Ce contenu n'est pas disponible dans la langue sélectionnée.
Appendix F. Proxies
F.1. SPICE Proxy
F.1.1. SPICE Proxy Overview
The SPICE Proxy is a tool used to connect SPICE Clients to virtual machines when the SPICE Clients are outside the network that connects the hypervisors. Setting up a SPICE Proxy consists of installing Squid
on a machine and configuring the firewall to allow proxy traffic. Turning a SPICE Proxy on consists of using engine-config
on the Manager to set the key SpiceProxyDefault
to a value consisting of the name and port of the proxy. Turning a SPICE Proxy off consists of using engine-config
on the Manager to remove the value to which the key SpiceProxyDefault
has been set.
The SPICE Proxy can only be used in conjunction with the standalone SPICE client, and cannot be used to connect to virtual machines using noVNC.
F.1.2. SPICE Proxy Machine Setup
This procedure explains how to set up a machine as a SPICE Proxy. A SPICE Proxy makes it possible to connect to the Red Hat Virtualization network from outside the network. We use Squid
in this procedure to provide proxy services.
Procedure
Install
Squid
on the Proxy machine:# dnf install squid
Open /etc/squid/squid.conf. Change:
http_access deny CONNECT !SSL_ports
to:
http_access deny CONNECT !Safe_ports
Start the squid service and enable it to run automatically after reboot:
# systemctl enable squid.service --now
Enable incoming requests to the squid service in the default firewalld zone:
# firewall-cmd --permanent --add-service=squid
Make this firewall rule persistent in the runtime configuration:
# firewall-cmd --reload
Confirm that the squid service appears in the list of firewall services:
# firewall-cmd --list-services ssh dhcpv6-client squid
You have now set up a machine as a SPICE proxy. Before connecting to the Red Hat Virtualization network from outside the network, activate the SPICE proxy.
F.1.3. Turning On a SPICE Proxy
This procedure explains how to activate (or turn on) the SPICE proxy.
Procedure
On the Manager, use the engine-config tool to set a proxy:
#
engine-config -s SpiceProxyDefault=someProxy
Restart the
ovirt-engine
service:# systemctl restart ovirt-engine.service
The proxy must have this form:
protocol://[host]:[port]
NoteOnly SPICE clients shipped with Red Hat Enterprise Linux 6.7, Red Hat Enterprise Linux 7.2, or later, support HTTPS proxies. Earlier clients only support HTTP. If HTTPS is specified for earlier clients, the client will ignore the proxy setting and attempt a direct connection to the host.
SPICE Proxy is now activated (turned on). It is now possible to connect to the Red Hat Virtualization network through the SPICE proxy.
F.1.4. Turning Off a SPICE Proxy
This procedure explains how to turn off (deactivate) a SPICE proxy.
Procedure
Log in to the Manager:
$ ssh root@[IP of Manager]
Run the following command to clear the SPICE proxy:
# engine-config -s SpiceProxyDefault=""
Restart the Manager:
# systemctl restart ovirt-engine.service
SPICE proxy is now deactivated (turned off). It is no longer possible to connect to the Red Hat Virtualization network through the SPICE proxy.