Product SiteDocumentation Site

9.4. Configuration Examples

9.4.1. Squid Connecting to Non-Standard Ports

The following example provides a real-world demonstration of how SELinux complements Squid by enforcing the above Boolean and by default only allowing access to certain ports. This example will then demonstrate how to change the Boolean and show that access is then allowed.
Note that this is an example only and demonstrates how SELinux can affect a simple configuration of Squid. Comprehensive documentation of Squid is beyond the scope of this document. Refer to the official Squid documentation for further details. This example assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured to allow access on the internal interface using the default TCP port on which Squid listens (TCP 3128).
  1. As the root user, install the squid package. Run rpm -q squid to see if the squid package is installed. If it is not installed, run yum install squid as the root user to install it.
  2. Edit the main configuration file, /etc/squid/squid.conf and confirm that the cache_dir directive is uncommented and looks similar to the following: 
    cache_dir ufs /var/spool/squid 100 16 256
    This line specifies the default settings for the cache_dir directive to be used in this example; it consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively).
  3. In the same configuration file, make sure the http_access allow localnet directive is uncommented. This allows traffic from the localnet ACL which is automatically configured in a default installation of Squid on Red Hat Enterprise Linux. It will allow client machines on any existing RFC1918 network to have access through the proxy, which is sufficient for this simple example.
  4. In the same configuration file, make sure the visible_hostname directive is uncommented and is configured to the hostname of the machine. The value should be the fully qualified domain name (FQDN) of the host: 
    visible_hostname squid.example.com
  5. As the root user, run service squid start to start squid. As this is the first time squid has started, this command will initialise the cache directories as specified above in the cache_dir directive and will then start the squid daemon. The output is as follows if squid starts successfully: 
    # /sbin/service squid start
init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]
  6. Confirm that the squid process ID (PID) has started as a confined service, as seen here by the squid_var_run_t value: 
    # ls -lZ /var/run/squid.pid 
-rw-r--r--. root squid unconfined_u:object_r:squid_var_run_t:s0 /var/run/squid.pid
  7. At this point, a client machine connected to the localnet ACL configured earlier is successfully able to use the internal interface of this host as its proxy. This can be configured in the settings for all common web browsers, or system-wide. Squid is now listening on the default port of the target machine (TCP 3128), but the target machine will only allow outgoing connections to other services on the Internet via common ports. This is a policy defined by SELinux itself. SELinux will deny access to non-standard ports, as shown in the next step:
  8. When a client makes a request using a non-standard port through the Squid proxy such as a website listening on TCP port 10000, a denial similar to the following is logged: 
    SELinux is preventing the squid daemon from connecting to network port 10000
  9. To allow this access, the squid_connect_any Boolean must be modified, as it is disabled by default. To turn the squid_connect_any Boolean on, run the following command as the root user: 
    # setsebool -P squid_connect_any on

    Note

    Do not use the -P option if you do not want setsebool changes to persist across reboots.
  10. The client will now be able to access non-standard ports on the Internet as Squid is now permitted to initiate connections to any port, on behalf of its clients.