Comment 5 for bug 1424797

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

You can have your loadbalancer/reverse_proxy do SSL termination, and then forward content using traditional TCP to your consoles. This should be fine if you consider your cloud management network as secure.

However, you'll have an issue with novnc "Protocol mismatch". Your clients will see an https page, but the nova_console receives ws:// traffic (insecure form).

This could be easily fixed by editing your spice console in /usr/share/spice-html5/spice_auto.html:
    var default_port = window.location.port;
    if (window.location.protocol == 'http:') {
        if (!default_port) { default_port = 80; }
    }
    else if (window.location.protocol == 'https:') {
        if (!default_port) { default_port = 443; }
        // Page was served over https, so use the secure WebSocket scheme.
        scheme = "wss://";
    }
The protocol mismatch error will disappear. It's better than nothing.
Keep in mind that it's not a fully secure end-to-end solution, but it prevents session snooping.
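
The scheme and port selection described in the comment above, written as a standalone function that can be tested outside the browser. This is an added example, not code from the comment or from spice-html5; the function names, the `overrides` parameter and the sample hostnames are assumptions made for illustration.

```javascript
// Added example: consoleWebSocketUrl and isSchemeMismatch are hypothetical names.
// Default ports and WebSocket schemes keyed by the protocol of the page itself.
const BY_PAGE_PROTOCOL = {
    'http:':  { scheme: 'ws://',  port: 80 },
    'https:': { scheme: 'wss://', port: 443 },
};

// loc: object shaped like window.location ({protocol, hostname, port}).
// overrides: optional {host, port}, e.g. values taken from query parameters.
function consoleWebSocketUrl(loc, overrides = {}) {
    const entry = BY_PAGE_PROTOCOL[loc.protocol];
    if (!entry) {
        throw new Error('unsupported page protocol: ' + loc.protocol);
    }
    const host = overrides.host || loc.hostname;
    // window.location.port is "" when the page uses the protocol's default port.
    const port = overrides.port || loc.port || entry.port;
    return entry.scheme + host + ':' + port + '/';
}

// True when a page served over https would open a plaintext ws:// socket,
// the situation the comment describes behind a TLS-terminating proxy.
function isSchemeMismatch(pageProtocol, wsUrl) {
    return pageProtocol === 'https:' && wsUrl.startsWith('ws://');
}

// Constructed sample locations (not taken from the bug report).
const samples = [
    { protocol: 'https:', hostname: 'cloud.example.test', port: '' },
    { protocol: 'https:', hostname: 'cloud.example.test', port: '6082' },
    { protocol: 'http:',  hostname: 'cloud.example.test', port: '' },
];
for (const loc of samples) {
    const url = consoleWebSocketUrl(loc);
    console.log(loc.protocol, '->', url, 'mismatch:', isSchemeMismatch(loc.protocol, url));
}
```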