If you run a webserver on the Incus node it’s no big deal. You just need “websockify” and “spice-html5” and something that launches the websockify process. Either on request or permanently.
Example Apache configuration:
# Enable necessary modules
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule ssl_module modules/mod_ssl.so
# Handle insecure certificates (self-signed)
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# spice-html5 is a Javascript SPICE client used to manage VMs:
Alias /spice /usr/share/spice-html5
<Directory /usr/share/spice-html5>
Allow from all
Satisfy Any
DirectoryIndex spice.html
</Directory>
# Dynamic proxy pass based on the port query parameter
RewriteCond %{QUERY_STRING} port=(.*)
RewriteRule ^/spice_proxy/(.*) ws://127.0.0.1:%1/$1 [P]
# Fallback if no port parameter is provided (optional)
ProxyPass /spice_proxy/ ws://127.0.0.1:5901/
ProxyPassReverse /spice_proxy/ ws://127.0.0.1:5901/
Run websockify with the proper options:
/usr/bin/websockify --web /usr/share/spice-html5 5949 --unix-target=/home/incus/run/<instance-name>/qemu.spice --cert=/usr/sausalito/license/self.pem --timeout=900 --idle-timeout=900 --heartbeat=15
5949 is the port I chose to use here.
–unix-target=/home/incus/run/instance-name/qemu.spice
That ought to be the path to the running VM’s qemu.spice socket. Your path will certainly be different than mine.
–cert=/usr/sausalito/license/self.pem
The PEM file with an SSL certificate and key. Can be self signed.
–timeout=900 --idle-timeout=900 --heartbeat=15
The heartbeat is periodically sent to keep the session alive and after the timeouts expire websockify will shutdown. So you may want to adjust these as needed or set them to not expire depending on your usage case. I launch websockify from a GUI as needed and want it to shut down by itself after a period of inactivity.
Given the above Apache config the sample URL to access this would then be:
https://:443/spice/spice_auto.html?host=&port=443&path=/spice_proxy/?port=5949
You don’t have to open up port 5949 in this example, as everything is proxied through the regular Apache ports (443 for HTTPS in this case).
If you have another VM using another websockify instance on a different port? Just change the port in the above URL to access it.
The certificate related SSLProxyCheckPeer* options in the config make sure that Apache’s mod_proxy doesn’t complain about the self signed certificate used for the proxy connection between Apache and websockify.