I received a question from a customer who wanted, for security reasons, to remove the ESXi web welcome screen. This is the screen that enables you to download the vSphere Client and RCLI and even browse datastores.
I’ve tested it and removing (or renaming) the following file will lead to a blank page when the ESXi host is accessed via http(s):
/usr/lib/vmware/hostd/docroot/index.html
<edit>
William Lam created another workaround which is definitely a more elegant solution: Remove the ESXi web welcome screen.
</edit>
Or customize the heck out of it? But, and I haven’t tested this, won’t just renaming or removing files just obscure things? If you know the URLs you need to browse the datastore, removing the index.html file won’t hinder someone from accessing it?
You could put an auto redirect to my Blog? Or a security notice maybe?
Simon
I know it won’t, but that’s a risk they are willing to take. Still looking into how I can fully disable the web access. Haven’t found it yet.
Disabling it would make a lot more sense. Security through obscurity just won’t cut it. I might have fun with customizing the index page though. 😉
Hey, I just played around with this on one of my hosts and it worked just fine. I have a follow-up question. I am looking for a way to change the welcome screen on the service console of a vSphere ESX host. I would like to remove the host name and IP address and maybe even put a banner on there. Is there a way to do this? You used to be able to control this in the Vi3 world with vmkstatus.pl but that’s no longer there. It appears to be under direct control of the kernel. Any help would be greatly appreciated.
Duncan,
I have not checked yet to see if the index.html file is still the same, but I wrote a post a little over a year ago describing how to modify the default vCenter or ESX web page so that you can remove the client download access or any other section you desire.
http://vmetc.com/2008/10/15/modify-virtualcenter-and-esx-web-interface-to-prevent-vi-client-downloads/
I’ll have to check the code when I get a chance to see if it’s changed much.
Hi Duncan,
I just wrote a blog post on how you can change the port that the page is published on, which effectively hides the page completely.
http://technodrone.blogspot.com/2010/01/disabling-services-in-esxi.html
I think that should satisfy your customer’s needs.
@Christian, @Duncan: I haven’t tried this yet, but as a workaround, if you change the permissions on the docroot directory to 000, the web server process shouldn’t be able to read it or anything beneath it. So even if someone can remember a URL beneath the main page, they wouldn’t be able to access it.
@Chris: I would be very hesitant to do that as it might break future patches and updates in unpredictable ways.
I have used this in the past with earlier versions of ESX.
However, I just tried it with ESXi 5 and, after reboot, the index.html file is restored!
Chris