Using a Proxy to Access EPEL from an Internal Network

I had some RHEL6 boxes on an internal network that had no access to the internet. But I wanted to install packages from EPEL via yum. The answer was to set up a proxy server and tell these internal boxes to use the proxy. Approach:

  1. Set up Squid proxy on a server that has access to the internet
  2. Configure Squid to only accept requests from my network
  3. Configure Squid to require a username and password, even on my network
  4. Install EPEL repository settings on the client
  5. Tell client to use the proxy

Set Up Squid

I'm using RHEL6. So installing Squid is just yum install squid and ensuring it will start up when the box is booted is chkconfig squid on.

Lock Down Squid

My paranoia level is high, so I commented out all the example rules and only added my network:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src # RFC1918 possible internal network
#acl localnet src # RFC1918 possible internal network
#acl localnet src # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src # My internal network

Just because, I commented out all the ports except 80 and 443, too.

Require a Username and Password

Even though it's on my local network, I wanted the proxy to require authentication. I'm not very concerned about encryption here so I used HTTP Basic authentication, which means I had to tell Squid to use the plugin that supports it. I added the following to the top of /etc/squid/squid.conf:

# Tell Squid to use ncsa_auth
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials
auth_param basic realm Squid
acl authenticated_acl proxy_auth REQUIRED

I also changed the line

http_access allow localnet

to

http_access allow localnet authenticated_acl

This tells squid that clients on the network must authenticate to use the proxy.
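
One way to check that rule change on a config file, as an added example that is not part of the original post: the function below lists every http_access allow rule that names no proxy_auth ACL. The function names audit_squid_auth and sample_conf, the sample configs, and the 192.0.2.0/24 network are constructed for this example.

```shell
#!/bin/sh
# Added example: flag squid.conf "http_access allow" rules that any client
# matching the source ACL can use without authenticating.

# audit_squid_auth FILE
# Prints each allow rule that names no proxy_auth ACL; returns 1 if any exist.
audit_squid_auth() {
    awk '
        { sub(/#.*/, "") }                            # drop comments
        # Remember every ACL of type proxy_auth (Squid needs it defined before use).
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1; next }
        $1 == "http_access" && $2 == "allow" {
            ok = 0
            # A negated ACL ("!name") does not count: it matches unauthenticated clients.
            for (i = 3; i <= NF; i++) if ($i in auth) ok = 1
            if (!ok) { print "line " FNR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample configs (not taken from a real host): the rule before
# and after the change described above. 192.0.2.0/24 is a documentation range.
sample_conf() {   # $1 = "before" or "after"
    rule="http_access allow localnet"
    [ "$1" = "after" ] && rule="$rule authenticated_acl"
    cat <<EOF
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials
acl authenticated_acl proxy_auth REQUIRED
acl localnet src 192.0.2.0/24   # constructed placeholder network
$rule
http_access deny all
EOF
}

tmp=$(mktemp)
for state in before after; do
    sample_conf "$state" > "$tmp"
    if audit_squid_auth "$tmp"; then
        echo "$state: every allow rule requires authentication"
    else
        echo "$state: allow rules above skip authentication"
    fi
done
rm -f "$tmp"
```

Run against a stock squid.conf, it will also list loopback-only rules such as the cache manager entry, which are reported for review rather than treated as errors.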

Then I created the file at /etc/squid/squidcredentials. This file holds the username and password:

htpasswd -c /etc/squid/squidcredentials foo
New password: mysecretpassword
Re-type new password: mysecretpassword
Adding password for user foo

A hole needs to be poked in the firewall to allow hosts on the internal network to reach squid on port 3128:

iptables -I INPUT 4 -p tcp -s --dport 3128 -m state --state NEW -j ACCEPT
service iptables save

Squid needs to read the changes in /etc/squid/squid.conf, and an easy way to do that is to restart squid:

service squid restart
Stopping squid: ..................................................
Starting squid:                                            [  OK  ]

Install EPEL Repository Settings on the Client

This part is easy. Get the EPEL repository rpm and move it onto the client. Then install it with rpm:

rpm -Uvh epel-release-6-8.noarch.rpm

Tell Client to Use the Proxy

The epel-release installation placed a file in /etc/yum.repos.d/epel.repo. Edit this file and add the following three lines to the end of the [epel] section:


where proxy.example.com is the IP or DNS name of the proxy server that was set up.

If everything went well, you can now use yum update on the client and it will happily find the EPEL repository:

# yum update
epel/metalink                                           |  14 kB     00:00    
epel                                                    | 4.3 kB     00:00    
epel/primary_db                                         | 5.0 MB     00:34    
Setting up Update Process
No Packages marked for Update

If there is a typo in the password on the client, instead of the above you'll see something like

Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 22 - "The requested URL returned error: 407"



Solved: iSCSI disconnects and timeouts after successful login

Consider the following from /var/log/messages:

iscsid: Connection16:0 to [target: iqn.2012-12.com.example:fooportal, portal:,3260] through [iface: default] is operational now
kernel: sde:
kernel: connection16:0: ping timeout of 5 secs expired, recv timeout 5, last rx 4379432620, last ping 4379437620, now 4379442620
kernel: connection16:0: detected conn error (1011)
iscsid: Kernel reported iSCSI connection 16:0 error (1011 - ISCSI_ERR_CONN_FAILED: iSCSI connection failed) state (3)
iscsid: connection16:0 is operational after recovery (1 attempts)
kernel: connection16:0: ping timeout of 5 secs expired, recv timeout 5, last rx 4379445875, last ping 4379450875, now 4379455875
kernel: connection16:0: detected conn error (1011)
iscsid: Kernel reported iSCSI connection 16:0 error (1011 - ISCSI_ERR_CONN_FAILED: iSCSI connection failed) state (3)

As you can see, login to the iSCSI target was successful. But shortly thereafter, the client becomes unhappy and the connection fails out, only to be reinstated and disconnected repeatedly.

In my case, the problem ended up being jumbo frames. I diagnosed it by doing a wireshark capture of the bonded interface on the client, which revealed the following message:

scsi transfer limited due to allocation_length too small

and showed the message

[TCP Retransmission] SCSI: Read(10) LUN: 0x01 (LBA: 0x00000000, Len: 8)

Turning off jumbo frames in the bonded interfaces on both ends of the connection solved the problem.

This was happening because the switch I was going over (HP ProCurve 2910al) does not have jumbo frames enabled for the default VLAN:

# show vlan

Status and Counters - VLAN Information

  Maximum VLANs to support : 256                 

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No  

The ultimate solution was to create a separate VLAN on the switch and enable jumbo frames on the new VLAN. After that, everything worked swimmingly.


Darwin Streaming Server RPM for RHEL6

I wanted to run Darwin Streaming Server on Red Hat Enterprise Linux 6.

I made binary RPMs for 64-bit RHEL6 using these instructions. My changes:

  • fixed the symlink at /var/dss/modules to point to the correct directory
  • worked around the fact that DarwinStreamingServer -x does not exit when run
  • changed config path so that login to the Web Admin is possible

To install on RHEL6 (or CentOS 6, I presume):

yum install perl-Net-SSLeay
rpm -Uh DarwinStreamingServer-6.0.3-4.x86_64.rpm
qtpasswd -c -p yourpassword yourusername

You'll need to open firewall ports:

iptables -A INPUT --protocol tcp --destination $ip --dport 554 -m state --state NEW -j ACCEPT
# Cheesy perl-based web GUI started by /usr/sbin/streamingserver.pl
iptables -A INPUT --protocol tcp --destination $ip --dport 1220 -m state --state NEW -j ACCEPT
iptables -A INPUT --protocol udp --destination $ip --dport 6970:6989 -m state --state NEW -j ACCEPT
iptables -A INPUT --protocol tcp --destination $ip --dport 7070 -m state --state NEW -j ACCEPT

You can get to the web admin screen at http://example.com:1220.

Also, Apple seems to be moving toward HTTP Live Streaming and away from Darwin Streaming Server.


Which packages are in yum groupinstall "Web Server"?

On RHEL6, the following packages are installed when you do

yum groupinstall "Web Server"

on a RHEL6 minimal install:

Package                  Arch    Version
crypto-utils             x86_64  2.4.1-24.2.el6
httpd                    x86_64  2.2.15-15.el6_2.1
httpd-manual             noarch  2.2.15-15.el6_2.1
mod_perl                 x86_64  2.0.4-10.el6
mod_ssl                  x86_64  1:2.2.15-15.el6_2
mod_wsgi                 x86_64  3.2-1.el6
webalizer                x86_64  2.21_02-3.3.el6
Installing for dependencies:
apr                      x86_64  1.3.9-5.el6_2
apr-util                 x86_64  1.3.9-3.el6_0.1
apr-util-ldap            x86_64  1.3.9-3.el6_0.1
fontconfig               x86_64  2.8.0-3.el6
freetype                 x86_64  2.3.11-6.el6_2.9
gd                       x86_64  2.0.35-10.el6
httpd-tools              x86_64  2.2.15-15.el6_2.1
libX11                   x86_64  1.3-2.el6
libX11-common            noarch  1.3-2.el6
libXau                   x86_64  1.0.5-1.el6
libXpm                   x86_64  3.5.8-2.el6
libjpeg                  x86_64  6b-46.el6
libpng                   x86_64  2:1.2.49-1.el6_2
libxcb                   x86_64  1.5-1.el6
mailcap                  noarch  2.1.31-2.el6
perl                     x86_64  4:5.10.1-127.el6
perl-BSD-Resource        x86_64  1.29.03-3.el6
perl-ExtUtils-MakeMaker  x86_64  6.55-127.el6
perl-ExtUtils-ParseXS    x86_64  1:2.2003.0-127.el
perl-Module-Pluggable    x86_64  1:3.90-127.el6
perl-Newt                x86_64  1.08-26.el6
perl-Pod-Escapes         x86_64  1:1.04-127.el6
perl-Pod-Simple          x86_64  1:3.13-127.el6
perl-Test-Harness        x86_64  3.17-127.el6
perl-devel               x86_64  4:5.10.1-127.el6
perl-libs                x86_64  4:5.10.1-127.el6
perl-version             x86_64  3:0.77-127.el6

I don't use webalizer, httpd-manual, mod_wsgi or mod_perl for standard installs (mostly Drupal), so the following is a more minimal version of the above:

yum install mod_ssl httpd

That results in far fewer packages:

Package                  Arch    Version
httpd                    x86_64  2.2.15-15.el6_2.1
mod_ssl                  x86_64  1:2.2.15-15.el6_2.1
Installing for dependencies:
apr                      x86_64  1.3.9-5.el6_2
apr-util                 x86_64  1.3.9-3.el6_0.1
apr-util-ldap            x86_64  1.3.9-3.el6_0.1
httpd-tools              x86_64  2.2.15-15.el6_2.1
mailcap                  noarch  2.1.31-2.el6


