Re: proxying fedora mirrors with HTTPS

2020-03-27 Thread Brian C. Lane
On Thu, Mar 26, 2020 at 10:54:25AM -0600, Ken Dreyer wrote:
> I see pykickstart supports https URLs for --proxy, so I think I can
> just do --proxy https://squid.example.com:3128 ?
> 
> I don't understand how I would get the installer to trust my custom CA
> to communicate with the HTTPS proxy, though.

You should be able to use the new --sslcacert, etc. arguments.

https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#url

There has been some discussion about replacing them with a way to
specify a full repo config file, but that hasn't gone anywhere yet so
the arguments should be around at least until there is a suitable
replacement for them.

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


proxying fedora mirrors with HTTPS

2020-03-26 Thread Ken Dreyer
For several years I've run my kickstart installs through a squid proxy
that caches packages that I download. My kickstarts have something
like this:

url --url=http://mirror.chpc.utah.edu/pub/fedora/linux/releases/31/Everything/x86_64/os/ --proxy=http://squid.example.com:3128

As I test many repeated Fedora installs in my network, I can rely on
Squid's caching, so the packages download faster and I put less load
on the Fedora mirrors.

This all happens over plaintext HTTP, and as I do more Fedora
automated installs, that's concerning.

Is there any easy way to do similar package caching with a Fedora
mirror that provides HTTPS?

I read https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit .
I think I would use this to have Squid generate and sign its own
certificates for the Fedora mirror host on the fly?

I see pykickstart supports https URLs for --proxy, so I think I can
just do --proxy https://squid.example.com:3128 ?

I don't understand how I would get the installer to trust my custom CA
to communicate with the HTTPS proxy, though.

Am I headed in the right direction?

Has anyone else done something like this?

- Ken