Hi Gianluca,

Finally it worked for me! Thanks a lot for help!

The doc is a little vague in terms of all the things you need to do. I will try to write something up based on my own experience and share with everyone here.

David

----- Original Message -----
> From: Gianluca Cecchi <gianluca.cec...@gmail.com>
> To: "users@ovirt.org" <users@ovirt.org>
> Cc: David Li <david...@sbcglobal.net>
> Sent: Tuesday, January 28, 2014 9:21 AM
> Subject: Re: [Users] Spice-proxy questions
>
> On Tue, Jan 28, 2014 at 9:49 AM, David Jaša wrote:
>> On Po, 2014-01-27 at 11:21 -0800, David Li wrote:
>>> Do I need to generate and install a x509 key pair for the squid proxy?
>>> How can I find out if the key pair has already been done?
>>
>> No. Spice channels are encrypted end-to-end so if you configure squid to
>> forward the connections just to the display network range of the hosts,
>> you only allow connections that are encrypted anyway - so the TLS would
>> be here quite redundant.
>>
>> Have you made sure that you have opened port 3128 in iptables? If the
>> box doesn't use firewalld (which is the case on RHEL/CentOS, Fedora must
>> be configured to disable firewalld but I presume that engine-setup does
>> that), add the port definition among other opened ports
>> in /etc/sysconfig/iptables.
>>
>> David
>>
>> PS: I'm mangling reply-to: header for a reason. Please don't hog my
>> inbox, I can very well read your messages on-list. Thank you.
>
>
> I made a test setting proxy on engine and it seems it is ok.
> I have no other ports than 80 and 443 allowed so I have to use
> environment with all the servers in 10.4.4.0 network
>
> client 10.4.4.61
> engine 10.4.4.60
> test VM 10.4.4.63
> host (where test VM is running on) 10.4.4.59
>
>
> # engine-config -s SpiceProxyDefault="http://10.4.4.60:3128"
> # systemctl restart ovirt-engine
>
> configured squid on engine on its default port 3128
>
> I have firewalld configured on engine, so that I have this in
> /etc/firewalld/zones/public.xml
>
> <?xml version="1.0" encoding="utf-8"?>
> <zone>
>   <short>Public</short>
>   <description>For use in public areas. You do not trust the other
> computers on networks to not harm your computer. Only selected
> incoming connections are accepted.</description>
>   <service name="mdns"/>
>   <service name="ovirt-nfs"/>
>   <service name="ovirt-http"/>
>   <service name="dhcpv6-client"/>
>   <service name="ovirt-websocket-proxy"/>
>   <service name="ovirt-https"/>
>   <service name="ssh"/>
>   <service name="ovirt-postgres"/>
>   <port protocol="tcp" port="6100"/>
>   <port protocol="tcp" port="3128"/>
> </zone>
>
>
> On client CentOS 6.5 (10.4.4.61):
> I run firefox and connect to webadmin gui of engine (https://10.4.4.60)
> I have enabled spice proxy for the test VM
> I select console and specify to run /usr/bin/remote-viewer at popup
> window, enabling popups in firefox
> I successfully get the console
>
> $ ps -ef|grep remote
> g.cecchi 23897 23726 0 15:50 pts/0 00:00:00 /usr/bin/remote-viewer /tmp/console.vv
> g.cecchi 23923 23704 0 15:52 pts/0 00:00:00 grep remote
>
> $ sudo lsof -Pp 23897 | grep TCP
> remote-vi 23897 g.cecchi  4u IPv6 498441 0t0 TCP localhost:45817->localhost:6010 (ESTABLISHED)
> remote-vi 23897 g.cecchi 14u IPv4 498447 0t0 TCP 10.4.4.61:36909->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 20u IPv4 498449 0t0 TCP 10.4.4.61:36910->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 24u IPv4 498451 0t0 TCP 10.4.4.61:36911->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 25u IPv4 498452 0t0 TCP 10.4.4.61:36912->10.4.4.60:3128 (ESTABLISHED)
> remote-vi 23897 g.cecchi 60u IPv4 497799 0t0 TCP 10.4.4.61:44961->10.4.4.60:443 (ESTABLISHED)
>
>
> On engine (10.4.4.60)
> # netstat -an|grep 3128
> tcp6 0 0 :::3128 :::* LISTEN
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36912 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36911 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36910 ESTABLISHED
> tcp6 0 0 10.4.4.60:3128 10.4.4.61:36909 ESTABLISHED
>
>
> On hypervisor (10.4.4.59)
> $ netstat -an|grep 5901
> tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38879 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38881 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38880 ESTABLISHED
> tcp 0 0 10.4.4.59:5901 10.4.4.60:38882 ESTABLISHED
>
> So all seems ok.
> Gianluca
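
The restriction David Jaša describes in the thread above (squid forwarding SPICE connections only to the hosts' display network) could look like the following squid.conf fragment. This is an added example, not part of the original thread and not oVirt's own configuration: the 10.4.4.0/24 ranges are assumed from the test addresses in the thread, the 5900-6923 display port range is an assumption (the thread only shows 5901 in use), and the ACL names are made up for illustration.

```conf
# squid.conf fragment for a SPICE proxy (added example; values are assumptions)

# Listen on the port referenced by SpiceProxyDefault in the thread
http_port 3128

# Clients allowed to use the proxy (assumed: the thread's test network)
acl spice_clients src 10.4.4.0/24

# Display network of the hypervisor hosts (assumed: same /24 as the test setup)
acl spice_hosts dst 10.4.4.0/24

# Display ports on the hosts (assumed range; the thread shows 5901)
acl spice_ports port 5900-6923

# remote-viewer tunnels each SPICE channel through the proxy with HTTP CONNECT
acl spice_connect method CONNECT

# Too permissive: either line turns the proxy into a generic relay to any
# host and port reachable from the engine machine.
#http_access allow all
#http_access allow spice_connect

# Restricted: only CONNECT, only from known clients, only to display
# addresses and display ports. Everything else is refused.
http_access allow spice_connect spice_clients spice_hosts spice_ports
http_access deny all
```

squid evaluates http_access rules top to bottom and stops at the first match, so the allow line has to come before any stock rule that denies CONNECT to ports other than 443.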