[Spice-devel] Spice protocol behind a Firewall

Uri Lublin uril at redhat.com
Tue Feb 21 14:18:17 UTC 2017


On 02/21/2017 02:52 PM, Oscar Segarra wrote:
> Hi Uri,
>
> The problem comes when VMs can migrate between Hypervisors. It is,
> eventually the scenario can turn as follows:
>
> Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
> Hypervisor2 (10.0.0.2)
>     VM1 (port 5900)
>     VM2 (port 5901)
>     VM3 (port 5902)
>     VM4 (port 5903)
>
> Thanks a lot!

Hi Oscar,

I do not understand what the problem is.
I think migration would work just fine.

You should configure the setup according to your requirements.
If you want to have 2 VMs running at the same time on
a single host, then the first squid configuration example
may work for you. If you would like the number of VMs to be 4,
please enable 4 ports (on each host).
If you want different ports enabled on different hosts,
then you can try the second example.

Uri.


>
> 2017-02-21 13:49 GMT+01:00 Uri Lublin <uril at redhat.com
> <mailto:uril at redhat.com>>:
>
>     On 02/21/2017 11:04 AM, Oscar Segarra wrote:
>
>         Hi Uri,
>
>         Thanks a lot for the example... It looks like it clarifies the security/acl but
>         what I'd like to know is if there is any known configuration for a
>         scenario like this:
>
>         Hypervisor1 (10.0.0.1)
>             VM1 (port 5900)
>             VM2 (port 5901)
>         Hypervisor2 (10.0.0.2)
>             VM3 (port 5902)
>             VM4 (port 5903)
>
>
>
>     [1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
>     After reading "And/Or logic" subsection of [1], a configuration
>     you can try is (again not even tested):
>       acl HOST1 dst 10.0.0.1
>       acl HOST2 dst 10.0.0.2
>       acl PORT1 port 5900 5901
>       acl PORT2 port 5902 5903
>       # ACLs on one http_access line must all match (AND); lines are tried in order
>       http_access allow HOST1 PORT1
>       http_access allow HOST2 PORT2
>       http_access deny all
>
>
>     Regards,
>         Uri.
>
>
>         2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com
>         <mailto:uril at redhat.com>>:
>
>
>             On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>
>                 Hi Uri,
>
>                 I have not been able to find the example you suggest...
>                 can you paste the url of the example?
>
>
>             Hi Oscar,
>
>             Disclaimer:
>                This is just an example. There may be better more secure ways
>                to do it. You should research and decide on a solution
>                according to your specific requirements.
>                I did not even test the suggested solution.
>
>             For example:
>             http://wiki.squid-cache.org/SquidFaq/SquidAcl under
>             "Is there an easy way of banning all Destination addresses
>             except one?"
>
>             You can configure your squid server to allow access only to the
>             two hosts and specific ports on those hosts and deny the rest.
>
>             acl GOOD_HOST dst 10.0.0.1
>             acl GOOD_HOST dst 10.0.0.2
>             acl GOOD_PORT port 5900
>             # both ACLs on one line must match: good host AND good port
>             http_access allow GOOD_HOST GOOD_PORT
>             http_access deny all
>
>             # The last command is not needed according to
>             # http://www.squid-cache.org/Doc/config/http_access/
>             # but it does appear in the SquidAcl example
>
>             Uri.
>
>
>
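To make the and/or logic of the squid.conf lines in this thread concrete, here is an added example (not code from the thread or from Squid) that models how http_access lines are evaluated: ACLs on one line are ANDed, lines are tried in order, and the first full match decides. The ACL names and addresses are the ones from the thread; the evaluator is a simplification that assumes only the dst, port and all ACL types, and the requests it checks are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    dst: str    # destination host the client asks the proxy to reach
    port: int   # destination port

# ACL table: name -> (acl type, values), mirroring "acl NAME type values..."
ACLS = {
    "GOOD_HOST": ("dst", {"10.0.0.1", "10.0.0.2"}),
    "GOOD_PORT": ("port", {5900}),
    "HOST1": ("dst", {"10.0.0.1"}), "PORT1": ("port", {5900, 5901}),
    "HOST2": ("dst", {"10.0.0.2"}), "PORT2": ("port", {5902, 5903}),
    "all": ("all", set()),          # Squid's built-in match-everything ACL
}

def acl_matches(name, req):
    acl_type, values = ACLS[name]
    if acl_type == "all":
        return True
    if acl_type == "dst":
        return req.dst in values
    if acl_type == "port":
        return req.port in values
    raise ValueError(f"unsupported acl type: {acl_type}")

def http_access(rules, req):
    """rules: list of (action, [acl names]) in squid.conf order.
    ACLs on one line are ANDed; the first line whose ACLs all match wins.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Two separate allow lines behave as GOOD_HOST *or* GOOD_PORT.
OR_RULES = [("allow", ["GOOD_HOST"]), ("allow", ["GOOD_PORT"]), ("deny", ["all"])]
# One line with both ACLs behaves as GOOD_HOST *and* GOOD_PORT.
AND_RULES = [("allow", ["GOOD_HOST", "GOOD_PORT"]), ("deny", ["all"])]
# The per-host variant from the second message (different ports per host).
PER_HOST_RULES = [("allow", ["HOST1", "PORT1"]), ("allow", ["HOST2", "PORT2"]),
                  ("deny", ["all"])]

if __name__ == "__main__":
    for label, rules in [("or", OR_RULES), ("and", AND_RULES), ("per-host", PER_HOST_RULES)]:
        for req in [Request("10.0.0.1", 22), Request("192.0.2.9", 5900),
                    Request("10.0.0.1", 5900), Request("10.0.0.2", 5902)]:
            print(f"{label:8} {req.dst}:{req.port} -> {http_access(rules, req)}")
```

Running it shows why the two-line form is too permissive: it lets a whitelisted host be reached on any port and any host on port 5900, while the one-line form only passes the host/port pairs the thread intends.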
