Do I need to generate and install an X.509 key pair for the squid proxy? How can I find out
if the key pair has already been done?
----- Original Message -----
From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
To: David Li <david_li(a)sbcglobal.net>
Cc: "users(a)ovirt.org" <users(a)ovirt.org>; "djasa(a)redhat.com"
<djasa(a)redhat.com>
Sent: Friday, January 24, 2014 2:25 PM
Subject: Re: [Users] Spice-proxy questions
On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
> David
>
> I set up the squid proxy on the same machine as ovirt-engine. I have this
> in squid.conf:
>
> -------------------
> acl localhost src 10.10.2.143/32 # for the machine running the browser
>
>
> #safe ports
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports <---------- will
> this allow connections to spice port range (5900-6144 IIRC)???
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> -------------------------
>
> and set my SpiceProxyDefault=http://10.10.2.143:3128
>
> So far, this is still not working. The Spice popup window still fails to
> connect to the graphics server and the html5 browser window remains blank.
> Are there any log files that can be used to debug this?
>
> Thanks.
>
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine
setup already configured iptables (or firewalld) and it is blocking
you?
You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
where xxx.yyy.www.zzz is the ip of the client from where you run the browser
so that you put this accept rule on top of INPUT chain and retry to
connect to VM console
- Which ip have the hosts where VMs are running?
- Is engine (so your proxy in your configuration) capable of reaching the ip
of your hosts on spice ports (5900-..)?
Also see my previous thread here:
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control on my network and
network admins only allow 80 and 443 so that they are already taken by
engine itself and I can't test putting the proxy on engine itself...
HTH anyway,
Gianluca
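Whether the `acl Safe_ports port 1025-65535` line in the quoted squid.conf is enough for the SPICE port range can be checked offline by evaluating the `acl` / `http_access` lines the way squid does (first matching `http_access` line wins, all terms on a line must match, and if nothing matches the opposite of the last line applies). The script below is an added example, not code from this thread, from oVirt or from squid. It assumes the stock squid rules `acl CONNECT method CONNECT` and `http_access deny CONNECT !SSL_ports` are in effect (they ship in the default squid.conf; the excerpt above does not show them), that the SPICE client reaches the hypervisor through an HTTP CONNECT tunnel via the proxy, and that the SPICE port range is the 5900-6144 cited in the thread. The two configs, the browser IP 10.10.2.143 and the second client IP 10.10.3.7 are constructed sample input; only `src`, `port` and `method` ACL types are modelled.

```python
"""Offline evaluator for squid `acl` / `http_access` rules, applied to the
SPICE-proxy question in the thread above.

Added example; not code from the thread, oVirt or squid.  Assumptions:
squid's stock `acl CONNECT method CONNECT` and
`http_access deny CONNECT !SSL_ports` are in effect, and the SPICE
client tunnels through the proxy with HTTP CONNECT.
"""
import ipaddress
import re

# Constructed: the poster's excerpt plus the stock squid lines it omitted.
POSTED_CONF = """
acl localhost src 10.10.2.143/32   # machine running the browser
acl SSL_ports port 443
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 1025-65535      # unregistered ports
acl Safe_ports port 280             # http-mgmt
acl Safe_ports port 488             # gss-http
acl Safe_ports port 591             # filemaker
acl Safe_ports port 777             # multiling http
acl CONNECT method CONNECT
http_port 3128
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Constructed: same config with the SPICE range (5900-6144 as cited in the
# thread; check it against the range your hosts really use) added to
# SSL_ports, so CONNECT tunnels to those ports are no longer refused.
FIXED_CONF = POSTED_CONF.replace(
    "acl SSL_ports port 443\n",
    "acl SSL_ports port 443\nacl SSL_ports port 5900-6144\n",
)


def _stripped_lines(conf):
    """Yield non-empty lines with trailing '#' comments removed."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_acls(conf):
    """Return {name: (type, [values])}; repeated `acl NAME type` lines accumulate."""
    acls = {"all": ("all", [])}          # squid's built-in match-everything ACL
    for line in _stripped_lines(conf):
        m = re.match(r"acl\s+(\S+)\s+(src|port|method)\s+(.+)$", line)
        if not m:
            continue
        name, kind, rest = m.groups()
        if name in acls and acls[name][0] != kind:
            raise ValueError(f"acl {name} redefined with a different type")
        acls.setdefault(name, (kind, []))[1].extend(rest.split())
    return acls


def parse_http_access(conf):
    """Return [(action, [(negated, acl_name), ...])] in file order."""
    rules = []
    for line in _stripped_lines(conf):
        m = re.match(r"http_access\s+(allow|deny)\s+(.+)$", line)
        if m:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in m.group(2).split()]
            rules.append((m.group(1), terms))
    return rules


def acl_matches(acls, name, method, port, src):
    """Does ACL `name` match a request with this method, destination port and source?"""
    kind, values = acls[name]            # KeyError: an ACL type this toy does not model
    if kind == "all":
        return True
    if kind == "method":
        return method in values
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")  # single port or lo-hi range
            if int(lo) <= port <= int(hi or lo):
                return True
        return False
    if kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(kind)


def request_allowed(conf, method, port, src):
    """First matching http_access line wins; every term on the line must match.
    If no line matches, squid applies the opposite of the last line's action."""
    acls = parse_acls(conf)
    rules = parse_http_access(conf)
    for action, terms in rules:
        if all(acl_matches(acls, n, method, port, src) != neg for neg, n in terms):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else False


def spice_tunnel_allowed(conf, spice_port, browser_ip):
    """Would this proxy accept `CONNECT <host>:<spice_port>` from browser_ip?"""
    return request_allowed(conf, "CONNECT", spice_port, browser_ip)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, "CONNECT to port 5902 from 10.10.2.143:",
              spice_tunnel_allowed(conf, 5902, "10.10.2.143"))
```

Running it shows the difference between the two ACL lists: with the posted config the request passes `Safe_ports` (5902 lies in 1025-65535) but is caught by `deny CONNECT !SSL_ports`, because only 443 is in `SSL_ports`; with the SPICE range added to `SSL_ports` the tunnel is allowed for the browser's IP and still denied for any other source. The evaluator raises `KeyError` on an ACL type it does not model rather than guessing, so an unmodelled `http_access` line is noticed instead of silently treated as allow or deny.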