summaryrefslogtreecommitdiffstats
path: root/classes/ssl/proxy.vnc
blob: a1d6d760308dcc4cf11c22dd90a26d34031a80df (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<!-- 
     index.vnc - default HTML page for TightVNC Java viewer applet, to be
     used with Xvnc. On any file ending in .vnc, the HTTP server embedded in
     Xvnc will substitute the following variables when preceded by a dollar:
     USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,
     PARAMS. Use two dollar signs ($$) to get a dollar sign in the generated
     HTML page.

     NOTE: the $PARAMS variable is not supported by the standard VNC, so
     make sure you have TightVNC on the server side, if you're using this
     variable.
-->

<!--
The idea behind using the signed applet in SignedVncViewer.jar for
firewall proxies:

Java socket applets and http proxies do not get along well.

Java security allows the applet to connect back via a socket to the
originating host, but the browser/plugin Proxy settings are not used for
socket connections (only http and the like).  So the socket connection
fails in the proxy environment.

The applet is not allowed to open a socket connection to the proxy (since
that would let it connect to just about any host, e.g. CONNECT method).

This is indpendent of SSL but of course fails for that socket connection
as well.  I.e. this is a problem for non-SSL VNC Viewers as well.

Solution?  Sign the applet and have the user click on "Yes" that they
fully trust the applet.  Then the applet can connect to any host via
sockets, in particular the proxy.  It next issues the request

	CONNECT host:port HTTP/1.1
	Host: host:port

and if the proxy supports the CONNECT method we are finally connected to
the VNC server.

For SSL connections, SSL is layered on top of this socket.  However note
this scheme will work for non-SSL applet proxy tunnelling as well.

It should be able to get non-SSL VNC connections to work via GET
command but that has not been done yet.

Note that some proxies only allow CONNECT to only these the ports 443
(HTTPS) and 563 (SNEWS).  So you would have to run the VNC server on
those ports.

SignedVncViewer.jar is just a signed version of VncViewer.jar

The URL to use for this file:  https://host:port/proxy.vnc

Note VNCSERVERPORT, we assume $PARAMS will have the correct PORT setting
(e.g. 563), not the one libvncserver puts in....

-->


<HTML>
<TITLE>
$USER's $DESKTOP desktop ($DISPLAY)
</TITLE>
<APPLET CODE=VncViewer.class ARCHIVE=SignedVncViewer.jar
        WIDTH=$APPLETWIDTH HEIGHT=$APPLETHEIGHT>
<param name=VNCSERVERPORT value=$PORT>
<param name="Open New Window" value=yes>
$PARAMS
</APPLET>
<BR>
<A href="http://www.tightvnc.com/">TightVNC site</A>
</HTML>