[Spice-devel] Spice protocol behind a Firewall

Oscar Segarra oscar.segarra at gmail.com
Tue Feb 21 14:44:08 UTC 2017


Hi Urii,

What I meant is that VMs can move dynamically between hypervisors (or
hosts) and therefore the squid configuration may change according to where VMs
are placed.

What I can do is open the whole range 5634 - 6166 (according to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Administration_Guide/Virtualization_Host_Firewall_Requirements1.html)
on each hypervisor.

I will test it in my lab environment and I will let you know.

Have you any advice on the following question:

Regarding sizing the squid server... has anyone tested how many
Microsoft Windows 7 (or 8, or 10) can be supported by a single squid proxy
server?

Thanks a lot!


2017-02-21 15:18 GMT+01:00 Uri Lublin <uril at redhat.com>:

> On 02/21/2017 02:52 PM, Oscar Segarra wrote:
>
>> Hi Uri,
>>
>> The problem comes when VMs can migrate between Hypervisors. That is,
>> eventually the scenario can turn out as follows:
>>
>> Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
>> Hypervisor2 (10.0.0.2)
>>     VM1 (port 5900)
>>     VM2 (port 5901)
>>     VM3 (port 5902)
>>     VM4 (port 5903)
>>
>> Thanks a lot!
>>
>
> Hi Oscar,
>
> I do not understand what the problem is.
> I think migration would work just fine.
>
> You should configure the setup according to your requirements.
> If you want to have 2 VMs running at the same time on
> a single host, then the first squid configuration example
> may work for you. If you would like the number of VMs to be 4,
> please enable 4 ports (on each host).
> If you want different ports enabled on different hosts,
> then you can try the second example.
>
> Uri.
>
>
>
>> 2017-02-21 13:49 GMT+01:00 Uri Lublin <uril at redhat.com>:
>>
>>
>>     On 02/21/2017 11:04 AM, Oscar Segarra wrote:
>>
>>         Hi Uri,
>>
>>         Thanks a lot for the example... It looks like it clarifies the security/acl,
>>         but what I'd like to know is whether there is any known configuration for
>>         a scenario like this:
>>
>>         Hypervisor1 (10.0.0.1)
>>             VM1 (port 5900)
>>             VM2 (port 5901)
>>         Hypervisor2 (10.0.0.2)
>>             VM3 (port 5902)
>>             VM4 (port 5903)
>>
>>
>>
>>     [1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
>>     After reading the "And/Or logic" subsection of [1], a configuration
>>     you can try is (again not even tested):
>>       # each acl line needs a type: "dst" for destination address, "port" for destination port
>>       acl HOST1 dst 10.0.0.1
>>       acl HOST2 dst 10.0.0.2
>>       acl PORT1 port 5900 5901
>>       acl PORT2 port 5902 5903
>>       # several acl names on one http_access line are ANDed
>>       http_access allow HOST1 PORT1
>>       http_access allow HOST2 PORT2
>>       http_access deny all
>>
>>
>>     Regards,
>>         Uri.
>>
>>
>>         2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com>:
>>
>>
>>
>>             On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>>
>>                 Hi Uri,
>>
>>                 I have not been able to find the example you suggest...
>>         can you
>>                 paste
>>                 the url of the example?
>>
>>
>>             Hi Oscar,
>>
>>             Disclaimer:
>>                This is just an example. There may be better more secure
>> ways
>>                to do it. You should research and decide on a solution
>>                according to your specific requirements.
>>                I did not even test the suggested solution.
>>
>>             For example:
>>             http://wiki.squid-cache.org/SquidFaq/SquidAcl under
>>             "Is there an easy way of banning all Destination addresses
>>         except one?"
>>
>>             You can configure your squid server to allow access only to the
>>             two hosts and specific ports on those hosts and deny the rest.
>>
>>             acl GOOD_HOST dst 10.0.0.1
>>             acl GOOD_HOST dst 10.0.0.2
>>             acl GOOD_PORT port 5900
>>             # both names on one line: the request must match host AND port
>>             # (two separate allow lines would be ORed and open every port on the hosts)
>>             http_access allow GOOD_HOST GOOD_PORT
>>             http_access deny all
>>
>>             # The last command is not needed according to
>>             # http://www.squid-cache.org/Doc/config/http_access/
>>             # but it does appear in the SquidAcl example
>>
>>             Uri.
>>
>>
>>
>>
>
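An added example, not Uri's or Oscar's configuration: a squid.conf fragment for the setup discussed in this thread. It assumes hypervisors 10.0.0.1 and 10.0.0.2, the 5634-6166 console port range from the Red Hat document Oscar links, and SPICE clients that reach Squid with a CONNECT request; the ACL names SPICE_HOSTS and SPICE_PORTS are made up here.

```conf
# Added example (not from the thread). Assumed: hypervisors 10.0.0.1 and
# 10.0.0.2, console port range 5634-6166 (Red Hat link above), and SPICE
# clients that open the tunnel with "CONNECT host:port" through Squid.

# Destination hypervisors. One dst ACL may list several addresses.
acl SPICE_HOSTS dst 10.0.0.1 10.0.0.2

# Open the whole console range on every host instead of fixed ports per host,
# so the rule still matches after a VM migrates between hypervisors.
acl SPICE_PORTS port 5634-6166

# SPICE traffic arrives as a CONNECT tunnel request, not GET/POST.
# (This ACL is already defined in the default squid.conf; repeating it is harmless.)
acl CONNECT method CONNECT

# All names on one http_access line are ANDed: the request must be a CONNECT,
# to one of the two hosts, on a console port. Two separate "allow" lines would
# be ORed and would expose every port on those hosts and the port range on any host.
http_access allow CONNECT SPICE_HOSTS SPICE_PORTS

# Everything else, including CONNECT to any other host:port, is refused.
http_access deny all

# Rules are evaluated in order, first match wins: put this block before the
# default "http_access deny CONNECT !SSL_ports" rule, or add the range to SSL_ports.
# Check the syntax with:  squid -k parse
```

Squid's access.log will show each CONNECT as allowed (TCP_TUNNEL) or denied (TCP_DENIED), which is the quickest way to confirm the rule set in the lab before opening the range on every hypervisor.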