On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
David
I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
-------------------
acl localhost src 10.10.2.143/32 # for the machine running the browser
#safe ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports <---------- will this allow connections to spice port range (5900-6144 IIRC).???
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Squid normally listens to port 3128
http_port 3128
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
-------------------------
and set my SpiceProxyDefault=http://10.10.2.143:3128
So far, this is still not working. The Spice popup window still fails to connect to the
graphics server and html5 browser window remains blank.
Are there any log files that can be used to debug this?
Thanks.
There is something I don't understand or that you are doing incorrectly.
From what you write it seems that:
- your engine has ip 10.10.2.143
- From which ip do you run your browser?
- Can this ip connect to engine on port 3128? Perhaps your engine
setup already configured iptables (or firewalld) and it is blocking
you?
You can easily verify at runtime by putting this line on engine:
iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
where xxx.yyy.www.zzz is the ip of the client from where you run the browser
so that you put this accept rule on top of INPUT chain and retry to
connect to VM console
- Which IPs do the hosts where the VMs are running have?
- Is the engine (so your proxy in your configuration) capable of
reaching the IPs of your hosts on the spice ports (5900-..)?
Also see my previous thread here:
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
and the useful answers.
I cannot test your config, because I have no control over my network and
network admins only allow 80 and 443 so that they are already taken by
engine itself and I can't test putting the proxy on engine itself...
HIH anyway,
Gianluca
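
Added example, not part of either message in this thread: a small evaluator for the port ACLs and the one http_access rule visible in the posted squid.conf, answering the inline question about the 1025-65535 range for a SPICE tunnel (an HTTP CONNECT to the host's port). The names parse, matches, decide, POSTED_CONF and STOCK_CONNECT_RULE are this example's own, and the CONNECT rule is an assumption taken from a stock squid.conf, not from the post.

```python
# Constructed and condensed from the squid.conf excerpt in the first message.
POSTED_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-65535   # unregistered ports
http_access deny !Safe_ports
"""

# Assumption: NOT shown in the post; a stock squid.conf usually carries it.
STOCK_CONNECT_RULE = """
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""

def parse(conf):
    """Return (acls, rules): port/method ACLs and ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] in ("port", "method"):
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def matches(acls, name, method, port):
    """True if the request's method or destination port is in the named ACL."""
    kind, values = acls[name]
    if kind == "method":
        return method in values
    for value in values:
        lo, _, hi = value.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(conf, method, port):
    """First matching http_access rule wins; ACLs on one rule are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls, n.lstrip("!"), method, port) != n.startswith("!")
               for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for port in (5900, 6144):
        print(port, decide(POSTED_CONF, "CONNECT", port),
              decide(POSTED_CONF + STOCK_CONNECT_RULE, "CONNECT", port))
```

With only the posted lines, 5900 and 6144 pass Safe_ports; with the stock CONNECT rule present, the same tunnels are denied because SSL_ports lists only 443. On a live proxy a refused tunnel is recorded in Squid's access.log as a TCP_DENIED entry for the CONNECT request.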