[Spacewalk-list] Squid Proxy for Spacewalk

Amedeo Salvati amedeo at oscert.net
Mon Nov 10 22:15:18 UTC 2014


I always suggest your layout architecture with Spacewalk server and proxies, but for scale-out reasons and not for security reasons, because, for example, in RHN communications clients first authenticate (and do other stuff like requesting which channel repos they are subscribed to), and this communication is forwarded by the proxies to the Spacewalk servers, so there is no segregation between servers and clients.

but your mileage may vary
Amedeo



Sent from Samsung tablet

-------- Original message --------
From: Matthew Madey <mattmadey at gmail.com>
Date: 10/11/2014  22:17  (GMT+01:00)
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk
 
I would just go ahead with the Spacewalk Proxy, even if you don't care about caching packages. We register all clients through the Spacewalk proxies, and our Spacewalk servers (Primary and Standby) sit behind a load balancer. This way we force compliance at the Proxy level: no clients can communicate directly with the Spacewalk server, and only the Spacewalk proxies can broker traffic between client and server. As an additional layer of security, you can use the root CA certificate for your organization on the load balancer, and append that to your SSL-CERT that the proxies use for communication to the Spacewalk server. This is what allows only the Proxies to get traffic through the load balancer, while your clients use the normal SSL-CERT generated by the Spacewalk server.

I suppose you could use just a standard Squid proxy, as long as it will pass SSL traffic also, but I'd recommend using the supported Spacewalk Proxy approach.

On Mon, Nov 10, 2014 at 1:51 PM, Waldirio Manhães Pinheiro <waldirio at gmail.com> wrote:
Hello Friends

You can do this (as mentioned by Amedeo), or you can use a SW in your DMZ and another SW in your internal network; the second will just sync channels from the main SW (Inter Satellite Sync - ISS). But in the end, I recommend the proxy too.

B'Regards

______________
Sincerely
Waldirio
msn: waldirio at gmail.com
Skype: waldirio
Site: www.waldirio.com.br
Blog: blog.waldirio.com.br
LinkedIn: http://br.linkedin.com/pub/waldirio-pinheiro/22/b21/646
PGP: www.waldirio.com.br/public.html

On Mon, Nov 10, 2014 at 5:25 PM, Amedeo Salvati <amedeo at oscert.net> wrote:
Glen, I don't understand the reasons... but you can install one Spacewalk server and one Spacewalk proxy, and then your clients will connect to your Spacewalk proxy, which will forward requests to the Spacewalk server.



Sent from Samsung tablet

-------- Original message --------
From: Glen Collins <glenc2004 at comcast.net>
Date: 10/11/2014 19:29 (GMT+01:00)
To: Amedeo Salvati <amedeo at oscert.net>
Cc: spacewalk-list at redhat.com, glenc2004 at comcast.net
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk


Thanks for the reply. My security guys just want another level of security. The SW server is already in my DMZ. But they want my clients to connect to a proxy and then have the proxy connect to the SW server. I don't need any sort of caching, just need a forwarder which I thought squid could do just fine.

Thanks

Glen Collins

Squid on the Spacewalk proxy is used to cache RPMs, and in the default configuration it accepts only connections from localhost...

Instead of using Squid to improve security, you can filter access to your Spacewalk server by putting it in a DMZ behind your firewall and then enabling only the hosts that you want.

best regards
 
From: spacewalk-list-bounces at redhat.com
To: glenc2004 at comcast.net, spacewalk-list at redhat.com
Cc:
Date: Mon, 10 Nov 2014 09:54:45 +0000
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk

> Not out of the box, it needs configuring, but yup, it does. I'm pretty sure when you install the proxy it also installs and configures Squid.

> On 10 November 2014 03:37, Glen Collins <glenc2004 at comcast.net> wrote:
> Hello all. Is it possible to just use a Squid proxy out of the box for Spacewalk? I don't need to cache packages and such. I just need to restrict access from the client side to the Spacewalk master. Just another level of access our security guys want. Just didn't want to go down this rabbit hole if it's not going to work and I'll just have to go forth with adding the actual Spacewalk proxy.

> Thanks

> Glen Collins

> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list


