Re: [squid-users] Proxyfy spice protocol behind nat

2017-02-19 Thread Oscar Segarra
 Hi,
>
> In my environment I have deployed two KVM hypervisors. I'd like to deploy
> in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from
> the clients.

Why?  What's the problem with the clients knowing the true values?

--> I want to publish VDI Desktops through Internet. If I have 10
hypervisors I don't want to publish 10 public IPs, I prefer just to publish
a proxy server.

> Each virtual machine has a unique port but VMs can run on any hypervisor.

It doesn't sound to me like the VMs are actually part of what you're trying to
do here?  You're just talking about client connections to hypervisors; the VMs
are not part of that.

--> The hypervisor has a specific port for each VM. If you connect to the
hypervisor by that port, you are connecting directly to the virtual
machine. This is how SPICE works.

> Is it possible to achieve this with squid?

What protocol do the clients use to communicate with the KVM Hypervisors?

--> The protocol is SPICE (https://www.spice-space.org/)

If it's HTTP, HTTPS or FTP, then you can probably configure Squid in
accelerator mode and use it to do what you want.

However, why are you trying to do this?  What is the risk involved in the
clients knowing the true IPs and ports of the hypervisors, which would be
mitigated by having them connect via a proxy instead?

Have you considered using HAproxy or LVS, both of which are far more generic
network proxies than Squid is?

--> I have not considered it yet...

> Is there any example how to configure this?

Not that I have ever heard of, however if it is a protocol which Squid can
handle, it really doesn't matter what the specific backend system is; there are
plenty of examples on how to do HTTP, HTTPS and FTP.

2017-02-19 23:15 GMT+01:00 Antony Stone :

> On Sunday 19 February 2017 at 19:05:57, Oscar Segarra wrote:
>
> > Hi,
> >
> > In my environment I have deployed two KVM hypervisors. I'd like to deploy
> > in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from
> > the clients.
>
> Why?  What's the problem with the clients knowing the true values?
>
> > Each virtual machine has a unique port but VMs can run on any hypervisor.
>
> It doesn't sound to me like the VMs are actually part of what you're trying to
> do here?  You're just talking about client connections to hypervisors; the VMs
> are not part of that.
>
> > Is it possible to achieve this with squid?
>
> What protocol do the clients use to communicate with the KVM Hypervisors?
>
> If it's HTTP, HTTPS or FTP, then you can probably configure Squid in
> accelerator mode and use it to do what you want.
>
> However, why are you trying to do this?  What is the risk involved in the
> clients knowing the true IPs and ports of the hypervisors, which would be
> mitigated by having them connect via a proxy instead?
>
> Have you considered using HAproxy or LVS, both of which are far more generic
> network proxies than Squid is?
>
> > Is there any example how to configure this?
>
> Not that I have ever heard of, however if it is a protocol which Squid can
> handle, it really doesn't matter what the specific backend system is; there are
> plenty of examples on how to do HTTP, HTTPS and FTP.
>
>
>
> Antony.
>
> --
> Numerous psychological studies over the years have demonstrated that the
> majority of people genuinely believe they are not like the majority of
> people.
>
>    Please reply to the list;
>  please *don't* CC me.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


Re: [squid-users] Proxyfy spice protocol behind nat

2017-02-19 Thread Antony Stone
On Sunday 19 February 2017 at 19:05:57, Oscar Segarra wrote:

> Hi,
> 
> In my environment I have deployed two KVM hypervisors. I'd like to deploy
> in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from
> the clients.

Why?  What's the problem with the clients knowing the true values?

> Each virtual machine has a unique port but VMs can run on any hypervisor.

It doesn't sound to me like the VMs are actually part of what you're trying to 
do here?  You're just talking about client connections to hypervisors; the VMs 
are not part of that.

> Is it possible to achieve this with squid?

What protocol do the clients use to communicate with the KVM Hypervisors?

If it's HTTP, HTTPS or FTP, then you can probably configure Squid in 
accelerator mode and use it to do what you want.

However, why are you trying to do this?  What is the risk involved in the 
clients knowing the true IPs and ports of the hypervisors, which would be 
mitigated by having them connect via a proxy instead?

Have you considered using HAproxy or LVS, both of which are far more generic 
network proxies than Squid is?

> Is there any example how to configure this?

Not that I have ever heard of, however if it is a protocol which Squid can 
handle, it really doesn't matter what the specific backend system is; there are 
plenty of examples on how to do HTTP, HTTPS and FTP.



Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.
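
An added example, not part of the original thread or of either poster's setup: one way the HAProxy suggestion above could look for SPICE, which runs over plain TCP, so the proxy works in TCP mode rather than HTTP mode. All addresses, port numbers and names are constructed placeholders; it assumes, as the thread states, that each VM has a unique port and that the port is open only on the hypervisor currently running that VM.

```haproxy
# haproxy.cfg fragment (constructed example)
# 203.0.113.10 = the single public address of the DMZ proxy (placeholder)
# 10.0.0.11 / 10.0.0.12 = the two KVM hypervisors (placeholders)

defaults
    mode tcp
    timeout connect 5s
    # SPICE sessions are long-lived and can sit idle, so keep these generous
    timeout client  1h
    timeout server  1h
    # Plain TCP connect check, repeated every 2 seconds
    default-server inter 2s fall 2 rise 1

# One listener per VM port. Both hypervisors are listed as servers; the
# health check only succeeds on the hypervisor where the VM is running,
# so connections follow the VM when it moves to the other host.
listen spice_vm01
    bind 203.0.113.10:5901
    server kvm1 10.0.0.11:5901 check
    server kvm2 10.0.0.12:5901 check

listen spice_vm02
    bind 203.0.113.10:5902
    server kvm1 10.0.0.11:5902 check
    server kvm2 10.0.0.12:5902 check
```

Only the ports bound here are reachable from outside, so the hypervisor addresses stay private and the DMZ firewall needs to allow just the proxy host to reach the hypervisors on those ports.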


[squid-users] Proxyfy spice protocol behind nat

2017-02-19 Thread Oscar Segarra
Hi,

In my environment I have deployed two KVM hypervisors. I'd like to deploy
in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from
the clients.

Each virtual machine has a unique port but VMs can run on any hypervisor.

Is it possible to achieve this with squid?
Is there any example how to configure this?

Any help will be welcome!
Thanks a lot.