Question about authentication in Squid

1. Question about authentication in Squid

Paulo Humberto Lima Nunes
paulinunex

(uses Other)

Posted on 22/07/2011 - 09:52h

Good morning,

Since I couldn't find anyone with the same question, I'm posting here...

Well, I'm trying to configure Squid to authenticate against a Samba PDC server.

The problem is that I don't know where to put the authentication ACLs, whether before or after the blocking rules, and furthermore, how do I integrate them with the time ACLs?

Here is my squid.conf:

###################################################################################################

#Basic configuration
###################################################################################################
http_port ####
visible_hostname #######

cache_mem 512 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 3.8 GB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 5120 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

error_directory /usr/share/squid/errors/pt-br

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 110 587 #mail
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#My questions start from here
###################################################################################################
###################################################################################################


#Each file contains the IPs of the machines
###################################################################################################
acl hora_consultorios_geral src "/etc/squid/horas/consultorios"
acl hora_consultorios_manha src "/etc/squid/horas/consultorios_manha"
acl hora_consultorios_tarde src "/etc/squid/horas/consultorios_tarde"
acl hora_contabilidade src "/etc/squid/horas/contabilidade"
acl hora_direcao src "/etc/squid/horas/direcao"
acl hora_laudos src "/etc/squid/horas/laudos"
acl hora_recepcao src "/etc/squid/horas/recepcao"
acl hora_rh src "/etc/squid/horas/rh"
acl hora_ti src "/etc/squid/horas/ti"
acl hora_uti src "/etc/squid/horas/uti"


#ACLs that configure the access hours
###################################################################################################
#acl almoco time 12:00-14:00
acl consultorios time MTWHF 07:00-12:00 14:00-18:00
acl consultorios_manha time MTWHF 07:00-12:00
acl consultorios_tarde time MTWHF 14:00-18:00
acl contabilidade time 08:00-12:00 14:00-18:00
acl direcao time 08:00-12:00 14:00-18:00
#acl laudos time 08:00-12:00 14:00-18:00
acl recepcao time 08:00-12:00 14:00-18:00
#acl rh time 08:00-12:00 14:00-18:00
acl ti time 00:00-23:59
acl uti time 08:00-12:00 14:00-18:00


#Here is the problem: I don't know whether to put the authentication rules here...
###################################################################################################
auth_param basic realm Squid
authenticate_ip_ttl 5 minutes
auth_param basic program /usr/lib/squid/smb_auth -W ###### -U ########
acl autenticados proxy_auth REQUIRED
http_access allow autenticados


#Allow the IPs of the machines that should not go through the blocking ACLs below
###################################################################################################
http_access allow hora_consultorios_geral consultorios
#http_access deny !hora_consultorios_geral
http_access allow hora_consultorios_manha consultorios_manha
#http_access deny !hora_consultorios_manha
http_access allow hora_consultorios_tarde consultorios_tarde
#http_access deny !hora_consultorios_tarde
http_access allow hora_laudos consultorios
#http_access deny !hora_laudos
http_access allow hora_direcao direcao
#http_access deny !hora_direcao
http_access allow hora_ti ti
#http_access deny !hora_ti


#ACLs for blocking and allowing sites
###################################################################################################
acl bloqueados url_regex -i "/etc/squid/sites/bloqueados"
http_access deny bloqueados

acl palavrasproibidas dstdom_regex "/etc/squid/palavrasproibidas"
http_access deny palavrasproibidas

acl permitidos url_regex -i "/etc/squid/sites/liberados"
http_access allow permitidos
http_access deny !permitidos


#Allow the IPs of the machines that should go through the blocking ACLs above
###################################################################################################
http_access allow hora_contabilidade contabilidade
#http_access deny !hora_contabilidade
http_access allow hora_uti uti
#http_access deny !hora_uti
http_access allow hora_recepcao recepcao
#http_access deny !hora_recepcao


#Or whether to put the authentication rules here!
###################################################################################################
auth_param basic realm Squid
authenticate_ip_ttl 5 minutes
auth_param basic program /usr/lib/squid/smb_auth -W ###### -U ########
acl autenticados proxy_auth REQUIRED
http_access allow autenticados


#End of the question
###################################################################################################
http_access deny all

acl redelocal src 10.1.1.0/24
http_access allow localhost
http_access allow redelocal

http_access deny all

###################################################################################################

The fact is that, if I put the authentication ACLs before the blocks, Squid asks for authentication but allows everything, absolutely everything, without going through the blocking ACLs or the time ACLs.
If I put the authentication ACLs after the blocking and time rules, it does not authenticate, but it does go through the blocking and time rules.

What should I do? Where am I going wrong?
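
An added example, not part of the original post: Squid checks http_access lines from top to bottom and stops at the first one that matches, and ACLs named on the same line must all match, so one ordering that enforces login, time windows and site filtering together looks like this. It reuses the ACL names from the post; `<masked>` stands for the values hidden with #### there, and leaving out `http_access allow permitidos` is an assumption about the intended policy.

```conf
# All "acl" lines from the post (hora_*, the time ACLs, bloqueados,
# palavrasproibidas, permitidos, manager, Safe_ports, ...) are assumed to be
# defined above this point, before the first http_access line that uses them.

auth_param basic program /usr/lib/squid/smb_auth -W <masked> -U <masked>
auth_param basic realm Squid
acl autenticados proxy_auth REQUIRED

# Standard safety rules stay first, as in the post.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Require a login before anything else. This line only rejects (407) requests
# without valid credentials; it allows nothing, so evaluation continues below.
# "http_access allow autenticados" here would instead end evaluation for every
# logged-in user, which is the "allows everything" behaviour from the post.
http_access deny !autenticados

# Groups exempt from site filtering: source IP AND time window must both match.
http_access allow hora_consultorios_geral consultorios
http_access allow hora_consultorios_manha consultorios_manha
http_access allow hora_consultorios_tarde consultorios_tarde
http_access allow hora_laudos consultorios
http_access allow hora_direcao direcao
http_access allow hora_ti ti

# Site filtering for the remaining groups. "allow permitidos" is left out:
# followed by "deny !permitidos" it would decide every request at this point
# and the group rules below would never be reached.
http_access deny bloqueados
http_access deny palavrasproibidas
http_access deny !permitidos

# Filtered groups: still limited by source IP and time window.
http_access allow hora_contabilidade contabilidade
http_access allow hora_uti uti
http_access allow hora_recepcao recepcao

# Anything that matched no allow line above is refused.
http_access deny all
```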


  





