukul 
> ( https://sites.google.com/site/mukulagrawal ) 
> 
>     On Tuesday, August 30, 2016 1:40 AM, Antoine Martin via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
>  
> 
>  On 30/08/16 14:04, Mukul Agrawal via shifter-users wrote:
>> I have a couple more questions.
>>
>>
>>   I would like to modify your detailed example at :- 
>> https://xpra.org/trac/wiki/ProxyServer
>>
>> 1. Can I use AES encryption with xpra proxy? (AES key transport is not an issue for me.)
> Yes.
> 
>> I am guessing I will still need to use multifile to figure which user has access to which proxied session?
> Correct.
> 
>> Something like following :-
>>
>>   xpra proxy :100 --bind-tcp=0.0.0.0:443 --tcp-encryption=AES --tcp-encryption-keyfile=key.txt --auth=multifile:filename=./xpra-auth
>> xpra attach tcp:$PROXYHOST:443 --tcp-encryption=AES --tcp-encryption-keyfile=./key.txt --username=myusername --password-file=./password.txt
>>
>> 2. In my case, several Xpra servers are running on the same machine with different display numbers. Xpra proxy will also run on the same machine. I do not like to open so many ports for xpra server instance to the external world. Any alternative suggestion?
> SSH mode only requires the SSH port, but then you would also have to
> restrict the user accounts to only be able to execute the xpra command.
> 
>> Can these servers be attached to unix domain sockets instead and can still be proxied?
>> xpra start :10 --bind=socket1
>> xpra start :11 --bind=socket2
> The multifile can contain display information in the same format as the
> client connection string. ie:
> :DISPLAY
> ssh/username:password@host:SSHPORT/DISPLAY
> tcp/host:port/
> ssl/host:port/
> 
> PS: not tested recently, but this re-uses the same code as the client.
> 
> Cheers
> Antoine
> 
>>
>>   Regards, 
>> Mukul ( https://sites.google.com/site/mukulagrawal ) 
>>
>>     On Monday, August 29, 2016 10:06 AM, Mukul Agrawal via shifter-users <shifter-users at lists.devloop.org.uk> wrote:
>>   
>>
>>   I am running several instances of XPRA servers each listening to certain display number on a remote Ubuntu machine.
>> Each instance is binding to different TCP port in the range of 1000 to 1050. When I connect using web-browser on my local laptop to the same-IP-address:different-ports, I can see the graphics being streamed on these different display numbers.
>>
>> Now, I don't really want to serve any other webpages. I just want to see XPRA traffic on web browser on the client side -- nothing else. In fact, I would prefer to stop/filter any request to access for non-xpra traffic. Do you have any recommendation on how to best set it up?
>>
>> Also what is the best choice for me to make it as secure and as authenticated as possible? Specifically, which option flags should I use while starting the server?
>>
>> Considering my application (i.e. only xpra-traffic and no other web applications being served), do you see any pro/cons of using a standard web-server (such as apache) instead of the server that comes with web-sockify. Either from security point of view or any other?
>>
>> Thanks, greatly appreciate any pointers or advice.
>>
>>   Regards, 
>> Mukul 
>> ( https://sites.google.com/site/mukulagrawal )
>> _______________________________________________
>> shifter-users mailing list
>> shifter-users at lists.devloop.org.uk
>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 
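
Added example (not part of the original thread, and not Xpra project code): because the reply above states that AES covers only the client-to-proxy leg, this Python script audits a multifile for proxy-to-server display strings that would cross the network as plain tcp. The field layout username|password|uid|gid|displays|env_options|session_options, the comma-separated displays field, the '#' comment handling and the sample entries are assumptions, not taken from the thread.

```python
import ipaddress

# Constructed sample. Assumed field layout (not stated in the thread):
# username|password|uid|gid|displays|env_options|session_options
SAMPLE_MULTIFILE = """\
alice|pw1|1000|1000|:10||
bob|pw2|1001|1001|tcp/127.0.0.1:1001/||
carol|pw3|1002|1002|tcp/10.0.0.5:1002/,ssl:10.0.0.5:1443||
dave|pw4|1003|1003|ssh/dave@10.0.0.6:22/11||
"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify: treat as remote

def classify(display):
    """Return (transport, verdict) for the proxy-to-server leg."""
    if display.startswith(":"):
        return "local", "ok"          # local display socket, never on the wire
    # Accept both spellings seen in the thread: tcp/host:port/ and ssl:HOST:PORT
    for sep in ("/", ":"):
        mode, found, rest = display.partition(sep)
        if found and mode in ("tcp", "ssl", "ssh"):
            break
    else:
        return "unknown", "review"
    if mode in ("ssl", "ssh"):
        return mode, "ok"             # transport is encrypted by its own layer
    host = rest.strip("/").rpartition("@")[2].rsplit(":", 1)[0]
    return "tcp", ("ok" if is_loopback(host) else "cleartext")

def audit(text):
    """List (username, display, transport, verdict) for every non-ok entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # assumed comment syntax
            continue
        fields = line.split("|")
        displays = fields[4].split(",") if len(fields) > 4 else ["<missing>"]
        for display in filter(None, (d.strip() for d in displays)):
            transport, verdict = classify(display)
            if verdict != "ok":
                findings.append((fields[0], display, transport, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MULTIFILE):
        print(*finding)
```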



