[Spice-devel] Spice protocol behind a Firewall

Oscar Segarra oscar.segarra at gmail.com
Tue Feb 21 09:04:52 UTC 2017


Hi Uri,

Thanks a lot for the example... It seems to clarify the security/acl, but what
I'd like to know is whether there is any known configuration for a scenario
like this:

Hypervisor1 (10.0.0.1)
    VM1 (port 5900)
    VM2 (port 5901)
Hypervisor2 (10.0.0.2)
    VM3 (port 5902)
    VM4 (port 5903)

Of course, VMx can be migrated from one hypervisor to the other (even live).

What I'd like is to configure

Internet --> Proxy (listening 5900, 5901, 5902, 5903) --> Hypervisor1 or
Hypervisor2 (where the port is up)

I hope not to be the first one with these requirements :S

Thanks a lot.


2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com>:

> On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>
>> Hi Uri,
>>
>> I have not been able to find the example you suggest... can you paste
>> the url of the example?
>>
>>
> Hi Oscar,
>
> Disclaimer:
>    This is just an example. There may be better more secure ways
>    to do it. You should research and decide on a solution
>    according to your specific requirements.
>    I did not even test the suggested solution.
>
> For example:
> http://wiki.squid-cache.org/SquidFaq/SquidAcl under
> "Is there an easy way of banning all Destination addresses except one?"
>
> You can configure your squid server to allow access only to the
> two hosts and specific ports on those hosts, and deny the rest.
>
> acl GOOD_HOST dst 10.0.0.1
> acl GOOD_HOST dst 10.0.0.2
> acl GOOD_PORT port 5900
> # Both ACLs on one http_access line are ANDed: only GOOD_HOST on GOOD_PORT is allowed
> http_access allow GOOD_HOST GOOD_PORT
> http_access deny all
>
> # The last command is not needed according to
> # http://www.squid-cache.org/Doc/config/http_access/
> # but it does appear in the SquidAcl example
>
> Uri.
>
>
>> 2017-02-19 18:23 GMT+01:00 Uri Lublin <uril at redhat.com>:
>>     On 02/19/2017 12:50 PM, Oscar Segarra wrote:
>>
>>         Hi Uri,
>>
>>         Is there any public documentation for configuring the http/https
>>         proxy?
>>
>>         In my scenario, I have 2 hypervisors and I don't know exactly how
>>         to redirect each port to each hypervisor.
>>
>>         And regarding your comments, host_ip and host_port (in first and
>>         second command) belong to the reverse proxy or the hypervisor?
>>
>>         Thanks a lot for your help
>>
>>
>>     One proxy server you can try is squid (squid-cache.org
>>     <http://squid-cache.org>).
>>     Perhaps one of the examples on its site fits your needs.
>>
>>     In the command below, host is the hypervisor.
>>     If you want to hide the hypervisor ip address and port
>>     perhaps a more sophisticated proxy can be used and that
>>     command line will be a bit different. I never tried it.
>>
>>     Regards,
>>         Uri.
>>
>>
>>         On Feb 19, 2017 10:48 AM, "Uri Lublin" <uril at redhat.com>
>>
>>
>>                 On 02/19/2017 08:07 AM, Oscar Segarra wrote:
>>
>>                         Hi,
>>
>>                         First of all, I'd like to say that I'm not sure
>>                         enough I'm writing to the correct mailing list, I
>>                         have not been able to find a common users
>>                         mailing list.
>>
>>                         I'm planning to deploy a VDI solution based on
>>                         SPICE. I'd like to grant access through the
>>                         Internet to the VDI desktops but I don't want to
>>                         expose the hypervisors to the Internet.
>>
>>                         Using virt-viewer or remote-viewer (not the
>>                         html5 feature as I want USB redirection), is
>>                         there any trick to make this scenario work:
>>
>>                         Internet --> FW --> Kind of spice reverse proxy
>>                         --> FW --> Hypervisors (more than one).
>>
>>
>>                 Hi,
>>
>>                 If you have an http/https proxy server, please try:
>>                   SPICE_PROXY=proxy_ip:proxy_port  remote-viewer host_ip:host_port
>>
>>                 Hope that helps,
>>                     Uri.
>>
>>
>>
>>
>
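Oscar's target layout (Internet --> proxy on 5900-5903 --> whichever hypervisor has the port up) as an added example that is not code from the thread or from the SPICE project: a small asyncio TCP relay. The hypervisor addresses and ports come from the thread; the per-connection probe, the function names and the drop-when-nowhere behaviour are assumptions.

```python
"""Tiny SPICE reverse proxy (assumed design): listen on the VM display ports
and relay each client to whichever hypervisor currently has that port open."""
import asyncio
import functools
import socket

HYPERVISORS = ["10.0.0.1", "10.0.0.2"]  # internal addresses from the thread
PORTS = range(5900, 5904)               # VM1..VM4 display ports
PROBE_TIMEOUT = 0.5                     # seconds per candidate probe

def pick_backend(port, candidates=HYPERVISORS, timeout=PROBE_TIMEOUT):
    """Return the first candidate host accepting TCP on `port`, else None.
    A VM may have been live-migrated, so this is re-checked per connection."""
    for host in candidates:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return host
        except OSError:
            continue
    return None

async def pump(reader, writer):
    """Copy bytes one way until EOF, then close the writer. The relay never
    decodes SPICE, so SPICE TLS between viewer and VM still works end to end."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, port):
    peer = client_w.get_extra_info("peername")
    backend = pick_backend(port)
    if backend is None:  # VM not running anywhere: drop, never fall back elsewhere
        print(f"{peer} -> :{port}: no hypervisor has the port up, dropping")
        client_w.close()
        return
    backend_r, backend_w = await asyncio.open_connection(backend, port)
    print(f"{peer} -> :{port} relayed to {backend}:{port}")
    await asyncio.gather(pump(client_r, backend_w), pump(backend_r, client_w))

async def main(bind="0.0.0.0"):
    servers = [await asyncio.start_server(functools.partial(handle, port=p), bind, p)
               for p in PORTS]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```

Run it on the proxy host behind the outer firewall: only the proxy is reachable from the Internet, and the relay only ever opens connections to the two listed hypervisors on the four listed ports, so the inner firewall can be restricted to exactly those.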