[ovirt-users] IPv6 Functionality for WebSocket Proxy
Donny Davis
donny at cloudspin.me
Thu Dec 18 11:09:26 EST 2014
I would also like to note that if nginx and websocket proxy are on the same
machine you cannot have both nginx and websocket proxy listening on 6100. it
would be best to change the websocket proxy listening port and then proxy
both ipv4 and 6 with nginx :)
From: users-bounces at ovirt.org [mailto:users-bounces at ovirt.org] On Behalf Of
Donny Davis
Sent: Thursday, December 18, 2014 9:06 AM
To: users at ovirt.org
Subject: [ovirt-users] IPv6 Functionality for WebSocket Proxy
I just realized this morning that my noVNC connections were not working for
IPv6 only on cloudspin.me
For those who want to deploy dual stack functionality for
ovirt-websocket-proxy here is a very simple and elegant fix.
NGINX is a useful tool :)
You will need nginx to proxy the connection between your IPv6 customers, and
the IPv4 listening only websocket proxy(however that can be changed in
/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy
.conf but you can't have your cake and eat it too. one or the other ipv4 or
ipv6)
Anyways, here is the fix
Install nginx on your websocket proxy server - Why Nginx, because I like it
better than apache. The default config for Ovirt could be setup to do this
with the web server that is already running :) just sayin
For my configuration I am running the websocket proxy on a different host,
but I imagine you could use this config in a full deployment and use
websocket proxy on the engine host
server {
server_name web.cloudspin.me; # this is the hostname that you told
the engine that the websocket proxy would be listening on
#listen 6100; #Commented because I am using this for
ipv6 only, but you could use nginx to proxy both and only open one port in
the firewall
listen [::]:6100 ssl; #NOTE this needs to listen on the same
port you told the engine the websocket proxy would be listening on
ssl_certificate /physical/path/to/ssl/cert; #I used the
same cert that my websocket proxy is using
ssl_certificate_key /physical/path/to/ssl/key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/websocket.cloudspin.me-access.log;
error_log /var/log/nginx/websocket.cloudspin.me-error.log;
location / {
proxy_pass https://ip_address_of_websocket_proxy:6100;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Too easy to fix the many problems I have had getting websocket proxy to
work. If you have a commerical cert and key, this would be a great place to
put it, so your users don't have to bother with trusting your CA, it will
just work
Cheers and I hope this helps
If anyone needs any help getting this to work give me a shout
Donny D
cloudspin.me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20141218/8d0d8905/attachment-0001.html>
More information about the Users
mailing list