squid bloqueia bancos [RESOLVIDO]

1. squid bloqueia bancos [RESOLVIDO]

Mauro R. Larrat
maurolarrat

(usa Ubuntu)

Enviado em 12/05/2011 - 09:21h

olá,

após configurar e conseguir executar o squid, o acesso aos sites de bancos (caixa, bradesco, banco do brasil e itau) é bloqueado.

acessos como google e outros sites funcionam.

meu squid:

############################################################################
# squid.conf as posted.  Directives are byte-identical to the post; the
# Portuguese comments were translated and NOTE(review) remarks added.
############################################################################

############################################################################
# ACLs identifying the network.
############################################################################

# localhost.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Intranets (the two LAN ranges that are allowed to browse).
acl INTRANET src 192.168.0.0/24
acl INTRANETWRL src 192.168.1.0/24


############################################################################
# ACLs identifying the ports that may be reached through the proxy.
############################################################################

# Ports a CONNECT tunnel may target.
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 447 # https
acl SSL_ports port 563 # https snews
acl SSL_ports port 7443 # https
acl SSL_ports port 873 # https rsync
acl SSL_ports port 10000 # https
# Ports a plain request may target.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# NOTE(review): this range already covers every port above 1024 listed
# further down (3456, 3307, 8080, 5900, 30000, 3128, 3389, 1433, 10001-10220,
# ...), so those entries add nothing, and "deny !Safe_ports" below then only
# blocks the unlisted low ports.  Remove it if an explicit allowlist is wanted.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 3456 # RECEITANET
acl Safe_ports port 95 # AND SAT
acl Safe_ports port 3307 # AND SAT
acl Safe_ports port 8080 # CONSULTA NÚMERO (number lookup)
acl Safe_ports port 587 # TURBOSITE SMTP
acl Safe_ports port 25 # TURBOSITE SMTP
acl Safe_ports port 110 # TURBOSITE POP3
acl Safe_ports port 993 # GMAIL IMAP
acl Safe_ports port 465 # GMAIL SMTP
acl Safe_ports port 5900 # VNC
acl Safe_ports port 5500 # VNC
acl Safe_ports port 5800 # VNC
acl Safe_ports port 30000 # BRADESCO
acl Safe_ports port 3128 # Squid
acl Safe_ports port 3130 # Squid
acl Safe_ports port 3388 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 3389 # Sisloc (duplicate of the previous line; harmless)
acl Safe_ports port 1433 # Sisloc
acl Safe_ports port 1434 # Sisloc
acl Safe_ports port 47 # Sisloc
acl Safe_ports port 10001-10220 # VNC Sisloc
acl Safe_ports port 8080 # GGB cameras (8080 is already listed above)
acl Safe_ports port 8010 # NG cameras
acl Safe_ports port 5050 # NG cameras
acl Safe_ports port 6050 # NG cameras
acl purge method PURGE
acl CONNECT method CONNECT


############################################################################
# ACLs referenced by the http_access rules.
############################################################################

# Used to block MSN Messenger (matches "gateway.dll" anywhere in the URL).
acl MSNMESSENGER url_regex -i gateway.dll

# Client IPs exempt from the MSN block.
# NOTE(review): url_regex matches the request URL, not the client address.
# If /etc/squid/liberados/ips holds client IPs, "src" is presumably the
# intended ACL type -- confirm against the file's contents.
acl IPSLIBERADOS url_regex -i "/etc/squid/liberados/ips"

# Bank sites that should not go through the proxy (one host per line).
# NOTE(review): dstdomain matches the listed host exactly unless the entry
# starts with a dot (".bradesco.com.br" also matches its subdomains).
acl sites_sem_proxy dstdomain "/etc/squid/liberados/sites"

############################################################################
# http_access rules.  Evaluated top to bottom; the first matching line wins.
############################################################################

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny plain requests to ports outside Safe_ports.
http_access deny !Safe_ports

# Deny CONNECT tunnels to ports outside SSL_ports.
http_access deny CONNECT !SSL_ports

# Block MSN Messenger (currently disabled).
#http_access deny MSNMESSENGER !IPSLIBERADOS

# Bank sites go straight to the origin server.
# NOTE(review): always_direct only decides whether a request is forwarded
# directly instead of via a cache_peer; it grants no access by itself, and no
# cache_peer appears in this file, so it has no bearing on the bank problem.
always_direct allow sites_sem_proxy

