GitHub - candlepin/thumbslug: Thumbslug is a content proxy for Candlepin

This repository has been archived by the owner on Oct 15, 2019. It is now read-only.

candlepin / thumbslug Public archive

Notifications You must be signed in to change notification settings
Fork 3
Star 1

Thumbslug is a content proxy for Candlepin

candlepinproject.org

1 star 3 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 287 Commits
.settings		.settings
buildconf		buildconf
buildr		buildr
conf		conf
perf		perf
rel-eng		rel-eng
selinux		selinux
spec		spec
src		src
.checkstyle		.checkstyle
.gitignore		.gitignore
Gemfile		Gemfile
Gemfile.lock		Gemfile.lock
README		README
SECURITY		SECURITY
TESTING		TESTING
build.xml		build.xml
buildfile		buildfile
cdn-ca.pem		cdn-ca.pem
thumbslug.sh		thumbslug.sh
thumbslug.spec		thumbslug.spec

Repository files navigation

     /@
     \ \        ______  __                 __         __
   ___> \      /_  __/ / /  __ __  __ _   / /   ___  / / __ __  ___ _
  (__O)  \      / /   / _ \/ // / /  ' \ / _ \ (_-< / / / // / / _ `/
 (____@)  \    /_/   /_//_/\_,_/ /_/_/_//_.__//___//_/  \_,_/  \_, /
 (____@)   \                                                  /___/
  (__o)_    \                            A Red Hat Production
        \    \

== What? ==

Thumbslug is a content/entitlement proxy. It lets your candlepin clients access
content from the upstream cdn using locally granted entitlement certificates.

== How? ==

To run from source, use the thumbslug.sh file.

If you've installed via the rpm, you can run it as a regular system service, using 'service' or 'chkconfig' or invoke /usr/bin/thumbslug directly.

== Initial Configuration ==

You'll need to do a bit of setup first, before thumbslug will work.
 - Create a pkcs keystore containing a cert/private key for thumbslug to use
   to talk to its clients, and sign it with a CA that your clients will know.
   Place this keystore in /etc/thumbslug/server_keystore.p12
   - Example: keytool -genkeypair -alias my_certificate -keystore /etc/thumbslug/server_keystore.p12 -storepass thumbslug -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
 - set the value of ssl.keystore.password in /etc/thumbslug/thumbslug.conf to
   match the password on the above keystore.
 - Set up a shared secret betweeen candlepin and thumbslug.
   In /etc/candlepin/candlepin.conf, set
   candlepin.auth.oauth.consumer.thumbslug.secret = <SECRET>
   In /etc/thumbslug/thumbslug.conf, set
   candlepin.oauth.secret = <SECRET>
 - copy your candlepin's CA cert (what your entitlement certs are signed with)
   to /etc/thumbslug/client-ca.pem

That's it!

This assumes your candlepin is running on the same host as thumbslug. If that's
not the case, you'll need to set some more config values. Check the 'Config
Options' section below, and the contents of /etc/thumbslug/thumbslug.conf.

You'll also have to configure your clients to talk to thumbslug. set baseurl in
rhsm.conf to match your thumbslug host/port, and repo_ca_cert to match your
thumbslug's CA cert.

== Config Options ==

port = <integer> ................... :: the local address to listen for
                                        requests on
daemonize = <true|false> ........... :: daemonize thumbslug or keep in the
                                        foreground
ssl = <true|false> ................. :: use ssl for client to thumbslug
                                        communication
ssl.keystore = <string> ............ :: pkcs12 keystore for client to thumbslug
                                        ssl verification
ssl.keystore.password = <string> ... :: password for above
ssl.ca.keystore = <string> ......... :: pem formatted x509 certificate to use
                                        to verify client entitlment
                                        certificates

ssl.client.dynamicSsl = <true|false> :: grab entitlement certificates from
                                        candlepin for thumbslug to cdn
                                        communication, or use a static one.
ssl.client.keystore = <string> ..... :: pem formatted x509 certifcate to use
                                        with dynamicSsl = false

cdn.port = <integer> ............... :: the remote cdn port to connect to
cdn.host = <string> ................ :: hostname of the cdn
cdn.ssl = <true|false> ............. :: use ssl for connecting to the cdn
cdn.ssl.ca.keystore = <string> ..... :: pem formatted x509 certificate to use
                                        to verify the cdn's certificate
cdn.sendTSheader = <true|false> .... :: add thumbslug version to cdn request

log.access = <string> .............. :: client to thumbslug http access log
log.error = <string> ............... :: debug/error log

candlepin.host = <string> .......... :: candlepin host for dynamicSsl
candlepin.port = <integer> ......... :: candlepin port
candlepin.ssl = <true|false> ....... :: use ssl to talk to candlepin
candlepin.oauth.key = <string> ..... :: shared secret with candlepin
candlepin.oauth.secret = <string> .. :: shared secret password with candlepin

== logging properties ==

Logging levels and properties can be set at runtime in the thumbslug.conf.

For ex:

log4j.logger.org.candlepin.thumbslug=INFO
log4j.logger.org.candlepin.thumbslug.HttpRequestHandler=DEBUG