[CentOS] yum through a squid proxy

Thu Jul 19 11:45:21 UTC 2007
Dave <dmehler26 at woh.rr.com>

Hi,
    Thanks. I tried exporting an http_proxy environment variable; it still
doesn't like the proxy. Adding the options to yum.conf isn't happy either. I
am open to suggestions. What authentication scheme is yum communicating to
the proxy with?
Thanks.
Dave.

----- Original Message ----- 
From: "Peter Farrell" <peter.d.farrell at gmail.com>
To: "CentOS mailing list" <centos at centos.org>
Sent: Thursday, July 19, 2007 6:01 AM
Subject: Re: [CentOS] yum through a squid proxy


>I don't see why that setup wouldn't work.
> 1. you've added yourself to the passwd file? (you don't have to be a
> unix user existing in /etc/passwd)
> 2. you run the export variable before using yum - or you've added this
> to /etc/profile or your own .bash_profile file as well?
>
> export http_proxy=http://peter:password@192.168.25.25:3128
> echo $http_proxy
> http://peter:password@192.168.25.25:3128
>
> This is my squid.conf (see below) - nothing that I can see that would
> allow / disallow access to an xml file. I run porn filters for my
> network and allow ftp access to only 3 users, and allow windows
> updates for the idiot boxes.
>
> Testing - stop iptables. If you can access other sites through the
> proxy from links / elinks / lynx whatever, then you know it's working
> as it should. Start iptables - try the same test again - if it fails then
> enable port 3128 in /etc/sysconfig/iptables
>
> # squid server for internal
> -A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
>
> I would look at my yum.conf after confirming the above. Comment out
> everything except one. Run yum again, etc.
>
> *also - keep in mind that if you have multiple terms open - and you're
> manually exporting the proxy variable - it's a. not persistent and b.
> only valid in the term that you set it in.
>
> - Good luck.
> -Peter Farrell -
> -Cardiff, Wales
> ===========================
> SQUID.CONF
> ===========================
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir ufs /data/squid/cache 2048 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> auth_param basic children 5
> auth_param basic realm Internet Access
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl ftp_allow proxy_auth_regex martin
> acl ftp_allow proxy_auth_regex peter
> acl ftp_allow proxy_auth_regex bhanu
> acl all src 0.0.0.0/0.0.0.0
> acl winupdate dstdomain .microsoft.com .windowsupdate.com
> acl ftp proto FTP
> acl ssl_ports port 443      # https
> acl safe_ports port 80 1863 8888 443  # http, https
> acl CONNECT method CONNECT
> acl example dst 21.21.21.0/255.255.255.0
> acl porn url_regex "/etc/squid/porn"
> acl porn1 url_regex "/etc/squid/porn1"
> acl porn2 url_regex "/etc/squid/porn2"
> acl everyone proxy_auth REQUIRED
> http_access allow winupdate
> http_access allow example
> http_access allow ftp_allow
> http_access deny ftp
> http_access deny !safe_ports
> http_access deny CONNECT !ssl_ports
> http_access deny porn
> http_access deny porn1
> http_access deny porn2
> http_access allow everyone
> http_access deny all
> always_direct allow example
> always_direct allow winupdate
> no_cache deny example
> no_cache deny winupdate
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr sysadmin@example.com
> cache_effective_user squid
> visible_hostname pollux.example.com
> unique_hostname pollux
> logfile_rotate 10
> coredump_dir /var/log/squid/cache
> ===========================
>
> On 19/07/07, Dave <dmehler26 at woh.rr.com> wrote:
>> Hello,
>>     I've got a centos5 box that is now behind what was a transparent squid
>> proxy. The proxy now has its own dedicated ip and uses proxy basic
>> authentication. I've got a firewall that redirects all outgoing port 80
>> traffic to that ip so anyone wishing access goes proxied. The problem is
>> yum on my centos5 can't retrieve the .xml files for the various yum
>> repositories. In the squid access.log on the router I'm seeing invalid
>> request method. This means that the box isn't yet talking proxy and is
>> still trying to go through direct. To my yum.conf file I added lines
>> similar to these:
>>
>> # The proxy server - proxy server:port number
>> proxy=http://mycache.mydomain.com:3128
>> # The account details for yum connections
>> proxy_username=yum-user
>> proxy_password=qwerty
>>
>> I tried port 80 on that proxy line with the same results. Telnetting to
>> that ip/port works fine, iptables isn't blocking it. On the firewall I
>> added the yum-user to the password file and used squid's ncsa_auth program
>> to confirm the username/password combination, output was a simple "ok". On
>> the centos5 box I did a service network restart, which didn't work, yum
>> update gave me the same error.
>>     Any suggestions welcome.
>>     Thanks.
>> Dave.
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
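
The squid.conf quoted above sets "auth_param basic", so the proxy offers the HTTP Basic scheme. The following is an added example, not part of the original thread and not yum's or Squid's own code: it reads the proxy settings from a yum.conf, builds the request an explicit-proxy client sends with Basic credentials, and decodes the header again to show the credentials travel as plain base64. The [main] header, the mirror.example URL and all function names are assumptions made for illustration.

```python
import base64
import configparser
from urllib.parse import urlsplit

# Constructed sample: the yum.conf lines from the thread under a [main] header.
YUM_CONF = """\
[main]
# The proxy server - proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty
"""

def proxy_settings(conf_text):
    """Return (host, port, user, password) from the [main] section of a yum.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    main = cp["main"]
    parts = urlsplit(main["proxy"])
    # Credentials may sit in the URL (http://user:pass@host:port) or in separate keys.
    user = main.get("proxy_username", parts.username)
    password = main.get("proxy_password", parts.password)
    return parts.hostname, parts.port, user, password

def basic_proxy_request(target_url, user, password):
    """Build the request a client sends to an explicit proxy using the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    host = urlsplit(target_url).netloc
    return (
        f"GET {target_url} HTTP/1.1\r\n"  # absolute-form target, as sent to a proxy
        f"Host: {host}\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "\r\n"
    )

def recover_credentials(request_text):
    """Basic is encoding, not encryption: decode the header back to user/password."""
    for line in request_text.split("\r\n"):
        name, _, value = line.partition(": ")
        if name.lower() == "proxy-authorization" and value.startswith("Basic "):
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
            return user, password
    return None

if __name__ == "__main__":
    host, port, user, password = proxy_settings(YUM_CONF)
    req = basic_proxy_request("http://mirror.example/repodata/repomd.xml", user, password)
    print(f"send to {host}:{port}\n{req}")
    print("recovered:", recover_credentials(req))
```

Comparing this output with a packet capture or the Squid access.log entry for the same request shows whether the client is sending an absolute-form request line and a Proxy-Authorization header at all.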