Feature #24884
Add option for VM VNC to listen on localhost only
Description
I'm using an SSH tunnel to securely connect to VNC from afar but I have concerns about VNC listening on all addresses. Could an option (default?) be added to have VNC listen on localhost?
Subtasks
Associated revisions
History
#1
Updated by Marcelo Araujo over 3 years ago
- Status changed from Unscreened to Screened
- Target version set to 11.1
#2
Updated by Marcelo Araujo over 3 years ago
- Status changed from Screened to Fix In Progress
#3
Updated by Marcelo Araujo over 3 years ago
- Priority changed from No priority to Important
#4
Updated by Marcelo Araujo over 3 years ago
Hi,
Thanks for the suggestion! Nice request!
So, it will appears in 11.1-RELEASE, now the feature is in Nightlies already.
Best,
#5
Updated by Marcelo Araujo over 3 years ago
- Status changed from Fix In Progress to Resolved
#6
Updated by Ross Morris over 3 years ago
Awesome - thanks!
#7
Updated by Dru Lavigne over 3 years ago
- Subject changed from VMs: Option for VNC to listen on localhost only to Add option for VM VNC to listen on localhost only
#8
Updated by Dru Lavigne over 3 years ago
- Target version changed from 11.1 to 11.1-BETA1
#9
Updated by Nick Wolff over 3 years ago
- QA Status Test Fails FreeNAS added
- QA Status deleted (
Not Tested)
There is no option for localhost in drop down list of ip addresses only 0.0.0.0 and interfaces on system currently
#10
Updated by Marcelo Araujo over 3 years ago
Nick Wolff wrote:
There is no option for localhost in drop down list of ip addresses only 0.0.0.0 and interfaces on system currently
You can't add VNC on localhost or otherwise external users can't access it.
So, the ticket title is a bit wrong, but before it was binding to all interfaces 0.0.0.0 and after these changes you can choose what IP you want to bind.
Best,
#11
Updated by Ross Morris over 3 years ago
Hey Marcelo,
I’m the one who opened the issue — I specifically wanted a localhost (127.0.0.1 and/or ::1) option for those of us using a SSH tunnel to securely connect to VNC from abroad instead of shuttling that VNC traffic over a non-secure connection. With SSH’s built-in tunneling option users (administrators) would still able to connect — even if bound to localhost. It also has the benefit of protecting the VNC instance from having its short (8 character maximum!) password bruteforced by the local network.
Marcelo Araujo wrote:
Nick Wolff wrote:
There is no option for localhost in drop down list of ip addresses only 0.0.0.0 and interfaces on system currently
You can't add VNC on localhost or otherwise external users can't access it.
So, the ticket title is a bit wrong, but before it was binding to all interfaces 0.0.0.0 and after these changes you can choose what IP you want to bind.Best,
#12
Updated by Nick Wolff over 3 years ago
With the case that was being requested he was doing ssh forwarding which is also included in many vnc clients which would would work with only binding to localhost.
Also after investigating this further this appears to only affect the web-vnc portion and not standard vnc binding and additionally when 0.0.0.0(wildcard) is set the web-vnc link leads to http://0.0.0.0:5801/vnc_auto.html which doesn't work.
Thanks for the quick responses and hard work on this.
#13
Updated by Marcelo Araujo over 3 years ago
Nick Wolff wrote:
With the case that was being requested he was doing ssh forwarding which is also included in many vnc clients which would would work with only binding to localhost.
Also after investigating this further this appears to only affect the web-vnc portion and not standard vnc binding and additionally when 0.0.0.0(wildcard) is set the web-vnc link leads to http://0.0.0.0:5801/vnc_auto.html which doesn't work.
Thanks for the quick responses and hard work on this.
For the case "http://0.0.0.0:5801/vnc_auto.html" seems a bug at django side (specifically at the link), it should point to NAS IP instead of 0.0.0.0.
If you don't mind, could you open a bug report about it?
Best,
Thanks,
#14
Updated by Ross Morris over 3 years ago
I see the ticket was updated to show resolved — was localhost added? I’m new to the FreeNAS workflow so not sure where I’d look for commits
#15
Updated by Marcelo Araujo over 3 years ago
- Status changed from Resolved to Screened
- Target version changed from 11.1-BETA1 to 11.1-RC1
OK, I'm reopen this ticket, because seems I misunderstood the request.
Thanks guys.
#16
Updated by Dru Lavigne over 3 years ago
- Target version changed from 11.1-RC1 to 11.1
#17
Updated by Kris Moore about 3 years ago
- Target version changed from 11.1 to 11.2-BETA1
#18
Updated by Marcelo Araujo about 3 years ago
- Status changed from Screened to Needs Developer Review
- Assignee changed from Marcelo Araujo to William Grzybowski
#19
Updated by William Grzybowski about 3 years ago
- Status changed from Needs Developer Review to Reviewed by Developer
- Assignee changed from William Grzybowski to Marcelo Araujo
#20
Updated by Dru Lavigne about 3 years ago
- Status changed from Reviewed by Developer to Ready For Release
#21
Updated by Ben Gadd about 3 years ago
- Status changed from Ready For Release to Done
#22
Updated by Dru Lavigne about 3 years ago
- Needs Merging changed from Yes to No
#23
Updated by Dru Lavigne almost 3 years ago
- Needs Doc changed from Yes to No
#24
Updated by Dru Lavigne almost 3 years ago
Bonnie: in the old UI, 127.0.0.1 is an option in the drop-down menu.
#25
Updated by Bonnie Follweiler almost 3 years ago
- Status changed from Done to Passed Testing
- Needs QA changed from Yes to No
- QA Status Test Passes FreeNAS added
- QA Status deleted (
Test Fails FreeNAS)
Test passed in FreeNAS-11-MASTER-201805010407
#26
Updated by Dru Lavigne over 2 years ago
- Severity set to New
Master PR: https://github.com/freenas/freenas/pull/568
#27
Updated by Dru Lavigne over 2 years ago
- Status changed from Passed Testing to Done