[ovirt-users] IPv6 Functionality for WebSocket Proxy

Donny Davis donny at cloudspin.me
Thu Dec 18 11:09:26 EST 2014


I would also like to note that if nginx and websocket proxy are on the same
machine you cannot have both nginx and websocket proxy listening on 6100. It
would be best to change the websocket proxy listening port and then proxy
both IPv4 and IPv6 with nginx :)

 

From: users-bounces at ovirt.org [mailto:users-bounces at ovirt.org] On Behalf Of
Donny Davis
Sent: Thursday, December 18, 2014 9:06 AM
To: users at ovirt.org
Subject: [ovirt-users] IPv6 Functionality for WebSocket Proxy

 

I just realized this morning that my noVNC connections were not working for
IPv6 only on cloudspin.me

For those who want to deploy dual stack functionality for
ovirt-websocket-proxy here is a very simple and elegant fix. 

 

NGINX is a useful tool :)

 

You will need nginx to proxy the connection between your IPv6 customers, and
the IPv4 listening only websocket proxy (however that can be changed in
/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.conf
but you can't have your cake and eat it too. one or the other ipv4 or
ipv6)

Anyways, here is the fix

 

Install nginx on your websocket proxy server - Why Nginx, because I like it
better than Apache. The default config for oVirt could be set up to do this
with the web server that is already running :) just sayin

For my configuration I am running the websocket proxy on a different host,
but I imagine you could use this config in a full deployment and use
websocket proxy on the engine host

 

server {
        # This is the hostname that you told the engine that the websocket
        # proxy would be listening on
        server_name web.cloudspin.me;

        # Commented because I am using this for ipv6 only, but you could use
        # nginx to proxy both and only open one port in the firewall
        #listen 6100 ssl;

        # NOTE this needs to listen on the same port you told the engine the
        # websocket proxy would be listening on
        listen [::]:6100 ssl;

        # I used the same cert that my websocket proxy is using
        ssl_certificate           /physical/path/to/ssl/cert;
        ssl_certificate_key       /physical/path/to/ssl/key;

        # The "ssl" parameter on listen enables TLS for this socket
        # (a separate "ssl on;" directive is deprecated)
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/websocket.cloudspin.me-access.log;
        error_log /var/log/nginx/websocket.cloudspin.me-error.log;

        location / {
            # Forward the WebSocket upgrade handshake to the real proxy
            proxy_pass https://ip_address_of_websocket_proxy:6100;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
}

 

 

Too easy to fix the many problems I have had getting websocket proxy to
work. If you have a commercial cert and key, this would be a great place to
put it, so your users don't have to bother with trusting your CA, it will
just work.

 

Cheers and I hope this helps

 

If anyone needs any help getting this to work give me a shout

 

Donny D

cloudspin.me
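
Added example, not part of the original message: a dual-stack variant of the configuration above for the same-host case raised in the follow-up note, where the websocket proxy has to move off 6100 so nginx can own that port. The backend address 127.0.0.1:6101, the one-hour timeouts and the tightened TLS protocol list are assumptions; the hostname, certificate paths and log paths are the post's own.

```nginx
# Both blocks belong inside the http {} context.
# Send "Connection: upgrade" upstream only when the client asked to upgrade,
# so plain HTTP probes against this port are not turned into upgrade requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name web.cloudspin.me;   # hostname the engine hands to noVNC clients

    # One socket per address family, both on the port the engine advertises.
    # ipv6only=on keeps the [::] socket from also claiming IPv4 traffic.
    listen 6100 ssl;
    listen [::]:6100 ssl ipv6only=on;

    ssl_certificate           /physical/path/to/ssl/cert;
    ssl_certificate_key       /physical/path/to/ssl/key;
    ssl_session_cache         shared:SSL:10m;
    # Assumption: clients support TLS 1.2 or newer.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols             TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/websocket.cloudspin.me-access.log;
    error_log  /var/log/nginx/websocket.cloudspin.me-error.log;

    location / {
        # Assumed backend: ovirt-websocket-proxy reconfigured to listen on
        # 6101 so it no longer collides with nginx on 6100. Keep 6101 closed
        # in the firewall; only 6100 should be reachable from outside.
        proxy_pass https://127.0.0.1:6101;

        # nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled; here the hop never leaves loopback.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Console sessions are long-lived and often idle; the default 60s
        # proxy timeouts would close them mid-session.
        proxy_read_timeout 1h;
        proxy_send_timeout 1h;
    }
}
```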

 

 

 
