Liberar site no squid

25. Analisando...

dastyler
(usa Fedora)

Enviado em 02/07/2009 - 14:03h

NOvamenet suas regras e seguindo a logica anterior, não tem como colocar o http_access allow sites_liberados antes da regra http_access deny proxys?
E mesmo assim nao funcionou?

0 0

Quote

26. Qual ...

dastyler
(usa Fedora)

Enviado em 02/07/2009 - 14:17h

o skema de autenticação usado no seu Squid?
Tente colocar a linha http_access allow sites_liberados antes dos bloqueios (deny) no squid.conf.
Parta efeitos de teste, mude:

http_access deny all
para:

http_access allow all

e rode squid -k reconfigure e veja o que dá...;)

[]´s

0 0

Quote

27. Re: Liberar site no squid

mn.2192
(usa Slackware)

Enviado em 03/07/2009 - 11:00h

olha como está meu squid agora

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl desbloqueados url_regex -i "/etc/squid/arquivos/liberados/sites_liberados.txt"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl Safe_ports port 443
#acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 25
acl SSL_ports port 110
acl SSL_ports port 110
acl Safe_ports port 80 # http
acl Safe_ports port 20-21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#acl Safe_ports port 110 # POP
#acl Safe_ports port 25 # SMTP
acl CONNECT method CONNECT

## CONFIGURACAO DAS ACLs
acl gdiretoria proxy_auth "/etc/squid/arquivos/grupos/gdiretoria" REQUIRED
acl gproducao proxy_auth "/etc/squid/arquivos/grupos/gproducao" REQUIRED
acl grestrito proxy_auth "/etc/squid/arquivos/grupos/grestrito" REQUIRED
acl gmail proxy_auth "/etc/squid/arquivos/grupos/gmail" REQUIRED
acl gmsn proxy_auth "/etc/squid/arquivos/grupos/gmsn" REQUIRED
acl rede_local src 192.168.1.0/255.255.255.0

acl dl_gdiretoria dstdomain "/etc/squid/arquivos/liberados/dl_gdiretoria"
acl dl_gproducao dstdomain "/etc/squid/arquivos/liberados/dl_gproducao"
acl dl_grestrito dstdomain "/etc/squid/arquivos/liberados/dl_grestrito"
acl dl_gmail dstdomain "/etc/squid/arquivos/liberados/dl_gmail"
acl dl_geral dstdomain "/etc/squid/arquivos/liberados/dl_geral"
acl db_geral dstdomain "/etc/squid/arquivos/bloqueados/db_geral"
#acl db_gproducao dstdomain "/etc/squid/arquivos/bloqueados/db_gproducao"
acl dl_gmsn dstdomain "/etc/squid/arquivos/liberados/dl_gmsn"
#acl db_msn dstdomain "/etc/squid/arquivos/bloqueados/db_msn"
acl proxys dstdomain "/etc/squid/arquivos/bloqueados/proxys"
#acl desktop_msn req_mime_type -i ^application/x-msn-messenger$
acl sites_liberados dstdomain "/etc/squid/arquivos/liberados/sites_liberados"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
#http_access deny !CONNECT SSL_ports
http_access allow CONNECT SSL_ports
http_access allow localhost
http_access deny !rede_local

http_access allow sites_liberados
http_access deny proxys
http_access deny db_geral
http_access allow dl_geral
http_access allow gproducao dl_gproducao
http_access allow grestrito dl_grestrito
http_access allow gmsn dl_gmsn
http_access allow dl_gmail
http_access allow gdiretoria

http_reply_access allow all
icp_access allow all
coredump_dir /var/lib/squid/cache
http_access deny all

e mesmo assim não funciona. Qdo dou um squid -k reconfigure da erro

0 0

Quote

28. Vamos lá mn:

dastyler
(usa Fedora)

Enviado em 03/07/2009 - 11:29h

Qual o erro que esta apresentando?
Vou postar uma conf de exemplo que voce possa se basear para resolver o problema:

#http_port 3126
#http_port 3128 transparent
http_port 192.168.0.252:3128
icp_port 0
hierarchy_stoplist cgi-bin ?

##Bypass em paginas jsp e jnlp:
hierarchy_stoplist jsp
hierarchy_stoplist jnlp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB

##objetos no cache
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 3000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

##gerenciamento de ftp
#ftp_passive off
ftp_passive on
ftp_sanitycheck off
ftp_telnet_protocol off
auth_param basic children 200
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

##Habilitando LOG com users do servidor AD (M$)
#auth_param ntlm program /usr/bin/ntlm_auth CONTROL/servidor --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 200
#auth_param ntlm keep_alive on
######

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
read_timeout 30 seconds
half_closed_clients off
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
#acl all src 0.0.0.0/0.0.0.0