# Let our LANs browse.
# NOTE(review): these lines allow every request from the LAN that survived
# the port checks, so squid's own access rules are not what blocks the banks;
# see the http_port note below for the more likely cause.
http_access allow INTRANET
http_access allow INTRANETWRL
http_access allow localhost

# Everything else is denied.
http_access deny all

# Accept ICP queries only from the intranets.
icp_access allow INTRANET
icp_access allow INTRANETWRL
icp_access deny all


############################################################################
# Squid listening port.
############################################################################

# Squid normally listens to port 3128
# NOTE(review): "transparent" on a plain http_port only handles intercepted
# HTTP.  The iptables rule in the post redirects port 443 here as well, and a
# TLS handshake arriving on an http_port cannot be parsed, so intercepted
# HTTPS (the bank logins) fails while plain-HTTP sites work.  Either stop
# redirecting 443 or intercept it on an https_port with SSL bumping.
http_port 3128 transparent


############################################################################
# Additional settings.
############################################################################

# TAG: upgrade_http0.9
# Don't upgrade ShoutCast responses to HTTP
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

# TAG: broken_vary_encoding
# Many servers have broken support for on-the-fly Content-Encoding,
# returning the same ETag on both plain and gzip:ed variants.
# Vary replies matching this access list will have the cache split
# on the Accept-Encoding header of the request and not trusting the
# ETag to be unique.
#
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# TAG: extension_methods
# Squid only knows about standardized HTTP request methods.
# You can add up to 20 additional "extension" methods here.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

# TAG: hosts_file
hosts_file /etc/hosts

# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid



o arquivo sites:

www.bradesco.com.br
www.bradescopessoajuridica.com.br
www.bradescoseguros.com.br
www.bradescosaude.com.br
www.bradescoprime.com.br
www.bradesco.com
www.bradescoimoveis.com.br
www.bradescouniversitarios.com.br
www.bradescocapitalizacao.com.br
www.bb.com.br
www2.bancobrasil.com.br
www.caixa.gov.br
www1.caixa.gov.br
www8.caixa.gov.br
internetbanking.caixa.gov.br
www.caixacapitalizacao.com.br
www.caixavidaeprevidencia.com.br


regras do iptables:

# HTTP/HTTPS (WITH SQUID) -- posted with every rule commented out.
#FILTER
#iptables -A INPUT -i $INTRA -p tcp -m multiport --dport 3128,3130 -j ACCEPT
#iptables -A INPUT -i $INTRA -p tcp -m multiport --dport 80,443 -j ACCEPT
#NAT
# NOTE(review): this REDIRECT sends port 443 to the plain http_port 3128 as
# well as port 80.  Squid cannot parse a TLS handshake on that port, which is
# the likely reason the HTTPS bank sites fail while HTTP sites work.
# "viptables" looks like a paste artifact for "iptables".
#viptables -t nat -A PREROUTING -i $INTRA -p tcp -m multiport --dport 80,443 -j REDIRECT --to-port 3128

estou fazendo algumas pesquisas na internet, mas se alguém tiver uma dica aí eu agradeço!




  


2. Re: squid bloqueia bancos [RESOLVIDO]

Eriton Almeida
eritonalmeida

(usa Debian)

Enviado em 12/05/2011 - 09:44h

ta bagunçado seu squid.conf. qual acl ta liberando os sites dos bancos?


3. Re: squid bloqueia bancos [RESOLVIDO]

Mauro R. Larrat
maurolarrat

(usa Ubuntu)

Enviado em 12/05/2011 - 10:28h

são essas:

# Bank sites that should not go through the proxy (loaded from a file).
acl sites_sem_proxy dstdomain "/etc/squid/liberados/sites"

# NOTE(review): always_direct only decides whether a request is sent straight
# to the origin instead of via a cache_peer; it is not an access rule and
# grants nothing by itself.
always_direct allow sites_sem_proxy

Estava pesquisando e verifiquei que o squid se atrapalha para lidar com sites de bancos, tendo que ser feito um pré-roteamento no iptables para resolver... então fiz isso no iptables, antes do pré-roteamento para o squid (removendo também as regras do squid para os bancos citadas acima):

