squid.conf

Squid (squid.conf)

dastyler

Squid com controle por mac address / Transparente / Active Directory

Categoria: Networking

Software: Squid

[ Hits: 9.154 ]

Por: Davi Ribeiro

0 0

Denuncie Favoritos Indicar

Esta conf está em produção e permite fácil migração de proxy transparente validando no Active Directory. A conf permite controle de mac address por arquivo, bastando inserir nos arquivos correspondentes o mac address da placa de rede dos clientes (útil para quem usa DHCP) e possui solução para quem teve problemas ao acessar páginas JSP usando proxy no Internet Explorer.

[]´s

#http_port 3126
#http_port 192.168.0.252:3128 transparent
http_port 192.168.0.252:3128
icp_port 0
hierarchy_stoplist cgi-bin ?

##Bypass em paginas jsp e jnlp:
hierarchy_stoplist jsp
hierarchy_stoplist jnlp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB

##objetos no cache
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 3000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

##gerenciamento de ftp
#ftp_passive off
ftp_passive on
ftp_sanitycheck off
ftp_telnet_protocol off
auth_param basic children 200
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

##Habilitando LOG com users do servidor AD (M$)
#auth_param ntlm program /usr/bin/ntlm_auth CONTROL/servidor --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 200
#auth_param ntlm keep_alive on
######

refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
read_timeout 30 seconds
half_closed_clients off
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
#acl all src 0.0.0.0/0.0.0.0


##Horarios liberados para acesso
#acl usuario proxy_auth REQUIRED
acl sabado time A 07:30-18:00
acl tarde time MTWHF 17:30-20:00
acl manha time MTWHF 07:30-08:30
acl almoco time MTWHF 12:00-13:15
acl suporte_dir arp "/usr/local/squid/etc/squid/mac_address_suporte_dir"
acl suporte arp "/usr/local/squid/etc/squid/mac_address_negado"
acl desenvolvimento arp "/usr/local/squid/etc/squid/mac_maquinas_desenvolvimento"
acl financeiro arp "/usr/local/squid/etc/squid/mac_maquinas_finan"
acl web arp "/usr/local/squid/etc/squid/mac_maquinas_web"

##opcional - malware
#acl malware url_regex -i "/usr/local/squid/etc/squid/malware.txt"
#acl redelocal src 192.168.0.0/24
acl block_loja arp "/usr/local/squid/etc/squid/block_full_loja"
acl loja arp "/usr/local/squid/etc/squid/loja"
acl sites_proibidos_loja dstdomain "/usr/local/squid/etc/squid/deny_loja"
acl loja_lib arp "/usr/local/squid/etc/squid/mac_loja"
acl direct_access dstdomain "/usr/local/squid/etc/squid/direct_access"

###BLOQUEIA DOWNLOADS DE ARQUIVOS
acl downloads urlpath_regex "/usr/local/squid/etc/squid/downloads"
acl extensions urlpath_regex "/usr/local/squid/etc/squid/extensions"

###Dominios permitidos para navegacao em qualquer horario
acl loja_allwd dstdomain "/usr/local/squid/etc/squid/sites_loja"
acl domain_allwd dstdomain "/usr/local/squid/etc/squid/domains_allowed"
acl domain_negados dstdomain "/usr/local/squid/etc/squid/negados"

acl permitidos dstdom_regex "/usr/local/squid/etc/squid/permitidos"
acl acessoweb url_regex "/usr/local/squid/etc/squid/acesso"
acl pathweb urlpath_regex "/usr/local/squid/etc/squid/acesso_path"

##Liberacao do MSN
acl msn urlpath_regex -i gateway.dll messenger
acl google_asp urlpath_regex -i ABInfGoogle.asp ABInfPri.asp?MODULO=WEB AB*.asp
acl msn_mime req_mime_type -i ^application/x-msn-messenger$
acl loginmsn dst login.live.com by4.omega.contacts.msn.com nexus.passport.com loginnet.passport.com
acl gtwmsn url_regex http.messenger.*.com messenger gateway.dll

###LIberacao
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 8080   #Apache
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 809      ##SPTRANS
acl CONNECT method CONNECT



##trata extensoes diretas de pagina
always_direct allow direct_access
http_access allow extensions

##Liberando sites (ESTA É A REGRA QUE MANDA NOS SITES QUE SÃO LIBERADOS PARA USO PARA TODOS OS USERS):
http_access allow domain_allwd 
http_access allow loja_lib
####REGRAS loja LOJA
http_access allow loja_allwd

#Bloqueia o restante na loja:
http_access deny loja


###lista de malware e negados
#http_access deny malware
http_access deny domain_negados
http_access deny downloads



#Bloquear apos conmfirmacao de sites a serem acessados e inclusao na acl loja_allwd
#http_access deny loja_lib
#http_access allow loja_lib

###DOWNLOADS
#reply_body_max_size 10240 deny limite
#http_access deny downloads


##ip permitidos
#http_access allow ippermitidos
http_access allow permitidos

##Bloqueio/Liberacao de MSN
http_access allow loginmsn
http_access allow msn
http_access allow msn_mime
http_access allow CONNECT loginmsn
http_access allow gtwmsn
#http_access allow msnomega
##Block na loja
http_access deny block_loja
http_access deny loja_lib sites_proibidos_loja


#POr horario para o suporte
http_access allow suporte sabado
http_access allow suporte almoco
http_access allow suporte manha
http_access allow suporte tarde
####MSN POR HORARIO - opcional:
#http_access allow msn almoco manha tarde
#http_access allow msn_mime almoco manha tarde

#http_access deny macteste
http_access allow permitidos
http_access allow acessoweb
http_access allow pathweb

http_access allow suporte_dir
##Negando acesso aos macs do suporte
http_access deny suporte
#http_access allow suporte

###LIBERACAO DA AUTENTICACAO NO ACTIVE DIRECTORY
#http_access allow usuario


##BLOQUEIO DE SITES PARA TODOS OS USUARIOS
#http_access deny domain_negados

##LIberando restante dos acessos a este proxy:
#http_access deny redelocal
http_access allow web
tcp_outgoing_tos 0x30 web
http_access allow financeiro
http_access allow desenvolvimento
tcp_outgoing_tos 0x30 desenvolvimento
#http_access allow loja

### - testando regra comentada abaixo
#http_access allow !suporte
http_access allow localhost
http_access allow manager 
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#http_access deny domain_negados
#http_access deny all
http_reply_access allow all
icp_access deny all
#acl limite src 192.168.0.0/24
#reply_body_max_size 0 deny limite
cache_mgr root
cache_effective_user squid
cache_effective_group squid
visible_hostname controlp
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
server_persistent_connections off
memory_pools off
forwarded_for unknown
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid/coredump

Comentários

Nenhum comentário foi encontrado.