[Users] Spice-proxy questions

David Li david_li at sbcglobal.net
Mon Jan 27 19:21:34 UTC 2014


Do I need to generate and install an x509 key pair for the squid proxy? How can I find out if the key pair has already been done?


----- Original Message -----
> From: Gianluca Cecchi <gianluca.cecchi at gmail.com>
> To: David Li <david_li at sbcglobal.net>
> Cc: "users at ovirt.org" <users at ovirt.org>; "djasa at redhat.com" <djasa at redhat.com>
> Sent: Friday, January 24, 2014 2:25 PM
> Subject: Re: [Users] Spice-proxy questions
> 
> On Fri, Jan 24, 2014 at 8:45 PM, David Li  wrote:
>>  David
>> 
>>  I set up the squid proxy on the same machine as ovirt-engine. I have this in squid.conf:
>> 
>> 
>> 
>>  -------------------
>>  acl localhost src 10.10.2.143/32 # for the machine running the browser
>> 
>> 
>>  #safe ports
>>  acl SSL_ports port 443
>>  acl Safe_ports port 80          # http
>>  acl Safe_ports port 21          # ftp
>>  acl Safe_ports port 443         # https
>>  acl Safe_ports port 70          # gopher
>>  acl Safe_ports port 210         # wais
>>  acl Safe_ports port 1025-65535  # unregistered ports <---------- will this allow connections to spice port range (5900-6144 IIRC).???
>>  acl Safe_ports port 280         # http-mgmt
>>  acl Safe_ports port 488         # gss-http
>>  acl Safe_ports port 591         # filemaker
>>  acl Safe_ports port 777         # multiling http
>> 
>> 
>> 
>>  # Squid normally listens to port 3128
>>  http_port 3128
>> 
>>  # Deny requests to certain unsafe ports
>>  http_access deny !Safe_ports
>> 
>>  -------------------------
>> 
>>  and set my SpiceProxyDefault=http://10.10.2.143:3128
>> 
>> 
>> 
>>  So far, this is still not working. The Spice popup window still fails to connect to the graphics server and html5 browser window remains blank.
>>  Are there any log files that can be used to debug this?
>> 
>>  Thanks.
>> 
>> 
> 
> There is something I don't understand or that you are doing incorrectly.
> 
> From what you write it seems that:
> 
> - your engine has ip 10.10.2.143
> 
> - From which ip do you run your browser?
> 
> - Can this ip connect to engine on port 3128? Perhaps your engine
> setup already configured iptables (or firewalld) and it is blocking
> you?
> You can easily verify at runtime by putting this line on engine:
> 
> iptables -I INPUT -s xxx.yyy.www.zzz -j ACCEPT
> where xxx.yyy.www.zzz is the ip of the client from where you run the browser
> so that you put this accept rule on top of INPUT chain and retry to
> connect to VM console
> 
> - Which ip do the hosts where VMs are running have?
> - Is engine (so your proxy in your configuration) able to reach the ip
> of your hosts on spice ports (5900-..)?
> 
> Also see my previous thread here:
> http://lists.ovirt.org/pipermail/users/2013-December/018554.html
> 
> and the useful answers.
> 
> I cannot test your config, because I have no control on my network and
> network admins only allow 80 and 443 so that they are already taken by
> engine itself and I can't test putting the proxy on engine itself...
> 
> HIH anyway,
> Gianluca
> 
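
The checks listed in the reply above (client to proxy port, proxy ACLs, proxy to host SPICE port) can be told apart by sending the proxy the same kind of HTTP CONNECT request a SPICE client uses to open its tunnel. This is an added example, not part of the original thread; the host address 192.0.2.10 is a placeholder, and the status-code readings are the usual HTTP proxy meanings, an assumption rather than something stated in the thread.

```python
import socket

def build_connect_request(target_host, target_port):
    """HTTP CONNECT request asking the proxy to open a tunnel to host:port."""
    authority = f"{target_host}:{target_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def classify_response(raw):
    """Map the proxy's status line to the checklist item it points at."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return (None, "not an HTTP proxy reply; is this really the squid port?")
    code = int(parts[1])
    if 200 <= code < 300:
        return (code, "tunnel open: proxy ACLs and proxy-to-host path are fine")
    if code == 403:
        return (code, "proxy refused the request: review squid acl/http_access rules")
    if code == 407:
        return (code, "proxy wants authentication")
    if code in (502, 503, 504):
        return (code, "proxy accepted the request but could not reach the host port")
    return (code, "unexpected status: check the proxy's access log")

def probe(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Run from the machine with the browser; returns (status_code, hint)."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target_host, target_port))
            return classify_response(s.recv(4096))
    except OSError as exc:
        # Covers refused connections and timeouts, e.g. iptables on the proxy machine.
        return (None, f"cannot reach proxy port (firewall on the proxy machine?): {exc}")

if __name__ == "__main__":
    # Proxy address and port are from the thread; 192.0.2.10 is a constructed
    # placeholder for the ip of a host running a VM.
    print(probe("10.10.2.143", 3128, "192.0.2.10", 5900))
```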


