I would just go ahead with the Spacewalk Proxy, even if you don't care about caching packages. We register all clients through the Spacewalk proxies, and our Spacewalk servers (Primary and Standby) sit behind a load balancer. This way we force compliance at the Proxy level: no clients can communicate directly to the Spacewalk server, and only the Spacewalk proxies can broker traffic between client and server. As an additional layer of security, you can use the root CA certificate for your organization on the load balancer, and append that to your SSL-CERT that the proxies use for communication to the Spacewalk server. This is what allows only the Proxies to get traffic through the load balancer, while your clients use the normal SSL-CERT generated by the Spacewalk server.
I suppose you could use just a standard Squid proxy, as long as it will pass SSL traffic also, but I'd recommend using the supported Spacewalk Proxy approach.

On Mon, Nov 10, 2014 at 1:51 PM, Waldirio Manhães Pinheiro <[email protected]> wrote:

> Hello Friends
>
> You can do this (as mentioned by Amedeo) or you can use a SW in your DMZ
> and another SW in your Internal Network, the second will just sync channels
> from the main SW (Inter Satellite Sync - ISS), but at the end, I recommend
> proxy too.
>
> B'Regards
>
> ______________
> Sincerely
> Waldirio
> msn: [email protected]
> Skype: waldirio
> Site: www.waldirio.com.br
> Blog: blog.waldirio.com.br
> LinkedIn: http://br.linkedin.com/pub/waldirio-pinheiro/22/b21/646
> PGP: www.waldirio.com.br/public.html
>
> On Mon, Nov 10, 2014 at 5:25 PM, Amedeo Salvati <[email protected]> wrote:
>
>> Glen, I don't understand the reasons... but you can install one
>> spacewalk server and one spacewalk proxy and then, your clients will
>> connect to your spacewalk proxy, that will forward requests to spacewalk
>> server
>>
>> Sent from Samsung tablet
>>
>> -------- Original message --------
>> From: Glen Collins <[email protected]>
>> Date: 10/11/2014 19:29 (GMT+01:00)
>> To: Amedeo Salvati <[email protected]>
>> Cc: [email protected],[email protected]
>> Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk
>>
>> Thanks for the reply. My security guys just want another level of
>> security. The SW server is already in my DMZ. But they want my clients to
>> connect to a proxy and then have the proxy connect to the SW server. I
>> don't need any sort of caching, just need a forwarder which I thought squid
>> could do just fine.
>>
>> Thanks
>>
>> Glen Collins
>>
>> ------------------------------
>> squid on spacewalk proxy is used to cache rpms, and on default
>> configurations accepts only connections from localhost...
>>
>> instead of using squid to improve security you can filter access to your
>> spacewalk server by putting it on dmz behind your firewall and then enable
>> only hosts that you want.
>>
>> best regards
>>
>> From: [email protected]
>> To: [email protected], [email protected]
>> Cc:
>> Date: Mon, 10 Nov 2014 09:54:45 +0000
>> Subject: Re: [Spacewalk-list] Squid Proxy for Spacewalk
>>
>> > not out of the box, it needs configuring but yup it does, I'm pretty
>> > sure when you install the proxy it also installs and configures squid
>>
>> > On 10 November 2014 03:37, Glen Collins <[email protected]> wrote:
>>
>>> > Hello all. Is it possible to just use a squid proxy out of the box for
>>> > spacewalk? I don't need to cache packages and such. I just need to restrict
>>> > access from the client side to the spacewalk master. Just another level of
>>> > access our security guys want. Just didn't want to go down this rabbit
>>> > hole if it's not going to work and I'll just have to go forth with adding
>>> > the actual spacewalk proxy.
>>>
>>> > Thanks
>>>
>>> > Glen Collins
>>>
>>> > _______________________________________________
>>> > Spacewalk-list mailing list
>>> > [email protected] <[email protected]>
>>> > https://www.redhat.com/mailman/listinfo/spacewalk-list