# Bradesco
# NOTE(review): -I inserts at the head of nat/PREROUTING, so these rules run
# before the REDIRECT that is appended later.  ACCEPT in the nat table means
# "do not NAT this packet", i.e. traffic to these destinations bypasses squid
# entirely.  The /16 prefixes are broad and hard-coded; they will need review
# whenever a bank moves address space.
iptables -t nat -I PREROUTING -i $INTRA -d 200.155.0.0/16 -p tcp -m multiport --dport 80,443 -j ACCEPT

# Banco do Brasil
iptables -t nat -I PREROUTING -i $INTRA -d 170.66.0.0/16 -p tcp -m multiport --dport 80,443 -j ACCEPT

# Itau
iptables -t nat -I PREROUTING -i $INTRA -d 200.196.152.0/24 -p tcp -m multiport --dport 80,443 -j ACCEPT


e apos estas regras (usando o append -A), pro squid:

# NOTE(review): port 443 is still redirected to the plain http_port here for
# every non-bank host, so any other HTTPS site hits the same failure the banks
# did; dropping 443 from --dport is what the later post ends up doing.
iptables -t nat -A PREROUTING -i $INTRA -p tcp -m multiport --dport 80,443 -j REDIRECT --to-port 3128


Detalhe, eu já tentei não especificando as portas para acesso aos bancos....

Não funcionou com nada acima.


4. Re: squid bloqueia bancos [RESOLVIDO]

Eriton Almeida
eritonalmeida

(usa Debian)

Enviado em 12/05/2011 - 10:36h

tem alguns problemas ai.

1- falta http_access allow sites_sem_proxy

2- o arquivo de sites precisa ser assim
bradesco.com.br
bradescopessoajuridica.com.br
bradescoseguros.com.br
bradescosaude.com.br
bradescoprime.com.br


5. Re: squid bloqueia bancos [RESOLVIDO]

Mauro R. Larrat
maurolarrat

(usa Ubuntu)

Enviado em 12/05/2011 - 10:49h

não funcionou.

esse squid é muito complicado... :\



6. Re: squid bloqueia bancos [RESOLVIDO]

Mauro R. Larrat
maurolarrat

(usa Ubuntu)

Enviado em 12/05/2011 - 11:14h

ok, aparentemente funcionou depois que eu mudei um pequeno detalhe no pré-roteamento do iptables:

# HTTP/HTTPS (WITH SQUID)
#FILTER
iptables -A INPUT -i $INTRA -p tcp -m multiport --dport 3128,3130 -j ACCEPT
iptables -A INPUT -i $INTRA -p tcp -m multiport --dport 80,443 -j ACCEPT
# NOTE(review): this FORWARD rule has no -i/-o, so it accepts 80/443 forwarded
# in both directions, including new connections arriving on the outside
# interface.  That only matters if a DNAT/port-forward to an internal host
# exists, but the tighter form keeps the intended shape: "-i $INTRA" for
# LAN-originated traffic plus "-m state --state ESTABLISHED,RELATED" for replies.
iptables -A FORWARD -p tcp -m multiport --dport 80,443 -j ACCEPT # CHANGED HERE !!!!!!!
#NAT pre-routing to Squid.  MUST use append (-A) so the bank rules below, inserted with -I, stay ahead of it.
# NOTE(review): only port 80 is redirected now (443 was dropped from --dport).
# A plain http_port cannot parse TLS, so this is most likely the change that
# made HTTPS to the banks work, rather than the FORWARD edit above.
iptables -t nat -A PREROUTING -i $INTRA -p tcp -m multiport --dport 80 -j REDIRECT --to-port 3128

# Bradesco
# NOTE(review): the bank rules below no longer restrict -p/--dport, so every
# protocol to these prefixes skips NAT and therefore the proxy.  With 443 no
# longer redirected they are largely redundant, and the hard-coded /16 and
# /24 ranges need reviewing whenever a bank changes addresses.
iptables -t nat -I PREROUTING -i $INTRA -d 200.155.0.0/16 -j ACCEPT

# Banco do Brasil
iptables -t nat -I PREROUTING -i $INTRA -d 170.66.0.0/16 -j ACCEPT

# Itau
iptables -t nat -I PREROUTING -i $INTRA -d 200.196.152.0/24 -j ACCEPT

# Caixa
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.160.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.166.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.173.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.174.0/24 -j ACCEPT

deixei o forward habilitado tanto para entrar quanto para sair da rede na 80 e na 443. Antes estava apenas para sair da rede.

