renancasini
(usa Outra)
Enviado em 21/07/2015 - 11:40h
Pessoal, Bom dia!
Estou com um problema que acredito ser simples de resolver, vamos lá:
Tenho um SQUID autenticado no AD "rodando perfeitamente", alguns sites em HTTPS quando vou entrar apresenta o seguinte erro:
Sua conexão não é particular
Invasores podem estar tentando roubar suas informações de redesedados.webdesklw.com.br (por exemplo, senhas, mensagens ou cartões de crédito). NET::ERR_CERT_AUTHORITY_INVALID
Ai em avançado consigo continuar mesmo assim.
Porem ao avançar a pagina fica toda desconfigurada não exibe imagens.
segue meu squid.conf:
# Autenticacao no Windows 2008
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
acl AuthorizedUsers proxy_auth REQUIRED
acl bancos url_regex -i "/etc/squid/bancos"
http_access allow bancos
# Configuracoes gerais
http_port 3128
hierarchy_stoplist cgi-bin?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_replacement_policy lru
memory_replacement_policy lru
cache_mem 2 GB
maximum_object_size_in_memory 2048 KB
maximum_object_size 600 MB
minimum_object_size 1 KB
ipcache_size 2048
ipcache_low 80
ipcache_high 95
cache_dir aufs /var/spool/squid/1/ 23552 128 512
cache_dir aufs /var/spool/squid/2/ 23552 128 512
cache_dir aufs /var/spool/squid/3/ 23552 128 512
cache_dir aufs /var/spool/squid/4/ 23552 128 512
cache_replacement_policy lru
memory_replacement_policy lru
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_swap_log /var/spool/squid/swap.log
cache_mgr renan@redesedados.com.br
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid
refresh_pattern \^ftp: 1440 20% 10080
refresh_pattern \^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Definicao das ACLs
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # snews
acl SSL_ports port 10000 # Webmin
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 407 # msn
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop
acl purge method PURGE
acl CONNECT method CONNECT
################################ CACHE ####################################
#### Microsoft Update####
range_offset_limit 200 MB windowsupdate
maximum_object_size 200 MB
quick_abort_min -1
#Cache de Fotos
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.exe$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.php$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
# Cache De videos
refresh_pattern -i \.(mp3|mp4|m4a|ogg|mov|avi|wmv|flv)$ 43200 100% 43200 ignore-no-cache override-expire ignore-private
# Cache do Windows Update
refresh_pattern -i au.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i msgruser.dlservice.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i ctldl.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i crl.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i sqm.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i watson.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i go.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i msftncsi.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43200 reload-into-ims
refresh_pattern -i stats1.update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i windowsupdate.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i redir.metaservices.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i images.metaservices.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i c.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i
www.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf)">
www.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i wustat.windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i sls.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i productactivation.one.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
refresh_pattern -i ntservicepack.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 43200 reload-into-ims
#Cache Java ( Faz cache do Java ) ##
refresh_pattern -i sdlc-esd.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i javadl-esd.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i javadl.oracle.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i rps-svcs.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
#Cache atulizacao avira ( Faz cache do Avira ) ##
refresh_pattern -i personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 999999 100% 43200 reload-into-ims
#Cache atualizacao symantec
refresh_pattern -i liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i symantecliveupdate.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
#Cache avast
refresh_pattern -i avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i x2486472.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i h3565960.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i r2493514.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i x8761469.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i j7434223.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i y7292228.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i z0183749.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i c0307764.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i x9942723.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i t0964766.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i w2416805.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i ai.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i eu.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i su.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i program.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i vl.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i an.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i v7.stats.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i static.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i emupdate.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i software-files-a.cnet.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
