On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
Do I need to generate and install a x509 key pair for the squid
proxy? How can I find out if the key pair has already been done?
No. Spice channels are encrypted end-to-end so if you configure squid to
forward the connections just to the display network range of the hosts,
you anly allow connections that are encrypted anyway - so the TLS would
be here quite redundant.
Have you made sure that you have opened port 3128 in iptables? If the
box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
be configured to disable firewalld but I presume that engine-setup does
that), add the port definition among other opened ports
in /etc/sysconfig/iptables.
David
PS: I'm mangling reply-to: header for a reason. Please don't hog my
inbox, I can very well read your messages on-list. Thank you.
----- Original Message -----
> From: Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
> To: David Li <david_li(a)sbcglobal.net>
> Cc: "users(a)ovirt.org" <users(a)ovirt.org>;
"djasa(a)redhat.com" <djasa(a)redhat.com>
> Sent: Friday, January 24, 2014 2:25 PM
> Subject: Re: [Users] Spice-proxy questions
>
> On Fri, Jan 24, 2014 at 8:45 PM, David Li wrote:
>> David
>>
>> I set up the squid proxy on the same machine as ovirt-engine. I have this
> in squid.conf:
>>
>>
>>
>> -------------------
>> acl localhost src 10.10.2.143/32 # for the machine running the browser
>>
>>
>> #safe ports
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports <---------- will
> this allow connections to spice port range (5900-6144 IIRC).???
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>>
>>
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> -------------------------
>>
>> and set my SpiceProxyDefault=http://10.10.2.143:3128
>>
>>
>>
>> So far, this is still not working. The Spice popup window still fails to
> connect to the graphics server and html5 browser window remains blank.
>> Are there any log files that can be used to debug this?
>>
>> Thanks.
>>
>>
>
> There is something I don't understand or that you are doing incorrectly.
>
> From what you write it seems that:
>
> - your engine has ip 10.10.2.143
>
> - From which ip do you run your browser?
>
> - Can this ip connect to engine on port 3128? Perhaps your engine
> setup already configured iptables (or firewalld) and it is blocking
> you?
> You can easily verify at runtime by putting this line on engine:
>
> iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
> where xxx.yyy.www.zzz is the ip of the client from where you run the browser
> so that you put this accept rule on top of INPUT chain and retry to
> connect to VM console
>
> - Which ip have the hosts where VMs are running?
> - Is engine (so your proxy in your configuration) capable to reach ip
> of your hosts on spice ports (5900-..)?
>
> ALso see my previous thread here:
>
http://lists.ovirt.org/pipermail/users/2013-December/018554.html
>
> and the useful answers.
>
> I cannot test your config, because I have no control on my network and
> network admins only allow 80 and 443 so that they are already taken by
> engine itself and I can't test putting the proxy on engine itself...
>
> HIH anyway,
> Gianluca
>