6.2. Installing a Squid Reverse Proxy
Install a Squid server to use as the load balancer by using reverse proxy mode.
# yum install squid
You also need to generate SSL certificates and sign them with the Satellite CA. The easiest method is to use the rhn-ssl-tool on the Satellite server to generate the server certificates, because the CA is already available there.
The Satellite SSL Maintenance Tool (rhn-ssl-tool) generates and maintains Satellite SSL keys and certificates. It also generates RPMs for use in deploying these keys and certificates. The tool is geared for use in a Satellite context, but can be useful outside of Satellite too.
In this example, the load balancer is called lb.example.com; substitute the host name that applies to your deployment, and enter a suitable build directory. Run this command on the Satellite server.
$ rhn-ssl-tool --gen-server --set-hostname=lb.example.com -d /root/ssl-build
The rhn-ssl-tool command above creates the SSL files for lb.example.com and saves them in the /root/ssl-build directory. Copy the server.crt, server.key, and RHN-ORG-TRUSTED-SSL-CERT CA certificate from the dhcp directory to the lb.example.com load balancer. These files are used to set up SSL on the load balancer itself. The RHN-ORG-TRUSTED-SSL-CERT certificate allows SSL communication between the load balancer and the proxies.
Modify the /etc/squid/squid.conf file on the lb.example.com server to set up reverse proxy mode:
Example 6.1. Setting up Reverse Proxy Mode
The previous example demonstrates setting up two reverse proxies. Port 443 has two proxies that are used in round-robin mode; requests are shared equally between the two proxies. The server.crt and server.key files were renamed to lb.crt and lb.key respectively (short for load balancer) for easier identification. The Satellite CA certificate was renamed to squid-ca.crt; the cache_peer sslcafile option refers to this file.
Add the certificates to the squid group:
# chgrp squid /etc/pki/tls/certs/{lb.crt,lb.key,squid-ca.crt}
The file details should appear as follows:
-rw-r--r--. 1 root squid 5450 Aug 23 21:23 lb.crt
-rw-r--r--. 1 root squid 1675 Aug 23 21:23 lb.key
-rw-r--r--. 1 root squid 5363 Aug 22 14:19 squid-ca.crt
The cache_peer directives set up the two proxies that are used in round-robin fashion. Note that you need to specify the CA certificate so that the load balancer can verify and communicate with the proxies. Further, only port 443 traffic is allowed to reach these proxies, by means of the Squid is_ssl acl and the cache_peer directives.
All traffic on port 80 is redirected to one proxy and defaults to the dhcp16.example.com proxy using the defaultsite directive. ACLs are set up similarly to those for the SSL port.
The sslpassword_program directive allows you to supply the SSL key passphrase (if one is used; shown here for completeness) to squid on startup without human intervention. password.out is a bash script that echoes the SSL passphrase. The forwarded_for directive configures the load balancer to send X-Forwarded-For headers to the proxies.
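The fragment below is an added example of a squid.conf for lb.example.com that wires together the directives discussed above; it is not the Example 6.1 configuration from the original document. It uses the Squid 3 syntax the text refers to (cache_peer with ssl and sslcafile); the second proxy host name proxy2.example.com, the peer names, and the /etc/squid/password.out path are assumptions.

```conf
# Added example squid.conf for the lb.example.com load balancer (Squid 3 syntax).
# Assumed names: second proxy proxy2.example.com, passphrase helper /etc/squid/password.out.

# Listen on 443 in accelerator (reverse proxy) mode using the rhn-ssl-tool
# certificate renamed to lb.crt/lb.key. lb.key must be readable by the squid group.
https_port 443 accel vhost defaultsite=lb.example.com cert=/etc/pki/tls/certs/lb.crt key=/etc/pki/tls/certs/lb.key

# Plain HTTP on 80; requests without a Host header are sent to dhcp16.example.com.
http_port 80 accel defaultsite=dhcp16.example.com

# Squid normally listens on 3128; it is disabled on the load balancer.
# http_port 3128

# Two Satellite proxies for HTTPS traffic, selected round-robin. sslcafile is the
# Satellite CA (squid-ca.crt), so the load balancer verifies each proxy's certificate.
cache_peer dhcp16.example.com parent 443 0 no-query originserver round-robin ssl sslcafile=/etc/pki/tls/certs/squid-ca.crt name=proxy1_ssl
cache_peer proxy2.example.com parent 443 0 no-query originserver round-robin ssl sslcafile=/etc/pki/tls/certs/squid-ca.crt name=proxy2_ssl

# A single proxy for port 80 traffic.
cache_peer dhcp16.example.com parent 80 0 no-query originserver name=proxy1_http

# Only requests that arrived on the 443 listener may use the SSL peers, and only
# requests that arrived on the 80 listener may use the HTTP peer. When no
# cache_peer_access line matches, Squid applies the opposite of the last line.
acl is_ssl myport 443
acl is_http myport 80
cache_peer_access proxy1_ssl allow is_ssl
cache_peer_access proxy2_ssl allow is_ssl
cache_peer_access proxy1_http allow is_http

# Never contact an origin directly; every request must go through a proxy peer.
never_direct allow is_ssl
never_direct allow is_http

# Supplies the key passphrase at startup (only needed if lb.key is encrypted).
sslpassword_program /etc/squid/password.out

# Pass the client address to the proxies in the X-Forwarded-For header.
forwarded_for on
```

After editing, check the syntax with squid -k parse before restarting the service.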
Important
Edit the /etc/squid/squid.conf file and comment out the default port, 3128, that squid normally listens on:
# Squid normally listens to port 3128
# http_port 3128
Restart squid after config modifications:
# service squid restart