{"id":735,"date":"2019-11-28T21:36:00","date_gmt":"2019-11-29T05:36:00","guid":{"rendered":"https:\/\/angrysysadmins.tech\/?p=735"},"modified":"2019-11-30T01:33:56","modified_gmt":"2019-11-30T09:33:56","slug":"ovirt-using-a-squid-proxy-for-spice","status":"publish","type":"post","link":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/","title":{"rendered":"oVirt: Using a Squid Proxy for Spice"},"content":{"rendered":"\n

The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice<\/a>. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you won’t be able to. That is, unless you use a proxy.<\/p>\n\n\n\n


This tutorial will explain how to do that using Squid. I’ll be hosting it on Debian 10, but this should work on any distro.<\/p>\n\n\n\n

Installing and Configuring Squid<\/h2>\n\n\n\n

Installation is as simple as doing:
<\/p>\n\n\n\n

apt install squid<\/code><\/pre>\n\n\n\n

Once the install completes, we have to set up the config file. The default one is probably about 2000 lines of comments explaining each setting. If you want, read it. If not, empty the file and replace it with something roughly matching the following (\/etc\/squid\/squid.conf<\/code>):
<\/p>\n\n\n\n
# Example rule allowing access from your local networks.\n# Adapt to list your (internal) IP networks from where browsing\n# should be allowed\nacl localnet src 10.0.0.0\/8 # RFC1918 possible internal network\nacl localnet src 172.16.0.0\/12 # RFC1918 possible internal network\nacl localnet src 192.168.0.0\/16 # RFC1918 possible internal network\nacl localnet src fc00::\/7 # RFC 4193 local private network range\nacl localnet src fe80::\/10 # RFC 4291 link-local (directly plugged) machines\n\n# Replace to_engine with the IP of your oVirt manager, and to_vm\n# with your network \nacl to_engine dst X.X.X.X\/32\nacl to_vm dst X.X.X.X\/24\n\nacl SSL_ports port 443\nacl Safe_ports port 80 # http\nacl Safe_ports port 21 # ftp\nacl Safe_ports port 443 # https\nacl Safe_ports port 70 # gopher\nacl Safe_ports port 210 # wais\nacl Safe_ports port 1025-65535 # unregistered ports\nacl Safe_ports port 280 # http-mgmt\nacl Safe_ports port 488 # gss-http\nacl Safe_ports port 591 # filemaker\nacl Safe_ports port 777 # multiling http\nacl CONNECT method CONNECT\n\n#\n# Recommended minimum Access Permission configuration:\n#\n\n# Deny requests to certain unsafe ports\nhttp_access deny !Safe_ports\n# Deny CONNECT to other than secure safe ports\nhttp_access deny CONNECT !Safe_ports\n# Only allow cachemgr access from localhost\nhttp_access allow localhost manager\nhttp_access deny manager\nhttp_access allow to_engine\nhttp_access allow to_vm\n# And finally deny all other access to this proxy\nhttp_access deny all\n# Squid normally listens to port 3128\nhttp_port 3128\n# 0.0.0.0 means listen on all interfaces. To use a specific one,\n# change 0.0.0.0 to the IP of that port\nhttp_port 0.0.0.0:3128\n\n# Uncomment and adjust the following to add a disk cache directory.\n# cache_dir ufs \/var\/spool\/squid 100 16 256\n# Leave coredumps in the first cache dir\ncoredump_dir \/var\/spool\/squid\n\n#\n# Add any of your own refresh_pattern entries above these.\n#\nrefresh_pattern ^ftp: 1440 20% 10080\nrefresh_pattern ^gopher: 1440 0% 1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0 0% 0\nrefresh_pattern . 0 20% 4320\n\naccess_log stdio:\/var\/log\/squid\/access.log squid<\/pre>\n\n\n\n

Fix the to_engine<\/code> and to_vm<\/code> lines, then do any other edits that you deem necessary, and then we’ll start and enable the service.
<\/p>\n\n\n\n
systemctl enable --now squid<\/code><\/pre>\n\n\n\n

The service takes an abnormally time long to start, but once it does we’ll then have to inform oVirt of the new proxy. On your oVirt Engine, update the config with:
<\/p>\n\n\n\n
engine-config -s SpiceProxyDefault=http:\/\/X.X.X.X:3128\nsystemctl restart ovirt-engine<\/code><\/pre>\n\n\n\n

