Unable to proxy Instant Messaging after upgrade to Fedora 4

Danilo Câmara dfcamara at ic.unicamp.br
Sun Jul 17 17:34:30 UTC 2005


Well, I finally discovered the problem was related to SELinux. In short,
if you want to proxy instant messaging (IM) in Squid you do:

1. Include the desired IM ports in the SSL_ports ACL and let Squid deny
other ports, i.e., edit the following line in /etc/squid/squid.conf to
include (1863 for MSN, 5190 for AIM/ICQ, 5222 for Jabber, ...):

 acl SSL_ports port 443 563 1863 5190 5222


2. Allow squid_connect_any in SELinux, i.e., execute on the command line:

 setsebool -P squid_connect_any=1


Maybe there is a better approach in SELinux to allow connect only to the
needed ports instead of any port, but I don't know yet.


On Fri, 2005-07-08 at 11:48 -0300, dfcamara at ic.unicamp.br wrote:
> I used to proxy my instant messaging (IM) through Squid in Fedora 3 and it
> worked fine. What I did was to enable CONNECT in any port, not only to the
> listed SSL ports. So, I commented the following line in
> /etc/squid/squid.conf:
> 
> # Deny CONNECT to other than SSL ports
> #http_access deny CONNECT !SSL_ports
> 
> Now I know a better approach is to list the ports I use in my IM client
> (Gaim) in the list of allowed SSL ports and let Squid deny other ports.
> i.e. include ports 1863 (MSN), 5190 (AIM/ICQ) and 5222 (Jabber) in
> SSL_ports:
> 
> acl SSL_ports port 443 563 1863 5190 5222
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> 
> Now that I've upgraded to Fedora 4 (in fact I did a fresh install), I can
> no longer proxy IM through Squid; now I'm receiving 503 (service
> unavailable) errors:
> 
> /var/log/squid/access.log:
> 1120832745.447   5004 127.0.0.1 TCP_MISS/503 0 CONNECT jabber.org:5222 -
> DIRECT/- -
> 1120832748.639    256 127.0.0.1 TCP_MISS/503 0 CONNECT
> login.oscar.aol.com:5190 - DIRECT/- -
> 1120832762.732    527 127.0.0.1 TCP_MISS/503 0 CONNECT
> messenger.hotmail.com:1863 - DIRECT/- -
> 
> I'm running Gaim (IM client) in the proxy host for testing purposes. If I
> disable proxy in Gaim it connects, indicating there is no problem with the
> connection itself, but when I switch it to use proxy, I receive the errors
> above.
> 
> Any ideas?
-- 
Danilo Câmara <dfcamara at ic.unicamp.br>
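
An added example, not part of the original message: a small triage script for the access.log lines quoted above. It separates CONNECT requests that Squid's own ACL refused (TCP_DENIED) from requests whose port is in SSL_ports but whose outbound connection still failed with 503, which is the pattern that pointed away from squid.conf here. The function names and the last two sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

SSL_PORTS = {443, 563, 1863, 5190, 5222}  # the SSL_ports ACL from the message

# Squid native access.log: time elapsed client action/status bytes method URL ...
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+\S+\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# First three lines are from the message (re-joined); the last two are constructed.
SAMPLE_LOG = """\
1120832745.447   5004 127.0.0.1 TCP_MISS/503 0 CONNECT jabber.org:5222 - DIRECT/- -
1120832748.639    256 127.0.0.1 TCP_MISS/503 0 CONNECT login.oscar.aol.com:5190 - DIRECT/- -
1120832762.732    527 127.0.0.1 TCP_MISS/503 0 CONNECT messenger.hotmail.com:1863 - DIRECT/- -
1120832770.101      1 127.0.0.1 TCP_DENIED/403 1400 CONNECT irc.example.org:6667 - NONE/- text/html
1120832775.250    310 127.0.0.1 TCP_MISS/200 3120 CONNECT www.example.org:443 - DIRECT/192.0.2.10 -
"""

def classify(line, allowed_ports=SSL_PORTS):
    """Return (host, port, verdict) for a CONNECT entry, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "CONNECT":
        return None
    host, _, port_text = m["url"].rpartition(":")
    if not host or not port_text.isdigit():
        return None
    port, status = int(port_text), int(m["status"])
    if m["action"] == "TCP_DENIED":
        verdict = "denied-by-squid-acl"
    elif status == 503 and port in allowed_ports:
        # ACL passed, outbound connect failed: look outside squid.conf
        # (in the message above the cause was SELinux).
        verdict = "allowed-but-connect-failed"
    elif status == 503:
        verdict = "connect-failed"
    else:
        verdict = "ok" if 200 <= status < 300 else "other"
    return host, port, verdict

def summarize(log_text):
    """Map each verdict to the sorted list of destination ports seen."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ports[result[2]].add(result[1])
    return {verdict: sorted(p) for verdict, p in ports.items()}

if __name__ == "__main__":
    for verdict, ports in summarize(SAMPLE_LOG).items():
        print(f"{verdict}: {ports}")
```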



