[Spice-devel] Spice protocol behind a Firewall
Uri Lublin
uril at redhat.com
Tue Feb 21 14:18:17 UTC 2017
On 02/21/2017 02:52 PM, Oscar Segarra wrote:
> Hi Uri,
>
> The problem comes when VMs can migrate between Hypervisors. It is,
> eventually the scenario can turn as follows:
>
> Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
> Hypervisor2 (10.0.0.2)
> VM1 (port 5900)
> VM2 (port 5901)
> VM3 (port 5902)
> VM4 (port 5903)
>
> Thanks a lot!
Hi Oscar,
I do not understand what the problem is.
I think migration would work just fine.
You should configure the setup according to your requirements.
If you want to have 2 VMs running at the same time on
a single host, then the first squid configuration example
may work for you. If you like the number of VMs to be 4
please enable 4 ports (on each host).
If you want different ports enabled on different hosts
than you can try the second example.
Uri.
>
> 2017-02-21 13:49 GMT+01:00 Uri Lublin <uril at redhat.com
> <mailto:uril at redhat.com>>:
>
> On 02/21/2017 11:04 AM, Oscar Segarra wrote:
>
> Hi Uri,
>
> Thanks a lot for th example... It looks clarify the security/acl but
> what I'd like to know is if is there any known configuration for an
> scenario like this:
>
> Hypervisor1 (10.0.0.1)
> VM1 (port 5900)
> VM2 (port 5901)
> Hypervisor2 (10.0.0.2)
> VM3 (port 5902)
> VM4 (port 5903)
>
>
>
> [1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
> After reading "And/Or logic" subsection of [1], a configuration
> you can try is (again not even tested):
> acl HOST1 10.0.0.1
> acl HOST2 10.0.0.2
> acl PORT1 5900 5901
> acl PORT2 5902 5903
> http_access allow HOST1 PORT1
> http_access allow HOST2 PORT2
> http_access deny all
>
>
> Regards,
> Uri.
>
>
> 2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com
> <mailto:uril at redhat.com>
> <mailto:uril at redhat.com <mailto:uril at redhat.com>>>:
>
>
> On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>
> Hi Uri,
>
> I have not been able to find the example you suggest...
> can you
> paste
> the url of the example?
>
>
> Hi Oscar,
>
> Disclaimer:
> This is just an example. There may be better more secure ways
> to do it. You should research and decide on a solution
> according to your specific requirements.
> I did not even test the suggested solution.
>
> For example:
> http://wiki.squid-cache.org/SquidFaq/SquidAcl
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>> under
> "Is there an easy way of banning all Destination addresses
> except one?"
>
> You can configure your squid server to allow only access the
> two hosts and specific ports on those hosts and deny the rest.
>
> acl GOOD_HOST dst 10.0.0.1
> acl GOOD_HOST dst 10.0.0.2
> acl GOOD_PORT port 5900
> http_access allow GOOD_HOST
> http_access allow GOOT_PORT
> http_access deny all
>
> # The last command is not needed according to
> # http://www.squid-cache.org/Doc/config/http_access/
> <http://www.squid-cache.org/Doc/config/http_access/>
> <http://www.squid-cache.org/Doc/config/http_access/
> <http://www.squid-cache.org/Doc/config/http_access/>>
> # but it does appear in the SquidAcl example
>
> Uri.
>
>
>
More information about the Spice-devel
mailing list