HttpProxyTesting » History » Revision 7
Revision 6 (Jonathon Turel, 02/13/2019 06:28 PM) → Revision 7/8 (Justin Sherrill, 04/26/2021 03:42 PM)
h1. Proxy Testing This document provides instructions for installing and configuring an http proxy for testing with katello, as well as configuring the katello server to ensure it is only able to talk to the proxy. h2. Configuring the Proxy 1. On another machine completely seperate from your katello server, install RHEL 7, or CentOs 7. These instructions will not work for fedora (TODO: Investigate fedora instructions) 2. Disable selinux and iptables: <pre> service iptables stop setenforce 0 </pre> 2. Install squid (and needed tools): <pre> yum install httpd-tools wget squid -y </pre> 3. Configure the proxy (with basic authentication): Download the attached basic.conf, and overwrite /etc/squid/squid.conf with it, make sure squid can read it: <pre> wget https://projects.theforeman.org/attachments/download/3023/basic_el7.conf http://projects.theforeman.org/attachments/download/1357/basic_el7.conf mv -f basic_el7.conf /etc/squid/squid.conf chown squid:squid /etc/squid/squid.conf </pre> 4. Create a password file (assuming password of 'redhat' here): <pre> htpasswd -c /etc/squid/passwd admin </pre> 5. Start/restart squid: <pre> service squid restart </pre> 6. Test proxy Replace IP_ADDRESS with the ip address of your proxy: <pre> curl -X GET http://www.redhat.com/ --proxy http://admin:redhat@IP_ADDRESS:8888 </pre> h2. Block non-proxy traffic from your katello server Unless you block all other outgoing connections (Excluding dns), you won't know for sure if your katello server is actually going through the proxy or not. Lookup your dns servers, You'll need them: <pre> cat /etc/resolv.conf </pre> Edit /etc/sysconfig/iptables and replace contents with: <pre> *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -d 127.0.0.1 -j ACCEPT #replace KATELLO_SERVER_IP with the katello server's ip address -A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT #replace PROXY_SERVER_IP with the proxy server's ip address -A OUTPUT -d PROXY_SERVER_IP -j ACCEPT #Replace the NAME_SERVER_IP_1 with your dns server, do the same for NAME_SERVER_IP_2 # if you have more than one -A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT -A OUTPUT -d NAME_SERVER_IP_2 -j ACCEPT -A OUTPUT -j REJECT --reject-with icmp-host-prohibited COMMIT </pre> Make sure to replace the KATELLO_SERVER_IP, PROXY_SERVER_IP, & NAME_SERVER_IP_X. '''NOTE: Make sure you use IP addresses instead of hostnames in your iptables configuration.''' Then restart iptables: <pre> service iptables restart </pre> h2. Configuring yum to use the Proxy If you haven't installed katello yet, and want to configure yum to use the proxy, edit /etc/yum.conf and add under the [main] section: <pre> [main] ***EXISTING CONFIGURATION*** proxy=http://PROXY_SERVER_IP:8888 proxy_username=admin proxy_password=redhat </pre> h2. Configuring RHSM to use the Proxy Simply edit /etc/rhsm/rhsm.conf and set the following config options that are already present: <pre> # an http proxy server to use proxy_hostname = # port for http proxy server proxy_port = # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password = </pre> h2. Installing Katello to use the Proxy <pre> foreman-installer --scenario katello --katello-proxy-url=http://PROXY_IP --katello-proxy-port=8888 --katello-proxy-username=admin --katello-proxy-password=redhat </pre>