[Spacewalk-list] Squid Proxy for Spacewalk

Matthew Madey mattmadey at gmail.com
Mon Nov 10 21:17:15 UTC 2014


I would just go ahead with the Spacewalk Proxy, even if you don't care
about caching packages. We register all clients through the Spacewalk
proxies, and our Spacewalk servers (Primary and Standby) sit behind a load
balancer. This way we force compliance at the Proxy level: no clients can
communicate directly to the Spacewalk server, and only the Spacewalk
proxies can broker traffic between client and server. As an additional
layer of security, you can use the root CA certificate for your
organization on the load balancer, and append that to your SSL-CERT that
the proxies use for communication to the Spacewalk server. This is what
allows only the Proxies to get traffic through the load balancer, while
your clients use the normal SSL-CERT generated by the Spacewalk server.

I suppose you could use just a standard Squid proxy, as long as it will
pass SSL traffic also, but I'd recommend using the supported Spacewalk
Proxy approach.

On Mon, Nov 10, 2014 at 1:51 PM, Waldirio Manhães Pinheiro <
waldirio at gmail.com> wrote:

> Hello Friends
>
> You can do this (as mentioned by Amedeo) or you can use a SW in your DMZ
> and another SW in your Internal Network, the second will just sync channels
> from the main SW (Inter Satellite Sync - ISS), but at the end, I recommend
> proxy too.
>
> B'Regards
>
> ______________
> Sincerely
> Waldirio
> msn: waldirio at gmail.com
> Skype: waldirio
> Site: www.waldirio.com.br
> Blog: blog.waldirio.com.br
> LinkedIn: http://br.linkedin.com/pub/waldirio-pinheiro/22/b21/646
> PGP: www.waldirio.com.br/public.html
>
> On Mon, Nov 10, 2014 at 5:25 PM, Amedeo Salvati <amedeo at oscert.net> wrote:
>
>> Glen, I don't understand the reasons... but you can install one
>> spacewalk server and one spacewalk proxy and then, your clients will
>> connect to your spacewalk proxy, that will forward request to spacewalk
>> server
>>
>>
>>
>> Sent from Samsung Tablet
>>
>>
>>
>> -------- Original message --------
>> From: Glen Collins <glenc2004 at comcast.net>
>> Date: 10/11/2014 19:29 (GMT+01:00)
>> To: Amedeo Salvati <amedeo at oscert.net>
>> Cc: spacewalk-list at redhat.com,glenc2004 at comcast.net
>> Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk
>>
>>
>> Thanks for the reply. My security guys just want another level of
>> security. The SW server is already in my DMZ. But they want my clients to
>> connect to a proxy and then have the proxy connect to the SW server. I
>> don't need any sort of caching, just need a forwarder which I thought squid
>> could do just fine.
>>
>> Thanks
>>
>> Glen Collins
>>
>> ------------------------------
>> squid on spacewalk proxy is used to cache rpms, and on default
>> configurations accepts only connections from localhost...
>>
>> instead of using squid to improve security you can filter access to your
>> spacewalk server by putting it on dmz behind your firewall and then enable
>> only hosts that you want.
>>
>> best regards
>>
>> From: spacewalk-list-bounces at redhat.com
>> To: glenc2004 at comcast.net, spacewalk-list at redhat.com
>> Cc:
>> Date: Mon, 10 Nov 2014 09:54:45 +0000
>> Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk
>>
>> > not out of the box, it needs configuring but yup it does, I'm pretty
>> sure when you install the proxy it also installs and configures squid
>>
>> > On 10 November 2014 03:37, Glen Collins <glenc2004 at comcast.net> wrote:
>>
>>> > Hello all. Is it possible to just use a squid proxy out of the box for
>>> spacewalk? I don't need to cache packages and such. I just need to restrict
>>> access from the client side to the spacewalk master. Just another level of
>>> access our security guys want. Just didn't want to go down this rabbit
>>> hole if it's not going to work and I'll just have to go forth with adding
>>> the actual spacewalk proxy.
>>>
>>> > Thanks
>>>
>>> > Glen Collins
>>>
>>> > _______________________________________________
>>> > Spacewalk-list mailing list
>>> > Spacewalk-list at redhat.com
>>> > https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>