Proxy squid

alvarotim
(usa Slackware)

Enviado em 20/11/2008 - 10:15h

Bom dia pessoal do VOL, estou com um problema para subir o squid, inseri essa configuração básica só para teste no squid, mas quando tento navegar pelo browser das máquinas na rede interna, não abre nada, as vezes apresenta mensagem de erros como página restrita, usei o nmap e aparece a porta 3128 aberta, as configurações de nat para a internet estão ok, uso o Debian 3.1 sarge, alguem saberia dizer o que esta acontecendo.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#sistema básico para o funcionamento do squid

visible_hostname FlexNetwork
http_port 192.168.0.1:3128

acl all src 0.0.0.0/0.0.0.0
http_access allow all


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

debian:/etc/squid# nmap 192.168.0.1

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2008-10-31 20:06 BRST
Interesting ports on 192.168.0.1:
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afpovertcp
755/tcp open unknown
3128/tcp open squid-http

Nmap finished: 1 IP address (1 host up) scanned in 0.416 seconds
debian:/etc/squid#

Slim Shinoda
(usa OpenSuSE)

Enviado em 20/11/2008 - 10:19h

Eu não entendo de squid mas pelo visto parece que a porta 1655 está fechada.

ventrue.w
(usa Debian)

Enviado em 20/11/2008 - 12:41h

E ai Kara... Blz??

É o seguinte, para o squid funcionar, vc tera de configurar no arquivo /etc/squid/squid.conf algumas linhas que são importantes.

Nessa sua configuração existem erros, como por exemplo na porta ao qual sera fornecida o serviço, estou encaminhando aqui um squid.conf bem simples com algumas esplicações para vc analisar.
Dentro do aquivo sites.txt que vc ira criar, vc pode inserir nomes de sites que nao podera acessar.


############################################################################################################
http_port 3128 ###### Porta de acesso do proxy
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname MAQ51
acl all src 0.0.0.0/0.0.0.0
##########Libera rede Interna#############
acl rede_interna src 192.168.0.0/24 ####Faixa de ip ao qual sua rede trabalha
##########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#########Libera Rede Interna para Net#############
http_access allow rede_interna
##################################################
http_access allow localhost
########Arquivo de bloqueio de sites############################
acl sites url_regex -i "/etc/squid/sites.txt" ##### Esse arquivo tem de ser cirado nesse mesmo endereço
http_access deny sites all
http_access allow all
####################################
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid

##########################################################################################################
Apos configurar e salvar essas configurações, saia do modo VI e digite

squid -k reconfigure

Pronto, deve estar funcionando, nas estações configure o proxy aprontando para o IP e a porta da maquina ao qual esta rodando o squid.

Bom é isso..... Espero ajudar.

gjuniorpb
(usa Conectiva)

Enviado em 21/11/2008 - 08:24h

vc tem q colocar mais augumas configuraçõe ai tipo tamanho do cache numero da porta e colocar o squid como transparente

para squid 2.5 a baixo aconfiguração basica fica assim

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
##Tamanho do cache 38000 => 38Gb
cache_dir ufs /var/cache/squid/ 38000 128 64
####################
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 0% 4320

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

#auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm Digite sua senha
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname on

####Proxy Transparente####
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_uses_host_header on
coredump_dir /var/cache/squid
httpd_accel_with_proxy off
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@@@@@@@@@@@para squid 2.6 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
ipcache_size 2048
ipcache_low 90
ipcache_high 95
##Tamanho do cache 38000 => 38Gb
cache_dir ufs /var/cache/squid/ 38000 128 64
####################
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 0% 4320

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

#auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm Digite sua senha
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname on
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


ai tem q redirecionar todos os pacotes da porta 80 para o squid

iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80,3128 -s 0/0 -j REDIRECT --to-port 3128