Python's default proxy support for HTTPS connects to a proxy just like it would for HTTP, and has the proxy GET from the HTTPS URL. Thankfully, this fails, as there are all kinds of security problems with this. What we need is to have the client connect to the proxy and issue a CONNECT command, which allows the client to directly connect to RHN via a tunnel through the proxy. I'm not sure at what level we would want to implement this.
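The CONNECT flow described above, as an added example that is not part of the original report or of the M2Crypto patch: the client asks the proxy for a raw tunnel, checks the proxy's status line, and only then negotiates TLS with the origin server, so the certificate is verified end to end. All function names are illustrative assumptions, and the code uses only the Python 3 standard library.

```python
import base64
import socket
import ssl

def build_connect_request(host, port, proxy_user=None, proxy_pass=None):
    """Return the bytes of a CONNECT request asking the proxy for a tunnel."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:  # authenticated proxy: Basic credentials for the proxy only
        token = base64.b64encode(f"{proxy_user}:{proxy_pass}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_connect_response(raw):
    """Return the status code of the proxy's reply; raise if it is malformed."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])

def read_head(sock, limit=65536):
    """Read up to the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1)  # one byte at a time so no tunnelled bytes are consumed
        if not chunk or len(buf) >= limit:
            raise OSError("proxy closed or sent an oversized reply")
        buf += chunk
    return buf

def open_tunnel(proxy_addr, host, port=443, user=None, password=None, timeout=10):
    """CONNECT through the proxy, then run TLS directly with the origin server."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port, user, password))
        status = parse_connect_response(read_head(sock))
        if status != 200:  # e.g. the proxy refuses CONNECT to this port
            raise OSError(f"Proxy connection failed: {status}")
        # The certificate is checked against the origin host, not the proxy,
        # so the proxy only ever relays ciphertext.
        ctx = ssl.create_default_context()
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```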
I've submitted a patch to M2Crypto that implements CONNECT support. See bug 6975 in M2Crypto's bugzilla: https://bugzilla.osafoundation.org/show_bug.cgi?id=6975
Created attachment 138597: proxy CONNECT support
The patch against m2crypto
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering. This request is not yet committed for inclusion in release.
This blocker corresponds to release criteria 19c5: yum connects through authenticated/unauthenticated http proxy from client to RHN
QE ack for RHEL5B2.
This should be fixed as of yum-rhn-plugin-0.1.9-3
*** Bug 212403 has been marked as a duplicate of this bug. ***
I tried to retest this with yum-rhn-plugin-0.2.0-1.el5 and m2crypto-0.16-6.el5 on the client. The squid log from cellar.rhndev (our http proxy) says:
    1162154752.339 173 192.168.34.90 TCP_MISS/200 3500 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
    1162154752.455 110 192.168.34.90 TCP_MISS/200 3612 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
which I guess is correct. However, if I try to actually do any yumming through this http proxy, I get errors depending on my configuration.
Configuration 1: client -> RHN proxy -> non-authenticated http proxy -> RHN
============================================================================
http proxy log:
    1162156041.443 216 192.168.32.35 TCP_MISS/200 2273 POST http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
    1162156041.586 129 192.168.32.35 TCP_MISS/200 2405 POST http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
    1162156042.147 0 192.168.32.35 TCP_DENIED/403 1370 CONNECT test07.rhndev.redhat.com:80 - NONE/- text/html
RHN proxy log: no entries
client error:
    http://test07.rhndev.redhat.com/XMLRPC/GET-REQ/rhel-x86_64-server-5-beta/repodata/repomd.xml: [Errno 4] IOError: <urlopen error Proxy connection failed: 403>
    Trying other mirror.
    Error: Cannot open/read repomd.xml file for repository: rhel-x86_64-server-5-beta
** The above configuration works fine if I remove the http proxy and just use the RHN proxy.
Configuration 2: client -> non-authenticated http proxy -> RHN
===============================================================
http proxy log:
    1162156145.684 177 192.168.34.90 TCP_MISS/200 3500 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
    1162156145.802 113 192.168.34.90 TCP_MISS/200 3612 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
client error:
    https://xmlrpc.rhn.webqa.redhat.com/XMLRPC/GET-REQ/rhel-i386-server-5-beta/repodata/repomd.xml: [Errno 4] IOError: <urlopen error The connect operation timed out>
    Trying other mirror.
    Error: Cannot open/read repomd.xml file for repository: rhel-i386-server-5-beta
So, I would say proxy support still does not work for the yum client, authenticated or not.
What versions of yum and urlgrabber are you using? I was able to use a proxy fine with the following rpms:
    rhn-client-tools-0.2.7-1.el5
    m2crypto-0.16-6.el5
    python-urlgrabber-3.1.0-1
    yum-3.0-5.3
    yum-rhn-plugin-0.2.0-1.el5
Both configurations work for x86_64 client with the following package profile:
    rhn-client-tools-0.2.7-1.el5
    m2crypto-0.16-6.el5
    python-urlgrabber-3.1.0-1
    yum-3.0-5.3
    yum-rhn-plugin-0.2.0-1.el5
    rhnlib-2.2.5-1.el5
For i386 client, same.
Also works with authenticated http proxy.
Closing as the fixes are included in the latest RHEL5 trees (20061111.0)