Autenticação no SQUID3 [RESOLVIDO]

anderramos
(usa Debian)

Enviado em 19/02/2010 - 16:26h

boa tarde a todos, bem sou iniciante no linux,e tenho uma rede com 16 maquinas tenho, um proxy squid configurado certinho rodando, com bloqueio de sites, etc...td certinho a minha duvida é a seguinte
que linhas e onde eu add no meu squid, para que os usuarios faça a autenticação, ja tentei varios
tutorias e nao deu certo, aguardo uma resposta de vcs muito obrigado.

segue a conf do meu squid.



# inicio da configuração do meu proxy
http_port 3128
cache_mem 512 MB #
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 60028876 16 256

maximum_object_size 30000 KB
maximum_object_size_in_memory 40 KB

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
mime_table /usr/share/squid3/mime.conf

cache_mgr dddjandersonrramos@msn.com
memory_pools off

diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl redelocal src 192.168.0.0/24

# ############ ACL para o bloqueio de spyware
acl spyware dstdomain "/etc/squid3/spyware"


# ####### ACL de ips liberados no proxy com acesso total ###
acl livre src 192.168.0.112
acl livre src 192.168.0.113

## acl para bloqueio de dawloads por extencoes
acl extensoes_proibidas url_regex -i "/etc/squid3/extensoes_proibidas"

# ACL portas utilizadas.
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 1863 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

### libera acesso total a alguns
http_access allow livre

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#### inicio da regra de sites permitidos por grupo ######

#### recepcao ##########

acl sites_liberados_recepcao dstdomain "/etc/squid3/sites_liberados_recepcao"
acl recepcao src 192.168.0.100
acl recepcao src 192.168.0.101
http_access allow recepcao sites_liberados_recepcao
http_access deny recepcao

###### faturamento #######

acl sites_liberados_faturamento dstdomain "/etc/squid3/sites_liberados_faturamento"
acl faturamento src 192.168.0.102
acl faturamento src 192.168.0.103
http_access allow faturamento sites_liberados_faturamento
http_access deny faturamento

###### RH ##############

acl sites_liberados_rh dstdomain "/etc/squid3/sites_liberados_rh"
acl rh src 192.168.0.104
acl rh src 192.168.0.103
acl rh src 192.168.0.105
http_access allow rh sites_liberados_rh
http_access deny rh


##### Farmacia ############

acl sites_liberados_farmacia dstdomain "/etc/squid3/sites_liberados_farmacia"
acl farmacia src 192.168.0.107
acl farmacia src 192.168.0.108
http_access allow farmacia sites_liberados_farmacia
http_access deny farmacia


####### Posto e Centro cirurgico ###########
acl sites_liberados_postocentro dstdomain "/etc/squid3/sites_liberados_postocentro"
acl postocentro src 192.168.0.109
acl postocentro src 192.168.0.110
http_access allow postocentro sites_liberados_postocentro
http_access deny postocentro


###### fim da regra de bloqueio por grupos #######

http_access deny spyware
http_access deny extensoes_proibidas
http_access allow redelocal

mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname INSANE

error_directory /usr/share/squid3/errors/Portuguese/

wesley00
(usa Debian)

Enviado em 21/02/2010 - 11:57h

#proxy com autenticaçao
#adicione as seguintes linhas no seu conf

auth_param basic realm (Server Proxy) Digite a senha
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl autenticados proxy_auth REQUIRED


crie arquivo a ser usado: #touch /etc/suid/squid_passwd
cadastre os logins e senhas: #htpasswd /etc/squid/squd_passwd "usuario"

Espero ter ajudado!!!!
ate +....

anderramos
(usa Debian)

Enviado em 27/02/2010 - 10:59h

bem consegui autenticar so que agora, depois de autenticar as regras de bloqueio nao funciona mais...ja mudei as regras varias vezes sem sucesso, sniff..

sei que o problemas esta em http_access allow... e
http_access deny.... mais infeslislemte nao sei onde... gostaria muito da ajuda de voces mais uma vez..

muito obrigado

icaro.macedo
(usa Debian)

Enviado em 03/03/2010 - 18:55h

Nobre amigo, para que o Squid faça autenticação correta vc adiciona as seguintes linhas antes das ACLs:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite seu Usuario e Senha!!
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Esta ACL força a autenticação dos usuarios:

acl usuarios proxy_auth REQUIRED

Na parte de http_access colocar o seguinte:

# configuracoes padroes #
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# Configuracies de acessos #
http_access deny !usuarios --->> onde isto é a acl que criamos logo acima

aki vc adiciona o que é liberado e o que é bloqueado.


http_access allow rede -->> onde (rede) é a acl acima de minha rede completa
http_access deny all

Espero ter ajudado!!!

