I had some RHEL6 boxes on an internal network that had no access to the internet. But I wanted to install packages from EPEL via yum. The answer was to set up a proxy server and tell these internal boxes to use the proxy. Approach:
- Set up Squid proxy on a server that has access to the internet
- Configure Squid to only accept requests from my network
- Configure Squid to require a username and password, even on my network
- Install EPEL repository settings on the client
- Tell client to use the proxy
Set Up Squid
I'm using RHEL6. So installing Squid is just yum install squid, and ensuring it will start up when the box is booted is chkconfig squid on.
Lock Down Squid
My paranoia level is high, so I commented out all the example rules and only added my network, 198.51.100.0/24:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 198.51.100.0/24 # My internal network
Just because, I commented out all the ports except 80 and 443, too.
Require a Username and Password
Even though it's on my local network, I wanted the proxy to require authentication. I'm not very concerned about encryption here so I used HTTP Basic authentication, which means I had to tell Squid to use the plugin that supports it. I added the following to the top of /etc/squid/squid.conf:
# Tell Squid to use ncsa_auth
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials
auth_param basic realm Squid
acl authenticated_acl proxy_auth REQUIRED
I also changed the line
http_access allow localnet
to
http_access allow localnet authenticated_acl
This tells squid that clients on the 198.51.100.0 network must authenticate to use the proxy.
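As an added check, not part of the original post or of Squid itself, here is a small audit script that parses squid.conf fragments and verifies the two controls above: that every acl of type src admits only the network you expect (198.51.100.0/24), and that every http_access allow rule granting a source network also names a proxy_auth acl. The two configuration fragments are constructed for the example: the first is the RFC1918 defaults with an unauthenticated allow rule, the second is the locked-down form from this post.

```python
import ipaddress

# Constructed squid.conf fragments (not a real server's configuration).
WEAK_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl localnet src 198.51.100.0/24
http_access allow localnet
http_access deny all
"""
HARDENED_CONF = """\
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidcredentials
auth_param basic realm Squid
acl authenticated_acl proxy_auth REQUIRED
acl localnet src 198.51.100.0/24 # My internal network
http_access allow localnet authenticated_acl
http_access deny all
"""

def parse_squid_conf(text):
    """Collect acl definitions (name -> (type, args)) and http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def audit(text, expected_networks):
    """Return a list of findings; an empty list means both controls hold."""
    acls, rules = parse_squid_conf(text)
    expected = {ipaddress.ip_network(n) for n in expected_networks}
    findings = []
    src_acls = {n for n, (kind, _) in acls.items() if kind == "src"}
    auth_acls = {n for n, (kind, _) in acls.items() if kind == "proxy_auth"}
    for name in src_acls:
        for net in acls[name][1]:
            if ipaddress.ip_network(net, strict=False) not in expected:
                findings.append(f"acl {name} admits unexpected source {net}")
    for action, names in rules:
        clean = {n.lstrip("!") for n in names}    # '!acl' negations still name the acl
        if action == "allow" and clean & src_acls and not clean & auth_acls:
            findings.append(f"http_access allow {' '.join(names)} needs a proxy_auth acl")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf, ["198.51.100.0/24"]) or "OK")
```

Run it against a real /etc/squid/squid.conf by passing the file's contents to audit() together with the list of networks you actually intend to serve.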
Then I created the file at /etc/squid/squidcredentials. This file holds the username and password:
htpasswd -c /etc/squid/squidcredentials foo
New password: mysecretpassword
Re-type new password: mysecretpassword
Adding password for user foo
A hole needs to be poked in the firewall to allow hosts on the internal network to reach squid on port 3128:
iptables -I INPUT 4 -p tcp -s 198.51.100.0/24 --dport 3128 -m state --state NEW -j ACCEPT
service iptables save
Squid needs to read the changes in /etc/squid/squid.conf, and an easy way to do that is to restart squid:
service squid restart
Stopping squid: ..................................................
Starting squid: [ OK ]
Install EPEL Repository Settings on the Client
This part is easy. Get the EPEL repository rpm and move it onto the client. Then install it with rpm:
rpm -Uvh epel-release-6-8.noarch.rpm
Tell Client to Use the Proxy
The epel-release installation placed a file in /etc/yum.repos.d/epel.repo. Edit this file and add the following three lines to the end of the [epel] section:
proxy=http://username:password@proxy.example.com:3128/
where proxy.example.com is the IP or DNS name of the proxy server that was set up.
If everything went well, you can now use yum update on the client and it will happily find the EPEL repository:
# yum update
epel/metalink | 14 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.0 MB 00:34
Setting up Update Process
No Packages marked for Update
If there is a typo in the password on the client, instead of the above you'll see something like
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 22 - "The requested URL returned error: 407"