HttpProxyTesting » History » Version 7
Justin Sherrill, 04/26/2021 03:42 PM
h1. Proxy Testing

This document provides instructions for installing and configuring an HTTP proxy for testing with katello, as well as configuring the katello server to ensure it is only able to talk to the proxy.

h2. Configuring the Proxy

1. On another machine completely separate from your katello server, install RHEL 7 or CentOS 7. These instructions will not work for Fedora (TODO: investigate Fedora instructions).

2. Disable SELinux and iptables:

<pre>
service iptables stop
setenforce 0
</pre>

3. Install squid (and needed tools):

<pre>
yum install httpd-tools wget squid -y
</pre>

4. Configure the proxy (with basic authentication):

Download the attached basic_el7.conf, overwrite /etc/squid/squid.conf with it, and make sure squid can read it:

<pre>
wget https://projects.theforeman.org/attachments/download/3023/basic_el7.conf
mv -f basic_el7.conf /etc/squid/squid.conf
chown squid:squid /etc/squid/squid.conf
</pre>

5. Create a password file (assuming password of 'redhat' here):

<pre>
htpasswd -c /etc/squid/passwd admin
</pre>

6. Start/restart squid:

<pre>
service squid restart
</pre>

7. Test the proxy

Replace IP_ADDRESS with the IP address of your proxy:

<pre>
curl -X GET http://www.redhat.com/ --proxy http://admin:redhat@IP_ADDRESS:8888
</pre>

h2. Block non-proxy traffic from your katello server

Unless you block all other outgoing connections (excluding DNS), you won't know for sure whether your katello server is actually going through the proxy.

Look up your DNS servers; you'll need them:

<pre>
cat /etc/resolv.conf
</pre>

Edit /etc/sysconfig/iptables and replace its contents with:

<pre>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT

#replace KATELLO_SERVER_IP with the katello server's ip address
-A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT

#replace PROXY_SERVER_IP with the proxy server's ip address
-A OUTPUT -d PROXY_SERVER_IP -j ACCEPT

#Replace the NAME_SERVER_IP_1 with your dns server, do the same for NAME_SERVER_IP_2
# if you have more than one
-A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT
-A OUTPUT -d NAME_SERVER_IP_2 -j ACCEPT

-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

Make sure to replace KATELLO_SERVER_IP, PROXY_SERVER_IP, and NAME_SERVER_IP_X.

*NOTE: Make sure you use IP addresses instead of hostnames in your iptables configuration.*

Then restart iptables:

<pre>
service iptables restart
</pre>

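One way to fill in the OUTPUT rules above from the real addresses, as an added example that is not part of the original wiki page. The function names are hypothetical and the sample addresses are constructed from documentation ranges; hostnames are rejected, and IPv6 resolvers are skipped because this rules file only covers IPv4.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (no hostnames).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# nameservers FILE: print the IPv4 "nameserver" entries of a resolv.conf.
# IPv6 resolvers are skipped; they would need matching ip6tables rules.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        if is_ipv4 "$ns"; then echo "$ns"; fi
    done
}

# output_rules KATELLO_IP PROXY_IP RESOLV_CONF: print the OUTPUT-chain rules,
# failing if an address is not IPv4 or no IPv4 resolver is listed.
output_rules() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    servers=$(nameservers "$3")
    [ -n "$servers" ] || { echo "no IPv4 nameserver in $3" >&2; return 1; }
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -d 127.0.0.1 -j ACCEPT"
    echo "-A OUTPUT -d $1 -j ACCEPT"
    echo "-A OUTPUT -d $2 -j ACCEPT"
    for ns in $servers; do
        echo "-A OUTPUT -d $ns -j ACCEPT"
    done
    echo "-A OUTPUT -j REJECT --reject-with icmp-host-prohibited"
}

# Demo on a constructed resolv.conf (documentation-range addresses).
sample=$(mktemp)
printf 'search example.test\nnameserver 192.0.2.53\nnameserver 2001:db8::53\n' > "$sample"
output_rules 192.0.2.10 192.0.2.20 "$sample"
rm -f "$sample"
```

On the katello server, pass /etc/resolv.conf as the third argument and paste the printed lines in place of the OUTPUT rules in /etc/sysconfig/iptables.
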
h2. Configuring yum to use the Proxy

If you haven't installed katello yet and want to configure yum to use the proxy, edit /etc/yum.conf and add the following under the [main] section:

<pre>
[main]
***EXISTING CONFIGURATION***

proxy=http://PROXY_SERVER_IP:8888
proxy_username=admin
proxy_password=redhat
</pre>

h2. Configuring RHSM to use the Proxy

Simply edit /etc/rhsm/rhsm.conf and set the following config options that are already present:

<pre>
# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

</pre>

h2. Installing Katello to use the Proxy

<pre>
foreman-installer --scenario katello --katello-proxy-url=http://PROXY_IP --katello-proxy-port=8888 --katello-proxy-username=admin --katello-proxy-password=redhat
</pre>