Squid com autenticação [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 02/05/2011 - 16:28h

Olá amigos, saudações!

Estou com um problema com squid, (lembro-os que sou iniciante) quero usar autenticação, mas quando faço isso o msn não conecta de jeito nenhum. Já peguei várias linhas de conf na net, inclusive aqui. Já coloquei usuario e senha na configuração do msn. Porém sem sucesso. Criei arquivo com os endereços do msn, o squid busca, mas, nada.

Ao tentar conectar no msn, aparece que não foi possível encontrar meus contatos...

No log do squid está mostrando bloqueios (denied) na porta 1863 e 443


OBS. Eu utilizo Opensuse. (versão 11.0) e faço redirecionamento da rede para porta 3128 no susefirewall2.


Segue a conf: (sem msn)

http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 64 MB

cache_swap_low 85
cache_swap_high 90

maximum_object_size 128 MB
minimum_object_size 0

maximum_object_size_in_memory 64 KB

cache_dir ufs /var/cache/squid 5000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
client_netmask 255.255.255.0


auth_param basic program /etc/squid/users/ncsa_auth /etc/squid/users/passwd
auth_param basic realm FIRESAT
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
#
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
#
acl SSL_ports port 443 # https
acl SSL_ports port 465 # YAHOO - SMTP (SSL)
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 995 # YAHOO - POP3 (SSL)
#
acl purge method PURGE
acl CONNECT method CONNECT
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
#
# Criando as ACLs personalizadas
#
acl rede_interna src 192.168.30.0/24
#
#*******************************************************#
# - Ambiente com 3 grupos: #
# #
# Grupo 1 - usr_total - os usuários tem acesso livre a Internet #
# Grupo 2 - usr_bloqueado - os usuáriosacessam qualquer site que #
# não estiver na lista url_bloqueado #
# Grupo 3 - usr_restrito - os usuários acessam somente os sites #
# que estiverem na lista url_liberado #
#*******************************************************#
#
acl usuarios proxy_auth REQUIRED

#*** Usuarios com acesso livre
#
acl acesso_livre proxy_auth "/etc/squid/listas/usr_livre"
#
http_access allow acesso_livre
#
#*** usuários com acesso controlado pelos sites bloqueados
#
acl acesso_restrito proxy_auth "/etc/squid/listas/usr_restrito"
acl url_bloqueado url_regex -i "/etc/squid/listas/url_bloqueado"
#
http_access deny url_bloqueado
http_access allow acesso_restrito !url_bloqueado
#
#*** Usuarios com acesso somente aos sites liberados
#
acl acesso_bloqueado proxy_auth "/etc/squid/listas/usr_bloqueado"
acl url_liberado url_regex -i "/etc/squid/listas/url_liberado"
#
http_access allow url_liberado
http_access deny acesso_bloqueado !url_liberado
#
http_access allow usuarios acesso_livre
http_access allow usuarios acesso_restrito
http_access allow usuarios acesso_bloqueado

http_access deny !rede_interna
http_access allow rede_interna
http_access deny all
icp_access allow all
#
cache_mgr webmaster
visible_hostname xxxxxxx
#
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid


Origado a todos.

renato_pacheco
(usa Debian)

Enviado em 02/05/2011 - 16:52h

Jogue aki quais são as linhas q o log do squid mostra quando bloqueia. Assim fica mais fácil saber a origem.

matheusoveral
(usa Ubuntu)

Enviado em 02/05/2011 - 16:52h

Cara eu quebrei muito a minha cabeça tentando achar uma solução.
Porem não consegui... tudo que tu tentou eu também tentei.
No meu caso eu configurei uma regra no squid para liberar detenminado IP(ipcommsn);
Configurei o DNS;
Liberei a porta do msn (1863);
E apliquei uma regra para bloquear os acessos deste IP, sites pornograficos, etc...
Funcionou sem autenticação!

Com autenticação só consegui com o Amsn.

removido
(usa Nenhuma)

