Running A Repository Through Proxy

When you have a Linux server farm it is wise to run a local repository so that your servers do not have to connect to the outside when updates are needed. In fact it is imperative to limit your servers' access to outside resources in order to enforce a strong security policy and PCI compliance.

Running a full repository, though, can require quite a lot of disk space. For example, a CentOS repository for 2 branches grows beyond 30-40 GB, not to mention the bandwidth needed to keep it permanently in sync. That is why it is much wiser to use a caching proxy: your servers go through it, download packages, and the proxy keeps them available locally for the next server that needs them.

Setting up a Squid caching proxy for this purpose is very simple and straightforward. Once you install Squid, change its configuration (usually /etc/squid.conf) to:

# Listen on port 80 in accelerator (reverse proxy) mode; requests without a Host header are treated as being for repo.website-security.info
http_port 80 accel defaultsite=repo.website-security.info
acl all src 0.0.0.0/0.0.0.0

# The upstream mirror is the origin server Squid fetches packages from
cache_peer mirror.centos.org parent 80 0 no-query originserver name=myAccel

# Only requests for our repository hostname are accepted and forwarded to the mirror; anything else is refused
acl our_sites dstdomain repo.website-security.info
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

# Keep .rpm files cached for 90 days (129600 minutes) regardless of upstream headers
refresh_pattern -i .rpm$ 129600 100% 129600

# 10000 MB on-disk cache with 16 first-level and 256 second-level directories
cache_dir ufs /var/squid/cache 10000 16 256
In the above example we assume that our Linux (CentOS) servers will connect to the proxy at the address repo.website-security.info for updates. This should be explicitly configured in their repo files in /etc/yum.repos.d/. The proxy itself will get the updates from mirror.centos.org. Again, adjust the mirror to one closer to your servers.
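The post leaves the client-side repo file and a sanity check of the Squid configuration as an exercise. The following shell script is an added example, not code from the original post: write_local_repo generates a /etc/yum.repos.d/ file whose baseurl points at the proxy hostname from the post (the /centos/$releasever/os/$basearch/ path mirrors the layout of mirror.centos.org, and the gpgkey path is an assumed CentOS default), and check_squid_accel greps a squid.conf for the directives that keep the accelerator closed: an originserver cache_peer, an http_access rule limited to our_sites, a cache_peer_access deny all, and no http_access allow all. The repo and section names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: proxy hostname
# repo.website-security.info, the CentOS mirror path layout, and the
# gpgkey location; the repo ids local-base/local-updates are invented.

# write_local_repo PROXY_HOST OUTPUT_FILE
# Writes a yum .repo file whose baseurl goes through the Squid accelerator
# instead of mirror.centos.org. $releasever and $basearch are left for yum
# to expand, so one file serves every release and architecture.
# gpgcheck=1 stays on: the proxy caches bytes, the client verifies signatures.
write_local_repo() {
  proxy_host="$1"
  out="$2"
  cat > "$out" <<EOF
[local-base]
name=CentOS-\$releasever - Base (via $proxy_host)
baseurl=http://$proxy_host/centos/\$releasever/os/\$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
enabled=1

[local-updates]
name=CentOS-\$releasever - Updates (via $proxy_host)
baseurl=http://$proxy_host/centos/\$releasever/updates/\$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
enabled=1
EOF
}

# check_squid_accel CONFIG_FILE
# Returns 0 when the config has the directives the post's accelerator setup
# relies on, 1 (with a reason on stdout) when one is missing or when an
# http_access allow all would turn the accelerator into an open proxy.
check_squid_accel() {
  conf="$1"
  grep -Eq '^cache_peer[[:space:]].*originserver' "$conf" \
    || { echo "missing originserver cache_peer"; return 1; }
  grep -Eq '^http_access[[:space:]]+allow[[:space:]]+our_sites' "$conf" \
    || { echo "missing http_access allow our_sites"; return 1; }
  grep -Eq '^cache_peer_access[[:space:]]+[^[:space:]]+[[:space:]]+deny[[:space:]]+all' "$conf" \
    || { echo "missing cache_peer_access deny all"; return 1; }
  if grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all' "$conf"; then
    echo "http_access allow all would expose the accelerator as an open proxy"
    return 1
  fi
  return 0
}
```

Run it on a server as `write_local_repo repo.website-security.info /etc/yum.repos.d/CentOS-Local.repo` after disabling the stock CentOS-Base.repo, and on the proxy as `check_squid_accel /etc/squid.conf` before reloading Squid. Keeping gpgcheck=1 on the clients matters more, not less, once a cache sits between them and the mirror: the proxy only makes the bytes closer, and the RPM signature is what tells a server that the cached package is the one the distribution published.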

Now, when a server updates or installs .rpm software, the proxy caches the downloaded files and serves them to the next server that needs them. This is great for security, bandwidth and performance.
