On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
> On Mon, 2014-01-27 at 11:21 -0800, David Li wrote:
>> Do I need to generate and install an x509 key pair for the squid proxy? How
>> can I find out if the key pair has already been done?
>
> No. Spice channels are encrypted end-to-end so if you configure squid to
> forward the connections just to the display network range of the hosts,
> you only allow connections that are encrypted anyway - so the TLS would
> be here quite redundant.
>
> Have you made sure that you have opened port 3128 in iptables? If the
> box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
> be configured to disable firewalld but I presume that engine-setup does
> that), add the port definition among other opened ports
> in /etc/sysconfig/iptables.
>
> David
>
> PS: I'm mangling reply-to: header for a reason. Please don't hog my
> inbox, I can very well read your messages on-list. Thank you.

I made a test setting proxy on engine and it seems it is ok.
I have no other ports than 80 and 443 allowed so I have to use environment with all the servers in 10.4.4.0 network

client 10.4.4.61
engine 10.4.4.60
test VM 10.4.4.63
host (where test VM is running on) 10.4.4.59

# engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
# systemctl restart ovirt-engine

configured squid on engine on its default port 3128

I have firewalld configured on engine, so that I have this in /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="mdns"/>
  <service name="ovirt-nfs"/>
  <service name="ovirt-http"/>
  <service name="dhcpv6-client"/>
  <service name="ovirt-websocket-proxy"/>
  <service name="ovirt-https"/>
  <service name="ssh"/>
  <service name="ovirt-postgres"/>
  <port protocol="tcp" port="6100"/>
  <port protocol="tcp" port="3128"/>
</zone>

On client CentOS 6.5 (10.4.4.61):
I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
I have enabled spice proxy for the test VM
I select console and specify to run /usr/bin/remote-viewer at popup window, enabling popups in firefox
I successfully get the console

$ ps -ef|grep remote
g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv
g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote

$ sudo lsof -Pp 23897 | grep TCP
remote-vi 23897 g.cecchi 4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)

On engine (10.4.4.60)
# netstat -an|grep 3128
tcp6 0 0 :::3128 :::* LISTEN
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED

On hypervisor (10.4.4.59)
$ netstat -an|grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED

So all seems ok.

Gianluca
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
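
Added example, not part of the original thread and not oVirt's own configuration: a squid.conf fragment for the restriction David describes above, where the proxy tunnels only to the display network of the hosts. The /24 mask, the 5900-6923 display port range and the ACL names are assumptions; the thread shows only the 10.4.4.0 network and port 5901.

```conf
# Constructed squid.conf fragment for a SPICE proxy on the engine (10.4.4.60).
# Assumptions: clients and hosts share 10.4.4.0/24, and the hypervisors
# expose consoles on TCP 5900-6923 (the thread shows 5901 in use).

http_port 3128

# Who may use the proxy: the client network from the thread (mask assumed).
acl spice_clients src 10.4.4.0/24

# Where tunnels may end: the hosts' display network (mask assumed).
# With a single hypervisor this can be narrowed to 10.4.4.59/32.
acl spice_hosts dst 10.4.4.0/24

# Display ports only (range assumed), not arbitrary services on the hosts.
acl spice_ports port 5900-6923

# Omit this line if your squid.conf or squid version already defines CONNECT.
acl CONNECT method CONNECT

# Too broad: lets any client tunnel through the engine to any host and port.
# http_access allow all

# These rules take the place of the stock http_access section. A stock
# "http_access deny CONNECT !SSL_ports" rule placed earlier would reject
# tunnels to the display ports, because squid stops at the first match.
http_access allow CONNECT spice_clients spice_hosts spice_ports

# Plain HTTP requests and every other tunnel are refused.
http_access deny all
```

With rules like these, the only connections leaving the engine on behalf of proxy clients are the ones seen in the netstat output on the hypervisor (engine to 10.4.4.59:5901).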