1. Run the rpm -q squid command to see if the squid package is installed. If it is not installed, run yum install squid as the root user to install it.
2. Edit /etc/squid/squid.conf and confirm that the cache_dir directive is uncommented and looks similar to the following:

    cache_dir ufs /var/spool/squid 100 16 256

This line sets the cache_dir values used in this example. It consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively).
3. Ensure that the http_access allow localnet directive is uncommented. This allows traffic from the localnet ACL, which is configured automatically in a default installation of Squid on Fedora 13. It permits client machines on any RFC 1918 private network to use the proxy, which is sufficient for this simple example. On a host that is reachable from networks you do not control, narrow the ACL to the subnets that should actually be allowed to proxy through it.
4. Ensure that the visible_hostname directive is uncommented and set to the hostname of the machine. The value should be the fully qualified domain name (FQDN) of the host, for example:

    visible_hostname squid.example.com
5. Run service squid start to start squid. As this is the first time squid has started, this command initialises the cache directories specified in the cache_dir directive and then starts the squid daemon. If squid starts successfully, the output is as follows:

    # /sbin/service squid start
    init_cache_dir /var/spool/squid... Starting squid: .         [  OK  ]
6. Confirm that the squid process ID (PID) file was created by a confined service, as shown by the squid_var_run_t type in its SELinux context:

    # ls -lZ /var/run/squid.pid
    -rw-r--r--. root squid unconfined_u:object_r:squid_var_run_t:s0 /var/run/squid.pid

The daemon itself should be running in the squid_t domain, which can be checked with ps -eZ | grep squid.
7. A client machine on a network matched by the localnet ACL configured earlier can now use the internal interface of this host as its proxy. This can be configured in the settings of all common web browsers, or system-wide. Squid is listening on its default port on the target machine (TCP 3128), but SELinux policy only allows the squid daemon to make outgoing connections to Internet services on common ports. Connections to non-standard ports are denied by SELinux, as the next step shows.

8. When a client requests a service on a non-standard port through the proxy, for example TCP port 10000, the request fails and SELinux reports a denial of the form:

    SELinux is preventing the squid daemon from connecting to network port 10000

9. For this access to be allowed, the squid_connect_any Boolean must be modified, as it is disabled by default. To turn the squid_connect_any Boolean on, run the following command as the root user:

    # setsebool -P squid_connect_any on

This is a broad grant: it allows squid to connect to all ports rather than only the ports the policy permits by default, so enable it only if the proxy genuinely needs to reach arbitrary destination ports.
Note

Do not use the -P option if you do not want setsebool changes to persist across reboots.
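The following script is an added example, not part of the Fedora guide or of Squid. It checks the three squid.conf directives from steps 2 to 4 and the SELinux file label from step 6 with plain POSIX sh. The two squid.conf files it inspects are constructed samples written to a temporary directory so that it runs offline; on a real host you would point check_squid_conf at /etc/squid/squid.conf and feed pid_context_ok the output of ls -lZ /var/run/squid.pid. All paths, hostnames and file contents below are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fedora guide or Squid): check the squid.conf
# directives and the SELinux PID-file label the walkthrough relies on.
# The two configurations below are constructed samples, not real files.

# active_directive FILE DIRECTIVE
# Print the first uncommented line of FILE that begins with DIRECTIVE.
# Squid ignores lines whose first non-blank character is '#', so a stock
# "#cache_dir ..." line must not count as configured.
active_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1
}

# check_squid_conf FILE
# Verify the directives from steps 2 to 4. Prints one line per problem
# and returns the number of problems found (0 means the file is ready).
check_squid_conf() {
    conf="$1"
    failures=0

    line=$(active_directive "$conf" cache_dir)
    if [ -z "$line" ]; then
        echo "MISSING: cache_dir is commented out or absent"
        failures=$((failures + 1))
    else
        # cache_dir <format> <directory> <MB> <L1 dirs> <L2 dirs>: 6 fields
        fields=$(printf '%s\n' "$line" | awk '{print NF}')
        if [ "$fields" -ne 6 ]; then
            echo "BAD: cache_dir needs 6 fields, found $fields: $line"
            failures=$((failures + 1))
        fi
    fi

    if ! grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+localnet([[:space:]]|$)' "$conf"; then
        echo "MISSING: http_access allow localnet is commented out or absent"
        failures=$((failures + 1))
    fi

    line=$(active_directive "$conf" visible_hostname)
    host=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$host" in
        *.*) ;;   # contains a dot: accept it as an FQDN
        *) echo "BAD: visible_hostname should be an FQDN, found '${host:-none}'"
           failures=$((failures + 1)) ;;
    esac

    return "$failures"
}

# pid_context_ok "LINE"
# LINE is one line of 'ls -lZ /var/run/squid.pid'. Returns 0 when the file's
# SELinux type is squid_var_run_t, which is what squid started under the
# confined policy produces. The context is found by its ':object_r:' role
# rather than by column number, so ls variants that print extra columns
# (link count, size, date) are handled too.
pid_context_ok() {
    ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    [ "$(printf '%s\n' "$ctx" | cut -d: -f3)" = "squid_var_run_t" ]
}

# Constructed sample configurations (assumptions, written to a temp dir).
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/good.conf"
BAD_CONF="$SAMPLE_DIR/bad.conf"

cat > "$GOOD_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
http_access allow localnet
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
visible_hostname squid.example.com
EOF

cat > "$BAD_CONF" <<'EOF'
# stock-style file: the required lines are still commented out
#http_access allow localnet
#cache_dir ufs /var/spool/squid 100 16 256
visible_hostname squid
EOF

check_squid_conf "$GOOD_CONF" && echo "good.conf: ready"
check_squid_conf "$BAD_CONF"  || echo "bad.conf: $? problem(s)"
```

check_squid_conf returns the number of problems so that it can be used directly as an exit status in a deployment check; bad.conf above yields 3 (cache_dir and http_access commented out, visible_hostname not an FQDN). pid_context_ok accepts the exact ls -lZ line shown in step 6 and rejects a file labelled with the generic var_run_t type, which is what you would see if squid had been started outside its confined domain.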