Hi Uri,
What I meant is that VMs can move dynamically between hypervisors (or hosts) and therefore squid configuration may change according to where VMs are placed.
What I can do is open the whole range 5634 - 6166 (according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Administration_Guide/Virtualization_Host_Firewall_Requirements1.html) on each hypervisor.
I will test it in my lab environment and I will let you know.
Do you have any advice on the following question:
Regarding sizing the squid server... has anyone tested how many Microsoft Windows 7 (or 8, or 10) can be supported by a single squid proxy server?
Thanks a lot!
2017-02-21 15:18 GMT+01:00 Uri Lublin <uril@xxxxxxxxxx>:
On 02/21/2017 02:52 PM, Oscar Segarra wrote:
Hi Uri,
The problem comes when VMs can migrate between Hypervisors. That is,
eventually the scenario can turn out as follows:
Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
Hypervisor2 (10.0.0.2)
VM1 (port 5900)
VM2 (port 5901)
VM3 (port 5902)
VM4 (port 5903)
Thanks a lot!
Hi Oscar,
I do not understand what the problem is.
I think migration would work just fine.
You should configure the setup according to your requirements.
If you want to have 2 VMs running at the same time on
a single host, then the first squid configuration example
may work for you. If you like the number of VMs to be 4
please enable 4 ports (on each host).
If you want different ports enabled on different hosts
then you can try the second example.
Uri.
2017-02-21 13:49 GMT+01:00 Uri Lublin <uril@xxxxxxxxxx>:
On 02/21/2017 11:04 AM, Oscar Segarra wrote:
Hi Uri,
Thanks a lot for the example... It seems to clarify the security/acl but
what I'd like to know is if there is any known configuration for a
scenario like this:
Hypervisor1 (10.0.0.1)
VM1 (port 5900)
VM2 (port 5901)
Hypervisor2 (10.0.0.2)
VM3 (port 5902)
VM4 (port 5903)
[1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
After reading "And/Or logic" subsection of [1], a configuration
you can try is (again not even tested):
acl HOST1 dst 10.0.0.1
acl HOST2 dst 10.0.0.2
acl PORT1 port 5900 5901
acl PORT2 port 5902 5903
http_access allow HOST1 PORT1
http_access allow HOST2 PORT2
http_access deny all
Regards,
Uri.
2017-02-21 9:42 GMT+01:00 Uri Lublin <uril@xxxxxxxxxx>:
On 02/19/2017 07:33 PM, Oscar Segarra wrote:
Hi Uri,
I have not been able to find the example you suggest...
can you paste the url of the example?
Hi Oscar,
Disclaimer:
This is just an example. There may be better, more secure ways
to do it. You should research and decide on a solution
according to your specific requirements.
I did not even test the suggested solution.
For example:
http://wiki.squid-cache.org/SquidFaq/SquidAcl under
"Is there an easy way of banning all Destination addresses
except one?"
You can configure your squid server to allow access only to the
two hosts and specific ports on those hosts and deny the rest.
acl GOOD_HOST dst 10.0.0.1
acl GOOD_HOST dst 10.0.0.2
acl GOOD_PORT port 5900
http_access allow GOOD_HOST
http_access allow GOOD_PORT
http_access deny all
# The last command is not needed according to
# http://www.squid-cache.org/Doc/config/http_access/
# but it does appear in the SquidAcl example
Uri.
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
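
Added example (not part of the original messages and not Squid's own code): a simplified Python model of how Squid evaluates `http_access` lines, run over the two configurations quoted in this thread, with the `dst`/`port` type keywords and the `GOOD_PORT` name written out. It shows that separate `allow` lines are ORed while ACL names on one line are ANDed; the function names, the constants `SEPARATE` and `PAIRED`, and the sample requests (including 192.0.2.7 and port 22) are constructed for illustration.

```python
# Added example: simplified model of Squid http_access evaluation (not Squid code).
# Handles only the ACL types used in this thread: "dst" (exact IPs) and "port".
SEPARATE = """
acl GOOD_HOST dst 10.0.0.1
acl GOOD_HOST dst 10.0.0.2
acl GOOD_PORT port 5900
http_access allow GOOD_HOST
http_access allow GOOD_PORT
http_access deny all
"""
PAIRED = """
acl HOST1 dst 10.0.0.1
acl HOST2 dst 10.0.0.2
acl PORT1 port 5900 5901
acl PORT2 port 5902 5903
http_access allow HOST1 PORT1
http_access allow HOST2 PORT2
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["acl"]:
            # Repeated "acl NAME ..." lines add values to the same ACL (OR).
            acls.setdefault(tok[1], (tok[2], set()))[1].update(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, dst, port):
    if name == "all":
        return True
    kind, values = acls[name]
    return (dst if kind == "dst" else str(port)) in values

def decide(conf, dst, port):
    """First matching line wins; ACL names on one line are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls, n, dst, port) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for req in [("10.0.0.1", 5900), ("10.0.0.1", 22), ("192.0.2.7", 5900)]:  # constructed
        print(req, decide(SEPARATE, *req), decide(PAIRED, *req))
```

In the paired form 10.0.0.2:5900 is denied, which is the migration scenario raised in the thread: every port a VM may use has to be listed for each host it can run on.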