Thumbslug is a content proxy for Candlepin
Java Ruby Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.settings
buildconf
buildr
conf
perf
rel-eng
selinux
spec
src
.checkstyle
.gitignore
Gemfile
Gemfile.lock
README
SECURITY
TESTING
build.xml
buildfile
cdn-ca.pem
thumbslug.sh
thumbslug.spec

README

     /@
     \ \        ______  __                 __         __
   ___> \      /_  __/ / /  __ __  __ _   / /   ___  / / __ __  ___ _
  (__O)  \      / /   / _ \/ // / /  ' \ / _ \ (_-< / / / // / / _ `/
 (____@)  \    /_/   /_//_/\_,_/ /_/_/_//_.__//___//_/  \_,_/  \_, /
 (____@)   \                                                  /___/
  (__o)_    \                            A Red Hat Production
        \    \

== What? ==

Thumbslug is a content/entitlement proxy. It lets your candlepin clients access
content from the upstream cdn using locally granted entitlement certificates.

== How? ==

To run from source, use the thumbslug.sh file.

If you've installed via the rpm, you can run it as a regular system service, using 'service' or 'chkconfig' or invoke /usr/bin/thumbslug directly.

== Initial Configuration ==

You'll need to do a bit of setup first, before thumbslug will work.
 - Create a pkcs keystore containing a cert/private key for thumbslug to use
   to talk to its clients, and sign it with a CA that your clients will know.
   Place this keystore in /etc/thumbslug/server_keystore.p12
   - Example: keytool -genkeypair -alias my_certificate -keystore /etc/thumbslug/server_keystore.p12 -storepass thumbslug -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
 - set the value of ssl.keystore.password in /etc/thumbslug/thumbslug.conf to
   match the password on the above keystore.
 - Set up a shared secret betweeen candlepin and thumbslug.
   In /etc/candlepin/candlepin.conf, set
   candlepin.auth.oauth.consumer.thumbslug.secret = <SECRET>
   In /etc/thumbslug/thumbslug.conf, set
   candlepin.oauth.secret = <SECRET>
 - copy your candlepin's CA cert (what your entitlement certs are signed with)
   to /etc/thumbslug/client-ca.pem

That's it!

This assumes your candlepin is running on the same host as thumbslug. If that's
not the case, you'll need to set some more config values. Check the 'Config
Options' section below, and the contents of /etc/thumbslug/thumbslug.conf.

You'll also have to configure your clients to talk to thumbslug. set baseurl in
rhsm.conf to match your thumbslug host/port, and repo_ca_cert to match your
thumbslug's CA cert.

== Config Options ==

port = <integer> ................... :: the local address to listen for
                                        requests on
daemonize = <true|false> ........... :: daemonize thumbslug or keep in the
                                        foreground
ssl = <true|false> ................. :: use ssl for client to thumbslug
                                        communication
ssl.keystore = <string> ............ :: pkcs12 keystore for client to thumbslug
                                        ssl verification
ssl.keystore.password = <string> ... :: password for above
ssl.ca.keystore = <string> ......... :: pem formatted x509 certificate to use
                                        to verify client entitlment
                                        certificates

ssl.client.dynamicSsl = <true|false> :: grab entitlement certificates from
                                        candlepin for thumbslug to cdn
                                        communication, or use a static one.
ssl.client.keystore = <string> ..... :: pem formatted x509 certifcate to use
                                        with dynamicSsl = false

cdn.port = <integer> ............... :: the remote cdn port to connect to
cdn.host = <string> ................ :: hostname of the cdn
cdn.ssl = <true|false> ............. :: use ssl for connecting to the cdn
cdn.ssl.ca.keystore = <string> ..... :: pem formatted x509 certificate to use
                                        to verify the cdn's certificate
cdn.sendTSheader = <true|false> .... :: add thumbslug version to cdn request

log.access = <string> .............. :: client to thumbslug http access log
log.error = <string> ............... :: debug/error log

candlepin.host = <string> .......... :: candlepin host for dynamicSsl
candlepin.port = <integer> ......... :: candlepin port
candlepin.ssl = <true|false> ....... :: use ssl to talk to candlepin
candlepin.oauth.key = <string> ..... :: shared secret with candlepin
candlepin.oauth.secret = <string> .. :: shared secret password with candlepin

== logging properties ==

Logging levels and properties can be set at runtime in the thumbslug.conf.

For ex:

log4j.logger.org.candlepin.thumbslug=INFO
log4j.logger.org.candlepin.thumbslug.HttpRequestHandler=DEBUG