Please see the main notes on the Apache SSL VNC Portal for background and details.
This page contains some "simpler" Apache configuration directives. They were originally described on the main page and have been moved here for reference.

They require listing all of the allowed VNC servers in the httpd.conf and ssl.conf files (multiple times!). They do not use the RewriteMap external file containing the list of allowed VNC servers and display numbers. Instead of the newer RewriteMap, RewriteCond, RewriteRule method, they use the ProxyPass and ProxyRemoteMatch Apache directives to limit which hosts can be reached.
For httpd.conf:
        # In the global section you need to enable these modules.
        #
        LoadModule rewrite_module modules/mod_rewrite.so
        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_connect_module modules/mod_proxy_connect.so
        LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
        <IfDefine SSL>
        LoadModule ssl_module modules/mod_ssl.so
        </IfDefine>

        # Near the bottom of httpd.conf you put the port 563 virtual host:

        Listen 563

        <VirtualHost localhost:563>
                # This is a "bounce" failure target for the ProxyRemoteMatch below:
                # anything forwarded here is refused because proxying is off.
                #
                ProxyRequests Off
        </VirtualHost>

        <VirtualHost *:563>
                # Allow incoming proxy CONNECT requests to port 5915 *only*.
                # If the machines use different ports, e.g. 5916, list them here as well:
                #
                ProxyRequests On
                AllowCONNECT 5915

                RewriteEngine On

                # Convenience rules to expand applet parameters. These do not have a trailing "/"
                #
                RewriteRule /vnc/([^/]*)$ /vnc/$1/index.vnc?CONNECT=$1+5915&PORT=563&urlPrefix=_2F_vnc_2F_$1 [R,NE]
                RewriteRule /vnc/proxy/([^/]*)$ /vnc/$1/proxy.vnc?CONNECT=$1+5915&PORT=563&urlPrefix=_2F_vnc_2F_$1&forceProxy=yes [R,NE]
                RewriteRule /vnc/trust/([^/]*)$ /vnc/$1/index.vnc?CONNECT=$1+5915&PORT=563&urlPrefix=_2F_vnc_2F_$1&trustAllVncCerts=yes [R,NE]
                RewriteRule /vnc/trust/proxy/([^/]*)$ /vnc/$1/proxy.vnc?CONNECT=$1+5915&PORT=563&urlPrefix=_2F_vnc_2F_$1&forceProxy=yes&trustAllVncCerts=yes [R,NE]

                # This will fetch the jar file from port 5815 via http (not https)
                # (list all allowed x11vnc servers, host1, etc., here)
                #
                ProxyPass /vnc/host1/ http://host1:5815/
                ProxyPass /vnc/host2/ http://host2:5815/
                ProxyPass /vnc/host3/ http://host3:5815/
                ProxyPass /vnc/host4/ http://host4:5815/

                # Force a reject for any CONNECT not to the known list of x11vnc servers:
                # the viewer requests 'CONNECT host1:5915', so the "URL" starts with 'host1:'.
                # Any URL that does not start with one of the listed hosts (or with 'http:',
                # so that normal 'GET http://...' requests and the ProxyPass targets above
                # still go through) is forwarded to the ProxyRequests Off vhost and fails.
                # (list all allowed x11vnc servers here)
                #
                ProxyRemoteMatch ^(?!(host1|host2|host3|host4|http):) http://localhost:563/
        </VirtualHost>

Notice how the VNC server (x11vnc) hostnames, e.g. "host1", are listed in multiple places. You need to keep all of them in sync: a host added to the ProxyPass lines but not to the ProxyRemoteMatch alternation will have its CONNECT bounced, and a host added only to the ProxyRemoteMatch alternation will be reachable by CONNECT without a ProxyPass to fetch its applet.

Note also that with ProxyRequests On this virtual host is a forward proxy. What limits it is only AllowCONNECT (port 5915) and the ProxyRemoteMatch bounce (the listed hosts); as the comment says, ordinary GET http://... proxy requests are still passed through.
For ssl.conf:
        SSLProxyEngine On
        RewriteEngine On

        # Convenience rules to expand applet parameters. These do not have a trailing "/"
        #
        RewriteRule /vnc/([^/]*)$ /vnc/$1/index.vnc?CONNECT=$1+5915&PORT=563&httpsPort=443&GET=1&urlPrefix=_2F_vnc_2F_$1 [R,NE]
        RewriteRule /vnc/proxy/([^/]*)$ /vnc/$1/proxy.vnc?CONNECT=$1+5915&PORT=563&httpsPort=443&GET=1&urlPrefix=_2F_vnc_2F_$1&forceProxy=yes [R,NE]
        RewriteRule /vncs/([^/]*)$ /vncs/$1/index.vnc?CONNECT=$1+5915&PORT=563&httpsPort=443&GET=1&urlPrefix=_2F_vncs_2F_$1 [R,NE]
        RewriteRule /vncs/proxy/([^/]*)$ /vncs/$1/proxy.vnc?CONNECT=$1+5915&PORT=563&httpsPort=443&GET=1&urlPrefix=_2F_vncs_2F_$1&forceProxy=yes [R,NE]
        #
        # (we left out the "trust" ones with trustAllVncCerts=yes)

        # Fetch the jar file from port 5815 via http or port 5915 via https
        # inside the firewall (list all allowed x11vnc servers here)
        #
        ProxyPass /vnc/host1/ http://host1:5815/
        ProxyPass /vnc/host2/ http://host2:5815/
        ProxyPass /vnc/host3/ http://host3:5815/
        ProxyPass /vnc/host4/ http://host4:5815/

        # Single port VNC+HTTPS:
        #
        ProxyPass /vncs/host1/ https://host1:5915/
        ProxyPass /vncs/host2/ https://host2:5915/
        ProxyPass /vncs/host3/ https://host3:5915/
        ProxyPass /vncs/host4/ https://host4:5915/

This is all in the "<VirtualHost _default_:443>" section of ssl.conf.
Again, the x11vnc hostnames are listed in multiple places, here once per host for /vnc/ and once for /vncs/, in addition to the three lists in httpd.conf. All of them need to be kept in sync whenever a VNC server is added or removed.
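The need to keep the same host list in step across both files is the weak point of this older method. The following is an added example, not part of the x11vnc documentation or the Apache project: a small Python script that renders the per-host ProxyPass and ProxyRemoteMatch lines from a single list, checks an existing httpd.conf/ssl.conf pair for hosts that appear in one place but not another, and evaluates the ProxyRemoteMatch negative lookahead against sample request URLs the way mod_proxy does. The host names host1..host4 and the ports 5815/5915/563 are taken from the configuration above; the sample configuration text is constructed inside the script, and every function name is the example's own.

```python
"""Keep the old-style x11vnc portal host lists in sync.

Added example, not part of the x11vnc documentation or the Apache project.
It generates the per-host ProxyPass / ProxyRemoteMatch lines from one list
and checks that an existing httpd.conf / ssl.conf pair agree.  The host
names host1..host4, the ports 5815/5915/563 and the directive formats come
from the configuration above; the sample configuration text is constructed
here, and the function names are this example's own.
"""
import re

JAR_PORT = 5815    # x11vnc serves the Java viewer jar over plain http here
VNC_PORT = 5915    # SSL VNC port; also the HTTPS port in single-port mode
PROXY_PORT = 563   # the CONNECT proxy virtual host


def render_httpd_fragment(hosts):
    """ProxyPass and ProxyRemoteMatch lines for the <VirtualHost *:563> block."""
    lines = [f"ProxyPass /vnc/{h}/ http://{h}:{JAR_PORT}/" for h in hosts]
    alts = "|".join(re.escape(h) for h in hosts)
    # 'http' stays in the negative lookahead so that ordinary GET http://...
    # proxy requests (and the ProxyPass targets) are not bounced to the
    # ProxyRequests Off vhost; only CONNECTs to unlisted hosts are.
    lines.append(f"ProxyRemoteMatch ^(?!({alts}|http):) http://localhost:{PROXY_PORT}/")
    return "\n".join(lines) + "\n"


def render_ssl_fragment(hosts):
    """ProxyPass lines for the <VirtualHost _default_:443> block in ssl.conf."""
    lines = [f"ProxyPass /vnc/{h}/ http://{h}:{JAR_PORT}/" for h in hosts]
    lines += [f"ProxyPass /vncs/{h}/ https://{h}:{VNC_PORT}/" for h in hosts]
    return "\n".join(lines) + "\n"


# ProxyPass /vnc/<host>/ http://<host>:<port>/   (path host must equal target host)
_PROXYPASS = re.compile(
    r"^\s*ProxyPass\s+/vncs?/([^/\s]+)/\s+https?://\1:\d+/", re.M)
# ProxyRemoteMatch ^(?!(host1|host2|...|http):) ...
_REMOTEMATCH = re.compile(r"^\s*ProxyRemoteMatch\s+\^\(\?!\(([^)]*)\):\)", re.M)


def hosts_from_proxypass(conf_text):
    """Set of host names that have a ProxyPass /vnc/ or /vncs/ entry."""
    return set(_PROXYPASS.findall(conf_text))


def hosts_from_remotematch(conf_text):
    """Set of host names whose CONNECT is exempt from the bounce, or None
    if no ProxyRemoteMatch bounce rule is present at all."""
    m = _REMOTEMATCH.search(conf_text)
    if m is None:
        return None
    alts = [re.sub(r"\\(.)", r"\1", a) for a in m.group(1).split("|")]
    return {a for a in alts if a != "http"}


def check_in_sync(httpd_text, ssl_text):
    """Return a list of discrepancies between the three host lists
    (httpd.conf ProxyPass, httpd.conf ProxyRemoteMatch, ssl.conf ProxyPass).
    An empty list means the lists agree."""
    problems = []
    pp_httpd = hosts_from_proxypass(httpd_text)
    pp_ssl = hosts_from_proxypass(ssl_text)
    allowed = hosts_from_remotematch(httpd_text)
    if allowed is None:
        problems.append("httpd.conf: no ProxyRemoteMatch bounce rule found")
        allowed = set()
    for h in sorted(pp_httpd - allowed):
        problems.append(f"{h}: ProxyPass in httpd.conf but its CONNECT would be bounced")
    for h in sorted(allowed - pp_httpd):
        problems.append(f"{h}: CONNECT allowed but no ProxyPass in httpd.conf")
    for h in sorted(pp_httpd ^ pp_ssl):
        problems.append(f"{h}: ProxyPass present in only one of httpd.conf/ssl.conf")
    return problems


def would_bounce(request_url, hosts):
    """Evaluate the ProxyRemoteMatch regex against the URL mod_proxy sees
    ('host:port' for CONNECT, 'http://...' for GET).  True means the request
    is handed to the ProxyRequests Off vhost on localhost:563 and fails."""
    alts = "|".join(re.escape(h) for h in hosts)
    return re.match(rf"^(?!({alts}|http):)", request_url) is not None


# Constructed sample: host4 was added to httpd.conf but ssl.conf was missed.
SAMPLE_HTTPD = render_httpd_fragment(["host1", "host2", "host3", "host4"])
SAMPLE_SSL = render_ssl_fragment(["host1", "host2", "host3"])

if __name__ == "__main__":
    print(SAMPLE_HTTPD)
    print(SAMPLE_SSL)
    for p in check_in_sync(SAMPLE_HTTPD, SAMPLE_SSL):
        print("PROBLEM:", p)
    for url in ("host1:5915", "host10:5915", "host1.evil.example:5915",
                "http://host1:5815/index.vnc"):
        print(url, "bounced" if would_bounce(url, ["host1"]) else "allowed")
```

To run the check against real files, call check_in_sync(open("httpd.conf").read(), open("ssl.conf").read()). The would_bounce cases show why the trailing ':' in the lookahead matters: host10:5915 and host1.evil.example:5915 are bounced even though they start with host1, while http://host1:5815/index.vnc passes because of the 'http' alternative.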