Which version of Nova are you running? Are we talking about TLS from the user to the proxy, from the proxy to the hypervisor, or both?

TLS from the user to the proxy has been supported for a long time. The SPICE implementation added TLS support for traffic between the proxy and the hypervisor relatively recently on the hypervisor side, but I would be surprised [1] if the HTML5 proxy supported it.

https://review.opendev.org/c/openstack/nova/+/922544 is the specific patch I am referring to, which landed in 2024.2.

Michael

1: my reading of the proxy code is that it does not, but I look forward to being surprised by some subtleties I've missed.

On Tue, Mar 18, 2025 at 2:39 AM Jani Heikkinen <jani.heikkinen@bfh.ch> wrote:
Dear OpenStack community,

I would be happy to hear if anybody has configured the SPICE or noVNC
console with TLS.

Is this possible using spicehtml5proxy?


As far as I know, it is easy to set up TLS up to the server running
spicehtml5 (or noVNC).

And according to the WebSocket documentation, it will only establish itself
over an existing HTTP connection.

How does the proxy actually form this connection? Is it possible to pass TLS
certificates to it?


My requirement would also be that self-signed certificates are a no-go.


Best, and thanks, Jani

--
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Jani Heikkinen
IT Linux Engineer
___________________________________________________________
Dammweg 3, CH-3013 Bern
Telefon direkt +41 31 848 68 14
Telefon Servicedesk +41 31 848 48 48
jani.heikkinen@bfh.ch