Revision 6 (Jonathon Turel, 02/13/2019 06:28 PM) → Revision 7/8 (Justin Sherrill, 04/26/2021 03:42 PM)

h1. Proxy Testing 

 This document provides instructions for installing and configuring an HTTP proxy for testing with Katello, and for configuring the Katello server so that it can only talk to the proxy. 

 h2. Configuring the Proxy 

 1. On another machine, completely separate from your Katello server, install RHEL 7 or CentOS 7. These instructions will not work for Fedora (TODO: Investigate Fedora instructions) 
 2. Disable SELinux and iptables: 

 <pre> 
    service iptables stop 
    setenforce 0 
 </pre> 

 2.    Install squid (and needed tools): 

 <pre> 
   yum install httpd-tools wget squid -y 
 </pre> 

 3.    Configure the proxy (with basic authentication): 

 Download the attached squid configuration (basic_el7.conf), overwrite /etc/squid/squid.conf with it, and make sure squid can read it: 

 <pre> 
    wget https://projects.theforeman.org/attachments/download/3023/basic_el7.conf 
    mv -f basic_el7.conf /etc/squid/squid.conf 
    chown squid:squid /etc/squid/squid.conf 
 </pre> 


 4.    Create a password file (htpasswd prompts for the password; the rest of this page assumes 'redhat'): 

 <pre> 
    htpasswd -c /etc/squid/passwd admin 
 </pre> 

 5.    Start/restart squid: 

 <pre> 
    service squid restart 
 </pre> 

 6.    Test the proxy 

 Replace IP_ADDRESS with the IP address of your proxy: 

 <pre> 
    curl -X GET http://www.redhat.com/ --proxy http://admin:redhat@IP_ADDRESS:8888 
 </pre> 

 h2. Block non-proxy traffic from your katello server 

 Unless you block all other outgoing connections (excluding DNS), you won't know for sure whether your Katello server is actually going through the proxy. 

 Look up your DNS servers; you'll need them: 

 <pre> 
 cat /etc/resolv.conf 
 </pre> 

 Edit /etc/sysconfig/iptables and replace contents with: 

 <pre> 
 *filter 
 :INPUT ACCEPT [0:0] 
 :FORWARD ACCEPT [0:0] 
 :OUTPUT ACCEPT [0:0] 
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
 -A INPUT -i lo -j ACCEPT 
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT 
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT 
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
 -A INPUT -j REJECT --reject-with icmp-host-prohibited 
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited 

 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
 -A OUTPUT -d 127.0.0.1 -j ACCEPT 

 # Replace KATELLO_SERVER_IP with the katello server's IP address 
 -A OUTPUT -d KATELLO_SERVER_IP -j ACCEPT 

 # Replace PROXY_SERVER_IP with the proxy server's IP address 
 -A OUTPUT -d PROXY_SERVER_IP -j ACCEPT 

 # Replace NAME_SERVER_IP_1 with your DNS server; do the same for NAME_SERVER_IP_2 
 # if you have more than one 
 -A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT 
 -A OUTPUT -d NAME_SERVER_IP_2 -j ACCEPT 

 -A OUTPUT -j REJECT --reject-with icmp-host-prohibited 
 COMMIT 
 </pre> 

 Make sure to replace the KATELLO_SERVER_IP, PROXY_SERVER_IP, & NAME_SERVER_IP_X. 

 *NOTE: Make sure you use IP addresses instead of hostnames in your iptables configuration.* 

 Then restart iptables: 
 <pre> 
 service iptables restart 
 </pre> 
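
 The following check for the edited ruleset is an added example, not part of the original wiki page or the Katello project. It flags the mistakes this section warns about: a placeholder or hostname left in a @-d@ argument, an unconditional ACCEPT, and a missing catch-all REJECT at the end of the OUTPUT chain. The function name and the sample rulesets (documentation addresses in 192.0.2.0/24) are constructed for illustration.

```python
import ipaddress

def audit_output_chain(ruleset):
    """Return a list of problems in the OUTPUT chain of an iptables-save style file."""
    problems = []
    rules = []  # (line number, tokens) for every "-A OUTPUT ..." rule, in order
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        tokens = raw.split()
        if tokens[:2] == ["-A", "OUTPUT"]:
            rules.append((lineno, tokens))

    for lineno, tokens in rules:
        # Every -d argument must be an IP address or CIDR block, never a
        # hostname or a placeholder that was left unreplaced.
        if "-d" in tokens[:-1]:
            dest = tokens[tokens.index("-d") + 1]
            try:
                ipaddress.ip_network(dest, strict=False)
            except ValueError:
                problems.append(f"line {lineno}: destination {dest!r} is not an IP address")
        # An ACCEPT with no match conditions lets everything bypass the proxy.
        if tokens[2:4] == ["-j", "ACCEPT"]:
            problems.append(f"line {lineno}: unconditional ACCEPT in OUTPUT")

    # The chain policy is ACCEPT, so the last rule must reject everything else.
    if not rules or rules[-1][1][2:4] not in (["-j", "REJECT"], ["-j", "DROP"]):
        problems.append("OUTPUT chain does not end with a catch-all REJECT/DROP")
    return problems

# Constructed sample: placeholders replaced with documentation addresses.
GOOD = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d 192.0.2.10 -j ACCEPT
-A OUTPUT -d 192.0.2.20 -j ACCEPT
-A OUTPUT -d 192.0.2.53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: a hostname, an unreplaced placeholder, no final REJECT.
BAD = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d proxy.example.com -j ACCEPT
-A OUTPUT -d NAME_SERVER_IP_1 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for problem in audit_output_chain(BAD):
        print(problem)
```

 To check the real file, pass the contents of /etc/sysconfig/iptables to @audit_output_chain@; an empty list means none of these three problems was found.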


 h2. Configuring yum to use the Proxy 

 If you haven't installed Katello yet and want to configure yum to use the proxy, edit /etc/yum.conf and add the following under the [main] section: 

 <pre> 
 [main] 
 ***EXISTING CONFIGURATION*** 

 proxy=http://PROXY_SERVER_IP:8888 
 proxy_username=admin 
 proxy_password=redhat 
 </pre> 


 h2. Configuring RHSM to use the Proxy 

 Simply edit /etc/rhsm/rhsm.conf and set the following config options that are already present: 

 <pre> 
 # an http proxy server to use 
 proxy_hostname = 

 # port for http proxy server 
 proxy_port = 

 # user name for authenticating to an http proxy, if needed 
 proxy_user = 

 # password for basic http proxy auth, if needed 
 proxy_password = 

 </pre> 

 h2. Installing Katello to use the Proxy 

 <pre> 
 foreman-installer --scenario katello --katello-proxy-url=http://PROXY_IP --katello-proxy-port=8888 --katello-proxy-username=admin --katello-proxy-password=redhat  
 </pre>