Unable to proxy Instant Messaging after upgrade to Fedora 4
Danilo Câmara
dfcamara at ic.unicamp.br
Sun Jul 17 17:34:30 UTC 2005
Well, I finally discovered the problem was related to SELinux. In short,
if you want to proxy instant messaging (IM) in Squid you do:

1. Include the desired IM ports in the SSL_ports ACL and let Squid deny
other ports, i.e., edit the following line in /etc/squid/squid.conf to
include (1863 for MSN, 5190 for AIM/ICQ, 5222 for Jabber, ...):

    acl SSL_ports port 443 563 1863 5190 5222

2. Allow squid_connect_any in SELinux, i.e., execute on the command line:

    setsebool -P squid_connect_any=1

Maybe there is a better approach in SELinux to allow connect only to the
needed ports instead of any port, but I don't know yet.
On Fri, 2005-07-08 at 11:48 -0300, dfcamara at ic.unicamp.br wrote:
> I used to proxy my instant messaging (IM) through Squid in Fedora 3 and it
> worked fine. What I did was to enable CONNECT on any port, not only to the
> listed SSL ports. So, I commented out the following line in
> /etc/squid/squid.conf:
>
> # Deny CONNECT to other than SSL ports
> #http_access deny CONNECT !SSL_ports
>
> Now I know a better approach is to list the ports I use in my IM client
> (Gaim) in the list of allowed SSL ports and let Squid deny other ports.
> i.e. include ports 1863 (MSN), 5190 (AIM/ICQ) and 5222 (Jabber) in
> SSL_ports:
>
> acl SSL_ports port 443 563 1863 5190 5222
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> Now that I've upgraded to Fedora 4 (in fact I did a fresh install), I can
> no longer proxy IM through Squid; now I'm receiving 503 (service
> unavailable) errors:
>
> /var/log/squid/access.log:
> 1120832745.447 5004 127.0.0.1 TCP_MISS/503 0 CONNECT jabber.org:5222 - DIRECT/- -
> 1120832748.639 256 127.0.0.1 TCP_MISS/503 0 CONNECT login.oscar.aol.com:5190 - DIRECT/- -
> 1120832762.732 527 127.0.0.1 TCP_MISS/503 0 CONNECT messenger.hotmail.com:1863 - DIRECT/- -
>
> I'm running Gaim (IM client) on the proxy host for testing purposes. If I
> disable proxy in Gaim it connects, indicating there is no problem with the
> connection itself, but when I switch it to use proxy, I receive the errors
> above.
>
> Any ideas?
--
Danilo Câmara <dfcamara at ic.unicamp.br>
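
Added example (not part of the original message): a small audit that reads the CONNECT policy from squid.conf text and classifies CONNECT entries in a native-format access.log, separating requests Squid's own ACL refused (TCP_DENIED) from requests the ACL allowed but that failed outbound with 503, which is the symptom described in this thread. The function names and the sample data are assumptions constructed for illustration.

```python
import re
# Added example; connect_policy and classify_connects are hypothetical helper names.
# Constructed sample: squid.conf fragment in the form the message recommends.
SAMPLE_CONF = """\
acl SSL_ports port 443 563 1863 5190 5222
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
"""
# Constructed sample log: first line as quoted in the thread, the other two made up.
SAMPLE_LOG = """\
1120832745.447 5004 127.0.0.1 TCP_MISS/503 0 CONNECT jabber.org:5222 - DIRECT/- -
1120832750.101 2 127.0.0.1 TCP_DENIED/403 1400 CONNECT example.test:25 - NONE/- text/html
1120832760.300 812 127.0.0.1 TCP_MISS/200 3120 CONNECT example.test:443 - DIRECT/192.0.2.10 -
"""

def connect_policy(conf):
    """Return (allowed_ports, deny_rule_active) from squid.conf text."""
    ports, deny = set(), False
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # a commented-out rule counts as inactive
        m = re.match(r"acl\s+SSL_ports\s+port\s+(.+)", line)
        if m:
            for tok in m.group(1).split():    # single ports or lo-hi ranges
                lo, _, hi = tok.partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
        if re.fullmatch(r"http_access\s+deny\s+CONNECT\s+!SSL_ports", line):
            deny = True
    return ports, deny

def classify_connects(log, ports):
    """Return [(host:port, verdict)] for each CONNECT line in the log."""
    out = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        code, status = f[3].split("/")
        port = int(f[6].rsplit(":", 1)[1])
        if code == "TCP_DENIED":
            verdict = "refused by Squid ACL"
        elif status == "503" and port in ports:
            verdict = "ACL allowed, outbound connect failed (check SELinux/firewall)"
        elif status == "503":
            verdict = "outbound connect failed"
        else:
            verdict = "ok"
        out.append((f[6], verdict))
    return out
```

A result with deny_rule_active False means the deny rule is missing or commented out, so CONNECT is not restricted to the SSL_ports list.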