On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
> On Mon, 2014-01-27 at 11:21 -0800, David Li wrote:
> > Do I need to generate and install an x509 key pair for the squid proxy? How can I
> > find out if the key pair has already been done?
> No. Spice channels are encrypted end-to-end, so if you configure squid to
> forward the connections just to the display network range of the hosts,
> you only allow connections that are encrypted anyway - so TLS would
> be quite redundant here.
> Have you made sure that you have opened port 3128 in iptables? If the
> box doesn't use firewalld (which is the case on RHEL/CentOS; Fedora must
> be configured to disable firewalld, but I presume that engine-setup does
> that), add the port definition among the other opened ports
> in /etc/sysconfig/iptables.
> David
> PS: I'm mangling the reply-to: header for a reason. Please don't hog my
> inbox, I can very well read your messages on-list. Thank you.
I made a test setting the proxy on the engine and it seems it is OK.
I have no ports other than 80 and 443 allowed, so I have to use an
environment with all the servers in the 10.4.4.0 network:
client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine
I configured squid on the engine on its default port, 3128.
I have firewalld configured on the engine, so I have this in
/etc/firewalld/zones/public.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other
computers on networks to not harm your computer. Only selected
incoming connections are accepted.</description>
<service name="mdns"/>
<service name="ovirt-nfs"/>
<service name="ovirt-http"/>
<service name="dhcpv6-client"/>
<service name="ovirt-websocket-proxy"/>
<service name="ovirt-https"/>
<service name="ssh"/>
<service name="ovirt-postgres"/>
<port protocol="tcp" port="6100"/>
<port protocol="tcp" port="3128"/>
</zone>
On the client, CentOS 6.5 (10.4.4.61):
I run Firefox and connect to the webadmin GUI of the engine
(https://10.4.4.60).
I have enabled the SPICE proxy for the test VM.
I select console and specify to run /usr/bin/remote-viewer in the popup
window, enabling popups in Firefox.
I successfully get the console.
$ ps -ef|grep remote
g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv
g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On the engine (10.4.4.60):
# netstat -an|grep 3128
tcp6 0 0 :::3128 :::* LISTEN
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
On the hypervisor (10.4.4.59):
$ netstat -an|grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
So all seems ok.
Gianluca
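The restriction David Jaša describes above (let squid forward connections only to the display network of the hosts) written out as a squid.conf, added here as an example; it is not from the thread and is not oVirt's or Gianluca's configuration. It assumes the hypervisors' display addresses are in 10.4.4.0/24 (the network used in the thread) and that SPICE consoles listen in the 5900-6923 port range; both values are assumptions and should be adjusted to the real environment.

```conf
# /etc/squid/squid.conf - SPICE proxy for oVirt consoles
# (added example, not the thread's own config)
# Assumed values: hypervisor display network 10.4.4.0/24,
# SPICE console port range 5900-6923.
http_port 3128

# Destinations the proxy may tunnel to: only the hosts' display
# network and the SPICE port range, nothing else.
acl spice_hosts dst 10.4.4.0/24
acl spice_ports port 5900-6923
acl CONNECT method CONNECT

# remote-viewer reaches each SPICE channel through an HTTP CONNECT;
# allow exactly that combination of method, destination and port.
http_access allow CONNECT spice_hosts spice_ports

# Everything else (plain HTTP requests, CONNECT to other hosts or
# other ports) is refused, so the engine does not become an open proxy.
http_access deny all

# Nothing is cached; the tunnelled channels are TLS end-to-end anyway.
cache deny all

# Keep a per-CONNECT audit trail of who opened a console to which host.
access_log /var/log/squid/access.log squid
```

Validate the file with `squid -k parse` before restarting squid. With this in place the client-side lsof output above still shows only connections to 10.4.4.60:3128, while the access log records one CONNECT per SPICE channel; a CONNECT to a host outside the display range, or an ordinary HTTP request through the proxy, is answered with 403.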