Using the RHEL/Rocky Connector with a Web Proxy

If web access from the machines in your environment is blocked, the Connector will not work. To give the Connector machine access to the internet resources it requires, a web proxy server is required. The web proxy server must support the HTTP CONNECT method, and that method must be enabled. Both HTTP and HTTPS traffic are proxied through the same proxy server.

Using the Connector on Rocky Linux/RHEL with a Web Proxy

The following steps outline how to use the Connector on Rocky Linux/RHEL with a web proxy:

  1. Set up a web proxy with access to the Internet, for example Squid.
  2. Ensure that HTTP CONNECT is enabled on the web proxy. For Squid, for example, the configuration file may look like this:
    # Allowed Source IPs (ie, machines with IPs)
    acl localnet src # RFC1918 possible internal network
    # Allowed ports to proxy traffic (Default)
    acl SSL_ports port 443
    acl Safe_ports port 80      # http
    acl Safe_ports port 21      # ftp
    acl Safe_ports port 443     # https
    acl Safe_ports port 70      # gopher
    acl Safe_ports port 210     # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280     # http-mgmt
    acl Safe_ports port 488     # gss-http
    acl Safe_ports port 591     # filemaker
    acl Safe_ports port 777     # multiling http
    # Enable HTTP Connect
    acl CONNECT method CONNECT
    # Default Squid http_access settings
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128
    # Leave coredumps in the first cache dir (Default)
    coredump_dir /var/spool/squid
    # Default Refresh patterns
    refresh_pattern ^ftp:       1440    20% 10080
    refresh_pattern ^gopher:    1440    0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
    refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
    refresh_pattern .       0   20% 4320
  3. To test that the proxy is working correctly, open a terminal on the Connector host machine over SSH and run the following set of commands:
    # Running curl to cam should time out since the host should not be able to route to the internet
    $ curl
    curl: (7) Failed to connect to port 80: Connection timed out
    $ curl
    curl: (7) Failed to connect to port 443: Connection timed out
    # Setting the proxy settings in the environment for curl to test that it works for HTTP and HTTPS traffic
    $ export http_proxy=http://<ip-of-proxy-server>:<proxy-port (default 3128)>
    $ curl
    <head><title>308 Permanent Redirect</title></head>
    <body bgcolor="white">
    <center><h1>308 Permanent Redirect</h1></center>
    $ export https_proxy=$http_proxy
    $ curl
    <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><link rel="manifest" href="/manifest.json"><link rel="shortcut icon" href="/favicon.ico"><title>Anyware Manager</title><link href="/static/css/main.27391ea7.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root" class="full-height"></div><script type="text/javascript" src="/static/js/main.45a05db7.js"></script></body></html>
    # Clear the settings from the environment
    $ unset http_proxy
    $ unset https_proxy
  4. To run the installer with the proxy settings, you can apply them in the environment:
    # Installer will read proxy setting from environment if http_proxy, https_proxy, HTTP_PROXY, or HTTPS_PROXY are set
    $ export https_proxy=http://<ip-of-proxy-server>:<proxy-port (default 3128)>
    $ ./cas-connector configure ...
    or through the command line option:
    $ ./cas-connector configure --https-proxy http://<ip-of-proxy-server>:<proxy-port (default 3128)> ...
  5. The installer should run as normal and configure the containers with the web proxy settings provided.

Proxy Passwords are not Supported

Proxy passwords are not supported with the Connector at this time.
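
The following pre-flight check is an added example, not part of the Connector or its installer. It inspects the four environment variables named in step 4 and rejects values that embed credentials or are malformed. The function names are hypothetical, and it assumes only the http://<host>:<port> form shown on this page is accepted.

```bash
#!/usr/bin/env bash
# Added example (not part of the Connector): validate proxy settings before
# running the installer. Assumption: only the http://<host>:<port> form used
# on this page is accepted; IPv6 literals are not handled.

# Prints a reason and returns 1 if the URL is not a usable proxy setting.
# The URL itself is never echoed, so an embedded password cannot reach logs.
check_proxy_url() {
    local rest host port
    case $1 in
        http://*) rest=${1#http://} ;;
        *) echo "expected http://<host>:<port>"; return 1 ;;
    esac
    rest=${rest%%/*}                      # drop any trailing path
    case $rest in
        *@*) echo "credentials in the proxy URL are not supported"; return 1 ;;
        *:*) ;;
        *)   echo "missing explicit port"; return 1 ;;
    esac
    host=${rest%:*}
    port=${rest##*:}
    [ -n "$host" ] || { echo "missing host"; return 1; }
    case $port in
        ''|*[!0-9]*|??????*) echo "port is not a number in 1-65535"; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port is not a number in 1-65535"; return 1; }
    return 0
}

# Checks every proxy variable the page says the installer reads.
# Returns 1 if any variable that is set fails check_proxy_url.
check_proxy_env() {
    local bad=0 pair name value reason
    for pair in "http_proxy=${http_proxy-}" "https_proxy=${https_proxy-}" \
                "HTTP_PROXY=${HTTP_PROXY-}" "HTTPS_PROXY=${HTTPS_PROXY-}"; do
        name=${pair%%=*}
        value=${pair#*=}
        [ -n "$value" ] || continue
        reason=$(check_proxy_url "$value") || { echo "$name: $reason" >&2; bad=1; }
    done
    return "$bad"
}
```

Source the file and run check_proxy_env before ./cas-connector configure; a non-zero status means at least one variable needs correcting.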