###### Microsoft #####
acl windowsupdate dstdomain stats1.update.microsoft.com
acl windowsupdate dstdomain msftncsi.com
acl windowsupdate dstdomain microsoft.com
acl windowsupdate dstdomain go.microsoft.com
acl windowsupdate dstdomain watson.microsoft.com
acl windowsupdate dstdomain sqm.microsoft.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain windowsupdate.com
acl windowsupdate dstdomain msgruser.dlservice.microsoft.com
acl windowsupdate dstdomain download.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain
www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
#### AVAST #####
acl avast dstdomain avast.com
acl avast dstdomain software-files-a.cnet.com
######################################## CONTROLE DE BANDA #####################################################
#Crie uma acl com as extensoes serao aplicadas o filtro
acl download url_regex -i ftp .mov .mpeg .wav .tar .mp3 .exe .zip .rar .mpg .avi .rmvb .pps .wmv .msi .iso
acl navegacao urlpath_regex -i \.htm$ \.html$ \.php \.cgi \.pl \.asp \.cf$ \.jpeg$ \.jpg$ \.png$ \.gif$
# Crie outra acl com os IPs que serao aplicados a regra
acl fast src "/etc/squid/fast"
acl medium src "/etc/squid/medium"
acl low src "/etc/squid/low"
delay_pools 3
# Significa que teremos tres controles de banda
# Primeiro controle
delay_class 1 2
#-1/-1 significa que nao teremos limites para a delay pool 1
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow fast
# Segundo controle
delay_class 2 2
# Limita a sua banda por pessoa
#delay_parameters 2 2097152/2097152 2097152/2097152 # 2 mb
#delay_parameters 2 1835008/1835008 1835008/1835008 # 1,75 mb
delay_parameters 2 1572864/1572864 1572864/1572864 # 1,5 mb
#delay_parameters 2 1310720/1310720 1310720/1310720 # 1,25 mb
#delay_parameters 2 1048576/1048576 1048576/1048576 # 1 mb
#delay_parameters 2 943718.4/943718.4 943718.4/943718.4 # 900 kb
#delay_parameters 2 838860.8/838860.8 838860.8/838860.8 # 800 kb
#delay_parameters 2 734003.2/734003.2 734003.2/734003.2 # 700 kb
#delay_parameters 2 629145.6/629145.6 629145.6/629145.6 # 600 kb
#delay_parameters 2 524288/524288 524288/524288 # 500 kb
delay_access 2 allow medium
delay_access 2 allow navegacao
# Terceiro controle
delay_class 3 2
# Limita a sua banda por pessoa
#delay_parameters 3 2097152/2097152 2097152/2097152 # 2 mb
#delay_parameters 3 1835008/1835008 1835008/1835008 # 1,75 mb
#delay_parameters 3 1572864/1572864 1572864/1572864 # 1,5 mb
#delay_parameters 3 1310720/1310720 1310720/1310720 # 1,25 mb
#delay_parameters 3 1048576/1048576 1048576/1048576 # 1 mb
#delay_parameters 3 943718.4/943718.4 943718.4/943718.4 # 900 kb
#delay_parameters 3 838860.8/838860.8 838860.8/838860.8 # 800 kb
#delay_parameters 3 734003.2/734003.2 734003.2/734003.2 # 700 kb
#delay_parameters 3 629145.6/629145.6 629145.6/629145.6 # 600 kb
delay_parameters 3 524288/524288 524288/524288 # 500 kb
delay_access 3 allow low
delay_access 3 allow navegacao
#usuarios com acesso total
acl fast src "/etc/squid/fast"
#usuarios controlados
acl medium src "/etc/squid/medium"
acl low src "/etc/squid/low"
################################################# CONTROLE DE INTERNET #################################################
external_acl_type grupo_ad %LOGIN /usr/lib/squid/wbinfo_group.pl
#acl grp- external grupo_ad
# Criacao dos grupos
acl grp-admins external grupo_ad admins
acl grp-diretores external grupo_ad diretores
acl grp-gerentes external grupo_ad gerentes
acl grp-funcionarios external grupo_ad funcionarios
acl grp-estagiarios external grupo_ad estagiarios
# Regras Para Diretores
acl sitesd dstdomain -i "/etc/squid/sitesd"
acl palavrasd url_regex -i "/etc/squid/palavrasd"
acl downloadsd urlpath_regex -i "/etc/squid/downloadsd"
# Regras Para Gerentes
acl sitesg dstdomain -i "/etc/squid/sitesg"
acl palavrasg url_regex -i "/etc/squid/palavrasg"
acl downloadsg urlpath_regex -i "/etc/squid/downloadsg"
# Regras Para Funcionarios
acl sitesf dstdomain -i "/etc/squid/sitesf"
acl palavrasf url_regex -i "/etc/squid/palavrasf"
acl downloadsf urlpath_regex -i "/etc/squid/downloadsf"
# Regras Para Estagiarios
acl sitese dstdomain -i "/etc/squid/sitese"
acl almoco time 11:00-13:00
acl microsoft url_regex "/etc/squid/ms-update"
acl domain_watson dstdomain watson.microsoft.com
http_access allow microsoft
http_access allow domain_watson
# Ativando as ACLs Padrao
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
# Ativando as ACLs Personalizadas
http_access allow almoco
http_access allow grp-admins
http_access deny sitesd
http_access deny palavrasd
http_access deny downloadsd
http_access allow grp-diretores
http_access deny sitesg
http_access deny palavrasg
http_access deny downloadsg
http_access allow grp-gerentes
http_access deny sitesf
http_access deny palavrasf
http_access deny downloadsf
http_access allow grp-funcionarios
http_access deny grp-estagiarios !sitese
http_access allow sitese
http_access deny all