Estou em testes... caso de algum pau eu posto aqui.



7. Re: squid bloqueia bancos [RESOLVIDO]

Eriton Almeida
eritonalmeida

(usa Debian)

Enviado em 12/05/2011 - 11:21h

para aprender vc precisa começar com o basicão do squid. dei uma simplificada no seu squid.conf, testa aí e depois vai colocando mais regras.

# Simplified squid.conf proposed in the reply.  Directives are byte-identical
# to the post; comments translated and NOTE(review) remarks added.
http_port 3128 transparent

cache_dir ufs /var/spool/squid 2048 16 256
# NOTE(review): newer Squid releases name this directive access_log; check
# the installed version if "squid -k parse" rejects it.
cache_access_log /var/log/squid/access.log
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid


acl manager proto cache_object
acl all src all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Ports a CONNECT tunnel may target.
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 447 # https
acl SSL_ports port 563 # https snews
acl SSL_ports port 7443 # https
acl SSL_ports port 873 # https rsync
acl SSL_ports port 10000 # https
# Ports a plain request may target.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# NOTE(review): this range already covers every port above 1024 listed
# below, so those entries are redundant and "deny !Safe_ports" only blocks
# the unlisted low ports.  Remove it if an explicit allowlist is wanted.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 3456 # RECEITANET
acl Safe_ports port 95 # AND SAT
acl Safe_ports port 3307 # AND SAT
acl Safe_ports port 8080 # CONSULTA NÚMERO (number lookup)
acl Safe_ports port 587 # TURBOSITE SMTP
acl Safe_ports port 25 # TURBOSITE SMTP
acl Safe_ports port 110 # TURBOSITE POP3
acl Safe_ports port 993 # GMAIL IMAP
acl Safe_ports port 465 # GMAIL SMTP
acl Safe_ports port 5900 # VNC
acl Safe_ports port 5500 # VNC
acl Safe_ports port 5800 # VNC
acl Safe_ports port 30000 # BRADESCO
acl Safe_ports port 3128 # Squid
acl Safe_ports port 3130 # Squid
acl Safe_ports port 3388 # Sisloc
acl Safe_ports port 3389 # Sisloc
acl Safe_ports port 3389 # Sisloc (duplicate of the previous line; harmless)
acl Safe_ports port 1433 # Sisloc
acl Safe_ports port 1434 # Sisloc
acl Safe_ports port 47 # Sisloc
acl Safe_ports port 10001-10220 # VNC Sisloc
acl Safe_ports port 8080 # GGB cameras (8080 is already listed above)
acl Safe_ports port 8010 # NG cameras
acl Safe_ports port 5050 # NG cameras
acl Safe_ports port 6050 # NG cameras
acl purge method PURGE
acl CONNECT method CONNECT

# Used to block MSN Messenger (matches "gateway.dll" anywhere in the URL).
acl MSNMESSENGER url_regex -i gateway.dll

# Client IPs exempt from the MSN block.
# NOTE(review): url_regex matches the request URL, not the client address; if
# the file holds client IPs, "src" is presumably the intended ACL type -- confirm.
acl IPSLIBERADOS url_regex -i "/etc/squid/liberados/ips"

# Bank sites that may pass.
# NOTE(review): this was dstdomain in the original config.  An unanchored
# url_regex matches the text anywhere in the URL (path, query string, or any
# host that merely contains it), so this allowlist is satisfied by a URL on an
# unrelated host that embeds "bradesco.com.br".  dstdomain with dot-prefixed
# entries (.bradesco.com.br) is the precise form for a per-domain allowlist.
acl sites_sem_proxy url_regex -i "/etc/squid/liberados/sites"

# Rules are evaluated top to bottom; the first match decides.
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# NOTE(review): no allow for the LAN ranges appears here, so everything that
# is not matched by sites_sem_proxy is denied by the final line -- presumably
# intended as a minimal test config.  Non-localhost PURGE also ends at
# "deny all", so the dropped "deny purge" line is not a gap.
http_access allow sites_sem_proxy
http_access deny MSNMESSENGER !IPSLIBERADOS
http_access deny all