JoeBala
(usa Outra)

Enviado em 23/12/2011 - 15:18h

Alguém pode por favor me dá uma luz. Sou calouro em squid!!!

Já verifiquei o arquivo ncsa_auth e o passwd. A princípio estão íntegros e no local correto. Qual pode ser a causa dele não querer autenticar??? usuário navega normal com as mesmas regras que separei por ip, pois não pede pra autenticar.



Debian com Squid3

Meu squid.conf
----------------------------------------------------------------------------------------------
http_port 3128 transparent
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Digite seu usuario e senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
visible_hostname forumti
cache_mgr webmaster@localhost
error_directory /usr/share/squid3/errors/Portuguese

hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB
cache_dir ufs /var/spool/squid3 2040 16 256

refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /var/log/squid3/access.log

acl localhost src 127.0.0.1/32
acl localnet src 10.30.0.0/16


#TI
acl user_free src "/etc/squid3/user_free"
http_access allow user_free

#Autentica
acl usuarios proxy_auth REQUIRED
http_access allow usuarios

#Superintendentes e Gerentes
acl user_chefia src "/etc/squid3/user_chefia"

#Marketing e Merchandising
acl user_social src "/etc/squid3/user_social"

#Operacional
acl user_operacional src "/etc/squid3/user_operacional"

#Administrativo
acl user_administrativo src "/etc/squid3/user_administrativo"

#Financeiro
acl user_financeiro src "/etc/squid3/user_financeiro"

#usuario Download
acl user_download src "/etc/squid3/user_download"

#usuario msn
acl user_msn src "/etc/squid3/user_msn"

#sites excessao
acl unblockedsites url_regex -i "/etc/squid3/unblock"

#horario de acesso
acl almoco time MTWHF 13:00-14:00
http_access deny almoco user_operacional
http_access allow localnet almoco

acl free time MTWHFSA 07:00-09:00
http_access allow localnet free

acl manager proto cache_object
http_access allow manager localhost
http_access deny manager


#controle download
acl download url_regex -i "/etc/squid3/extensions"
http_access allow download user_download
http_access deny download !unblockedsites


#controle de banda
delay_pools 2

#sem restricao de banda
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow user_free

#restricao banda geral
delay_class 2 2
delay_parameters 2 20000/20000 20000/20000
delay_access 2 allow all

#Bloqueio MSN
acl msn url_regex -i /gateway/gateway.dll
http_access allow msn user_social
http_access allow msn user_chefia
http_access deny msn !user_msn


acl purge method PURGE
http_access allow purge localhost
http_access deny purge

acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # mntps
acl Safe_ports port 591 # filemaker
acl Safe_ports port 633 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports
http_access deny !Safe_ports

acl connect method CONNECT
acl ssl_ports port 443 # https
acl ssl_ports port 563 # mntps
acl ssl_ports port 873 # rsync
http_access deny connect !SSL_ports


#url dominio bloqueados
acl domains dstdomain "/etc/squid3/domains"
http_access deny domains !unblockedsites


#palavras bloqueadas
acl words url_regex -i "/etc/squid3/words"
http_access deny words !unblockedsites


#extension blocked
acl extensions urlpath_regex -i "/etc/squid3/extensions"
http_access allow extensions user_download
http_access deny extensions !unblockedsites


#Bloqueio porta 443 https
acl https port 443
http_access allow https user_chefia
http_access allow https user_social
http_access allow https user_msn
http_access deny https !unblockedsites


http_access allow localnet
http_access allow localhost
http_access deny all
----------------------------------------------------------------------------------------------

saitam
(usa Slackware)

Enviado em 23/12/2011 - 16:00h

@JoeBala fiz algumas alterações no teu squid.conf confere.
É importante avisar que proxy transparent e autenticado não funcionam juntos, deve escolher transparent OU autenticado.
proxy transparent: apenas 1 regra iptables que faz o redirecionamento da porta 80 para 3128(squid).
proxy autenticado: precisa configurar no navegador apontando o ip:porta na estação.

