VNC and Apache Reverse Proxy

Christopher Tesla christophert "at" cellulargenomics.com
Mon, 07 Jan 2002 15:12:15 +0000


Okay, here's a doozy:
 
I have several Windows 2000 servers all running VNC as a service.  I normally
invoke the viewer from my workstation to control the servers, but I want to
create a web-based system where I and other administrators can access the
servers remotely using the java client.
 
I am able to connect to all the servers via IE5.5sp2 while on the LAN by using
http://servername:5800.  I have also created static routes to the individual
servers in our Cisco router and can connect to each server from the outside by
browsing to http://externalstaticrouteaddress:5800.
 
What I am trying to do is eliminate the many static routes (or port mappings
as you may call them) and create a single path through the router to a web
page that then lists the available servers, and allow users to click on
specific links to the java client on specific servers.  I also want to do this
securely.
 
I am running a Windows 2000 server with Apache 1.3 and IIS 5.0.  I am using
SSL and Basic Windows Auth to control access to a web page that, based on the
user's login, shows a list of servers running VNC that the user is allowed to
access.  So when the user is at home they can browse to
https://externalstaticroute and make a secure connection to our server, where
they then see a list like vncserveralpha, vncserverbeta, etc.  Each of those
links points to http://vncserver:5800.
 
I am using the Reverse Proxy functions of Apache to allow the users access to
those servers.  The only problem is that when they click on the link they get
the standard gray window and "Applet vncviewer class vncviewer could not be
loaded" error.  This happens on the LAN as well as from the outside world.
What is interesting is that when working on the LAN if I browse to
http://apacheserver/vncserver (which should proxy forward to
http://vncserver:5800) I get the error, but if I browse directly to
http://vncserver:5800 it works just fine.  Obviously something is acting funny
in the Apache config.
 
Has anyone run the VNC java viewer through a reverse proxy situation before?
For those that are interested, here are the reverse proxy directives I am
using:
 
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
   ProxyRequests On
 
    <Directory proxy:*>
        Order allow,deny
        Allow from all
        Deny from none
    </Directory>
 
    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via:
headers)
    # Set to one of: Off | On | Full | Block
    #
    ProxyVia Off
 
    AllowCONNECT 5800 5900 443
 
    ProxyPass   /vncserver    http://vncserver:5800
    ProxyPassReverse /vncserver    http://vncserver:5800
 

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "C:/Program Files/Apache Group/Apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com
 
</IfModule>
# End of proxy directives.
 
 
It seems like the contact to the server on port 5800 is working fine, but
maybe info is not being passed back.  Has anyone every run into this kind of
problem before?
 
Thanks a lot, this is a great product and a great list!
 
C-ya
Chris T
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------