[Users] Spice-proxy questions
Gianluca Cecchi
gianluca.cecchi at gmail.com
Tue Jan 28 17:21:46 UTC 2014
On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
> On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
>> Do I need to generate and install a x509 key pair for the squid proxy? How can I find out if the key pair has already been done?
>
> No. Spice channels are encrypted end-to-end so if you configure squid to
> forward the connections just to the display network range of the hosts,
> you only allow connections that are encrypted anyway - so the TLS would
> be here quite redundant.
>
> Have you made sure that you have opened port 3128 in iptables? If the
> box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
> be configured to disable firewalld but I presume that engine-setup does
> that), add the port definition among other opened ports
> in /etc/sysconfig/iptables.
>
> David
>
> PS: I'm mangling reply-to: header for a reason. Please don't hog my
> inbox, I can very well read your messages on-list. Thank you.
I made a test setting proxy on engine and it seems it is ok.
I have no other ports than 80 and 443 allowed, so I have to use an
environment with all the servers in the 10.4.4.0 network:
client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59
# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine
configured squid on engine on its default port 3128
I have firewalld configured on the engine, so I have this in
/etc/firewalld/zones/public.xml:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other
computers on networks to not harm your computer. Only selected
incoming connections are accepted.</description>
<service name="mdns"/>
<service name="ovirt-nfs"/>
<service name="ovirt-http"/>
<service name="dhcpv6-client"/>
<service name="ovirt-websocket-proxy"/>
<service name="ovirt-https"/>
<service name="ssh"/>
<service name="ovirt-postgres"/>
<port protocol="tcp" port="6100"/>
<port protocol="tcp" port="3128"/>
</zone>
On client CentOS 6.5 (10.4.4.61):
I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
I have enabled spice proxy for the test VM
I select console and specify to run /usr/bin/remote-viewer at popup
window, enabling popups in firefox
I successfully get the console
$ ps -ef|grep remote
g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv
g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
On engine (10.4.4.60)
# netstat -an|grep 3128
tcp6 0 0 :::3128 :::* LISTEN
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
On hypervisor (10.4.4.59)
$ netstat -an|grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
So all seems ok.
Gianluca
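As an added check (my own script, not part of the thread or of oVirt): it parses lsof/netstat output like the captures above and verifies the two properties the test relies on, namely that the client's remote-viewer opens non-loopback connections only to the proxy (10.4.4.60:3128) or the engine's HTTPS port, and that the hypervisor's display port sees the proxy as its only peer. The sample lines are constructed after the ones in the post; the extra line with a direct 10.4.4.59:5901 connection is invented to show what a proxy bypass would look like.

```python
import re

# Constructed sample output modelled on the post's captures (client 10.4.4.61,
# engine/proxy 10.4.4.60, hypervisor 10.4.4.59).
CLIENT_LSOF = """\
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
"""
# Constructed: same capture plus one channel going straight to the hypervisor's
# display port, i.e. what you would see if the SpiceProxyDefault setting were not applied.
CLIENT_LSOF_DIRECT = CLIENT_LSOF + \
    "remote-vi 23897 g.cecchi 26u IPv4 498460 0t0 TCP 10.4.4.61:36913->10.4.4.59:5901 (ESTABLISHED)\n"
HYPERVISOR_NETSTAT = """\
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
"""

PROXY = ("10.4.4.60", 3128)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_lsof_tcp(text):
    """Return (local_host, local_port, remote_host, remote_port) for each ESTABLISHED TCP line of `lsof -P`."""
    pat = re.compile(r"TCP (\S+):(\d+)->(\S+):(\d+) \(ESTABLISHED\)")
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in map(pat.search, text.splitlines()) if m]

def parse_netstat_tcp(text):
    """Same tuple shape for ESTABLISHED rows of `netstat -an` (LISTEN rows are skipped)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[5] == "ESTABLISHED":
            lh, lp = f[3].rsplit(":", 1)
            rh, rp = f[4].rsplit(":", 1)
            out.append((lh, int(lp), rh, int(rp)))
    return out

def bypassing_connections(conns, proxy=PROXY, allowed_ports=(443,)):
    """Client side: every non-loopback connection must go to the proxy or to an allowed
    port (the engine's HTTPS); anything else is a SPICE channel that skipped the proxy."""
    return [c for c in conns
            if c[2] not in LOOPBACK and (c[2], c[3]) != proxy and c[3] not in allowed_ports]

def display_peers(conns, display_port):
    """Hypervisor side: hosts connected to the VM's display port. With the proxy in
    the path this set should contain only the proxy address."""
    return {c[2] for c in conns if c[1] == display_port}
```

Running the same two functions over a live `lsof -Pp <pid>` and `netstat -an` capture turns the manual eyeballing in the post into a repeatable check.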