Enviado em 02/05/2011 - 18:45h

1304352387.488 1814 192.168.30.0 TCP_DENIED/407 1857 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1304352387.705 179 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352401.107 35 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 - NONE/- text/html
1304352404.197 0 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352408.665 2 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 - NONE/- text/html
1304352411.784 8 192.168.30.0 TCP_DENIED/400 2269 POST error:invalid-request - NONE/- text/html
1304352412.393 1 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352413.686 12 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 - NONE/- text/html
1304352422.394 0 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352423.864 0 192.168.30.0 TCP_DENIED/407 1761 GET http://www.google.com.br/ - NONE/- text/html
1304352460.876 151 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 - NONE/- text/html
1304352466.943 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 - NONE/- text/html
1304352500.548 1 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352502.999 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352517.009 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352517.094 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352524.508 0 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 192.168.30.1 NONE/- text/html
1304352527.691 349 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352535.506 15 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 192.168.30.1 NONE/- text/html
1304352540.841 0 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352540.930 579 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352541.016 1 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352543.665 1 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 192.168.30.1 NONE/- text/html
1304352546.699 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352546.784 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352547.469 0 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352549.215 1 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352549.307 1 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352549.496 2 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 192.168.30.1 NONE/- text/html
1304352556.691 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352556.784 0 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352568.890 1 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352579.278 576 192.168.30.0 TCP_DENIED/407 1761 GET http://www.google.com.br/ - NONE/- text/html
1304352587.798 1844 192.168.30.0 TCP_MISS/200 12016 GET http://www.google.com.br/ lazaro DIRECT/74.125.229.116 text/html
1304352588.594 631 192.168.30.0 TCP_MISS/204 464 GET http://www.google.com.br/csi? lazaro DIRECT/74.125.229.116 text/html
1304352589.380 1582 192.168.30.0 TCP_MISS/204 372 GET http://clients1.google.com.br/generate_204 lazaro DIRECT/72.14.204.102 text/html
1304352590.983 0 192.168.30.0 TCP_DENIED/407 1740 CONNECT login.live.com:443 192.168.30.1 NONE/- text/html
1304352591.132 3151 192.168.30.0 TCP_MISS/204 575 GET http://www.google.com/gen_204? lazaro DIRECT/74.125.229.114 text/html
1304352593.780 0 192.168.30.0 TCP_DENIED/407 1854 POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- text/html
1304352687.132 1 192.168.30.0 TCP_DENIED/407 1761 CONNECT loginnet.passport.com:443 192.168.30.1 NONE/- text/html
1304352775.619 0 192.168.30.0 TCP_DENIED/400 2269 POST error:invalid-request - NONE/- text/html
1304353110.811 2583 192.168.30.0 TCP_DENIED/407 1809 GET http://weather.service.msn.com/data.aspx? - NONE/- text/html
1304353137.173 0 192.168.30.0 TCP_DENIED/400 2269 POST error:invalid-request - NONE/- text/html
1304353502.546 0 192.168.30.0 TCP_DENIED/400 2269 POST error:invalid-request - NONE/- text/html
1304353676.693 2395 192.168.30.0 TCP_MISS/200 1992 GET http://weather.service.msn.com/data.aspx? lazaro DIRECT/65.55.17.39 text/xml

renato_pacheco
(usa Debian)

Enviado em 03/05/2011 - 12:32h

Nas suas regras, libere o acesso a esses dois arquivos:

gateway.dll
sqmserver.dll

Dae resolve o seu problema.

removido
(usa Nenhuma)

Enviado em 03/05/2011 - 19:02h

Olá brothers.

O problema foi resolvido, obrigado pela ajuda de vocês.

Bom, ficou assim para a conf acima:

No susefirewall2 tem essa linha:
FW_FORWARD=""

então coloquei assim:

FW_FORWARD="192.168.30.0/24 -p tcp --dport 1863 -j ACCEPT"

Fonte: (http://www.vivaolinux.com.br/topico/Squid-Iptables/Liberar-msn-para-alguns-IPs-no-Iptables)
(troquei o REJECT pelo ACCEPT

Quanto aos endereços que o Renato disse-me para liberar, funciona perfeitamente com a conf abaixo:

O msn funciona normalmente, basta o usuário ter acesso full ou colocar no arquivo liberados_url os endereços do msn que o Renato falou, para quem tem acesso bloqueado.

Obs. Obviamente, só funcionará com o nome e senha do usuário no proxy do msn.

A outra conf:


# TAG: visible_hostname
visible_hostname ELETROSAT

# TAG: http_port
# Squid normally listens to port 3128
http_port 192.125.10.254:3128

# TAG: acl
# Defining an Access List

auth_param basic program /etc/squid/users/ncsa_auth /etc/squid/users/passwd
auth_param basic children 5
auth_param basic realm FIRESAT
acl grpacessorestrito proxy_auth "/etc/squid/grpacessorestrito"
acl grpacessototal proxy_auth "/etc/squid/grpacessototal"
acl bloqueios_url url_regex "/etc/squid/bloqueios_url"
acl liberados_url url_regex "/etc/squid/liberados_url"

acl all src 192.125.10.0/255.255.255.0
acl autenticacao proxy_auth REQUIRED
http_access allow grpacessototal
http_access deny bloqueios_url !liberados_url
http_access allow grpacessorestrito
acl manager proto cache_object
http_access allow autenticacao
http_access deny all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache


# TAG: cache
cache deny QUERY

# TAG: broken_vary_encoding
broken_vary_encoding allow apache

# TAG: access_log
access_log /var/log/squid/access.log

# TAG: http_access
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost


# TAG: icp_access
icp_access allow all

# TAG: cache_mem (bytes)
cache_mem 128 MB

# TAG: maximum_object_size_in_memory (bytes)
maximum_object_size_in_memory 8 MB

ipcache_size 3072

ipcache_low 90

ipcache_high 93

# TAG: memory_replacement_policy
memory_replacement_policy lru

# TAG: cache_replacement_policy
cache_replacement_policy lru

# TAG: cache_dir
cache_dir ufs /var/cache/squid 5000 16 256

# TAG: minimum_object_size (bytes)
minimum_object_size 0 KB

# TAG: maximum_object_size (bytes)
maximum_object_size 512 MB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
cache_swap_low 90

cache_swap_high 95

# TAG: cache_log
cache_log /var/log/squid/cache.log

# TAG: cache_store_log
cache_store_log /var/log/squid/store.log

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: cache_mgr
cache_mgr esoares.toc@gmail.com

client_lifetime 1 days

connect_timeout 2 minutes

emulate_httpd_log off

error_directory /usr/share/squid/errors/Portuguese

ftp_passive on

removido
(usa Nenhuma)

Enviado em 03/05/2011 - 19:04h

Abraço.