Re: [CentOS] yum through a squid proxy
Hi,
Resolved this issue, the fix was I had to enable port 3128 tcp outgoing then it fired right up.
Thanks.
Dave.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] yum through a squid proxy
What options? Did you change something from the default?
RE: "Adding the options to yum.conf isn't happy either"
Yum uses nothing. You just need to point it to the proxy.

Add a test user in squid.
$1 = username (test)
$2 = password (test)
/usr/local/apache2/bin/htpasswd -b /etc/squid/passwd $1 $2

Turn off IPTABLES. On the Proxy server AND on your client server.
Run 'iptables -L -n' on both hosts and you should see empty chains.

export http_proxy=http://test:[EMAIL PROTECTED]:3128
echo $http_proxy
http://test:[EMAIL PROTECTED]:3128
yum check-update

What output do you get at this point?

Don't 'over think' your problem. Reduce them to their component parts. SQUID is robust and easy. If it's up and running and its log files report no issues - then you can eliminate that from the list of problems. If you've got some odd-ball squid.conf, move it out of the folder and revert back to the default file.

Also - can you plug in your proxy settings to a browser on your network and get through? Does links/elinks/lynx work from the server you're using yum on?

The environmental variable that allows 'yum' on different machines or subnets to 'see' the proxy is bulletproof. (I assume you're using a bash shell) If the firewall is down - again - cross that off the list. (I'm assuming that you have connectivity from the proxy server itself as well)

So - if it's still not working - tail the log file for squid on the proxy (you may need to enable verbose logging) and tail the log file for yum on the client. The answer is there somewhere.

-Peter

My yum.conf (centos 4.5) -

[EMAIL PROTECTED] local]# more /etc/yum.conf
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
installonlypkgs=kernel kernel-smp kernel-devel kernel-smp-devel kernel-largesmp kernel-largesmp-devel kernel-hugemem kernel-hugemem-devel
distroverpkg=centos-release
tolerant=1
exactarch=1
retries=20
obsoletes=1
gpgcheck=1
plugins=1

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
---

On 19/07/07, Dave <[EMAIL PROTECTED]> wrote:

Hi,
Thanks. I tried exporting an http_proxy environment variable, it still doesn't like the proxy. Adding the options to yum.conf isn't happy either. I am open to suggestions, what authentication scheme is yum communicating to the proxy with?
Thanks.
Dave.

- Original Message -
From: "Peter Farrell" <[EMAIL PROTECTED]>
To: "CentOS mailing list"
Sent: Thursday, July 19, 2007 6:01 AM
Subject: Re: [CentOS] yum through a squid proxy

> I don't see why that setup wouldn't work.
> 1. you've added yourself to the passwd file? (you don't have to be a
> unix user existing in /etc/passwd)
> 2. you run the export variable before using yum - or you've added this
> to /etc/profile or your own .bash_profile file as well?
>
> export http_proxy=http://peter:[EMAIL PROTECTED]:3128
> echo $http_proxy
> http://peter:[EMAIL PROTECTED]:3128
>
> This is my squid.conf (see below) - nothing that I can see that would
> allow / disallow access to an xml file. I run porn filters for my
> network and allow ftp access to only 3 users, and allow windows
> updates for the idiot boxes.
>
> Testing - stop iptables. If you can access other sites through the
> proxy from links / elinks / lynx whatever, then you know it's working
> as it should. Start iptables - try the same test again - if fails then
> enable port 3128 in /etc/sysconfig/iptables
>
> # squid server for internal
> -A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
>
> I would look at my yum.conf after confirming the above. Comment out
> everything except one. Run yum again, etc.
>
> *also - keep in mind that if you have multiple terms open - and you're
> manually exporting the proxy variable - it's a. not persistent and b.
> only valid in the term that you set it in.
>
> - Good luck.
> -Peter Farrell -
> -Cardiff, Wales
> ===
> SQUID.CONF
> ===
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir ufs /data/squid/cache 2048 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> auth_param basic children 5
> auth_param basic realm Internet Access
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern .

Re: [CentOS] yum through a squid proxy
Hi,
Thanks. I tried exporting an http_proxy environment variable, it still doesn't like the proxy. Adding the options to yum.conf isn't happy either. I am open to suggestions, what authentication scheme is yum communicating to the proxy with?
Thanks.
Dave.

- Original Message -
From: "Peter Farrell" <[EMAIL PROTECTED]>
To: "CentOS mailing list"
Sent: Thursday, July 19, 2007 6:01 AM
Subject: Re: [CentOS] yum through a squid proxy

I don't see why that setup wouldn't work.
1. you've added yourself to the passwd file? (you don't have to be a unix user existing in /etc/passwd)
2. you run the export variable before using yum - or you've added this to /etc/profile or your own .bash_profile file as well?

export http_proxy=http://peter:[EMAIL PROTECTED]:3128
echo $http_proxy
http://peter:[EMAIL PROTECTED]:3128

This is my squid.conf (see below) - nothing that I can see that would allow / disallow access to an xml file. I run porn filters for my network and allow ftp access to only 3 users, and allow windows updates for the idiot boxes.

Testing - stop iptables. If you can access other sites through the proxy from links / elinks / lynx whatever, then you know it's working as it should. Start iptables - try the same test again - if fails then enable port 3128 in /etc/sysconfig/iptables

# squid server for internal
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT

I would look at my yum.conf after confirming the above. Comment out everything except one. Run yum again, etc.

*also - keep in mind that if you have multiple terms open - and you're manually exporting the proxy variable - it's a. not persistent and b. only valid in the term that you set it in.

- Good luck.
-Peter Farrell -
-Cardiff, Wales
===
SQUID.CONF
===
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /data/squid/cache 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl ftp_allow proxy_auth_regex martin
acl ftp_allow proxy_auth_regex peter
acl ftp_allow proxy_auth_regex bhanu
acl all src 0.0.0.0/0.0.0.0
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
acl ssl_ports port 443 # https
acl safe_ports port 80 1863 443 # http, https
acl CONNECT method CONNECT
acl example dst 21.21.21.0/255.255.255.0
acl porn url_regex "/etc/squid/porn"
acl porn1 url_regex "/etc/squid/porn1"
acl porn2 url_regex "/etc/squid/porn2"
acl everyone proxy_auth REQUIRED
http_access allow winupdate
http_access allow example
http_access allow ftp_allow
http_access deny ftp
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access deny porn
http_access deny porn1
http_access deny porn2
http_access allow everyone
http_access deny all
always_direct allow example
always_direct allow winupdate
no_cache deny example
no_cache deny winupdate
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr [EMAIL PROTECTED]
cache_effective_user squid
visible_hostname pollux.example.com
unique_hostname pollux
logfile_rotate 10
coredump_dir /var/log/squid/cache
===

On 19/07/07, Dave <[EMAIL PROTECTED]> wrote:

Hello,
I've got a centos5 box that is now behind what was a transparent squid proxy. The proxy now has its own dedicated ip and uses proxy basic authentication. I've got a firewall that redirects all outgoing port 80 traffic to that ip so anyone wishing access goes proxied. The problem is yum on my centos5 can't retrieve the .xml files for the various yum repositories. In the squid access.log on the router I'm seeing invalid request method. This means that the box isn't yet talking proxy and is still trying to go through direct. To my yum.conf file I added lines similar to these:

# The proxy server - proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty

I tried port 80 on that proxy line with the same results. Telnetting to that ip/port works fine, iptables isn't blocking it. On the firewall I added the yum-user to the password file and used squid's ncsa_auth program to confirm the username/password combination, output was a simple "ok". On the centos5 box I did a service network restart, which didn't work, yum update gave me the same error

Re: [CentOS] yum through a squid proxy
I don't see why that setup wouldn't work.
1. you've added yourself to the passwd file? (you don't have to be a unix user existing in /etc/passwd)
2. you run the export variable before using yum - or you've added this to /etc/profile or your own .bash_profile file as well?

export http_proxy=http://peter:[EMAIL PROTECTED]:3128
echo $http_proxy
http://peter:[EMAIL PROTECTED]:3128

This is my squid.conf (see below) - nothing that I can see that would allow / disallow access to an xml file. I run porn filters for my network and allow ftp access to only 3 users, and allow windows updates for the idiot boxes.

Testing - stop iptables. If you can access other sites through the proxy from links / elinks / lynx whatever, then you know it's working as it should. Start iptables - try the same test again - if fails then enable port 3128 in /etc/sysconfig/iptables

# squid server for internal
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT

I would look at my yum.conf after confirming the above. Comment out everything except one. Run yum again, etc.

*also - keep in mind that if you have multiple terms open - and you're manually exporting the proxy variable - it's a. not persistent and b. only valid in the term that you set it in.

- Good luck.
-Peter Farrell -
-Cardiff, Wales
===
SQUID.CONF
===
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /data/squid/cache 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl ftp_allow proxy_auth_regex martin
acl ftp_allow proxy_auth_regex peter
acl ftp_allow proxy_auth_regex bhanu
acl all src 0.0.0.0/0.0.0.0
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
acl ssl_ports port 443 # https
acl safe_ports port 80 1863 443 # http, https
acl CONNECT method CONNECT
acl example dst 21.21.21.0/255.255.255.0
acl porn url_regex "/etc/squid/porn"
acl porn1 url_regex "/etc/squid/porn1"
acl porn2 url_regex "/etc/squid/porn2"
acl everyone proxy_auth REQUIRED
http_access allow winupdate
http_access allow example
http_access allow ftp_allow
http_access deny ftp
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access deny porn
http_access deny porn1
http_access deny porn2
http_access allow everyone
http_access deny all
always_direct allow example
always_direct allow winupdate
no_cache deny example
no_cache deny winupdate
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr [EMAIL PROTECTED]
cache_effective_user squid
visible_hostname pollux.example.com
unique_hostname pollux
logfile_rotate 10
coredump_dir /var/log/squid/cache
===

On 19/07/07, Dave <[EMAIL PROTECTED]> wrote:

Hello,
I've got a centos5 box that is now behind what was a transparent squid proxy. The proxy now has its own dedicated ip and uses proxy basic authentication. I've got a firewall that redirects all outgoing port 80 traffic to that ip so anyone wishing access goes proxied. The problem is yum on my centos5 can't retrieve the .xml files for the various yum repositories. In the squid access.log on the router I'm seeing invalid request method. This means that the box isn't yet talking proxy and is still trying to go through direct. To my yum.conf file I added lines similar to these:

# The proxy server - proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty

I tried port 80 on that proxy line with the same results. Telnetting to that ip/port works fine, iptables isn't blocking it. On the firewall I added the yum-user to the password file and used squid's ncsa_auth program to confirm the username/password combination, output was a simple "ok". On the centos5 box I did a service network restart, which didn't work, yum update gave me the same error. Any suggestions welcome.
Thanks.
Dave.

[CentOS] yum through a squid proxy
Hello,
I've got a centos5 box that is now behind what was a transparent squid proxy. The proxy now has its own dedicated ip and uses proxy basic authentication. I've got a firewall that redirects all outgoing port 80 traffic to that ip so anyone wishing access goes proxied. The problem is yum on my centos5 can't retrieve the .xml files for the various yum repositories. In the squid access.log on the router I'm seeing invalid request method. This means that the box isn't yet talking proxy and is still trying to go through direct. To my yum.conf file I added lines similar to these:

# The proxy server - proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty

I tried port 80 on that proxy line with the same results. Telnetting to that ip/port works fine, iptables isn't blocking it. On the firewall I added the yum-user to the password file and used squid's ncsa_auth program to confirm the username/password combination, output was a simple "ok". On the centos5 box I did a service network restart, which didn't work, yum update gave me the same error. Any suggestions welcome.
Thanks.
Dave.
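
Added example, not part of the thread: the thread asks which authentication scheme is in play, and the posted squid.conf uses "auth_param basic", i.e. HTTP Basic. This Python sketch reads the [main] proxy options from the original post, builds the request an explicitly configured client sends to such a proxy (full URL in the request line plus a Proxy-Authorization header), and shows that the header decodes straight back to the password. The repository URL is hypothetical and the function names are this example's own; it does not reproduce yum's internals.

```python
import base64
import configparser
from urllib.parse import urlsplit

# Constructed sample: the [main] proxy options quoted in the original post.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
proxy=http://mycache.mydomain.com:3128
proxy_username=yum-user
proxy_password=qwerty
"""

def proxy_settings(conf_text):
    """Return (host, port, user, password) from [main], or None if no proxy."""
    cp = configparser.RawConfigParser()  # Raw: '%' in a password is literal
    cp.read_string(conf_text)
    if not cp.has_option("main", "proxy"):
        return None
    url = urlsplit(cp.get("main", "proxy"))
    return (url.hostname, url.port or 80,
            cp.get("main", "proxy_username", fallback=None),
            cp.get("main", "proxy_password", fallback=None))

def basic_credentials(user, password):
    """Proxy-Authorization value for HTTP Basic: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

def decode_basic(value):
    """Recover (user, password) from the header value; no key is needed."""
    token = value.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def proxied_request(target_url, conf_text):
    """Return ((proxy_host, proxy_port), request_text) for target_url."""
    host, port, user, password = proxy_settings(conf_text)
    lines = [f"GET {target_url} HTTP/1.1",  # full URL, not just the path
             f"Host: {urlsplit(target_url).netloc}"]
    if user is not None:
        lines.append("Proxy-Authorization: " + basic_credentials(user, password))
    return (host, port), "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    # Hypothetical repository URL, used only to show the request shape.
    addr, req = proxied_request("http://mirror.example.org/repodata/repomd.xml",
                                SAMPLE_YUM_CONF)
    print(addr, req, decode_basic(basic_credentials("yum-user", "qwerty")))
```

Because the header is only base64, the proxy password is readable by anything that sees the request or the file holding it, so a dedicated low-privilege proxy account and tight permissions on the config file are the relevant controls.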