[CentOS] yum through a squid proxy

Thu Jul 19 12:55:03 UTC 2007
Peter Farrell <peter.d.farrell at gmail.com>

What options? Did you change something from the default?
RE: "Adding the options to yum.conf isn't happy either"

Yum uses nothing. You just need to point it to the proxy.

Add a test user in squid.
$1 = username (test)
$2 = password  (test)
/usr/local/apache2/bin/htpasswd -b /etc/squid/passwd $1 $2

Turn off IPTABLES. On the Proxy server AND on your client server.
Run 'iptables -L -n' on both hosts and you should see empty chains.

export http_proxy=http://test:test@192.168.1.1:3128
echo $http_proxy
http://test:test@192.168.1.1:3128

yum check-update

What output do you get at this point?

Don't 'over think' your problem. Reduce them to their component parts.
SQUID is robust and easy. If it's up and running and it's log files
report no issues - then you can eliminate that from the list of
problems.  If you've got some odd-ball squid.conf, move it out of the
folder and revert back to the default file.
Also - can you plug in your proxy settings to a browser on your
network and get through? Does links/elinks/lynx work from the server
you're using yum on?

The environmental variable that allows 'yum' on different machines or
subnets 'see' the proxy is bulletproof. (I assume you're using a bash
shell)
If the firewall is down - again - cross that off the list. (I'm
assuming that you have connectivity from the proxy server itself as
well)

So - if it's still not working - tail the log file for squid on the
proxy (you may need to enable verbose logging) and tail the log file
for yum on the client. The answer is there somewhere.

-Peter

My yum.conf (centos 4.5)
---------------------------------
[root at altair local]# more /etc/yum.conf
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
installonlypkgs=kernel kernel-smp kernel-devel kernel-smp-devel
kernel-largesmp kernel-largesmp-devel kernel-hugemem
kernel-hugemem-devel
distroverpkg=centos-release
tolerant=1
exactarch=1
retries=20
obsoletes=1
gpgcheck=1
plugins=1

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
---------------------------------------------------



On 19/07/07, Dave <dmehler26 at woh.rr.com> wrote:
> Hi,
>     Thanks. I tried exporting an http_proxy environment variable, it still
> doesn't like the proxy. Adding the options to yum.conf isn't happy either. I
> am open to suggestions, what authentication scheme is yum communicating to
> the proxy with?
> Thanks.
> Dave.
>
> ----- Original Message -----
> From: "Peter Farrell" <peter.d.farrell at gmail.com>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Thursday, July 19, 2007 6:01 AM
> Subject: Re: [CentOS] yum through a squid proxy
>
>
> >I don't see why that setup wouldn't work.
> > 1. you've added yourself to the passwd file? (you don't have to be a
> > unix user existing in /etc/passwd
> > 2. you run the export variable before using yum - or you've added this
> > to /etc/profile or your own .bash_profile file as well?
> >
> > export http_proxy=http://peter:password@192.168.25.25:3128
> > echo $http_proxy
> > http://peter:password@192.168.25.25:3128
> >
> > This is my squid.conf (see below) - nothing that I can see that would
> > allow / disallow access to an xml file. I run porn filters for my
> > network and allow ftp access to only 3 users, and allow windows
> > updates for the idiot boxes.
> >
> > Testing - stop iptables. If you can access other site through the
> > proxy from links / elinks / lynx whatever, then you know it's working
> > as it should. Start iptables - try the same test again - if fails then
> > enable port 3128 in /etc/sysconfig/iptables
> >
> > # squid server for internal
> > -A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
> > -A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
> >
> > I would look at my yum.conf after confirming the above. Comment out
> > everything except one. Run yum again, etc.
> >
> > *also - keep in mind that if you have multiple terms open - and you're
> > manually exporting the proxy variable - it's a. not persistent and b.
> > only valid in the term that you set it in.
> >
> > - Good luck.
> > -Peter Farrell -
> > -Cardiff, Wales
> > ===========================
> > SQUID.CONF
> > ===========================
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> > cache_dir ufs /data/squid/cache 2048 16 256
> > cache_access_log /var/log/squid/access.log
> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
> > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> > auth_param basic children 5
> > auth_param basic realm Internet Access
> > auth_param basic credentialsttl 2 hours
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern .               0       20%     4320
> > acl ftp_allow proxy_auth_regex martin
> > acl ftp_allow proxy_auth_regex peter
> > acl ftp_allow proxy_auth_regex bhanu
> > acl all src 0.0.0.0/0.0.0.0
> > acl winupdate dstdomain .microsoft.com .windowsupdate.com
> > acl ftp proto FTP
> > acl ssl_ports port 443      # https
> > acl safe_ports port 80 1863 8888 443  # http, https
> > acl CONNECT method CONNECT
> > acl example dst 21.21.21.0/255.255.255.0
> > acl porn url_regex "/etc/squid/porn"
> > acl porn1 url_regex "/etc/squid/porn1"
> > acl porn2 url_regex "/etc/squid/porn2"
> > acl everyone proxy_auth REQUIRED
> > http_access allow winupdate
> > http_access allow example
> > http_access allow ftp_allow
> > http_access deny ftp
> > http_access deny !safe_ports
> > http_access deny CONNECT !ssl_ports
> > http_access deny porn
> > http_access deny porn1
> > http_access deny porn2
> > http_access allow everyone
> > http_access deny all
> > always_direct allow example
> > always_direct allow winupdate
> > no_cache deny example
> > no_cache deny winupdate
> > http_access deny all
> > http_reply_access allow all
> > icp_access allow all
> > cache_mgr sysadmin at example.com
> > cache_effective_user squid
> > visible_hostname pollux.example.com
> > unique_hostname pollux
> > logfile_rotate 10
> > coredump_dir /var/log/squid/cache
> > ===========================
> >
> > On 19/07/07, Dave <dmehler26 at woh.rr.com> wrote:
> >> Hello,
> >>     I've got a centos5 box that is now behind a what was transparent
> >> squid
> >> proxy. The proxy now has it's own dedicated ip and uses proxy basic
> >> authentication. I've got a firewall that redirects all outgoing port 80
> >> traffic to that ip so anyone wishing access goes proxied. The problem is
> >> yum
> >> on my centos5 can't retrieve the .xml files for the various yum
> >> repositories. In the squid access.log on the router i'm seeing invalid
> >> request method. This means that the box isn't yet talking proxy and is
> >> still
> >> trying to go through direct. To my yum.conf file i added lines similar to
> >> these:
> >>
> >> # The proxy server - proxy server:port number
> >> proxy=http://mycache.mydomain.com:3128
> >> # The account details for yum connections
> >> proxy_username=yum-user
> >> proxy_password=qwerty
> >>
> >> I tried port 80 on that proxy line with the same results. Telneting to
> >> that
> >> ip/port works fine, iptables isn't blocking it. On the firewall i added
> >> the
> >> yum-user to the password file and used squid's ncsa_auth program to
> >> confirm
> >> the username/password combination, output was a simple "ok". On the
> >> centos5
> >> box i did a service network restart, which didn't work, yum update gave
> >> me
> >> the same error.
> >>     Any suggestions welcome.
> >>     Thanks.
> >> Dave.
> >>
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS at centos.org
> >> http://lists.centos.org/mailman/listinfo/centos
> >>
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>