20.4. Configuration Examples
20.4.1. Squid Connecting to Non-Standard Ports
The following example provides a real-world demonstration of how SELinux complements Squid by enforcing the above Boolean and by default only allowing access to certain ports. This example will then demonstrate how to change the Boolean and show that access is then allowed.
Note that this is an example only and demonstrates how SELinux can affect a simple configuration of Squid. Comprehensive documentation of Squid is beyond the scope of this document. See the official Squid documentation for further details. This example assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured to allow access on the internal interface using the default TCP port on which Squid listens (TCP 3128).
- Confirm that the squid package is installed:

    ~]$ rpm -q squid
    package squid is not installed

  If the package is not installed, use the yum utility as root to install it:

    ~]# yum install squid

- Edit the main configuration file, /etc/squid/squid.conf, and confirm that the cache_dir directive is uncommented and looks similar to the following:

    cache_dir ufs /var/spool/squid 100 16 256

  This line specifies the default settings for the cache_dir directive to be used in this example; it consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively).

- In the same configuration file, make sure the http_access allow localnet directive is uncommented. This allows traffic from the localnet ACL, which is automatically configured in a default installation of Squid on Red Hat Enterprise Linux. It will allow client machines on any existing RFC1918 network to have access through the proxy, which is sufficient for this simple example.

- In the same configuration file, make sure the visible_hostname directive is uncommented and is configured to the host name of the machine. The value should be the fully qualified domain name (FQDN) of the host:

    visible_hostname squid.example.com

- As root, enter the following command to start the squid daemon. As this is the first time squid has started, this command will initialise the cache directories as specified above in the cache_dir directive and will then start the daemon:

    ~]# systemctl start squid.service

  Ensure that squid starts successfully. The output will include the information below; only the time stamp will differ:

    ~]# systemctl status squid.service
    squid.service - Squid caching proxy
       Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled)
       Active: active (running) since Thu 2014-02-06 15:00:24 CET; 6s ago

- Confirm that the squid process ID (PID) has started as a confined service, as seen here by the squid_var_run_t value:

    ~]# ls -lZ /var/run/squid.pid
    -rw-r--r--. root squid unconfined_u:object_r:squid_var_run_t:s0 /var/run/squid.pid

- At this point, a client machine connected to the localnet ACL configured earlier is successfully able to use the internal interface of this host as its proxy. This can be configured in the settings for all common web browsers, or system-wide. Squid is now listening on the default port of the target machine (TCP 3128), but the target machine will only allow outgoing connections to other services on the Internet through common ports. This is a policy defined by SELinux itself. SELinux will deny access to non-standard ports, as shown in the next step:

- When a client makes a request using a non-standard port through the Squid proxy, such as a website listening on TCP port 10000, a denial similar to the following is logged:

    SELinux is preventing the squid daemon from connecting to network port 10000

- To allow this access, the squid_connect_any Boolean must be modified, as it is disabled by default:

    ~]# setsebool -P squid_connect_any on

  Note: Do not use the -P option if you do not want setsebool changes to persist across reboots.

- The client will now be able to access non-standard ports on the Internet, as Squid is now permitted to initiate connections to any port on behalf of its clients.
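The shell helpers below are an added example, not code from the Red Hat guide or the Squid project: they check the three squid.conf directives the procedure relies on, pull the port number out of a denial message like the one shown above, and read the squid_connect_any state from getsebool output before anyone decides to flip it. The function names, the sample configurations and the message lines are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: pre-flight helpers for the
# procedure above. Function names are hypothetical; both squid.conf samples
# and the denial/getsebool lines are constructed for the demonstration.

# squid_conf_check FILE: report whether the three directives the procedure
# relies on (cache_dir, http_access allow localnet, visible_hostname) are
# present and uncommented. Returns 0 only when all three are found.
squid_conf_check() {
    conf=$1; rc=0
    for name in cache_dir http_access visible_hostname; do
        case $name in
            http_access) pat='^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+localnet([[:space:]]|$)' ;;
            *)           pat="^[[:space:]]*$name[[:space:]]+[^[:space:]#]" ;;
        esac
        if grep -Eq "$pat" "$conf"; then echo "ok      $name"; else echo "missing $name"; rc=1; fi
    done
    return $rc
}

# squid_denied_port LINE: extract the port from a setroubleshoot message like
# the one above; prints the port, returns 1 if the line is something else.
squid_denied_port() {
    printf '%s\n' "$1" |
        sed -nE 's/.*preventing the squid daemon from connecting to network port ([0-9]+).*/\1/p' |
        grep .
}

# squid_connect_any_state TEXT: parse getsebool output ("squid_connect_any --> off")
# and print "on" or "off"; returns 1 if the Boolean is not in the text.
squid_connect_any_state() {
    printf '%s\n' "$1" |
        sed -nE 's/^squid_connect_any[[:space:]]+-->[[:space:]]+(on|off)[[:space:]]*$/\1/p' |
        grep .
}

# Constructed samples: a good configuration and one with cache_dir commented out.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
printf '%s\n' '# Squid sample (constructed)' 'cache_dir ufs /var/spool/squid 100 16 256' \
    'http_access allow localnet' 'visible_hostname squid.example.com' > "$GOOD_CONF"
printf '%s\n' '#cache_dir ufs /var/spool/squid 100 16 256' \
    'http_access allow localnet' 'visible_hostname squid.example.com' > "$BAD_CONF"

squid_conf_check "$GOOD_CONF" && echo "good config: ready to start squid"
squid_conf_check "$BAD_CONF"  || echo "bad config: fix squid.conf before starting"
port=$(squid_denied_port 'SELinux is preventing the squid daemon from connecting to network port 10000') \
    && echo "denied port: $port (squid_connect_any is $(squid_connect_any_state 'squid_connect_any --> off'))"
```

Run it against the real /etc/squid/squid.conf and the output of getsebool squid_connect_any to see where a host stands before touching setsebool.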