<div dir="ltr">Hi all<div><br></div><div>I've logged case 01662585 with GSS.</div><div><br></div><div>I see that RHEV 4.0 beta is in the customer support portal, I'm going to see if we can upgrade our current DEV RHEV environment to 4.0 BETA so we can start testing early.</div><div><br></div><div>Thanks</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 4, 2016 at 5:39 PM, Martin Perina <span dir="ltr"><<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi,<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">first let me explain more thoroughly how things works in 4.0. Here's a bit simplified login flow:<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">1. Let's assume that <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> was set as FQDN during engine-setup<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">2. User tries to access <a href="http://ovirt.example.com/ovirt-engine/webadmin" target="_blank">http://ovirt.example.com/ovirt-engine/webadmin</a><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">3. SSO authentication filters checks if user is authenticated and if not, user is redirected to <a href="https://ovirt.example.com/ovirt-engine/sso/login.html" target="_blank">https://ovirt.example.com/ovirt-engine/sso/login.html</a><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">4. User enters its username/password and if successfully authenticated, user is redirected back to original URL: <a href="http://ovirt.example.com/ovirt-engine/webadmin" target="_blank">http://ovirt.example.com/ovirt-engine/webadmin</a><br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Here are installation use cases which we assumed to be mostly used for oVirt (let's assume that engine is installed at <a href="http://host1.example.com" target="_blank">host1.example.com</a>, your proxy host is <a href="http://proxy1.example.com" target="_blank">proxy1.example.com</a> and you want you oVirt instance to accessed using alias <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a>):<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">1. Most users don't use any proxy, so the easiest method is to setup DNS alias <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> pointing to <a href="http://host1.example.com" target="_blank">host1.example.com</a> and after that use <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> during engine-setup as engine FQDN<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">2. If <a href="http://host1.example.com" target="_blank">host1.example.com</a> is in your internal network and you want <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> to be accessible from both internal network and Internet you need to do the following:<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - For you internal clients you need to do the same steps as in 1. in your internal DNS server<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - For your external (Internet) clients you need to create another DNS alias <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> pointing to your firewall (for example to host <a href="http://firewall.example.com" target="_blank">firewall.example.com</a>) in your external DNS server and setup proper port forwarding from <a href="http://firewall.example.com" target="_blank">firewall.example.com</a> to <a href="http://host1.example.com" target="_blank">host1.example.com</a><br><br>3. If you need to use different FQDN for engine (for example you want to use proxy <a href="http://proxy1.example.com" target="_blank">proxy1.example.com</a>), then some manual config is required:<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - Execute engine-setup and use <a href="http://host1.example.com" target="_blank">host1.example.com</a> as engine FQDN<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - Setup you proxy in <a href="http://proxy1.example.com" target="_blank">proxy1.example.com</a> as in previous versions<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - Setup your DNS and add DNS alias <a href="http://ovirt.example.com" target="_blank">ovirt.example.com</a> pointing to <a href="http://proxy1.example.com" target="_blank">proxy1.example.com</a><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - Go to <a href="http://host1.example.com" target="_blank">host1.example.com</a> and create new file /etc/ovirt-engine/engine.conf.d/99-setup-http-proxy.conf with following content<br></div> ENGINE_SSO_AUTH_URL="<a href="https://ovirt.example.com:443/ovirt-engine/sso" target="_blank">https://ovirt.example.com:443/ovirt-engine/sso</a>"<br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> SSO_CALLBACK_PREFIX_CHECK=false<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> - Restart ovirt-engine service<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"> After above steps your oVirt instance can be accessed using <a href="http://ovirt.example.com" target="_blank">http://ovirt.example.com</a>, but all traffic to it will be redirected through your proxy at <a href="http://proxy1.example.com" target="_blank">proxy1.example.com</a>.<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">If none of above scenarios are usable for you, then please describe thoroughly your current setup. We may be help you with additional manual configuration or we will need to create an RFE bug for oVirt.<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Thanks<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Martin Perina<br></div></font></span><div><div class="h5"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 4, 2016 at 1:36 AM, Colin Coe <span dir="ltr"><<a href="mailto:colin.coe@gmail.com" target="_blank">colin.coe@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi all<div><br></div><div>If this is correct, it is a massive problem for us. We're still on RHEV v3.5 ATM but have plans to move to RHEV v4 when it looks production ready.</div><div><br></div><div>Many of our users are external parties that access the RHEV user portal externally via a (Juniper) reverse proxy appliance. The RHEV user portal URL gets rewritten to the URL of the Juniper appliance.</div><div><br></div><div>Should I file a bug on this, or an RFE?</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 3, 2016 at 5:16 PM, Martin Perina <span dir="ltr"><<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi, <br>In 4.0 you can access oVirt engine only with the same FQDN that was specified during engine-setup. If you have used different FQDN, you may change it using ovirt-engine-rename tool. <br><br>Martin Perina <br><br><br>On Sunday, July 3, 2016, Yaniv Dary <<a href="mailto:ydary@redhat.com" target="_blank">ydary@redhat.com</a>> wrote:<br>><br>> Yaniv Dary<br>> Technical Product Manager<br>> Red Hat Israel Ltd.<br>> 34 Jerusalem Road<br>> Building A, 4th floor<br>> Ra'anana, Israel 4350109<br>><br>> Tel : <a href="tel:%2B972%20%289%29%207692306" value="+97297692306" target="_blank">+972 (9) 7692306</a><br>> 8272306<br>> Email: <a href="mailto:ydary@redhat.com" target="_blank">ydary@redhat.com</a><br>> IRC : ydary<div><div><br>><br>> ---------- Forwarded message ----------<br>> From: COUSIN Kevin <<a href="mailto:kevin@famillecousin.fr" target="_blank">kevin@famillecousin.fr</a>><br>> Date: Thu, Jun 30, 2016 at 5:31 PM<br>> Subject: [ovirt-users] [oVirt 4.0] Is it possible to access oVirt through a reverse proxy<br>> To: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>><br>><br>> Hi list,<br>><br>> I upgraded to oVirt 4.0 and it works fine. However, I used HAProxy to<br>> access oVirt outside my LAN. It doesn't work anymore since I upgraded<br>> to 4.0. It seems the oVirt Manager URL is rewritten by the SSO engine.<br>> eg: ovirt.externaldomain.tld -> ovirtmanager.internaldomain.tld. <br>><br>> Is it possible to disable this behaviour and stay with<br>> ovirt.externaldomain.tld ?<br>><br>> Regards<br>><br>> -- <br>> COUSIN Kevin <<a href="mailto:kevin@famillecousin.fr" target="_blank">kevin@famillecousin.fr</a>><br>><br>> _______________________________________________<br>> Users mailing list<br>> <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>> <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>><br>>
</div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>