crie usuários do proxy
Nota: necessário ter o Apache instalado.
touch /etc/squid3/passwd
httpasswd /etc/squid3/passwd usuario

Segue as alterações feitas do squid.conf

http_port 3128
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Digite seu usuario e senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
visible_hostname forumti
cache_mgr webmaster@localhost
error_directory /usr/share/squid3/errors/Portuguese

hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB
cache_dir ufs /var/spool/squid3 2040 16 256

refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /var/log/squid3/access.log

acl localhost src 127.0.0.1/32
acl localnet src 10.30.0.0/16


#TI
acl user_free proxy_auth "/etc/squid3/user_free"
http_access allow user_free

#Autentica
acl usuarios proxy_auth REQUIRED
http_access allow usuarios

#Superintendentes e Gerentes
acl user_chefia proxy_auth "/etc/squid3/user_chefia"
http_access allow user_chefia

#Marketing e Merchandising
acl user_social proxy_auth "/etc/squid3/user_social"
http_access deny user_social

#Operacional
acl user_operacional proxy_auth "/etc/squid3/user_operacional"
http_access deny user_operacional

#Administrativo
acl user_administrativo proxy_auth "/etc/squid3/user_administrativo"
http_access allow user_administrativo

#Financeiro
acl user_financeiro proxy_auth "/etc/squid3/user_financeiro"
http_access deny user_financeiro

#usuario Download
acl user_download proxy_auth "/etc/squid3/user_download"

#usuario msn
acl user_msn proxy_auth "/etc/squid3/user_msn"
http_access deny user_msn

#sites excessao
acl unblockedsites url_regex -i "/etc/squid3/unblock"

#horario de acesso
acl almoco time MTWHF 13:00-14:00
http_access deny almoco user_operacional
http_access allow localnet almoco

acl free time MTWHFSA 07:00-09:00
http_access allow localnet free

acl manager proto cache_object
http_access allow manager localhost
http_access deny manager


#controle download
acl download url_regex -i "/etc/squid3/extensions"
http_access allow download user_download
http_access deny download !unblockedsites


#controle de banda
delay_pools 2

#sem restricao de banda
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow user_free

#restricao banda geral
delay_class 2 2
delay_parameters 2 20000/20000 20000/20000
delay_access 2 allow all

#Bloqueio MSN
acl msn url_regex -i /gateway/gateway.dll
http_access allow msn user_social
http_access allow msn user_chefia
http_access deny msn !user_msn


acl purge method PURGE
http_access allow purge localhost
http_access deny purge

acl Safe_ports port 21	 # ftp
acl Safe_ports port 70	 # gopher
acl Safe_ports port 80	 # http
acl Safe_ports port 210	 # wais
acl Safe_ports port 280	 # http-mgmt
acl Safe_ports port 443	 # https
acl Safe_ports port 488	 # gss-http
acl Safe_ports port 563	 # mntps
acl Safe_ports port 591	 # filemaker
acl Safe_ports port 633	 # cups
acl Safe_ports port 777	 # multiling http
acl Safe_ports port 873	 # rsync
acl Safe_ports port 901	 # swat
acl Safe_ports port 1025-65535	 # unregistered ports	
http_access deny !Safe_ports

acl connect method CONNECT
acl ssl_ports port 443	 # https
acl ssl_ports port 563	 # mntps
acl ssl_ports port 873	 # rsync
http_access deny connect !SSL_ports


#url dominio bloqueados
acl domains dstdomain "/etc/squid3/domains"
http_access deny domains !unblockedsites


#palavras bloqueadas
acl words url_regex -i "/etc/squid3/words"
http_access deny words !unblockedsites


#extension blocked
acl extensions urlpath_regex -i "/etc/squid3/extensions"
http_access allow extensions user_download
http_access deny extensions !unblockedsites


#Bloqueio porta 443 https
acl https port 443
http_access allow https user_chefia
http_access allow https user_social
http_access allow https user_msn
http_access deny https !unblockedsites

http_access allow localhost
http_access deny allow

 

JoeBala
(usa Outra)

Enviado em 23/12/2011 - 17:27h

.