HttpProxyTesting » History » Version 7

Justin Sherrill, 04/26/2021 03:42 PM

h1. Proxy Testing

This document provides instructions for installing and configuring an HTTP proxy for testing with Katello, and for configuring the Katello server so that it can only talk to the proxy.

h2. Configuring the Proxy

1.  On another machine completely separate from your Katello server, install RHEL 7 or CentOS 7.  These instructions will not work on Fedora (TODO: investigate Fedora instructions).
2.  Disable SELinux and iptables:

<pre>
service iptables stop
setenforce 0
</pre>

3.  Install squid (and needed tools):

<pre>
yum install httpd-tools wget squid -y
</pre>

4.  Configure the proxy (with basic authentication):

Download the attached basic_el7.conf, overwrite /etc/squid/squid.conf with it, and make sure squid can read it:

<pre>
wget https://projects.theforeman.org/attachments/download/3023/basic_el7.conf
mv -f basic_el7.conf /etc/squid/squid.conf
chown squid:squid /etc/squid/squid.conf
</pre>

5.  Create a password file for the user admin (enter 'redhat' when prompted; the rest of this page assumes that password):

<pre>
htpasswd -c /etc/squid/passwd admin
</pre>

6.  Start/restart squid:

<pre>
service squid restart
</pre>

7.  Test the proxy

Replace IP_ADDRESS with the IP address of your proxy:

<pre>
curl -X GET http://www.redhat.com/ --proxy http://admin:redhat@IP_ADDRESS:8888
</pre>

h2. Block non-proxy traffic from your Katello server

Unless you block all other outgoing connections (excluding DNS), you won't know for sure whether your Katello server is actually going through the proxy.

Look up your DNS servers; you'll need them:

<pre>
cat /etc/resolv.conf
</pre>

Edit /etc/sysconfig/iptables and replace its contents with:

<pre>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT

# Replace KATELLO_SERVER_IP with the Katello server's IP address
-A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT

# Replace PROXY_SERVER_IP with the proxy server's IP address
-A OUTPUT -d PROXY_SERVER_IP -j ACCEPT

# Replace NAME_SERVER_IP_1 with your DNS server; do the same for NAME_SERVER_IP_2
# if you have more than one
-A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT
-A OUTPUT -d NAME_SERVER_IP_2 -j ACCEPT

-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

Make sure to replace KATELLO_SERVER_IP, PROXY_SERVER_IP, and NAME_SERVER_IP_X.

*NOTE: Make sure you use IP addresses instead of hostnames in your iptables configuration.*
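Before restarting, the edited rules file can be checked for the mistakes called out above. The script below is an added example, not part of the original page: it flags OUTPUT destinations that are still placeholders or hostnames and a missing final REJECT; the function name lint_output_rules and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). lint_output_rules is a
# hypothetical helper: it lints the OUTPUT rules of an iptables rules file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_output_rules() {
    findings=$(awk '
        !/^-A OUTPUT / { next }               # skip comments and other chains
        {
            last = $0
            for (i = 1; i < NF; i++) {
                if ($i != "-d") continue
                dest = $(i + 1)
                if (dest ~ /^[A-Z0-9_]*_IP(_[0-9]+)?$/)
                    print "placeholder not replaced: " dest
                else if (dest !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                    print "hostname instead of IP: " dest
            }
        }
        END {
            # The OUTPUT policy is ACCEPT, so only a final REJECT/DROP blocks traffic.
            if (last !~ /-j (REJECT|DROP)/)
                print "OUTPUT chain does not end in REJECT or DROP"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: one hostname and one placeholder left in by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d proxy.example.com -j ACCEPT
-A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
lint_output_rules "$sample" || echo "fix the findings above, then restart iptables"
rm -f "$sample"
```

On the Katello server the function would be pointed at /etc/sysconfig/iptables instead of the sample file.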

Then restart iptables:

<pre>
service iptables restart
</pre>

h2. Configuring yum to use the Proxy

If you haven't installed Katello yet and want to configure yum to use the proxy, edit /etc/yum.conf and add the following under the [main] section:

<pre>
[main]
***EXISTING CONFIGURATION***

proxy=http://PROXY_SERVER_IP:8888
proxy_username=admin
proxy_password=redhat
</pre>

h2. Configuring RHSM to use the Proxy

Edit /etc/rhsm/rhsm.conf and set the following config options, which are already present:

<pre>
# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =
</pre>

h2. Installing Katello to use the Proxy

<pre>
foreman-installer --scenario katello --katello-proxy-url=http://PROXY_IP --katello-proxy-port=8888 --katello-proxy-username=admin --katello-proxy-password=redhat
</pre>