CentOS - Jul 2007 - yum through a squid proxy

Hello,
    I've got a centos5 box that is now behind a what was transparent squid 
proxy. The proxy now has it's own dedicated ip and uses proxy basic 
authentication. I've got a firewall that redirects all outgoing port 80 
traffic to that ip so anyone wishing access goes proxied. The problem is yum 
on my centos5 can't retrieve the .xml files for the various yum 
repositories. In the squid access.log on the router i'm seeing invalid 
request method. This means that the box isn't yet talking proxy and is still
trying to go through direct. To my yum.conf file i added lines similar to 
these:

# The proxy server - proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty

I tried port 80 on that proxy line with the same results. Telneting to that 
ip/port works fine, iptables isn't blocking it. On the firewall i added the 
yum-user to the password file and used squid's ncsa_auth program to confirm 
the username/password combination, output was a simple "ok". On the
centos5
box i did a service network restart, which didn't work, yum update gave me 
the same error.
    Any suggestions welcome.
    Thanks.
Dave.

I don't see why that setup wouldn't work.
1. you've added yourself to the passwd file? (you don't have to be a
unix user existing in /etc/passwd
2. you run the export variable before using yum - or you've added this
to /etc/profile or your own .bash_profile file as well?

export http_proxy=http://peter:password at 192.168.25.25:3128
echo $http_proxy
http://peter:password at 192.168.25.25:3128

This is my squid.conf (see below) - nothing that I can see that would
allow / disallow access to an xml file. I run porn filters for my
network and allow ftp access to only 3 users, and allow windows
updates for the idiot boxes.

Testing - stop iptables. If you can access other site through the
proxy from links / elinks / lynx whatever, then you know it's working
as it should. Start iptables - try the same test again - if fails then
enable port 3128 in /etc/sysconfig/iptables

# squid server for internal
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT

I would look at my yum.conf after confirming the above. Comment out
everything except one. Run yum again, etc.

*also - keep in mind that if you have multiple terms open - and you're
manually exporting the proxy variable - it's a. not persistent and b.
only valid in the term that you set it in.

- Good luck.
-Peter Farrell -
-Cardiff, Wales
==========================SQUID.CONF
==========================hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /data/squid/cache 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl ftp_allow proxy_auth_regex martin
acl ftp_allow proxy_auth_regex peter
acl ftp_allow proxy_auth_regex bhanu
acl all src 0.0.0.0/0.0.0.0
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
acl ssl_ports port 443      # https
acl safe_ports port 80 1863 8888 443  # http, https
acl CONNECT method CONNECT
acl example dst 21.21.21.0/255.255.255.0
acl porn url_regex "/etc/squid/porn"
acl porn1 url_regex "/etc/squid/porn1"
acl porn2 url_regex "/etc/squid/porn2"
acl everyone proxy_auth REQUIRED
http_access allow winupdate
http_access allow example
http_access allow ftp_allow
http_access deny ftp
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access deny porn
http_access deny porn1
http_access deny porn2
http_access allow everyone
http_access deny all
always_direct allow example
always_direct allow winupdate
no_cache deny example
no_cache deny winupdate
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr sysadmin at example.com
cache_effective_user squid
visible_hostname pollux.example.com
unique_hostname pollux
logfile_rotate 10
coredump_dir /var/log/squid/cache
==========================
On 19/07/07, Dave <dmehler26 at woh.rr.com> wrote:
> Hello,
>     I've got a centos5 box that is now behind a what was transparent
squid
> proxy. The proxy now has it's own dedicated ip and uses proxy basic
> authentication. I've got a firewall that redirects all outgoing port 80
> traffic to that ip so anyone wishing access goes proxied. The problem is
yum
> on my centos5 can't retrieve the .xml files for the various yum
> repositories. In the squid access.log on the router i'm seeing invalid
> request method. This means that the box isn't yet talking proxy and is
still
> trying to go through direct. To my yum.conf file i added lines similar to
> these:
>
> # The proxy server - proxy server:port number
> proxy=http://mycache.mydomain.com:3128
> # The account details for yum connections
> proxy_username=yum-user
> proxy_password=qwerty
>
> I tried port 80 on that proxy line with the same results. Telneting to that
> ip/port works fine, iptables isn't blocking it. On the firewall i added
the
> yum-user to the password file and used squid's ncsa_auth program to
confirm
> the username/password combination, output was a simple "ok". On
the centos5
> box i did a service network restart, which didn't work, yum update gave
me
> the same error.
>     Any suggestions welcome.
>     Thanks.
> Dave.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>