Which version of Nova are you running? Are we talking about TLS from the user to the proxy, from the proxy to the hypervisor, or both?

TLS from the user to the proxy has been supported for a long time. The SPICE implementation added TLS support for traffic between the proxy and the hypervisor relatively recently on the hypervisor side, but I would be surprised [1] if the HTML5 proxy supported it.

https://review.opendev.org/c/openstack/nova/+/922544 is the specific patch I am referring to, which landed in 2024.2.

Michael

1: my reading of the proxy code is that it does not, but I look forward to being surprised by some subtleties I've missed.

On Tue, Mar 18, 2025 at 2:39 AM Jani Heikkinen <jani.heikkinen@bfh.ch> wrote:
Dear OpenStack community,
I would be happy to hear if anybody has configured a SPICE or noVNC console with TLS.
Is this possible using spicehtml5proxy?
As far as I know, it is easy to set up TLS up to the server running spicehtml5 (or noVNC).
And according to the WebSockets documentation, it will only establish itself over an existing HTTP connection.
How does the proxy actually form this connection? Is it possible to pass TLS certificates to it?
My requirement would also be that self-signed certificates are a no-go.
Best, and thanks, Jani
--
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Jani Heikkinen
IT Linux Engineer
Dammweg 3, CH-3013 Bern
Telefon direkt +41 31 848 68 14
Telefon Servicedesk +41 31 848 48 48
jani.heikkinen@bfh.ch