Serve noVNC over https

[Primajin]

Hey there, do you think it's possible to run some certbot / let's encrypt so that we can serve the noVNC also via https - when running the script in the cloud it would be better to have https.

[KairuByte]

Can’t help but agree. Very odd to be serving full account access on multiple stores… over http.

[vogler]

Not sure if this is out of scope.

Most people will run this in their small local network with a firewall on the router that has ports closed by default and where there's no danger of eavesdropping (e.g. wifi client in promiscuous mode (still needs to be inside the network)).
MITM only becomes a problem when you open the port to the internet (and only for VNC, HTTPS is still used for all browser requests incl. auth). If you do that or run it on some VPS, you probably have other HTTP services and run some reverse-proxy for HTTPS anyway.

I use Caddy which makes this very easy. You just need to run

caddy reverse-proxy --from example.com --to localhost:6080

So, intuitively my feeling is 'no, this goes against the Unix philosophy', but not sure how much this still applies here.
I can check how much caddy or nginx would increase the image size and add some HTTPS_DOMAIN option.

[Primajin]

Maybe also a first iteration could be a wiki page how someone could set it up themselves - e.g. when they followed the page of setting up their own environment in Oracle Cloud - how can they then serve the thing via https while it's running?

[vogler]

Yea, that sounds reasonable.