Setting up transparent proxy for RHEL/Fedora repos


recently I improved my workflow of testing Foreman and Satellite 6 instances. I do a lot of provisioning and while I could maintain my own yum mirrors, I am lazy. So I decided to create a proxy setup for CentOS, Fedora and Red Hat CDN content. This should work also for other distributions, I haven’t tested. This post is heavily based on Setting up a local caching proxy for Fedora YUM repositories by Daniel Berrangé.

Pick a server, I am using my very own workstation as I want it to be the proxy for all my test VMs. Step one, install Apache httpd and Squid.

dnf install httpd squid

Step two. Create configuration. The idea is to proxy some URLs to Squid which will maintain cache of RPM and metadata files.

There is one snag - Red Hat CDN which is only available via HTTPS. I could not figure out how to configure Apache httpd as a man-in-the-middle for HTTPS with client certificates, so I decided to use one of our internal mirrors. It currently does not contain kickstart trees, those I needed to rsync and have locally (RHEL 7.0 kickstart). The rest is proxied to which is RH internal server - find the proper hostname on Mojo.

I keep all my files in /mnt/data/www volume, this will be different for you so modify this in the configuration. Also remember to use your closest mirror instead of!

# cat > /etc/httpd/conf.d/yumcache.conf <<EOF
ProxyPass /centos/
ProxyPass /fedora/
ProxyPass /epel/

<Directory "/mnt/data/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
DocumentRoot "/mnt/data/www"

ProxyPass /cdn/content/dist/rhel/server/7/7.0/x86_64/kickstart/ !
Alias /cdn/content/dist/rhel/server/7/7.0/x86_64/kickstart/ /mnt/data/www/rh/rhel-7-server-kickstart/7.0/

ProxyPass /cdn/content/
ProxyRemote * http://localhost:3128/

Again, the kickstart tree for RHEL 7.0 is for some technical reasons missing from the internal mirror, sync it from somewhere:

rsync -avSHP --delete rsync:// /mnt/data/www/rh/rhel-7-server-kickstart/7.0/

If you are using SELinux, then allow Apache to do network relaying and start the service.

setsebool -P httpd_can_network_relay=1
systemctl start httpd.service
systemctl enable httpd.service

Step four, configure squid. It’s pretty much the default configuration plus little bit of changes for replacement policy and bumped minimum object size to 8 GB. Make sure you have enough space on /var/spool/squid or change that path and set appropriate cache size (in the example it’s 200 GB).

cat >> /etc/squid/squid.conf <<EOF
cache_replacement_policy heap LFUDA
maximum_object_size 8192 MB
cache_dir aufs /var/spool/squid 200000 16 256 max-size=8589934592
acl repomd url_regex /repomd\.xml$
cache deny repomd

Last step, start service and enable port from incoming hosts (depends on the firewall zone of yours):

systemctl start squid.service
systemctl enable squid.service
firewall-cmd --add-service=http --permanent

Now, configure your Installation Media to:

  • http://proxy/centos/$major/os/$arch
  • http://proxy/fedora/$major/Server/$arch/os

In order to keep using proxy for installed systems (e.g. package updates, EPEL etc), add one line to yum configuration: /etc/yum.conf:

proxy = http://proxy:3128

In case of Katello/Satellite 6 you need to go to Subscriptions and update Base URL from to http://proxy/cdn. You can update even existing subcriptions any time you want which is great.

One more note, you can rarely experience timeout issues in yum/dnf or Pulp. Just start over and it will just fix itself once Squid caches the files. That’s the only drawback of this solution.

I am turning this into wiki if you want to enhance it, go ahead! Hit that like button. And enjoy.


I’m using Sonatype Nexus and it’s yum proxy repo functionality for exactly the same thing (all my machines are using this proxy for installation and updates of packages as well). Works really well!

1 Like

If your httpd services comes with a config containing:

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

e.g. in file /etc/httpd/conf.d/autoindex.conf

You might need to remove it.