<div dir="ltr">Hi Uri, <div><br></div><div>Thanks a lot for the example... It looks like it clarifies the security/acl but what I'd like to know is if there is any known configuration for a scenario like this:</div><div><br></div><div>Hypervisor1 (10.0.0.1)</div><div> VM1 (port 5900)</div><div> VM2 (port 5901)</div><div>Hypervisor2 (10.0.0.2)</div><div> VM3 (port 5902)</div><div> VM4 (port 5903)</div><div><br></div><div>Of course, VMx can be migrated from one hypervisor to the other (even live).</div><div><br></div><div>What I'd like is to configure</div><div><br></div><div>Internet --> Proxy (listening 5900, 5901, 5902, 5903) --> Hypervisor1 or Hypervisor2 (where the port is up)</div><div><br></div><div>I hope not to be the first one with these requirements :S</div><div><br></div><div>Thanks a lot.</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-21 9:42 GMT+01:00 Uri Lublin <span dir="ltr"><<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 02/19/2017 07:33 PM, Oscar Segarra wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi Uri,<br>
<br><span class="gmail-">
I have not been able to find the example you suggest... can you paste<br>
the url of the example?<br>
<br>
</span></blockquote>
<br>
Hi Oscar,<br>
<br>
Disclaimer:<br>
This is just an example. There may be better, more secure ways<br>
to do it. You should research and decide on a solution<br>
according to your specific requirements.<br>
I did not even test the suggested solution.<br>
<br>
For example:<br>
<a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Sq<wbr>uidFaq/SquidAcl</a> under<br>
"Is there an easy way of banning all Destination addresses except one?"<br>
<br>
You can configure your squid server to allow access only to the<br>
two hosts and specific ports on those hosts and deny the rest.<br>
<br>
acl GOOD_HOST dst 10.0.0.1<br>
acl GOOD_HOST dst 10.0.0.2<br>
acl GOOD_PORT port 5900<br>
# ACLs listed on one http_access line are ANDed, so this allows<br>
# only GOOD_PORT on a GOOD_HOST<br>
http_access allow GOOD_HOST GOOD_PORT<br>
http_access deny all<br>
<br>
# The last command is not needed according to<br>
# <a href="http://www.squid-cache.org/Doc/config/http_access/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc<wbr>/config/http_access/</a><br>
# but it does appear in the SquidAcl example<br>
<br>
Uri.<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
<br>
2017-02-19 18:23 GMT+01:00 Uri Lublin <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>:<br>
On 02/19/2017 12:50 PM, Oscar Segarra wrote:<br>
<br>
Hi Uri,<br>
<br>
Is there any public documentation for configuring the http/https<br>
proxy?<br>
<br>
In my scenario, I have 2 hypervisors and I don't know exactly how to<br>
redirect each port to each hypervisor.<br>
<br>
And regarding your comments, host_ip and host_port (in first and second<br>
command) belong to the reverse proxy or the hypervisor?<br>
<br>
Thanks a lot for your help<br>
<br>
<br>
One proxy server you can try is squid (<a href="http://squid-cache.org" rel="noreferrer" target="_blank">squid-cache.org</a><br></span>
<<a href="http://squid-cache.org" rel="noreferrer" target="_blank">http://squid-cache.org</a>>).<span class="gmail-"><br>
Perhaps one of the examples on its site fits your needs.<br>
<br>
In the command below, host is the hypervisor.<br>
If you want to hide the hypervisor ip address and port<br>
perhaps a more sophisticated proxy can be used and that<br>
command line will be a bit different. I never tried it.<br>
<br>
Regards,<br>
Uri.<br>
<br>
<br>
On 19 Feb 2017, 10:48 a.m., "Uri Lublin" <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a><br></span>
<mailto:<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>><div><div class="gmail-h5"><br>
<br>
On 02/19/2017 08:07 AM, Oscar Segarra wrote:<br>
<br>
Hi,<br>
<br>
First of all, I'd like to say that I'm not sure enough I'm writing to<br>
the correct mailing list, I have not been able to find a common users<br>
mailing list.<br>
<br>
I'm planning to deploy a VDI solution based on SPICE. I'd like to grant<br>
access through the Internet to the VDI desktops but I don't want to<br>
expose the hypervisors to the Internet.<br>
<br>
Using virt-viewer or remote-viewer (not the html5 feature as I want USB<br>
redirection), is there any trick to make this scenario work:<br>
<br>
/Internet --> FW --> Kind of spice reverse proxy --> FW --> Hypervisors<br>
(more than one)./<br>
<br>
<br>
Hi,<br>
<br>
If you have an http/https proxy server, please try:<br>
SPICE_PROXY=proxy_ip:proxy_port remote-viewer host_ip:host_port<br>
<br>
Hope that helps,<br>
Uri.<br>
<br>
<br>
<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div></div>
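<div>Squid checks http_access lines in order and stops at the first one whose ACLs all match; ACLs named on one line are ANDed, while separate lines act as alternatives. The Python sketch below is an added example, not part of the original thread and not Squid code: it models only dst and port ACLs to compare one allow line per ACL against a single combined allow line for the hosts discussed above. The 5900-5903 range and the sample destinations are assumptions chosen for illustration.</div>

```python
import ipaddress

def parse(conf):
    """Parse the small squid.conf subset used here: dst/port ACLs and http_access."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            # Repeating an ACL name appends values; values of one ACL are ORed.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, host, port):
    if name == "all":
        return True
    if name not in acls:  # e.g. a misspelled ACL name; treated as an error in this model
        raise ValueError(f"undefined ACL: {name}")
    kind, values = acls[name]
    if kind == "dst":
        addr = ipaddress.ip_address(host)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # single ports or lo-hi ranges
        spans = [(v.partition("-")[0], v.partition("-")[2] or v) for v in values]
        return any(int(lo) <= port <= int(hi) for lo, hi in spans)
    raise ValueError(f"ACL type not modelled: {kind}")

def decide(conf, host, port):
    """The first http_access line whose ACLs ALL match decides the request."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, host, port) for n in names):
            return action
    # No line matched: the default is the opposite of the last line (deny if none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

ACLS = """
acl GOOD_HOST dst 10.0.0.1
acl GOOD_HOST dst 10.0.0.2
acl GOOD_PORT port 5900-5903
"""
SPLIT = ACLS + "http_access allow GOOD_HOST\nhttp_access allow GOOD_PORT\nhttp_access deny all\n"
COMBINED = ACLS + "http_access allow GOOD_HOST GOOD_PORT\nhttp_access deny all\n"

if __name__ == "__main__":
    # Constructed requests: (destination host, destination port)
    for host, port in [("10.0.0.2", 5902), ("10.0.0.1", 22), ("192.0.2.7", 5900)]:
        print(host, port, "split:", decide(SPLIT, host, port),
              "combined:", decide(COMBINED, host, port))
```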