
Re: [Spacewalk-list] Squid Proxy for Spacewalk




I always suggest your layout architecture with Spacewalk server and proxies, but for scale-out reasons and not for security reasons, because, for example, in RHN communications clients first do authentication (and other stuff, like requesting which channel repos they are subscribed to), and this communication is forwarded by the proxies to the Spacewalk servers, so there is no segregation between servers and clients.

but your mileage may vary
Amedeo



Sent from Samsung tablet



-------- Original message --------
From: Matthew Madey <mattmadey gmail com>
Date: 10/11/2014 22:17 (GMT+01:00)
To: spacewalk-list redhat com
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk


I would just go ahead with the Spacewalk Proxy, even if you don't care about caching packages. We register all clients through the Spacewalk proxies, and our Spacewalk servers (Primary and Standby) sit behind a load balancer. This way we force compliance at the Proxy level: no clients can communicate directly to the Spacewalk server, and only the Spacewalk proxies can broker traffic between client and server. As an additional layer of security, you can use the root CA certificate for your organization on the load balancer, and append that to your SSL-CERT that the proxies use for communication to the Spacewalk server. This is what allows only the Proxies to get traffic through the load balancer, while your clients use the normal SSL-CERT generated by the Spacewalk server.

I suppose you could use just a standard Squid proxy, as long as it will pass SSL traffic also, but I'd recommend using the supported Spacewalk Proxy approach.

On Mon, Nov 10, 2014 at 1:51 PM, Waldirio Manhães Pinheiro <waldirio gmail com> wrote:
Hello Friends

You can do this (as mentioned by Amedeo) or you can use a SW in your DMZ and another SW in your Internal Network, the second will just sync channels from the main SW (Inter Satellite Sync - ISS), but at the end, I recommend proxy too.

B'Regards


On Mon, Nov 10, 2014 at 5:25 PM, Amedeo Salvati <amedeo oscert net> wrote:
Glen, I don't understand the reasons... but you can install one Spacewalk server and one Spacewalk proxy, and then your clients will connect to your Spacewalk proxy, which will forward requests to the Spacewalk server.



Sent from Samsung tablet



-------- Original message --------
From: Glen Collins <glenc2004 comcast net>
Date: 10/11/2014 19:29 (GMT+01:00)
To: Amedeo Salvati <amedeo oscert net>
Cc: spacewalk-list redhat com,glenc2004 comcast net
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk


Thanks for the reply. My security guys just want another level of security. The SW server is already in my DMZ. But they want my clients to connect to a proxy and then have the proxy connect to the SW server. I don't need any sort of caching, just need a forwarder which I thought squid could do just fine.

Thanks

Glen Collins


Squid on the Spacewalk proxy is used to cache RPMs, and in the default configuration accepts only connections from localhost...

Instead of using Squid to improve security, you can filter access to your Spacewalk server by putting it in a DMZ behind your firewall and then enabling only the hosts that you want.

best regards
 
Cc:
Date: Mon, 10 Nov 2014 09:54:45 +0000
Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk

> Not out of the box, it needs configuring, but yup it does. I'm pretty sure when you install the proxy it also installs and configures squid.

> On 10 November 2014 03:37, Glen Collins <glenc2004 comcast net> wrote:
> Hello all. Is it possible to just use a squid proxy out of the box for spacewalk? I don't need to cache packages and such. I just need to restrict access from the client side to the spacewalk master. Just another level of access our security guys want. Just didn't want to go down this rabbit hole if it's not going to work and I'll just have to go forth with adding the actual spacewalk proxy.

> Thanks

> Glen Collins

> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list redhat com
> https://www.redhat.com/mailman/listinfo/spacewalk-list


