Hello

Thanks for the information.  I did attempt to do this but still no console 
comes up on the browser.  I did attach a diagram of the network topology 
and how we are deploying CloudStack.  The entire CloudStack environment is 
behind a firewall and the systems are using a class c 192.168.1.0/24 
network.  Within this network the ACS management server / nfs / dns 
servers reside with two kvm hypervisors.  If I am connected on the 
192.168.1.0/24 network instance console works fine as expected as it is on 
the same network.  The issue arises when someone on our corporate 
network accessing the CloudStack environment thru the firewall cannot open 
the instance console.  We are thinking that when an instance is created 
with say an IP address of 192.168.1.50 and we attempt to open the console 
we are getting a timeout as if the browser cannot resolve the 192.168.1.50 
address on our corporate DNS server, which makes sense as we don't / 
can't make DNS zone transfers from the environment behind the firewall to 
the corporate DNS server.  Attached is the diagram of our setup.  Any 
further guidance would be appreciated.   Thank you.



Bill
William D. Hankard
Senior Enterprise Virtualization Architect / Backend Developer
IBM Security 
X-Force Threat Intelligence and Integration Lab
william_hank...@us.ibm.com
Phone: 617-910-8562



From:   "Rohit Yadav" <rohit.ya...@shapeblue.com>
To:     "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Date:   10/25/2021 04:47 AM
Subject:        [EXTERNAL] Re: Apache Cloudstack Instance Console Question



Some correction - for WAN with single public IP we need both port 80/443 
and 8080 for CPVM and port 8080 for ACS mgmt server.

Therefore, the setup may use domains to proxy the hosts per needs. In my 
test setup I use nginx proxy manager (https://nginxproxymanager.com) and 
have domains such as:

example.com -> WAN IP
console.example.com -> WAN IP

The config would be to let a proxy manager proxy to hosts by the domains, 
for ex:

example.com & console.example.com -> mapped to WAN IP

WAN IP ports 80, 443, 8080 -> forward to ACS mgmt server host ports 80, 
443, 8888

Run the proxy manager on ACS mgmt server host that listens on ports 80, 
443, 8888 to do SSL termination and proxy as:

example.com:80/443 -> proxy -> ACS mgmt server port:8080
console.example.com:80/443/8080 -> proxy -> CPVM ports 80/443/8080 (for 
websockets use the config shared in previous reply).


Regards.

________________________________
From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: Monday, October 25, 2021 13:59
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Re: Apache Cloudstack Instance Console Question

Hi William,

The novnc console in browser tries to connect to CPVM's port 8080 that you 
need to port forward/enable.

1. If you've an unsecured setup, you'll need to port forward as follows:
WAN port 80 -> ACS mgmt server IP port 8080
WAN port 8080 -> CPVM public IP port 8080
(also enable/allow firewall rules for port 80, 8080)

You can then access your mgmt server using, http://<WAN IP>/client.

2. If you need domain+SSL termination, then you can do the same as say 
using nginx:

Create domain records:
A record for example.com -> WAN IP
A record for console.example.com -> WAN IP

ACS global settings: (restarting mgmt server required)
consoleproxy.sslEnabled -> true
consoleproxy.url.domain -> console.example.com

WAN port 443 -> nginx 443 ssl -> proxy to ACS mgmt server IP port 8080
WAN port 8080 -> nginx 8080 ssl -> proxy to CPVM port 8080 with following:

nginx websockets config can look like: (in this example, CPVM has IP 
192.168.1.20)

  listen 8080  ssl http2;
  location /websockify {
        proxy_pass http://192.168.1.20:8080/websockify;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
        proxy_buffering off;
        proxy_ignore_client_abort off;
        proxy_read_timeout 86400;
  }

Note: in case you re-create the CPVM and its IP changes you'll need to 
update the configs suitably.


Regards.
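
The domain + SSL termination layout from option 2 above, written out as two complete nginx server blocks (an added example, not part of the original thread or of CloudStack's own configuration). It assumes nginx runs on its own host behind the firewall; the management server address 192.168.1.10 and the certificate paths are placeholders, and 192.168.1.20 is the CPVM address used in the thread.

```nginx
# Added example, not from the thread. Place inside the http { } context.
# Assumptions: ACS management server at 192.168.1.10 (hypothetical),
# CPVM at 192.168.1.20 (address used in the thread), placeholder cert paths.

# Send "Connection: upgrade" only when the client asked for a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# WAN 443 -> nginx 443 ssl -> ACS management server port 8080
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;          # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;          # placeholder

    location / {
        proxy_pass http://192.168.1.10:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# WAN 8080 -> nginx 8080 ssl -> CPVM port 8080 (noVNC WebSocket)
server {
    listen 8080 ssl;
    server_name console.example.com;

    ssl_certificate     /etc/nginx/ssl/console.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/console.example.com.key;  # placeholder

    location /websockify {
        proxy_pass http://192.168.1.20:8080/websockify;
        proxy_http_version 1.1;                 # needed for the Upgrade handshake
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
        proxy_read_timeout 86400;               # keep idle console sessions open
    }
}
```

Running `nginx -t` after editing checks the syntax before the configuration is reloaded.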

________________________________
From: David Jumani <david.jum...@shapeblue.com>
Sent: Monday, October 25, 2021 10:53
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Re: Apache Cloudstack Instance Console Question

Hi William,

You'll need to add a firewall rule to allow traffic from the public IP of 
the console proxy running on port 80. You can find the IP of the proxy 
over at Infrastructure > SystemVMs. (Or inspect the VM console page and 
have a look at the URL in the iframe)
The console proxy also uses WebSockets, so I'm not sure if simple port 
forwarding will work but give it a shot!
________________________________
From: William Hankard <william_hank...@us.ibm.com>
Sent: Saturday, October 23, 2021 4:09 AM
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Apache Cloudstack Instance Console Question

Hello,

I am having an issue with accessing an instance console on my Cloudstack
environment.
My setup is as follows:

1) Opnsense Firewall with 1 wan port and 1 lan port
2) Red Hat Management server on lan subnet
3) Red Hat KVM Hypervisor on lan subnet

I have setup a port forward rule from my WAN network to the internal LAN
network to my management server.   I can access the management server fine
through
the firewall with my browser.  The issue I am having is when I create an
instance and try to access the console I get a timeout.  I am thinking
maybe I don't have some
port open or there is some console / novnc configuration that needs to be
done.   Any pointers would be appreciated.

Bill
William D. Hankard
Senior Enterprise Virtualization Architect / Backend Developer
IBM Security
X-Force Threat Intelligence and Integration Lab
william_hank...@us.ibm.com
Phone: 617-910-8562








 




