6.2. Installing a Squid Reverse Proxy
Install a Squid server to use as the load balancer by using reverse proxy mode.
# yum install squid
You also need to generate SSL certificates and sign them with the Satellite CA. The easiest method is to use the rhn-ssl-tool on the Satellite server to generate the server certificates, because the CA is already available there.
The Satellite SSL Maintenance Tool (rhn-ssl-tool) generates and maintains Satellite SSL keys and certificates. It also generates RPMs for use in deploying these keys and certificates. The tool is geared for use in a Satellite context, but can be useful outside of Satellite too.
In this example, the load balancer is called lb.example.com; substitute the host name that applies to your deployment, and enter a suitable build directory. Run this command on the Satellite server.
$ rhn-ssl-tool --gen-server --set-hostname=lb.example.com -d /root/ssl-build
The rhn-ssl-tool command above creates the SSL files for lb.example.com and saves them in the /root/ssl-build directory. Copy server.crt, server.key, and the RHN-ORG-TRUSTED-SSL-CERT CA certificate from the dhcp directory to the lb.example.com load balancer. These files are used to set up SSL on the load balancer itself. The RHN-ORG-TRUSTED-SSL-CERT certificate allows SSL communication between the load balancer and the proxies.
Modify the /etc/squid/squid.conf file on the lb.example.com server to set up reverse proxy mode:
Example 6.1. Setting up Reverse Proxy Mode
#
# SSL configuration
#
# Ensure you enter each configuration directive on a single line
acl is_ssl port 443
https_port 443 cert=/etc/pki/tls/certs/lb.crt key=/etc/pki/tls/certs/lb.key accel vhost name=proxy_ssl
cache_peer proxya.example.com parent 443 0 no-query originserver round-robin ssl name=proxya.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer proxyb.example.com parent 443 0 no-query originserver round-robin ssl name=proxyb.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer_access proxya.example.com allow is_ssl
cache_peer_access proxya.example.com deny !is_ssl
cache_peer_access proxyb.example.com allow is_ssl
cache_peer_access proxyb.example.com deny !is_ssl
http_access allow is_ssl
#
# Non-SSL configuration
#
# Ensure you enter each configuration directive on a single line
acl nonssl port 80
http_port 80 accel name=proxy_nonssl defaultsite=dhcp16.example.com
cache_peer 192.168.100.16 parent 80 0 no-query name=proxy_nonssl originserver
cache_peer_access proxy_nonssl allow nonssl
cache_peer_access proxy_nonssl deny !nonssl
http_access allow nonssl
sslpassword_program /bin/password.out
forwarded_for on
The previous example demonstrates setting up two reverse proxies. Port 443 has two proxies that are used in round-robin mode, so requests are shared equally between them. The server.crt and server.key files were renamed to lb.crt and lb.key respectively (short for load balancer) for easier identification. The Satellite CA certificate was renamed to squid-ca.crt; the cache_peer sslcafile option refers to this file.
Add the certificates to the squid group:
# chgrp squid /etc/pki/tls/certs/{lb.crt,lb.key,squid-ca.crt}
The file details should appear as follows:
-rw-r--r--. 1 root squid 5450 Aug 23 21:23 lb.crt
-rw-r--r--. 1 root squid 1675 Aug 23 21:23 lb.key
-rw-r--r--. 1 root squid 5363 Aug 22 14:19 squid-ca.crt
The cache_peer directives set up the two proxies that are used in round-robin format. Note that you must specify the CA certificate so that the load balancer can verify the proxies' certificates and communicate with them. Further, only port 443 traffic is allowed to reach these proxies, enforced by the Squid is_ssl ACL and the cache_peer_access directives.
All traffic on port 80 is sent to a single proxy and defaults to the dhcp16.example.com proxy through the defaultsite directive. ACLs are set up similarly to those for the SSL port.
The sslpassword_program directive lets you supply the SSL key passphrase (if one is used; shown here for completeness) to Squid on startup without human intervention. password.out is a bash script that echoes the SSL passphrase. The forwarded_for directive configures the load balancer to send X-Forwarded-For headers to the proxies.
Important
Edit /etc/squid/squid.conf and comment out the default port, 3128, that Squid normally listens on:
# Squid normally listens to port 3128
# http_port 3128
Restart squid after config modifications:
# service squid restart
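Before restarting, it is worth checking the edited squid.conf for the mistakes this section calls out. The following linter is an added example, not code from the Red Hat documentation or from Squid; it reports an enabled default port 3128, a cache_peer_access rule that names a peer never defined by cache_peer, an ssl peer without sslcafile (so the proxy's certificate would go unverified), and an https_port missing cert= or key=. SAMPLE_CONF is a constructed configuration containing all of these faults; point lint() at the text of your own squid.conf instead.

```python
# Added example, not part of the Red Hat documentation or of Squid.
# Parses squid.conf text and reports the mistakes Section 6.2 warns about.
# SAMPLE_CONF is a constructed configuration that contains every fault checked.

SAMPLE_CONF = """\
acl is_ssl port 443
https_port 443 cert=/etc/pki/tls/certs/lb.crt key=/etc/pki/tls/certs/lb.key accel vhost name=proxy_ssl
cache_peer proxya.example.com parent 443 0 no-query originserver round-robin ssl name=proxya.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer proxyb.example.com parent 443 0 no-query originserver round-robin ssl name=proxyb.example.com
cache_peer_access proxya.example.com allow is_ssl
cache_peer_access proxyc.example.com allow is_ssl
http_access allow is_ssl
http_port 3128
"""


def parse(conf):
    """Yield (directive, args) for every line that is not blank or a comment."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def lint(conf):
    """Return the sorted list of findings; an empty list means the config passed."""
    directives = list(parse(conf))
    findings = []
    peers = {}
    for name, args in directives:
        if name == "cache_peer":
            # Options after the host: bare flags map to True, key=value pairs are split.
            opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args[1:])
            peer = opts.get("name", args[0])
            peers[peer] = opts
            if "ssl" in opts and "sslcafile" not in opts:
                findings.append("ssl peer %s has no sslcafile: peer certificate is not verified" % peer)
    for name, args in directives:
        if name == "cache_peer_access" and args[0] not in peers:
            findings.append("cache_peer_access refers to undefined peer %s" % args[0])
        elif name == "http_port" and args[0].rsplit(":", 1)[-1] == "3128":
            findings.append("default http_port 3128 is still enabled; comment it out")
        elif name == "https_port":
            for opt in ("cert", "key"):
                if not any(a.startswith(opt + "=") for a in args[1:]):
                    findings.append("https_port is missing the %s= option" % opt)
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```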