Connecting to Red Hat Insights through Insights proxy
Insights proxy allows those with constraints preventing Internet access to connect to Red Hat Insights
Abstract
Chapter 1. Insights proxy overview
Red Hat Insights is a Software-as-a-Service (SaaS) application included with every subscription to Red Hat Enterprise Linux, Red Hat OpenShift, and Red Hat Ansible Automation Platform. Red Hat Insights provides predictive analytics, automatically discovers relevant insights, recommends tailored actions, and automates tasks.
If you have constraints that prevent your systems from directly accessing the Internet, Insights proxy provides capabilities and features for securely and efficiently connecting your systems to Red Hat Insights, including:
Easy Access
The Insights proxy resolves architectural, technical and firewall configuration issues, freeing you from troubleshooting these issues yourself.
Security
The Insights proxy protects your systems from malware threats by filtering traffic and scanning for malicious content. It can also serve as a firewall.
Quickly view and execute recommendations
You can view and execute recommendations to keep your fleet efficient, secure, compliant, and updated. Simply send a subset of log data to the Red Hat Insights service by using a single proxy.
Patching
You can connect to Red Hat as needed to pull the most recent patches into your network. This enables you to push updates to systems behind your firewall, using your own tools and schedules.
Chapter 2. Installing and configuring Insights proxy
To set up the Insights proxy, you will need to modify Red Hat Subscription Manager (RHSM) and your firewall. You will install the proxy and create a new rhproxy user. You will accept the automatically generated security certificate or create your own. Then, you will configure your client systems. You can customize your proxy by setting configuration options, running commands with options, and integrating with third-party servers.
2.1. Enabling the subscription manager repository
Red Hat Subscription Manager (RHSM) tracks the Red Hat products that your organization has purchased and the systems that the products are installed on. The first step in setting up Insights proxy is enabling the RHSM repository.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You have at least one system running RHEL version 9, for the Insights proxy installation.
- You are logged in to the system as root or have sudo permissions.
- Your architectural environment is either Intel or Arm.
Procedure
Open your command-line interface (CLI), and depending on your architectural environment, enter one of the following commands:
If you are running an Intel architecture system:
[root@server ~]# subscription-manager repos --enable=insights-proxy-for-rhel-9-x86_64-rpms
If you are running an ARM (AARCH64) architecture system:
[root@server ~]# subscription-manager repos --enable=insights-proxy-for-rhel-9-aarch64-rpms
Verification step
If your RHSM enablement procedure is successful, you will see the following output in the CLI:
Repository insights-proxy-for-rhel-9-x86_64-rpms is enabled for this system.
2.2. Installing the rhproxy and service controller
You will install the rhproxy Red Hat Package Manager (RPM), which in turn installs the service controller. Then, you use the service controller to install and manage the rhproxy service.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You have at least one system running RHEL version 9 for the Insights proxy installation.
- You are logged in to the system as root or have sudo permissions.
- Your architectural environment is either Intel or Arm.
Procedure
Open your command-line interface, and run the following command:
[root@server ~]# dnf install -y rhproxy
- The /usr/bin/rhproxy path is now available for you to use.
Verification step
Verify the installation was successful by running the following command:
[root@server ~]# rpm -q rhproxy
Result
- If the installation is successful, the installed version is confirmed in the output.
- If the installation is unsuccessful, the output indicates that the procedure failed.
2.3. Creating a new proxy user and logging into Podman
By default, rhproxy runs without root permissions. Therefore, you will need to create a new user named 'rhproxy'. After you have created the rhproxy user, you will log in to Podman to manage your systems.
Prerequisites
- Podman is installed on your system.
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You have at least one system running RHEL version 9, for the Insights proxy installation.
- You are logged in to the system as root or have sudo permissions.
- Your architectural environment is either Intel or Arm.
Procedure
From the CLI, run the following command to add your new rhproxy user:
[root@server ~]# useradd rhproxy
Verify your new user has been successfully added by running the following command:
[root@server ~]# id rhproxy
You should see the following output returned:
uid=1002(rhproxy) gid=1002(rhproxy) groups=1002(rhproxy)
- This confirms that the user rhproxy exists in the system. It also prints the user and group IDs and the group(s) the user resides in.
- Switch to your new rhproxy user account.
Log in to Podman with your Red Hat credentials by running the following command as the rhproxy user:
[rhproxy@server ~]$ podman login registry.redhat.io
Verification step
- When login is successful, the following output displays:
Login succeeded.
2.4. Configuring the firewalls for bidirectional communication with Insights
After you have installed Insights proxy, you must configure your firewalls to allow bidirectional communication with Red Hat Insights. This includes configuring the firewall on the system where the Insights proxy is installed and also configuring any global firewalls that might be in place between your clients and the Insights services.
2.4.1. Configuring your Insights proxy firewall
After you have installed the Insights proxy and configured the firewall, you must also configure any global firewalls to allow bidirectional communication with Red Hat Insights. Allow all Red Hat subscription management and Red Hat Insights client tools to communicate with the Insights services through the proxy.
For your systems to be able to access the Insights proxy, you must open ports 3128 and 8443 and restart the service. These required ports are also specified in the rhproxy.env file that gets created when you install Insights proxy.
If you are using your own proxy to connect to Insights, or you want the most up-to-date list of required ports to configure, see the rhproxy.env file in the Red Hat Insights rhproxy GitHub repository.
The following procedure describes how to configure the required Red Hat ports on your firewall.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- Your RHEL system(s) are version 8 or 9.
- You have created a new rhproxy user.
- Your architectural environment is either Intel or Arm.
Procedure
From the CLI, use the following commands to add required ports 3128 and 8443:
[root@server ~]# firewall-cmd --permanent --add-port=3128/tcp
[root@server ~]# firewall-cmd --permanent --add-port=8443/tcp
[root@server ~]# firewall-cmd --reload
Now that you have made adjustments to your firewall, you will need to install and start the rhproxy service:
[rhproxy@server ~]$ rhproxy install
[rhproxy@server ~]$ rhproxy start
Result
After a few seconds, you will be able to forward Red Hat Insights traffic to http://<rhproxy-hostname>:3128.
Verification steps
Verify that the firewall configuration was successful by checking the status of the rhproxy service:
[rhproxy@server ~]$ rhproxy status
- When successful, the output confirms that the rhproxy service is active and running, and the most recent activity is logged.
- Enter the following command to test the functionality:
[rhproxy@server ~]$ curl -L -x http://$(hostname):3128 https://mirrors.fedoraproject.org/
2.4.2. Configuring your global firewall for bidirectional communication with Insights
Complete the following procedure to allow the Red Hat hostnames through your firewall or proxy so that your client systems can securely access Insights.
If you are connecting to Insights through your own web proxy instead of the Insights proxy, you must also complete the required global firewall configuration.
2.4.2.1. Adding the required Red Hat hostnames to your firewall allowlist
Configure any firewall or proxy on the outgoing network to allow bidirectional communication with Red Hat Insights by allowing specified Red Hat hostnames.
You can find the minimum required hostnames for bidirectional communication with Red Hat Insights in the /home/rhproxy/.config/rhproxy/env/redhat.servers allowlist file, which gets created when you install Insights proxy.
If you are using your own proxy to connect to Insights, or you want to get the most up-to-date list, go to the Red Hat Insights rhproxy GitHub repository.
If clients in your environment use any other repositories with additional hostnames, you will need to allow those nodes also.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- Your RHEL system(s) are version 8 or 9.
- You have created a new rhproxy user.
- Your architectural environment is either Intel or Arm.
- You have completed the steps in Configuring your Insights proxy firewall.
Procedure
Log on as a System Administrator on the outgoing network firewall or proxy, and then add the following Red Hat hostnames to the allowlist configuration:
api.access.redhat.com
cert-api.access.redhat.com
console.redhat.com
cert.console.redhat.com
cloud.redhat.com
cert.cloud.redhat.com
connect.cloud.redhat.com
subscription.rhsm.redhat.com
sso.redhat.com
cdn.redhat.com
mirrors.fedoraproject.org
mirrormanager.fedoraproject.org
codecs.fedoraproject.org
- Optional: If clients in your environment use any other repositories with additional hostnames, and you have enabled these hostnames in the mirror.servers file on the Insights proxy node, be sure to make the corresponding changes to the firewall proxy also.
- Optional: If you use Extra Packages for Enterprise Linux (EPEL) in your environment, allow the required hostnames on the outgoing network firewall or proxy, which you defined in the epel.servers allowlist file.
- Restart your firewall service to ensure that your allowlist changes take effect.
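The comparison this procedure calls for, as an added example that is not part of the Red Hat documentation or the rhproxy project: it lists every hostname in the proxy's allowlist file that an export of your outgoing firewall or proxy allowlist does not cover. It assumes both files hold whitespace-separated hostnames with optional # comments, and it goes slightly beyond the text by treating firewall entries of the form .redhat.com or *.redhat.com as matching subdomains; the file name fw-allow.txt is hypothetical.

```sh
#!/bin/sh
# Added example (not Red Hat's code): list hostnames that rhproxy requires
# but the outgoing firewall or proxy allowlist does not cover.
# Assumptions: both files are plain text with whitespace-separated hostnames
# and optional "#" comments; entries such as ".redhat.com" or "*.redhat.com"
# in the firewall export match any subdomain.

normalize_hosts() {
    # Strip comments, lowercase, one host per line, drop a trailing dot.
    sed -e 's/#.*//' "$1" | tr '[:upper:]' '[:lower:]' |
        tr -s '[:space:]' '\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

missing_hosts() {
    # usage: missing_hosts <required-hosts-file> <firewall-allowlist-file>
    # Prints each required hostname that has no exact or suffix match.
    # Lines are tagged A (allowed) or R (required) so that an empty
    # allowlist cannot be mistaken for "everything is covered".
    {
        normalize_hosts "$2" | sed 's/^/A /'
        normalize_hosts "$1" | sed 's/^/R /'
    } | awk '
        $1 == "A" {
            h = $2
            if (h ~ /^\*?\./) { sub(/^\*/, "", h); suffix[h] = 1 }
            else exact[h] = 1
            next
        }
        {
            h = $2
            if (h in exact) next
            for (s in suffix)
                if (length(h) > length(s) &&
                    substr(h, length(h) - length(s) + 1) == s) next
            print h
        }'
}

# Example run on the proxy host (fw-allow.txt is a hypothetical export of
# the outgoing firewall allowlist):
#   ./check-allowlist.sh /home/rhproxy/.config/rhproxy/env/redhat.servers fw-allow.txt
if [ "$#" -eq 2 ]; then
    out=$(missing_hosts "$1" "$2")
    [ -z "$out" ] || { printf 'not allowed upstream:\n%s\n' "$out"; exit 1; }
fi
```

Run it again against mirror.servers and epel.servers if you use those optional allowlists.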
Result
You should now be able to connect and use Red Hat Insights to gain visibility of your systems and proactively identify and mitigate operational and vulnerability risks.
Verification steps
- Enter the following curl command to test the functionality:
[rhproxy@server ~]$ curl -L -x http://$(hostname):3128 https://mirrors.fedoraproject.org/
2.5. Obtaining a security certificate
To establish a secure connection, you need a certificate for accessing any resources served by the proxy. Note that the rhproxy service creates a self-signed certificate for downloads if none are found in the /home/rhproxy/.local/share/rhproxy/certs/ directory.
If you prefer, you can provide your own HTTPS certificate and key, and record them in the appropriate files. If you choose this route:
Record your certificate in the following file:
/home/rhproxy/.local/share/rhproxy/certs/rhproxy.crt
Record your key in the following file:
/home/rhproxy/.local/share/rhproxy/certs/rhproxy.key
2.6. Configuring client systems
When you have the Insights proxy installed and running, you will need to configure your client systems. This enables Red Hat Subscription Manager (RHSM) and the Insights client tools to communicate with Insights through the proxy. You will only need to do this once, after the initial installation. Use the helper script, configure-client.sh, to complete your required configuration.
Prerequisites
- You have root user access.
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- Your RHEL system(s) are version 8 or 9.
- You have created a new rhproxy user.
- Your architectural environment is either Intel or Arm.
If you change the hostname or IP address of your Insights proxy, ensure the configure-client.sh script is rerun on each client system.
Procedure
Open your CLI, and use the curl command to download the helper script to configure-client.sh:
[root@client ~]# curl -k -L https://<rhproxy-hostname>:8443/download/bin/configure-client.sh -o configure-client.sh
[root@client ~]# chmod +x configure-client.sh
Run the script as follows:
[root@client ~]# ./configure-client.sh --configure --proxy-host <rhproxy-hostname>
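The download step above uses curl -k, which skips certificate verification, so the script that then runs as root is not authenticated. The following added example (not part of the Red Hat documentation or the rhproxy project) fetches the same URL while trusting only the proxy's certificate. It assumes you copied rhproxy.crt from the certs directory on the proxy host over a trusted channel and that the certificate's name matches <rhproxy-hostname>; the function and script names are this example's own.

```sh
#!/bin/sh
# Added example (not Red Hat's code): fetch configure-client.sh with the
# proxy certificate pinned instead of disabling verification with curl -k.
# Assumptions: rhproxy.crt was copied from the proxy host over a trusted
# channel, and the certificate name matches the host name used in the URL.

is_pem_cert() {
    # True when $1 is readable and contains a complete PEM certificate block.
    [ -r "$1" ] &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

looks_like_shell_script() {
    # True when $1 is non-empty and starts with a shebang line; this catches
    # an HTML error or login page saved under the script's name.
    [ -s "$1" ] || return 1
    IFS= read -r first_line < "$1" || [ -n "$first_line" ]
    case $first_line in
        '#!'*) return 0 ;;
        *) return 1 ;;
    esac
}

fetch_helper_pinned() {
    # usage: fetch_helper_pinned <rhproxy-hostname> <pinned-cert> [output]
    host=$1 cert=$2 out=${3:-configure-client.sh}
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # --fail turns HTTP errors into failures; --cacert trusts only the
    # pinned certificate, so an impostor on port 8443 is rejected.
    if ! curl --fail --silent --show-error --location --cacert "$cert" \
            "https://$host:8443/download/bin/configure-client.sh" -o "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    if ! looks_like_shell_script "$tmp"; then
        echo "download is not a shell script, refusing to install" >&2
        rm -f "$tmp"
        return 4
    fi
    # Install only after every check passed, executable by the owner only.
    chmod 0700 "$tmp" && mv "$tmp" "$out"
}

# Run only when called with arguments, for example (hypothetical file name):
#   ./fetch-helper.sh <rhproxy-hostname> rhproxy.crt
if [ "$#" -ge 2 ]; then
    fetch_helper_pinned "$@"
fi
```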
Verification step
Run the following test commands to ensure that your configuration was successful:
Run this command on the client systems:
[root@client ~]# insights-client --test-connection
Run this command on the Insights proxy server:
[rhproxy@server ~]$ rhproxy status
Chapter 3. Customizing the Insights proxy
With Insights proxy, you can designate additional dnf or yum servers, customize the rhproxy configuration, and use customized commands and configuration options.
3.1. Designating optional dnf and yum servers
To add additional third-party servers, including non-Red Hat and non-EPEL servers, create a custom allowlist for rhproxy.
Save the hostnames of systems providing dnf repositories in the following file:
/home/rhproxy/.config/rhproxy/env/mirror.servers
- Open the /home/rhproxy/.config/rhproxy/env/mirror.servers file, and add the hostnames of any systems that provide dnf repositories. After adding your systems, restart the service:
[rhproxy@server ~]$ rhproxy restart
Verification step
Run the following command to ensure that your third-party services were added:
[root@server ~]# curl -x http://$(hostname):3128 https://<host name>
3.2. Customizing the rhproxy configuration
You might decide to customize your rhproxy configuration. For a list of configurable options and their descriptions, see Appendix B.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You have at least one system running RHEL version 9, for the Insights proxy installation.
- You are logged in to the system as root or have sudo permissions.
- Your architectural environment is either Intel or Arm.
- You are logged in as the new rhproxy user.
Procedure
- Log in to the Insights proxy server.
- Edit the /home/rhproxy/.config/rhproxy/env/rhproxy.env file to make changes to the default configuration. Restart Insights proxy for your configuration edits to take effect:
[rhproxy@server ~]$ rhproxy restart
See the following for a list of allowed upstream servers:
- /home/rhproxy/.config/rhproxy/env/redhat.servers for Red Hat Insights servers
- /home/rhproxy/.config/rhproxy/env/epel.servers for dnf/yum EPEL servers
The files mentioned in this procedure get overwritten with rhproxy RPM updates; therefore, you must reapply the manual configuration updates that you make.
3.3. Unconfiguring client systems when you want to disable the Insights proxy
You might decide to stop using the Insights proxy. Use the following procedure to unconfigure your client systems so that they no longer go through the Insights proxy.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You have at least one system running RHEL version 9, for the Insights proxy installation.
- You are logged in to the system as root or have sudo permissions.
- Your architectural environment is either Intel or Arm.
Procedure
- Open your command-line interface, and navigate to the specific client system you want to remove from the Insights proxy.
Run the following command on your client system:
[root@client ~]# ./configure-client.sh --unconfigure
Verification step
If the procedure is successful, you will see the following output:
Un-Configuring insights-client/rhsm/rhc/rhcd from proxying to Insights
3.4. Appendix A: Command options for Insights proxy
You can use the following options with the rhproxy command:
Option | Description |
---|---|
install | Installs Insights proxy. |
uninstall [-f] | Uninstalls Insights proxy. Specify |
start | Starts the Insights proxy. |
stop | Stops the Insights proxy. |
restart | Restarts Insights proxy. |
status | Displays the status of the proxy’s running service and connection logs. |
update | If you change the default 3128 port, you will need to use this option to update the configure-client.sh script. |
3.5. Appendix B: Configuration options for Insights proxy
If you want to run your proxy with non-default parameters, see the following table for a list of available options that you can set in the /home/rhproxy/.config/rhproxy/env/rhproxy.env configuration file.
Option | Description |
---|---|
RHPROXY_DISABLE | This option will disable an active proxy. This defaults to 0. |
RHPROXY_DEBUG_CONFIG | Use this option to log environment variables and Nginx configuration upon startup. This defaults to 0. |
RHPROXY_SERVICE_PORT | Use this option to define the listening port of the Insights proxy. This defaults to 3128. |
RHPROXY_DNS_SERVER | Use this option to define which DNS server to use for name resolution. This defaults to 1.1.1.1. The rhproxy service will use the system DNS resolver if defined, otherwise it defaults to 1.1.1.1. |
RHPROXY_WEB_SERVER_DISABLE | Use this option to disable the Insights proxy web server. This defaults to 0. |
RHPROXY_WEB_SERVER_PORT | Use this option to define the listening port of the Insights proxy web server. This defaults to 8443. |
Chapter 4. Connecting to Red Hat Insights through your own proxy
You might choose to use your own proxy to act as a gateway between the public Internet and your private network. This is a good security measure to protect your systems from malicious activity. To connect your systems to Red Hat Insights you must add hostnames, ports and allow additional URLs.
4.1. Connecting to Red Hat Insights through your own proxy
If you are a Red Hat Satellite user, no proxy is required because Satellite serves as a proxy itself. See this article for more information: How to configure Red Hat Satellite 6 with proxy server
To connect to Red Hat Insights, include specific hostnames and ports on your proxy’s outgoing network.
Prerequisites
- You have at least one active Red Hat Enterprise Linux (RHEL) subscription.
- You are logged in to the system as root or have sudo permissions.
- Your system is registered with Red Hat Subscription Manager (RHSM).
Procedure
You must include the following hostnames and ports on your proxy’s outgoing network, to connect to Red Hat Insights:
Navigate to your outgoing network configuration and add the following addresses and ports:
https://cert-api.access.redhat.com:443
https://cert.cloud.redhat.com:443
https://cert.console.redhat.com:443
Add the Red Hat Hybrid Cloud Console URL so that you can manage your account and hosts in the Red Hat Insights Web UI:
https://console.redhat.com:443
Add the URL for Single-Sign-On to Red Hat to ensure access to authorization:
https://sso.redhat.com:443
Each host using your proxy needs the following details added to the /etc/rhsm/rhsm.conf file.
This information is required for RHSM, Insights client and remote host configuration (rhc).
Add your HTTP proxy server’s URL:
proxy_hostname =
Add the proxy scheme for authorization purposes (http is the default):
proxy_scheme = http
Add the port for your proxy server:
proxy_port =
Optional
If your proxy requires authentication, add your user name and password for authenticating:
proxy_user =
proxy_password =
Add any domains you want to opt out from the proxy:
no_proxy =
By default, Insights client uses RHSM’s configuration for a proxy. You can edit the insights-client.conf configuration file to change the proxy:
/etc/insights-client/insights-client.conf
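A pre-rollout check for the rhsm.conf proxy keys listed in this procedure, as an added example that is not part of the Red Hat documentation: it reads the keys from the file and reports empty or malformed values, and flags a stored proxy_password in a file that every local user can read. It assumes the proxy_* keys sit in the [server] section, as in a stock /etc/rhsm/rhsm.conf; the function names and finding texts are this example's own.

```sh
#!/bin/sh
# Added example (not Red Hat's code): audit the proxy keys in an
# rhsm.conf-style file before rolling it out to clients.
# Assumption: the proxy_* keys live in the [server] section.

rhsm_get() {
    # usage: rhsm_get <file> <key>; prints the last value set in [server].
    awk -v key="$2" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        !in_server || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

audit_rhsm_proxy() (
    # Runs in a subshell so its variables do not leak; prints one line per
    # finding and returns non-zero when there is at least one.
    conf=$1 findings=0
    report() { echo "$conf: $1"; findings=$((findings + 1)); }

    host=$(rhsm_get "$conf" proxy_hostname)
    port=$(rhsm_get "$conf" proxy_port)
    scheme=$(rhsm_get "$conf" proxy_scheme)
    pass=$(rhsm_get "$conf" proxy_password)

    [ -n "$host" ] || report "proxy_hostname is empty"
    case $port in
        ''|*[!0-9]*) report "proxy_port is missing or not a number" ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               report "proxy_port $port is out of range" ;;
    esac
    case $scheme in
        ''|http|https) ;;    # empty falls back to the default, http
        *) report "proxy_scheme must be http or https, found '$scheme'" ;;
    esac
    # A stored proxy password must not be readable by every local user.
    if [ -n "$pass" ] && [ -n "$(find "$conf" -prune -perm -004)" ]; then
        report "proxy_password is set and the file is world-readable"
    fi
    [ "$findings" -eq 0 ]
)

# Run only when called with a file argument, for example:
#   ./audit-rhsm-proxy.sh /etc/rhsm/rhsm.conf
if [ "$#" -eq 1 ]; then
    audit_rhsm_proxy "$1"
fi
```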
Verification step
To verify connectivity, open your command line interface (CLI) and run the following command as root:
[root@server ~]# insights-client --test-connection --net-debug
If connectivity is successful, you will see the following output in your CLI:
End API URL Connection Test: SUCCESS
Connectivity tests completed successfully
See `/var/log/insights-client/insights-client.log` for more details.