6.2. Installing a Squid Reverse Proxy
Install a Squid server to use as the load balancer by using reverse proxy mode.
# yum install squid
You also need to generate SSL certificates and sign them with the Satellite CA. The easiest method is to use the rhn-ssl-tool on the Satellite server to generate the server certificates, because the CA is already available there.
The Satellite SSL Maintenance Tool (rhn-ssl-tool) generates and maintains Satellite SSL keys and certificates. It also generates RPMs for use in deploying these keys and certificates. The tool is geared for use in a Satellite context, but can be useful outside of Satellite too.
In this example, the load balancer is called lb.example.com; substitute the host name that applies to your deployment, and enter a suitable build directory. Run this command on the Satellite server.
$ rhn-ssl-tool --gen-server --set-hostname=lb.example.com -d /root/ssl-build
The rhn-ssl-tool command above creates the SSL files for lb.example.com and saves them in the /root/ssl-build directory. Copy the server.crt, server.key, and the RHN-ORG-TRUSTED-SSL-CERT CA certificate from the dhcp directory to the lb.example.com load balancer. These files are used to set up SSL on the load balancer itself. The RHN-ORG-TRUSTED-SSL-CERT certificate allows SSL communication between the load balancer and the proxies.
Modify the /etc/squid/squid.conf file on the lb.example.com server to set up reverse proxy mode:
Example 6.1. Setting up Reverse Proxy Mode
#
# SSL configuration
#
# Ensure you enter each configuration directive on a single line
acl is_ssl port 443
https_port 443 cert=/etc/pki/tls/certs/lb.crt key=/etc/pki/tls/certs/lb.key accel vhost name=proxy_ssl
cache_peer proxya.example.com parent 443 0 no-query originserver round-robin ssl name=proxya.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer proxyb.example.com parent 443 0 no-query originserver round-robin ssl name=proxyb.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer_access proxya.example.com allow is_ssl
cache_peer_access proxya.example.com deny !is_ssl
cache_peer_access proxyb.example.com allow is_ssl
cache_peer_access proxyb.example.com deny !is_ssl
http_access allow is_ssl
#
# Non-SSL configuration
#
# Ensure you enter each configuration directive on a single line
acl nonssl port 80
http_port 80 accel name=proxy_nonssl defaultsite=dhcp16.example.com
cache_peer 192.168.100.16 parent 80 0 no-query name=proxy_nonssl originserver
cache_peer_access proxy_nonssl allow nonssl
cache_peer_access proxy_nonssl deny !nonssl
http_access allow nonssl
sslpassword_program /bin/password.out
forwarded_for on
The previous example demonstrates setting up two reverse proxies. Port 443 has two proxies that are used in round-robin mode, so requests are shared equally between the two proxies. The server.crt and server.key files were renamed to lb.crt and lb.key respectively (short for load balancer) for easier identification. The Satellite CA certificate was renamed to squid-ca.crt; the cache_peer sslcafile option refers to this file.
Add the certificates to the squid group:
# chgrp squid /etc/pki/tls/certs/{lb.crt,lb.key,squid-ca.crt}
The file details should appear as follows:
-rw-r--r--. 1 root squid 5450 Aug 23 21:23 lb.crt
-rw-r--r--. 1 root squid 1675 Aug 23 21:23 lb.key
-rw-r--r--. 1 root squid 5363 Aug 22 14:19 squid-ca.crt
The cache_peer directives set up the two proxies that are used in round-robin format. Note that you need to specify the CA certificate so that the load balancer can communicate with the proxies. Further, only port 443 traffic is allowed to reach these proxies, enforced by the squid acl is_ssl together with the cache_peer_access directives.
All traffic on port 80 is redirected to one proxy and defaults to the dhcp16.example.com proxy using the defaultsite directive. The ACLs are set up in the same way as for the SSL port.
The sslpassword_program directive allows you to send the SSL key passphrase (if one is used; shown here for completeness) to squid on startup without human intervention. The password.out file is a bash script that echoes the SSL passphrase. The forwarded_for directive configures the load balancer to send X-Forwarded-For headers to the proxies.
Important
Edit /etc/squid/squid.conf and comment out the default port, 3128, that squid normally listens on:
# Squid normally listens to port 3128
# http_port 3128
Restart squid after config modifications:
# service squid restart
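Before restarting, it is worth checking the edited file against the points this chapter makes. The following script is an added example, not part of the Red Hat documentation or of Squid: it reads a squid.conf, ignores comments, and reports an active http_port 3128, an https_port without cert= or key=, any ssl cache_peer lacking sslcafile= (so the load balancer could not verify the proxy's certificate), and any peer without both an allow and a deny cache_peer_access rule. The embedded SAMPLE_CONF is constructed from Example 6.1 with two deliberate slips.

```python
"""Lint a Squid load-balancer squid.conf (added example, not Red Hat's or Squid's code)."""


def directives(conf):
    """Yield (name, args) for every active directive; comments are dropped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def lint(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    peers = {}      # peer name -> directive arguments
    access = set()  # (peer name, "allow" | "deny") pairs seen
    for name, args in directives(conf):
        if name == "http_port" and args and args[0] == "3128":
            findings.append("http_port 3128 is still active; comment it out")
        elif name == "https_port":
            if not any(a.startswith("cert=") for a in args) or \
               not any(a.startswith("key=") for a in args):
                findings.append("https_port is missing cert= or key=")
        elif name == "cache_peer":
            # cache_peer_access refers to name=, falling back to the host name.
            pname = next((a[5:] for a in args if a.startswith("name=")), args[0])
            peers[pname] = args
        elif name == "cache_peer_access" and len(args) >= 2:
            access.add((args[0], args[1]))
    for pname, args in peers.items():
        # Without sslcafile= the load balancer cannot verify the proxy's cert.
        if "ssl" in args and not any(a.startswith("sslcafile=") for a in args):
            findings.append(f"cache_peer {pname} uses ssl without sslcafile=")
        for action in ("allow", "deny"):
            if (pname, action) not in access:
                findings.append(f"cache_peer {pname} has no {action} rule")
    return findings


# Constructed sample: the chapter's SSL section with the default port left
# active and proxyb missing both sslcafile= and its cache_peer_access rules.
SAMPLE_CONF = """\
http_port 3128
acl is_ssl port 443
https_port 443 cert=/etc/pki/tls/certs/lb.crt key=/etc/pki/tls/certs/lb.key accel vhost name=proxy_ssl
cache_peer proxya.example.com parent 443 0 no-query originserver round-robin ssl name=proxya.example.com sslcafile=/etc/pki/tls/certs/squid-ca.crt
cache_peer proxyb.example.com parent 443 0 no-query originserver round-robin ssl name=proxyb.example.com
cache_peer_access proxya.example.com allow is_ssl
cache_peer_access proxya.example.com deny !is_ssl
http_access allow is_ssl
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against your own file with lint(open("/etc/squid/squid.conf").read()); an empty result means the checks above pass.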