This repository has been archived by the owner on Oct 15, 2019. It is now read-only.
Thumbslug is a content proxy for Candlepin
candlepin/thumbslug
/@
\ \ ______ __ __ __
___> \ /_ __/ / / __ __ __ _ / / ___ / / __ __ ___ _
(__O) \ / / / _ \/ // / / ' \ / _ \ (_-< / / / // / / _ `/
(____@) \ /_/ /_//_/\_,_/ /_/_/_//_.__//___//_/ \_,_/ \_, /
(____@) \ /___/
(__o)_ \ A Red Hat Production
\ \
== What? ==
Thumbslug is a content/entitlement proxy. It lets your candlepin clients access
content from the upstream cdn using locally granted entitlement certificates.
== How? ==
To run from source, use the thumbslug.sh file.
If you've installed via the rpm, you can run it as a regular system service, using 'service' or 'chkconfig' or invoke /usr/bin/thumbslug directly.
== Initial Configuration ==
You'll need to do a bit of setup first, before thumbslug will work.
- Create a PKCS#12 keystore containing a cert/private key for thumbslug to use
  to talk to its clients, and sign it with a CA that your clients will know.
  Place this keystore in /etc/thumbslug/server_keystore.p12
  - Example: keytool -genkeypair -alias my_certificate -keystore /etc/thumbslug/server_keystore.p12 -storepass thumbslug -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
    (keytool -genkeypair produces a self-signed certificate, so getting it
    signed by your CA is a separate step; the -storepass value shown is only
    an example, so pick your own.)
- Set the value of ssl.keystore.password in /etc/thumbslug/thumbslug.conf to
  match the password on the above keystore.
- Set up a shared secret between candlepin and thumbslug.
  In /etc/candlepin/candlepin.conf, set
    candlepin.auth.oauth.consumer.thumbslug.secret = <SECRET>
  In /etc/thumbslug/thumbslug.conf, set
    candlepin.oauth.secret = <SECRET>
- Copy your candlepin's CA cert (what your entitlement certs are signed with)
  to /etc/thumbslug/client-ca.pem
That's it!
This assumes your candlepin is running on the same host as thumbslug. If that's
not the case, you'll need to set some more config values. Check the 'Config
Options' section below, and the contents of /etc/thumbslug/thumbslug.conf.
You'll also have to configure your clients to talk to thumbslug. Set baseurl in
rhsm.conf to match your thumbslug host/port, and repo_ca_cert to match your
thumbslug's CA cert.
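As an added example (not part of Thumbslug or its README), these shell functions audit the settings from the steps above: the two shared-secret values match, the keystore password is not the `thumbslug` value from the keytool example, and neither config file is world-readable. It assumes both files use plain `key = value` lines with `#` comments; the function names and sample files are constructed for illustration.

```shell
# Added example, not Thumbslug code. Assumes "key = value" lines and "#" comments.

# get_prop KEY FILE: print the value of the last "KEY = value" line in FILE.
get_prop() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2" 2>/dev/null
}

# check_thumbslug_setup CANDLEPIN_CONF THUMBSLUG_CONF
# Prints one line per finding (never a secret); returns the number of findings.
check_thumbslug_setup() {
    findings=0
    cp_secret=$(get_prop candlepin.auth.oauth.consumer.thumbslug.secret "$1")
    ts_secret=$(get_prop candlepin.oauth.secret "$2")
    ks_pass=$(get_prop ssl.keystore.password "$2")
    if [ -z "$cp_secret" ] || [ -z "$ts_secret" ]; then
        echo "FAIL: shared secret is not set in both files"; findings=$((findings + 1))
    elif [ "$cp_secret" != "$ts_secret" ]; then
        echo "FAIL: candlepin and thumbslug secrets differ"; findings=$((findings + 1))
    elif [ "$ts_secret" = "<SECRET>" ]; then
        echo "FAIL: secret is still the <SECRET> placeholder"; findings=$((findings + 1))
    fi
    if [ "$ks_pass" = "thumbslug" ]; then
        echo "WARN: ssl.keystore.password is the README example value"
        findings=$((findings + 1))
    fi
    for f in "$1" "$2"; do
        # -perm -004 matches files readable by "other"; both files hold secrets.
        if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
            echo "FAIL: $f is world-readable"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample files (not real configuration) to exercise the check.
demo=$(mktemp -d)
printf 'candlepin.auth.oauth.consumer.thumbslug.secret = sample-A\n' > "$demo/candlepin.conf"
printf 'candlepin.oauth.secret = sample-B\nssl.keystore.password = thumbslug\n' > "$demo/thumbslug.conf"
chmod 600 "$demo/candlepin.conf"; chmod 644 "$demo/thumbslug.conf"
check_thumbslug_setup "$demo/candlepin.conf" "$demo/thumbslug.conf" || echo "findings: $?"
rm -rf "$demo"
```

On a real host, call `check_thumbslug_setup /etc/candlepin/candlepin.conf /etc/thumbslug/thumbslug.conf` as a user that can read both files.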
== Config Options ==
port = <integer> ................... :: the local port to listen for requests on
daemonize = <true|false> ........... :: daemonize thumbslug or keep in the foreground
ssl = <true|false> ................. :: use ssl for client to thumbslug communication
ssl.keystore = <string> ............ :: pkcs12 keystore for client to thumbslug ssl verification
ssl.keystore.password = <string> ... :: password for above
ssl.ca.keystore = <string> ......... :: pem formatted x509 certificate to use to verify client entitlement certificates
ssl.client.dynamicSsl = <true|false> :: grab entitlement certificates from candlepin for thumbslug to cdn communication, or use a static one.
ssl.client.keystore = <string> ..... :: pem formatted x509 certificate to use with dynamicSsl = false
cdn.port = <integer> ............... :: the remote cdn port to connect to
cdn.host = <string> ................ :: hostname of the cdn
cdn.ssl = <true|false> ............. :: use ssl for connecting to the cdn
cdn.ssl.ca.keystore = <string> ..... :: pem formatted x509 certificate to use to verify the cdn's certificate
cdn.sendTSheader = <true|false> .... :: add thumbslug version to cdn request
log.access = <string> .............. :: client to thumbslug http access log
log.error = <string> ............... :: debug/error log
candlepin.host = <string> .......... :: candlepin host for dynamicSsl
candlepin.port = <integer> ......... :: candlepin port
candlepin.ssl = <true|false> ....... :: use ssl to talk to candlepin
candlepin.oauth.key = <string> ..... :: shared secret with candlepin
candlepin.oauth.secret = <string> .. :: shared secret password with candlepin
== logging properties ==
Logging levels and properties can be set at runtime in the thumbslug.conf.
For example:
log4j.logger.org.candlepin.thumbslug=INFO
log4j.logger.org.candlepin.thumbslug.HttpRequestHandler=DEBUG