VNC webpage (and the VMs it connects to) is not behind web-ui authentication?

[ctag]

With the most recent Scale Bluefin upgrade VNC sessions are no longer on randomized ports, but are instead accessible by a path. I love this feature, it is very handy.. But I've noticed that I can open the path to VNC without being logged in, which means anyone who can guess or brute force the two-digit random number in the path can access my VMs too.

Since I'm not confident in that arrangement, is there a way to disable VNC for the time being? Or put some sort of authentication in front of it that doesn't depend on the VM?

Possibly related:
The VM VNC/SPICE console should have a default password
TrueNAS Scale VNC/SPICE virtual console should be using encryption
VNC Security concerns?

 

[AMiGAmann]

On Angelfish it is possible to edit the display device of a VM and to configure a VNC password to be used. Does that help you to increase your security needs?

 

[ctag]

On Angelfish it is possible to edit the display device of a VM and to configure a VNC password to be used. Does that help you to increase your security needs?

I appreciate the advice, but unless I'm mistaken this doesn't actually do anything.

In Bluefin I can set a password:

And when I try to open VNC from within Truenas, it dutifully prompts me for a password before redirecting to the VNC page:

But the VNC webpage itself is still available in the clear, no password required. Here I've loaded the URL directly in Tor, so there shouldn't be any cookies or session data set that would otherwise authenticate me:

 

[AMiGAmann]

Oh I am sorry, I did not try it as you did. I tried to connect with an external vnc viewer and had to input a password so I thought it was secure.

I can reproduce the behaviour you described. Even if a password is set, the vnc viewer can directly be opened in a browser without a password being entered.

For me this looks like unwanted behaviour/bug, doesn't it?

 

[ctag]

Jerry-rigged workaround using Traefik and basicAuth​

I recently came across this webpage about using basicAuth middleware with Traefik/ingress. I have my truenas web-ui exposed via Traefik and external-service so I decided to give basicAuth a try.

I edited Traefik's settings and added a basicAuth middleware, and then copied the name to add to the truenas external-service app's middleware section as well. Immediately afterward the URL for my Truenas UI started showing 404 responses, and didn't come back. I wound up loading the UI via the local IP and alternate port (81, if you follow the guide above) to click "start" again on the external-service app. Once it had re-loaded the web-ui began working again, so head's up I guess.

Traefik edit menu:

external-service for Truenas UI edit menu:

With basicAuth set up, the VNC pages are now locked behind it and not exposed-by-default like they were before.