<div dir="ltr"><span class="gmail-im" style="font-size:12.8px"> Hi,<br>><br></span><span style="font-size:12.8px">> In my environment I have deployed two KVM hypervisors. I'd like to deploy</span><br style="font-size:12.8px"><span class="gmail-im" style="font-size:12.8px">> in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from<br>> the clients.<br><br></span><span style="font-size:12.8px">Why? What's the problem with the clients knowing the true values?</span><div><br></div><div>--> I want to publish VDI Desktops through the Internet. If I have 10 hypervisors I don't want to publish 10 public IPs, I prefer just to publish a proxy server.<br style="font-size:12.8px"><span class="gmail-im" style="font-size:12.8px"><br>> Each virtual machine has a unique port but VMs can run on any hypervisor.<br><br></span><span style="font-size:12.8px">It doesn't sound to me like the VMs are actually part of what you're trying to</span><br style="font-size:12.8px"><span style="font-size:12.8px">do here? You're just talking about client connections to hypervisors; the VMs</span><br style="font-size:12.8px"><span style="font-size:12.8px">are not part of that.</span></div><div><br></div><div>--> The hypervisor has a specific port for each VM. If you connect to the hypervisor by that port, you are connecting directly to the virtual machine. 
This is how SPICE works.<br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">> Is it possible to achieve this with squid?</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">What protocol do the clients use to communicate with the KVM Hypervisors?</span><br style="font-size:12.8px"><br>--> The protocol is SPICE (<a href="https://www.spice-space.org/">https://www.spice-space.org/</a>)<br><br style="font-size:12.8px"><span style="font-size:12.8px">If it's HTTP, HTTPS or FTP, then you can probably configure Squid in</span><br style="font-size:12.8px"><span style="font-size:12.8px">accelerator mode and use it to do what you want.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">However, why are you trying to do this? What is the risk involved in the</span><br style="font-size:12.8px"><span style="font-size:12.8px">clients knowing the true IPs and ports of the hypervisors, which would be</span><br style="font-size:12.8px"><span style="font-size:12.8px">mitigated by having them connect via a proxy instead?</span><br style="font-size:12.8px"><br><span style="font-size:12.8px">Have you considered using HAproxy or LVS, both of which are far more generic</span><br style="font-size:12.8px"><span style="font-size:12.8px">network proxies than Squid is?</span></div><div><br></div><div>--> I have not considered it yet... 
<br style="font-size:12.8px"><span class="gmail-im" style="font-size:12.8px"><br>> Is there any example how to configure this?<br><br></span><span style="font-size:12.8px">Not that I have ever heard of, however if it is a protocol which Squid can</span><br style="font-size:12.8px"><span style="font-size:12.8px">handle, it really doesn't matter what the specific backend system is; there are</span><br style="font-size:12.8px"><span style="font-size:12.8px">plenty of examples on how to do HTTP, HTTPS and FTP.</span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-19 23:15 GMT+01:00 Antony Stone <span dir="ltr"><<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.source.it</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sunday 19 February 2017 at 19:05:57, Oscar Segarra wrote:<br>
<br>
> Hi,<br>
><br>
</span>> In my environment I have deployed two KVM hypervisors. I'd like to deploy<br>
<span class="">> in my DMZ a squid proxy host in order to hide hypervisor IPs and Ports from<br>
> the clients.<br>
<br>
</span>Why? What's the problem with the clients knowing the true values?<br>
<span class=""><br>
> Each virtual machine has a unique port but VMs can run on any hypervisor.<br>
<br>
</span>It doesn't sound to me like the VMs are actually part of what you're trying to<br>
do here? You're just talking about client connections to hypervisors; the VMs<br>
are not part of that.<br>
<br>
> Is it possible to achieve this with squid?<br>
<br>
What protocol do the clients use to communicate with the KVM Hypervisors?<br>
<br>
If it's HTTP, HTTPS or FTP, then you can probably configure Squid in<br>
accelerator mode and use it to do what you want.<br>
<br>
However, why are you trying to do this? What is the risk involved in the<br>
clients knowing the true IPs and ports of the hypervisors, which would be<br>
mitigated by having them connect via a proxy instead?<br>
<br>
Have you considered using HAproxy or LVS, both of which are far more generic<br>
network proxies than Squid is?<br>
<span class=""><br>
> Is there any example how to configure this?<br>
<br>
</span>Not that I have ever heard of, however if it is a protocol which Squid can<br>
handle, it really doesn't matter what the specific backend system is; there are<br>
plenty of examples on how to do HTTP, HTTPS and FTP.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
Antony.<br>
<br>
--<br>
Numerous psychological studies over the years have demonstrated that the<br>
majority of people genuinely believe they are not like the majority of people.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
</font></span></blockquote></div><br></div>
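The generic TCP proxy suggested in the thread could be set up along these lines for the per-VM SPICE ports described above. This is an added example, not a configuration posted by either participant; the public address 203.0.113.10, the hypervisor addresses 10.0.0.11 and 10.0.0.12, the ports 5901 and 5902 and all section names are constructed placeholders.

```haproxy
# Added example, not from the thread. All addresses, ports and names
# below are constructed placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    tcp              # SPICE is not HTTP: relay the raw TCP stream
    log     global
    option  tcplog           # log client address, chosen server, duration
    timeout connect 5s
    timeout client  1h       # desktop sessions are long-lived
    timeout server  1h

# One listener per VM port on the single published address.
# A VM may be running on either hypervisor; the TCP health check marks a
# server "up" only where that port is currently open, so the connection
# follows the VM and the hypervisor addresses are never exposed.
listen spice_vm01
    bind 203.0.113.10:5901
    server kvm1 10.0.0.11:5901 check inter 2s
    server kvm2 10.0.0.12:5901 check inter 2s

listen spice_vm02
    bind 203.0.113.10:5902
    server kvm1 10.0.0.11:5902 check inter 2s
    server kvm2 10.0.0.12:5902 check inter 2s
```

The firewall in front of the hypervisors then needs to accept the SPICE ports only from the proxy host, and `haproxy -c -f <file>` checks the file before a reload.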