oVirt: Using a Squid Proxy for Spice
The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you won’t be able to. That is, unless you use a proxy.
This tutorial will explain how to do that using Squid. I’ll be hosting it on Debian 10, but this should work on any distro.
Installing and Configuring Squid
Installation is as simple as doing:
apt install squid
Once the install completes, we have to set up the config file. The default one is probably about 2000 lines of comments explaining each setting. If you want, read it. If not, empty the file and replace it with something roughly matching the following (
# Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines # Replace to_engine with the IP of your oVirt manager, and to_vm # with your network acl to_engine dst X.X.X.X/32 acl to_vm dst X.X.X.X/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure safe ports http_access deny CONNECT !Safe_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager http_access allow to_engine http_access allow to_vm # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 3128 # 0.0.0.0 means listen on all interfaces. To use a specific one, # change 0.0.0.0 to the IP of that port http_port 0.0.0.0:3128 # Uncomment and adjust the following to add a disk cache directory. # cache_dir ufs /var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 access_log stdio:/var/log/squid/access.log squid
to_vm lines, then do any other edits that you deem necessary, and then we’ll start and enable the service.
systemctl enable --now squid
The service takes an abnormally time long to start, but once it does we’ll then have to inform oVirt of the new proxy. On your oVirt Engine, update the config with:
engine-config -s SpiceProxyDefault=http://X.X.X.X:3128 systemctl restart ovirt-engine
Where X.X.X.X is the IP of your Squid host. Now all you have to do is make sure that “Enable SPICE Proxy” is checked when you pull a console (which it should be by default), and you’ll be able to use Spice console from anywhere.
One thought on “oVirt: Using a Squid Proxy for Spice”
Thanks for this post, just one more thing, i have to add below port in order to bring the console up.
acl Safe_ports port 5910