oVirt: Using a Squid Proxy for Spice

The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you won’t be able to. That is, unless you use a proxy.

This tutorial will explain how to do that using Squid. I’ll be hosting it on Debian 10, but this should work on any distro.

Installing and Configuring Squid

Installation is as simple as doing:

apt install squid

Once the install completes, we have to set up the config file. The default one is probably about 2000 lines of comments explaining each setting. If you want, read it. If not, empty the file and replace it with something roughly matching the following (/etc/squid/squid.conf):

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Replace to_engine with the IP of your oVirt manager, and to_vm
# with your network 
acl to_engine dst X.X.X.X/32
acl to_vm dst X.X.X.X/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure safe ports
http_access deny CONNECT !Safe_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow to_engine
http_access allow to_vm
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# 0.0.0.0 means listen on all interfaces. To use a specific one,
# change 0.0.0.0 to the IP of that port
http_port 0.0.0.0:3128

# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log stdio:/var/log/squid/access.log squid

Fix the to_engine and to_vm lines, then do any other edits that you deem necessary, and then we’ll start and enable the service.

systemctl enable --now squid

The service takes an abnormally time long to start, but once it does we’ll then have to inform oVirt of the new proxy. On your oVirt Engine, update the config with:

engine-config -s SpiceProxyDefault=http://X.X.X.X:3128
systemctl restart ovirt-engine

Where X.X.X.X is the IP of your Squid host. Now all you have to do is make sure that “Enable SPICE Proxy” is checked when you pull a console (which it should be by default), and you’ll be able to use Spice console from anywhere.