Hi Uri,

The problem comes when VMs can migrate between hypervisors. That is, eventually the scenario can turn out as follows:

Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
Hypervisor2 (10.0.0.2)
    VM1 (port 5900)
    VM2 (port 5901)
    VM3 (port 5902)
    VM4 (port 5903)

Thanks a lot!

2017-02-21 13:49 GMT+01:00 Uri Lublin <u...@redhat.com>:

> On 02/21/2017 11:04 AM, Oscar Segarra wrote:
>
>> Hi Uri,
>>
>> Thanks a lot for the example... It seems to clarify the security/acl but
>> what I'd like to know is if there is any known configuration for a
>> scenario like this:
>>
>> Hypervisor1 (10.0.0.1)
>>     VM1 (port 5900)
>>     VM2 (port 5901)
>> Hypervisor2 (10.0.0.2)
>>     VM3 (port 5902)
>>     VM4 (port 5903)
>>
>
> [1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
> After reading "And/Or logic" subsection of [1], a configuration
> you can try is (again not even tested):
>   acl HOST1 dst 10.0.0.1
>   acl HOST2 dst 10.0.0.2
>   acl PORT1 port 5900 5901
>   acl PORT2 port 5902 5903
>   http_access allow HOST1 PORT1
>   http_access allow HOST2 PORT2
>   http_access deny all
>
> Regards,
>     Uri.
>
>> 2017-02-21 9:42 GMT+01:00 Uri Lublin <u...@redhat.com>:
>>
>>     On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>>
>>         Hi Uri,
>>
>>         I have not been able to find the example you suggest... can you
>>         paste the url of the example?
>>
>>     Hi Oscar,
>>
>>     Disclaimer:
>>       This is just an example. There may be better, more secure ways
>>       to do it. You should research and decide on a solution
>>       according to your specific requirements.
>>       I did not even test the suggested solution.
>>
>>     For example:
>>     http://wiki.squid-cache.org/SquidFaq/SquidAcl
>>     under
>>     "Is there an easy way of banning all Destination addresses except
>>     one?"
>>
>>     You can configure your squid server to allow access only to the
>>     two hosts and specific ports on those hosts and deny the rest.
>>
>>     acl GOOD_HOST dst 10.0.0.1
>>     acl GOOD_HOST dst 10.0.0.2
>>     acl GOOD_PORT port 5900
>>     http_access allow GOOD_HOST
>>     http_access allow GOOD_PORT
>>     http_access deny all
>>
>>     # The last command is not needed according to
>>     # http://www.squid-cache.org/Doc/config/http_access/
>>     # but it does appear in the SquidAcl example
>>
>>     Uri.
>>
_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/spice-devel
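
The migration problem raised in this thread, shown with a small Python model of Squid's `http_access` matching. This is an added example, not part of the original messages and not Squid code. It assumes first-match rule order with the ACLs on one line ANDed, models only `dst` and `port` ACLs (the per-host rules are written with those types spelled out), and `MIGRATION_CONF` with its ACL names is a constructed alternative.

```python
# Simplified model of Squid http_access matching (added example, not Squid code).
# Assumed semantics: rules are checked in order, the first line whose ACLs
# ALL match decides; values inside one ACL are alternatives (OR).

def parse(conf):
    acls, rules = {}, []
    for line in conf.strip().splitlines():
        tok = line.split("#")[0].split()
        if not tok:
            continue
        if tok[0] == "acl":              # acl NAME TYPE value...
            acls.setdefault(tok[1], (tok[2], set()))[1].update(tok[3:])
        elif tok[0] == "http_access":    # http_access allow|deny ACL...
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, host, port):
    if name == "all":
        return True
    kind, values = acls[name]            # only "dst" and "port" are modelled
    return (host if kind == "dst" else str(port)) in values

def allowed(conf, host, port):
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls, n, host, port) for n in names):  # AND per line
            return action == "allow"
    return False                         # both configs end with "deny all"

# Per-host rules from the thread: each port is tied to one hypervisor.
PER_HOST_CONF = """
acl HOST1 dst 10.0.0.1
acl HOST2 dst 10.0.0.2
acl PORT1 port 5900 5901
acl PORT2 port 5902 5903
http_access allow HOST1 PORT1
http_access allow HOST2 PORT2
http_access deny all
"""

# Constructed alternative (ACL names are assumptions): any VM port, either host.
MIGRATION_CONF = """
acl HYPERVISORS dst 10.0.0.1 10.0.0.2
acl SPICE_PORTS port 5900 5901 5902 5903
http_access allow HYPERVISORS SPICE_PORTS
http_access deny all
"""
```

With `PER_HOST_CONF`, VM1 on port 5900 is refused once it runs on 10.0.0.2; `MIGRATION_CONF` accepts it, at the cost of allowing every listed port on both hypervisors rather than one host per port.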