Where X.X.X.X is the IP of your Squid host. Now all you have to do is make sure that “Enable SPICE Proxy” is checked when you pull a console (which it should be by default), and you’ll be able to use Spice console from anywhere.<\/p>\n","protected":false},"excerpt":{"rendered":"
The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you 
Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[99,8,21,22],"tags":[100,6,17,168,169],"coauthors":[37],"class_list":["post-735","post","type-post","status-publish","format-standard","hentry","category-debian","category-linux","category-ovirt","category-virtualization","tag-debian","tag-linux","tag-ovirt","tag-spice","tag-squid"],"yoast_head":"\noVirt: Using a Squid Proxy for Spice - Angry Sysadmins<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"oVirt: Using a Squid Proxy for Spice - Angry Sysadmins\" \/>\n<meta property=\"og:description\" content=\"The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you Read More »\" \/>\n<meta property=\"og:url\" content=\"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/\" \/>\n<meta property=\"og:site_name\" content=\"Angry Sysadmins\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-29T05:36:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-11-30T09:33:56+00:00\" \/>\n<meta name=\"author\" content=\"Cat Kasin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cat Kasin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/\"},\"author\":{\"name\":\"Cat Kasin\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/#\\\/schema\\\/person\\\/151b2d23439b55b970060836f317a14d\"},\"headline\":\"oVirt: Using a Squid Proxy for Spice\",\"datePublished\":\"2019-11-29T05:36:00+00:00\",\"dateModified\":\"2019-11-30T09:33:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/\"},\"wordCount\":255,\"commentCount\":1,\"keywords\":[\"Debian\",\"Linux\",\"Ovirt\",\"SPICE\",\"Squid\"],\"articleSection\":[\"Debian\",\"Linux\",\"oVirt\",\"Virtualization\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/\",\"url\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/\",\"name\":\"oVirt: Using a Squid Proxy for Spice - Angry Sysadmins\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/#website\"},\"datePublished\":\"2019-11-29T05:36:00+00:00\",\"dateModified\":\"2019-11-30T09:33:56+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/#\\\/schema\\\/person\\\/151b2d23439b55b970060836f317a14d\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/2019\\\/11\\\/bailey\\\/ovirt-using-a-squid-proxy-for-spice\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/angrysysadmins.tech\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"oVirt: Using a Squid Proxy for Spice\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/#website\",\"url\":\"https:\\\/\\\/angrysysadmins.tech\\\/\",\"name\":\"Angry Sysadmins\",\"description\":\"A site full of angry sysadmins here to vent and help\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/angrysysadmins.tech\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/angrysysadmins.tech\\\/#\\\/schema\\\/person\\\/151b2d23439b55b970060836f317a14d\",\"name\":\"Cat Kasin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g23b0ffb86dd6c08514a66a6a50f7a0a9\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g\",\"caption\":\"Cat Kasin\"},\"description\":\"I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.\",\"url\":\"https:\\\/\\\/angrysysadmins.tech\\\/index.php\\\/author\\\/bailey\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"oVirt: Using a Squid Proxy for Spice - Angry Sysadmins","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/","og_locale":"en_US","og_type":"article","og_title":"oVirt: Using a Squid Proxy for Spice - Angry Sysadmins","og_description":"The preferred method of pulling a console for a virtual machine hosted on oVirt is Spice. However, you can only use it when on the same subnet as the host. So if, for example, you’re trying to use Spice over a VPN that puts you on a different address space than the VM host, you Read More »","og_url":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/","og_site_name":"Angry Sysadmins","article_published_time":"2019-11-29T05:36:00+00:00","article_modified_time":"2019-11-30T09:33:56+00:00","author":"Cat Kasin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Cat Kasin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/#article","isPartOf":{"@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/"},"author":{"name":"Cat Kasin","@id":"https:\/\/angrysysadmins.tech\/#\/schema\/person\/151b2d23439b55b970060836f317a14d"},"headline":"oVirt: Using a Squid Proxy for Spice","datePublished":"2019-11-29T05:36:00+00:00","dateModified":"2019-11-30T09:33:56+00:00","mainEntityOfPage":{"@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/"},"wordCount":255,"commentCount":1,"keywords":["Debian","Linux","Ovirt","SPICE","Squid"],"articleSection":["Debian","Linux","oVirt","Virtualization"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/","url":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/","name":"oVirt: Using a Squid Proxy for Spice - Angry Sysadmins","isPartOf":{"@id":"https:\/\/angrysysadmins.tech\/#website"},"datePublished":"2019-11-29T05:36:00+00:00","dateModified":"2019-11-30T09:33:56+00:00","author":{"@id":"https:\/\/angrysysadmins.tech\/#\/schema\/person\/151b2d23439b55b970060836f317a14d"},"breadcrumb":{"@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/angrysysadmins.tech\/index.php\/2019\/11\/bailey\/ovirt-using-a-squid-proxy-for-spice\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/angrysysadmins.tech\/"},{"@type":"ListItem","position":2,"name":"oVirt: Using a Squid Proxy for Spice"}]},{"@type":"WebSite","@id":"https:\/\/angrysysadmins.tech\/#website","url":"https:\/\/angrysysadmins.tech\/","name":"Angry Sysadmins","description":"A site full of angry sysadmins here to vent and help","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/angrysysadmins.tech\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/angrysysadmins.tech\/#\/schema\/person\/151b2d23439b55b970060836f317a14d","name":"Cat Kasin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g23b0ffb86dd6c08514a66a6a50f7a0a9","url":"https:\/\/secure.gravatar.com\/avatar\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e83bfa1b7d9ce082bd6b68938f580039db8d5571ad6c5d012e6a5243a189309e?s=96&d=mm&r=g","caption":"Cat Kasin"},"description":"I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.","url":"https:\/\/angrysysadmins.tech\/index.php\/author\/bailey\/"}]}},"_links":{"self":[{"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/posts\/735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/comments?post=735"}],"version-history":[{"count":7,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/posts\/735\/revisions"}],"predecessor-version":[{"id":743,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/posts\/735\/revisions\/743"}],"wp:attachment":[{"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/media?parent=735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/categories?post=735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/tags?post=735"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/angrysysadmins.tech\/index.php\/wp-json\/wp\/v2\/coauthors?post=735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}