Red Hat SummitE.2. Squid Proxy
E.2.1. Installing and Configuring a Squid Proxy
This section explains how to install and configure a Squid proxy to the VM Portal. A Squid proxy server is used as a content accelerator. It caches frequently-viewed content, reducing bandwidth and improving response times.
Configuring a Squid Proxy
Obtain a keypair and certificate for the HTTPS port of the Squid proxy server. You can obtain this keypair the same way that you would obtain a keypair for another SSL/TLS service. The keypair is in the form of two PEM files which contain the private key and the signed certificate. For this procedure, we assume that they are named proxy.key and proxy.cer.
NoteThe keypair and certificate can also be generated using the certificate authority of the engine. If you already have the private key and certificate for the proxy and do not want to generate it with the engine certificate authority, skip to the next step.
Choose a host name for the proxy. Then, choose the other components of the distinguished name of the certificate for the proxy.
NoteIt is good practice to use the same country and same organization name used by the engine itself. Find this information by logging in to the machine where the Manager is installed and running the following command:
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subject
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subjectCopy to Clipboard Copied! This command outputs something like this:
subject= /C=US/O=Example Inc./CN=engine.example.com.81108
subject= /C=US/O=Example Inc./CN=engine.example.com.81108Copy to Clipboard Copied! The relevant part here is /C=US/O=Example Inc.. Use this to build the complete distinguished name for the certificate for the proxy:
/C=US/O=Example Inc./CN=proxy.example.com
/C=US/O=Example Inc./CN=proxy.example.comCopy to Clipboard Copied! Log in to the proxy machine and generate a certificate signing request:
openssl req -newkey rsa:2048 -subj '/C=US/O=Example Inc./CN=proxy.example.com' -nodes -keyout proxy.key -out proxy.req
# openssl req -newkey rsa:2048 -subj '/C=US/O=Example Inc./CN=proxy.example.com' -nodes -keyout proxy.key -out proxy.reqCopy to Clipboard Copied! ImportantYou must include the quotes around the distinguished name for the certificate. The
-nodesoption ensures that the private key is not encrypted; this means that you do not need to enter the password to start the proxy server.The command generates two files: proxy.key and proxy.req. proxy.key is the private key. Keep this file safe. proxy.req is the certificate signing request. proxy.req does not require any special protection.
To generate the signed certificate, copy the certificate signing request file from the proxy machine to the Manager machine:
scp proxy.req engine.example.com:/etc/pki/ovirt-engine/requests/.
# scp proxy.req engine.example.com:/etc/pki/ovirt-engine/requests/.Copy to Clipboard Copied! Log in to the Manager machine and sign the certificate:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=proxy --days=3650 --subject='/C=US/O=Example Inc./CN=proxy.example.com'
# /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=proxy --days=3650 --subject='/C=US/O=Example Inc./CN=proxy.example.com'Copy to Clipboard Copied! This signs the certificate and makes it valid for 10 years (3650 days). Set the certificate to expire earlier, if you prefer.
The generated certificate file is available in the directory /etc/pki/ovirt-engine/certs and should be named proxy.cer. On the proxy machine, copy this file from the Manager machine to your current directory:
scp engine.example.com:/etc/pki/ovirt-engine/certs/proxy.cer .
# scp engine.example.com:/etc/pki/ovirt-engine/certs/proxy.cer .Copy to Clipboard Copied! Ensure both proxy.key and proxy.cer are present on the proxy machine:
ls -l proxy.key proxy.cer
# ls -l proxy.key proxy.cerCopy to Clipboard Copied! Install the Squid proxy server package on the proxy machine:
yum install squid
# yum install squidCopy to Clipboard Copied! Move the private key and signed certificate to a place where the proxy can access them, for example to the /etc/squid directory:
cp proxy.key proxy.cer /etc/squid/.
# cp proxy.key proxy.cer /etc/squid/.Copy to Clipboard Copied! Set permissions so that the
squiduser can read these files:chgrp squid /etc/squid/proxy.* chmod 640 /etc/squid/proxy.*
# chgrp squid /etc/squid/proxy.* # chmod 640 /etc/squid/proxy.*Copy to Clipboard Copied! The Squid proxy must verify the certificate used by the engine. Copy the Manager certificate to the proxy machine. This example uses the file path /etc/squid:
scp engine.example.com:/etc/pki/ovirt-engine/ca.pem /etc/squid/.
# scp engine.example.com:/etc/pki/ovirt-engine/ca.pem /etc/squid/.Copy to Clipboard Copied! NoteThe default CA certificate is located in /etc/pki/ovirt-engine/ca.pem on the Manager machine.
Set permissions so that the
squiduser can read the certificate file:chgrp squid /etc/squid/ca.pem chmod 640 /etc/squid/ca.pem
# chgrp squid /etc/squid/ca.pem # chmod 640 /etc/squid/ca.pemCopy to Clipboard Copied! If SELinux is in enforcing mode, change the context of port 443 using the
semanagetool to permit Squid to use port 443:yum install policycoreutils-python semanage port -m -p tcp -t http_cache_port_t 443
# yum install policycoreutils-python # semanage port -m -p tcp -t http_cache_port_t 443Copy to Clipboard Copied! Replace the existing Squid configuration file with the following:
https_port 443 key=/etc/squid/proxy.key cert=/etc/squid/proxy.cer ssl-bump defaultsite=engine.example.com cache_peer engine.example.com parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem name=engine login=PASSTHRU cache_peer_access engine allow all ssl_bump allow all http_access allow all
https_port 443 key=/etc/squid/proxy.key cert=/etc/squid/proxy.cer ssl-bump defaultsite=engine.example.com cache_peer engine.example.com parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem name=engine login=PASSTHRU cache_peer_access engine allow all ssl_bump allow all http_access allow allCopy to Clipboard Copied! Restart the Squid proxy server:
systemctl restart squid.service
# systemctl restart squid.serviceCopy to Clipboard Copied!
Squid Proxy in the default configuration will terminate its connection after 15 idle minutes. To increase the amount of time before Squid Proxy terminates its idle connection, adjust the read_timeout option in squid.conf (for instance read_timeout 10 hours).
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}