[ovirt-users] [oVirt 4.0] Is it possible to access oVirt through a reverse proxy

Colin Coe colin.coe at gmail.com
Tue Jul 5 04:55:47 UTC 2016


Hi all

I've logged case 01662585 with GSS.

I see that RHEV 4.0 beta is in the customer support portal. I'm going to
see if we can upgrade our current DEV RHEV environment to 4.0 BETA so we
can start testing early.

Thanks



On Mon, Jul 4, 2016 at 5:39 PM, Martin Perina <mperina at redhat.com> wrote:

> Hi,
>
> first let me explain more thoroughly how things work in 4.0. Here's a bit
> simplified login flow:
>
> 1. Let's assume that ovirt.example.com was set as FQDN during engine-setup
> 2. User tries to access http://ovirt.example.com/ovirt-engine/webadmin
> 3. SSO authentication filters check if user is authenticated and if not,
> user is redirected to
> https://ovirt.example.com/ovirt-engine/sso/login.html
> 4. User enters their username/password and if successfully authenticated,
> user is redirected back to original URL:
> http://ovirt.example.com/ovirt-engine/webadmin
>
> Here are installation use cases which we assumed to be mostly used for
> oVirt (let's assume that engine is installed at host1.example.com, your
> proxy host is proxy1.example.com and you want your oVirt instance to be
> accessed using alias ovirt.example.com):
>
> 1. Most users don't use any proxy, so the easiest method is to setup DNS
> alias ovirt.example.com pointing to host1.example.com and after that use
> ovirt.example.com during engine-setup as engine FQDN
>
> 2. If host1.example.com is in your internal network and you want
> ovirt.example.com to be accessible from both internal network and
> Internet you need to do the following:
>       - For your internal clients you need to do the same steps as in 1. in
> your internal DNS server
>       - For your external (Internet) clients you need to create another
> DNS alias ovirt.example.com pointing to your firewall (for example to
> host firewall.example.com) in your external DNS server and setup proper
> port forwarding from firewall.example.com to host1.example.com
>
> 3. If you need to use different FQDN for engine (for example you want to
> use proxy proxy1.example.com), then some manual config is required:
>       - Execute engine-setup and use host1.example.com as engine FQDN
>       - Set up your proxy in proxy1.example.com as in previous versions
>       - Setup your DNS and add DNS alias ovirt.example.com pointing to
> proxy1.example.com
>       - Go to host1.example.com and create new file
> /etc/ovirt-engine/engine.conf.d/99-setup-http-proxy.conf with following
> content
>                ENGINE_SSO_AUTH_URL="https://ovirt.example.com:443/ovirt-engine/sso"
>                SSO_CALLBACK_PREFIX_CHECK=false
>
>       - Restart ovirt-engine service
>
>     After the above steps your oVirt instance can be accessed using
> http://ovirt.example.com, but all traffic to it will be redirected
> through your proxy at proxy1.example.com.
>
>
> If none of the above scenarios are usable for you, then please describe
> thoroughly your current setup. We may be able to help you with additional
> manual configuration or we will need to create an RFE bug for oVirt.
>
> Thanks
>
> Martin Perina
>
>
>
> On Mon, Jul 4, 2016 at 1:36 AM, Colin Coe <colin.coe at gmail.com> wrote:
>
>> Hi all
>>
>> If this is correct, it is a massive problem for us.  We're still on RHEV
>> v3.5 ATM but have plans to move to RHEV v4 when it looks production ready.
>>
>> Many of our users are external parties that access the RHEV user portal
>> externally via a (Juniper) reverse proxy appliance.  The RHEV user
>> portal URL gets rewritten to the URL of the Juniper appliance.
>>
>> Should I file a bug on this, or an RFE?
>>
>> Thanks
>>
>> On Sun, Jul 3, 2016 at 5:16 PM, Martin Perina <mperina at redhat.com> wrote:
>>
>>> Hi,
>>> In 4.0 you can access oVirt engine only with the same FQDN that was
>>> specified during engine-setup. If you have used different FQDN, you may
>>> change it using ovirt-engine-rename tool.
>>>
>>> Martin Perina
>>>
>>>
>>> On Sunday, July 3, 2016, Yaniv Dary <ydary at redhat.com> wrote:
>>> >
>>> > Yaniv Dary
>>> > Technical Product Manager
>>> > Red Hat Israel Ltd.
>>> > 34 Jerusalem Road
>>> > Building A, 4th floor
>>> > Ra'anana, Israel 4350109
>>> >
>>> > Tel : +972 (9) 7692306
>>> > 8272306
>>> > Email: ydary at redhat.com
>>> > IRC : ydary
>>>
>>> >
>>> > ---------- Forwarded message ----------
>>> > From: COUSIN Kevin <kevin at famillecousin.fr>
>>> > Date: Thu, Jun 30, 2016 at 5:31 PM
>>> > Subject: [ovirt-users] [oVirt 4.0] Is it possible to access oVirt through a reverse proxy
>>> > To: users at ovirt.org
>>> >
>>> >
>>> > Hi list,
>>> >
>>> > I upgraded to oVirt 4.0 and it works fine. However, I used HAProxy to
>>> > access oVirt outside my LAN. It doesn't work anymore since I upgraded
>>> > to 4.0. It seems the oVirt Manager URL is rewritten by the SSO engine.
>>> > eg: ovirt.externaldomain.tld -> ovirtmanager.internaldomain.tld.
>>> >
>>> > Is it possible to disable this  behaviour and stay with
>>> > ovirt.externaldomain.tld ?
>>> >
>>> > Regards
>>> >
>>> > --
>>> > COUSIN Kevin <kevin at famillecousin.fr>
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users at ovirt.org
>>> > http://lists.ovirt.org/mailman/listinfo/users
>>> >
>>> >
>>
>
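
Use case 3 in the quoted procedure depends on the drop-in file being exact, and a quoted value that gets split across two lines when pasted from mail is an easy way for it to go wrong. The following Python check is an added example, not part of the thread or of oVirt: it parses such a file and confirms the SSO URL points at the proxy alias over HTTPS. The function names, the sample contents and the assumption that the file uses plain KEY=value lines with optional double quotes are assumptions of this example.

```python
import shlex
from urllib.parse import urlsplit

# Constructed samples, not taken from a real host.
GOOD = ('ENGINE_SSO_AUTH_URL="https://ovirt.example.com:443/ovirt-engine/sso"\n'
        'SSO_CALLBACK_PREFIX_CHECK=false\n')
# Same content, but the quoted value was split across two lines when pasted.
WRAPPED = ('ENGINE_SSO_AUTH_URL="\n'
           'https://ovirt.example.com:443/ovirt-engine/sso"\n'
           'SSO_CALLBACK_PREFIX_CHECK=false\n')

def parse_conf(text):
    """Return (settings, problems) for simple KEY=value lines (assumed format)."""
    settings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        try:
            parts = shlex.split(raw)      # strips the optional double quotes
        except ValueError:                # opening quote never closed on this line
            parts = None
        if not sep or not key.isidentifier() or parts is None or len(parts) > 1:
            problems.append(f"line {n}: not a complete KEY=value pair: {line!r}")
            continue
        settings[key] = parts[0] if parts else ""
    return settings, problems

def check_proxy_dropin(text, public_fqdn):
    """List everything that differs from the drop-in described in use case 3."""
    settings, problems = parse_conf(text)
    url = settings.get("ENGINE_SSO_AUTH_URL")
    if url is None:
        problems.append("ENGINE_SSO_AUTH_URL is not set")
    else:
        u = urlsplit(url)
        if u.scheme != "https":
            problems.append(f"SSO URL scheme is {u.scheme!r}, expected 'https'")
        if u.hostname != public_fqdn.lower():
            problems.append(f"SSO URL host {u.hostname!r} is not the alias {public_fqdn!r}")
        if u.path.rstrip("/") != "/ovirt-engine/sso":
            problems.append(f"SSO URL path {u.path!r} is not /ovirt-engine/sso")
    if settings.get("SSO_CALLBACK_PREFIX_CHECK", "").lower() != "false":
        problems.append("SSO_CALLBACK_PREFIX_CHECK is not 'false'")
    return problems

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("wrapped", WRAPPED)):
        print(name, check_proxy_dropin(conf, "ovirt.example.com"))
```

On a real engine host the text would be read from /etc/ovirt-engine/engine.conf.d/99-setup-http-proxy.conf before restarting the ovirt-engine service.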