Proxy Testing

This document provides instructions for installing and configuring an HTTP proxy for testing with Katello, as well as configuring the Katello server so that it can only talk to the proxy.

Configuring the Proxy

1. On another machine completely separate from your Katello server, install RHEL 7 or CentOS 7. These instructions will not work for Fedora (TODO: Investigate Fedora instructions).
2. Disable SELinux and iptables:

   service iptables stop
   setenforce 0

3. Install squid (and needed tools):

   yum install httpd-tools wget squid -y

4. Configure the proxy (with basic authentication):

Download the attached basic.conf and overwrite /etc/squid/squid.conf with it, then make sure squid can read it:

   wget http://projects.theforeman.org/attachments/download/1357/basic_el7.conf
   mv -f basic_el7.conf /etc/squid/squid.conf
   chown squid:squid /etc/squid/squid.conf

5. Create a password file (htpasswd prompts for the password; 'redhat' is assumed here):

   htpasswd -c /etc/squid/passwd admin

6. Start/restart squid:

   service squid restart

7. Test the proxy

Replace IP_ADDRESS with the IP address of your proxy:

   curl -X GET http://www.redhat.com/ --proxy http://admin:redhat@IP_ADDRESS:8888

Block non-proxy traffic from your katello server

Unless you block all other outgoing connections (excluding DNS), you won't know for sure whether your Katello server is actually going through the proxy.

Look up your DNS servers; you'll need them:

cat /etc/resolv.conf

Edit /etc/sysconfig/iptables and replace its contents with:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT

# Replace KATELLO_SERVER_IP with the Katello server's IP address
-A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT

# Replace PROXY_SERVER_IP with the proxy server's IP address
-A OUTPUT -d PROXY_SERVER_IP -j ACCEPT

# Replace NAME_SERVER_IP_1 with your DNS server; do the same for NAME_SERVER_IP_2
# if you have more than one
-A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT
-A OUTPUT -d NAME_SERVER_IP_2 -j ACCEPT

-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Make sure to replace KATELLO_SERVER_IP, PROXY_SERVER_IP, and NAME_SERVER_IP_X.

NOTE: Make sure you use IP addresses instead of hostnames in your iptables configuration.
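
The rules file can be checked for the mistakes described above before it is loaded. The following is an added example, not part of the original page: a shell function (check_egress_rules, a hypothetical name) that flags unreplaced placeholders, hostnames used as destinations, an unconditional ACCEPT, and an OUTPUT chain that does not end in a catch-all REJECT or DROP. It assumes IPv4 rules as used above; the sample rules and their addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. IPv4 rules only (assumption).
# check_egress_rules [FILE] prints one line per problem found in the OUTPUT
# rules and returns non-zero if there is any; it reads stdin without FILE.
check_egress_rules() {
    awk '
    $1 == "-A" && $2 == "OUTPUT" {
        n++; last = $0
        # The chain must end in a catch-all REJECT or DROP.
        final = ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP"))
        # An ACCEPT with no match at all lets traffic bypass the proxy.
        if ($3 == "-j" && $4 == "ACCEPT") {
            print "line " NR ": unconditional ACCEPT"; bad++
        }
        for (i = 3; i < NF; i++) {
            if ($i != "-d") continue
            dest = $(i + 1)
            if (dest ~ /^(KATELLO_SERVER_IP|PROXY_SERVER_IP|NAME_SERVER_IP_[0-9]+)$/) {
                print "line " NR ": placeholder not replaced: " dest; bad++
            } else if (dest !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
                print "line " NR ": destination is not an IP address: " dest; bad++
            }
        }
    }
    END {
        if (n == 0) {
            print "no OUTPUT rules found"; bad++
        } else if (!final) {
            print "last OUTPUT rule is not a catch-all: " last; bad++
        }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: one placeholder left in, one hostname as destination.
sample_bad_rules() {
    cat <<'EOF'
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT
-A OUTPUT -d proxy.example.com -j ACCEPT
-A OUTPUT -d 192.0.2.53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

sample_bad_rules | check_egress_rules || echo "fix the rules before restarting iptables"
```

Run it as check_egress_rules /etc/sysconfig/iptables; no output and a zero exit status mean the OUTPUT rules passed these checks.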

Then restart iptables:

service iptables restart

Configuring yum to use the Proxy

If you haven't installed Katello yet and want to configure yum to use the proxy, edit /etc/yum.conf and add the following under the [main] section:

[main]
# ***EXISTING CONFIGURATION***

proxy=http://PROXY_SERVER_IP:8888
proxy_username=admin
proxy_password=redhat

Configuring RHSM to use the Proxy

Simply edit /etc/rhsm/rhsm.conf and set the following config options that are already present:

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

Installing Katello to use the Proxy

foreman-installer --scenario katello --katello-proxy-url=http://PROXY_IP --katello-proxy-port=8888 --katello-proxy-username=admin --katello-proxy-password=redhat