How to use HTTPS (https://) proxy with Red Hat Satellite 6.10 onwards?
Environment
- Red Hat Satellite 6.10
- Red Hat Satellite 6.11
- HTTPS Proxy configured on Satellite
Issue
- After upgrading to Satellite 6.10, repository synchronization fails with an HTTP Proxy that uses an https:// URL protocol. http:// proxy URLs work fine, however.
- When synchronizing repositories on Red Hat Satellite 6.10 via an https:// proxy server, it fails with the error:
      Only http proxies are supported
- This issue has been reported via Bugzilla 1993917 and is fixed in the errata RHSA-2024:2010.
Resolution
- Upgrade the Red Hat Satellite server to version 6.15 to fix the reported issue.
- For the Red Hat Satellite server version 6.14 and older:
  Workaround: To continue using https:// proxies with Satellite 6.10, we recommend creating an intermediary Squid http:// proxy server that forwards all requests to the original https:// proxy. Please refer to the steps below:
  - Install Squid on another machine with network access to the original https:// proxy. Squid can be installed by running:
        # yum install squid
  - (RHEL 7 / Squid 3.5) Enter these configuration lines at the end of /etc/squid/squid.conf:
        # sslcafile: the CA certificate used to sign the HTTPS proxy's certificate
        cache_peer <original https:// proxy hostname> parent <original https:// proxy port> 0 no-query default ssl \
            sslcafile=/path/to/CA/certificate
        acl all src 0.0.0.0/0.0.0.0
        http_access allow all
        never_direct allow all

        # Example cache_peer line:
        cache_peer rhel7.example.com parent 3128 0 no-query default ssl \
            sslcafile=/etc/squid/ssl_cert/myCA.pem
  - (RHEL 8 / Squid 4.x) Enter these configuration lines at the end of /etc/squid/squid.conf:
        # sslcafile: the CA certificate used to sign the HTTPS proxy's certificate
        cache_peer <original https:// proxy hostname> parent <original https:// proxy port> 0 no-query default tls \
            sslcafile=/path/to/CA/certificate
        acl all src 0.0.0.0/0.0.0.0
        http_access allow all
        never_direct allow all

        # Example cache_peer line:
        cache_peer rhel7.example.com parent 3128 0 no-query default tls \
            sslcafile=/etc/squid/ssl_cert/myCA.pem
    Note: if a different version of Squid is being used, please adapt the configuration options by following the Squid documentation (www.squid-cache.org) for the version in use.
  - Allow the Squid proxy service through the firewall (replacing port 3128 as necessary):
        # firewall-cmd --permanent --add-port=3128/tcp
        # firewall-cmd --reload
  - Configure SELinux to allow Satellite to sync repositories through Squid (replacing port 3128 as necessary):
        # semanage port -m -t http_port_t -p tcp 3128
  - Restart Squid:
        # systemctl restart squid
  - Update the old HTTP Proxy setting in the Satellite web UI to match the Squid forwarder that was just created. The HTTP Proxy URL should have http:// for a prefix before the new Squid proxy's address. After the HTTP Proxy is updated, repository syncing will work and requests will continue to be directed to the original https:// proxy.
    The HTTP Proxy can be updated via: the Infrastructure -> HTTP Proxies page and the Administer -> Settings -> General tab, update "HTTP(S) proxy"
- For more KB articles/solutions related to Red Hat Satellite 6.x Repository Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Repository Issues.
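
The workaround's squid.conf lines (acl all src 0.0.0.0/0.0.0.0 with http_access allow all) let any host that can reach the Squid port relay traffic through the original https:// proxy. The following is an added example, not part of the original solution, showing the same Squid 4.x forwarder with access limited to the Satellite server. The address 192.0.2.10 and the ACL name satellite_server are placeholders assumed for illustration; the cache_peer values are the article's own example values.

```conf
# Added example: restricted variant of the Squid 4.x forwarder above.
# 192.0.2.10 is a placeholder (assumption) for the Satellite server's IP
# address; satellite_server is an arbitrary ACL name chosen for this example.

# Upstream HTTPS proxy, verified against the CA that signed its certificate
# (values taken from the article's example cache_peer line).
cache_peer rhel7.example.com parent 3128 0 no-query default tls \
    sslcafile=/etc/squid/ssl_cert/myCA.pem

# As written in the article: any client that can reach the port may relay.
#   acl all src 0.0.0.0/0.0.0.0
#   http_access allow all

# Restricted: only the Satellite server may use the forwarder.
# http_access rules are evaluated top to bottom and the first match wins,
# so the allow line must appear before any "http_access deny all" that is
# already present in squid.conf.
acl satellite_server src 192.0.2.10/32
http_access allow satellite_server
http_access deny all

# Send every request to the cache_peer; never contact origin servers directly.
never_direct allow all
```

The firewall step can be narrowed in the same way by using a firewalld rich rule with the Satellite server's source address instead of opening the port to all hosts.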
Root Cause
- In Satellite 6.10, we are using Pulp 3 for content management, which currently does not support proxy servers with the https:// prefix.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.