##Horarios liberados para acesso
#acl usuario proxy_auth REQUIRED
acl sabado time A 07:30-18:00
acl tarde time MTWHF 17:30-20:00
acl manha time MTWHF 07:30-08:30
acl almoco time MTWHF 12:00-13:15
acl suporte_dir arp "/usr/local/squid/etc/squid/mac_address_suporte_dir"
acl suporte arp "/usr/local/squid/etc/squid/mac_address_negado"
acl desenvolvimento arp "/usr/local/squid/etc/squid/mac_maquinas_desenvolvimento"
acl financeiro arp "/usr/local/squid/etc/squid/mac_maquinas_finan"
acl web arp "/usr/local/squid/etc/squid/mac_maquinas_web"

##opcional - malware
#acl malware url_regex -i "/usr/local/squid/etc/squid/malware.txt"
#acl redelocal src 192.168.0.0/24
acl block_loja arp "/usr/local/squid/etc/squid/block_full_loja"
acl loja arp "/usr/local/squid/etc/squid/loja"
acl sites_proibidos_loja dstdomain "/usr/local/squid/etc/squid/deny_loja"
acl loja_lib arp "/usr/local/squid/etc/squid/mac_loja"
acl direct_access dstdomain "/usr/local/squid/etc/squid/direct_access"

###BLOQUEIA DOWNLOADS DE ARQUIVOS
acl downloads urlpath_regex "/usr/local/squid/etc/squid/downloads"
acl extensions urlpath_regex "/usr/local/squid/etc/squid/extensions"

###Dominios permitidos para navegacao em qualquer horario
acl loja_allwd dstdomain "/usr/local/squid/etc/squid/sites_loja"
acl domain_allwd dstdomain "/usr/local/squid/etc/squid/domains_allowed"
acl domain_negados dstdomain "/usr/local/squid/etc/squid/negados"

acl permitidos dstdom_regex "/usr/local/squid/etc/squid/permitidos"
acl acessoweb url_regex "/usr/local/squid/etc/squid/acesso"
acl pathweb urlpath_regex "/usr/local/squid/etc/squid/acesso_path"

##Liberacao do MSN
acl msn urlpath_regex -i gateway.dll messenger
acl google_asp urlpath_regex -i ABInfGoogle.asp ABInfPri.asp?MODULO=WEB AB*.asp
acl msn_mime req_mime_type -i ^application/x-msn-messenger$
acl loginmsn dst login.live.com by4.omega.contacts.msn.com nexus.passport.com loginnet.passport.com
acl gtwmsn url_regex http.messenger.*.com messenger gateway.dll

###LIberacao
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 8080 #Apache
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 809 ##SPTRANS
acl CONNECT method CONNECT

##trata extensoes diretas de pagina
always_direct allow direct_access
http_access allow extensions

##Liberando sites (ESTA É A REGRA QUE MANDA NOS SITES QUE SÃO LIBERADOS PARA USO PARA TODOS OS USERS):
http_access allow domain_allwd
http_access allow loja_lib
####REGRAS loja LOJA
http_access allow loja_allwd

#Bloqueia o restante na loja:
http_access deny loja

###lista de malware e negados
#http_access deny malware
http_access deny domain_negados
http_access deny downloads

#Bloquear apos conmfirmacao de sites a serem acessados e inclusao na acl loja_allwd
#http_access deny loja_lib
#http_access allow loja_lib

###DOWNLOADS
#reply_body_max_size 10240 deny limite
#http_access deny downloads

##ip permitidos
#http_access allow ippermitidos
http_access allow permitidos

##Bloqueio/Liberacao de MSN
http_access allow loginmsn
http_access allow msn
http_access allow msn_mime
http_access allow CONNECT loginmsn
http_access allow gtwmsn
#http_access allow msnomega
##Block na loja
http_access deny block_loja
http_access deny loja_lib sites_proibidos_loja

#POr horario para o suporte
http_access allow suporte sabado
http_access allow suporte almoco
http_access allow suporte manha
http_access allow suporte tarde
####MSN POR HORARIO - opcional:
#http_access allow msn almoco manha tarde
#http_access allow msn_mime almoco manha tarde

#http_access deny macteste
http_access allow permitidos
http_access allow acessoweb
http_access allow pathweb

http_access allow suporte_dir
##Negando acesso aos macs do suporte
http_access deny suporte
#http_access allow suporte

###LIBERACAO DA AUTENTICACAO NO ACTIVE DIRECTORY
#http_access allow usuario

##BLOQUEIO DE SITES PARA TODOS OS USUARIOS
#http_access deny domain_negados

##LIberando restante dos acessos a este proxy:
#http_access deny redelocal
http_access allow web
tcp_outgoing_tos 0x30 web
http_access allow financeiro
http_access allow desenvolvimento
tcp_outgoing_tos 0x30 desenvolvimento
#http_access allow loja

### - testando regra comentada abaixo
#http_access allow !suporte
http_access allow localhost
http_access allow manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
##opcional:
#http_access deny domain_negados
#http_access deny all
http_reply_access allow all
icp_access deny all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
visible_hostname controlp
server_persistent_connections off
memory_pools off
forwarded_for unknown
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid/coredump

0 0

Quote