allanlinux
(usa Arch Linux)
Enviado em 12/02/2015 - 11:59h
Amigos do VOL,
Peço desculpas, dei uma procurada para o meu problema mas não consegui uma solução:
Tenho um servidor com squid + squidGuard instalados, está tudo funcionado mas quando alguém abre o office, ele fica pedindo senha umas mil vezes, mesmo colocando a senha, ele pede novamente... Navegador e outras coisas está tudo normal.
Segue minha conf:
# /etc/squid3/squid.conf
####################################################
# Portas (padrao 3128)
http_port 3128
#Habilitar debug
#debug_options 28,3
####################################################################################
# CONFIGURACOES DE CACHE #
####################################################################################
# Tipo de cache (aufs), pasta raiz, tamanho em MB, diretorios pais, diretorios em cada diretorio
cache_dir aufs /var/spool/squid3 8196 16 256
# Tamanho da cache para objetos
cache_mem 1024 MB
# Tamanho maximo dos objetos que sera salvos em disco
maximum_object_size 131070 KB
# Tamanho minimo dos objetos que sera salvos em disco
minimum_object_size 0 KB
# Numero de entradas na tabela de cache de conversao de IP para FQDN
ipcache_size 16384
# Percentagem de cache baixa - padrao 90
ipcache_low 90
# Percentagem de cache baixa - padrao 95
ipcache_high 95
# Manter memoria alocada e nao usadada para nao precisar realocar quando for usar
memory_pools on
# Numero de entradas na tabela de cache de DNS
fqdncache_size 16384
# Tamanho maximo dos objetos guardados na cache
maximum_object_size_in_memory 8 MB
# Gerar resumo de cache - Util somente quando existem squids parceiros deste squid
digest_generation off
####################################################################################
# CONFIGURACOES GERAIS #
####################################################################################
# Como tratar o X-Forwared-For no cabecalho HTTP
forwarded_for off
#logar parametros das URL's
strip_query_terms on
# 5.5 ou anteior a buscar novas pánas do servido em caso de refresh
ie_refresh on
#Detecta respostas quebradas de conexoes persistentes e assuma que o reply foi enviado apos 10 segundos
detect_broken_pconn on
#Tenta executar requisicao em paralelo - Pode quebrar autenticacao NTLM/Kerberos
pipeline_prefetch off
# Continua baixando requisicao abortadas
quick_abort_min -1 KB
# continua baixando requsicoes abortadas - limite de 16KB
quick_abort_max 16 KB
# Quanto tempo manter cache de DNS
positive_dns_ttl 5 minute
# Fechar conexao TCP imediatamente
half_closed_clients off
# timeout de leitura de dados
read_timeout 240 second
# timeout de conexao
pconn_timeout 240 second
# Email do administrador
cache_mgr suporte@antlia.com.br
# Host visivel
visible_hostname svfirewall.antlia.local
# Linguagem dos erros
error_directory /usr/share/squid3/errors/pt-br
# Evita que sejam feitos coredumps.
coredump_dir /var/spool/squid3
# Numero de arquivos de log rotacionados a guardar.
logfile_rotate 120
# Tempo para agaurdar o fechamento de conexoes durante encerramento do squid
shutdown_lifetime 1 second
# palavras que sera tratadas diretamente por esse squid, ou seja, sera repassadas para vizinhos
hierarchy_stoplist cgi-bin ?
# Dominio padrao de busca
#append_domain .dominio.com.br
# Padrao refresh de cache para alguns sites
# refresh_pattern [-i] regex min percent max [options]
# -i : regular expressiona case-insensitive
# regex: Expressao regular a buscar
# min: tempo (em minutos) que um objeto sera considerado novo
# percent: % da idade do objeto que sao considerado novo
# max: limite maximo que os objetos sem tempo de expirar explicito serao considerados novos
refresh_pattern -i http.*\.gov.br/.* 720 100% 7200 reload-into-ims
refresh_pattern -i http.*\.globo.com/.* 720 100% 7200 reload-into-ims
refresh_pattern -i http.*\.terra.com.br/.* 720 100% 7200 reload-into-ims
refresh_pattern -i http.*\.google.*/.* 720 100% 10080 reload-into-ims
refresh_pattern -i http.*\.msn.*/.* 720 100% 10080 reload-into-ims
refresh_pattern -i http.*\.uol.com.*/.* 720 100% 10080 reload-into-ims
refresh_pattern -i http.*\.bol.com.*/.* 720 100% 10080 reload-into-ims
refresh_pattern -i http.*\.lyricsplugin.com.*/.* 720 100% 10080 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
####################################################################################
# LOGS #
####################################################################################
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %# Log de acesso
access_log /var/log/squid3/access.log
# Log de cache
cache_log /var/log/squid3/cache.log
# pasta para arquivo de dump
coredump_dir /var/spool/squid3
# comportamente para espaco em branco nas URLs
uri_whitespace allow
# Servidores de DNS a serem utilizados - Se nao for especificado, o valor de /etc/resolv.conf sera utilizado
#dns_nameservers 192.168.0.1
####################################################################################
# Autenticacao no Windows 2012 #
####################################################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy Squid - Digite suas credenciais
auth_param basic credentialsttl 1000 hours
####################################################################################
# ACL #
####################################################################################
# ACL de origem
# rede loopback
acl localhost src 127.0.0.1/32
# Rede local
acl rede_local src 192.168.1.0/24
# ACL de destino
#acl allDest dst 0.0.0.0/0.0.0.0
#acl to_localhost dst 127.0.0.0/8
# Portas seguras
acl SSL_ports port 443
acl SSL_ports port 8180
acl SSL_ports port 8443
# Demais servicos
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 20-21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8080 # http
acl Safe_ports port 8081 # http
acl Safe_ports port 8082 # http
acl Safe_ports port 8088 # http
acl Safe_ports port 8180 # http
acl Safe_ports port 3456 # receita federal - irpf
acl Safe_ports port 3001 # diario oficial
acl Safe_ports port 10000 # Webmin
acl Safe_ports port 3000 # Snorby
acl Safe_ports port 3050 # Ntopng
acl Safe_ports port 3000 # Ntop
acl Safe_ports port 10443 # Endian
acl Safe_ports port 20000 # Correios
# ACL - Liberar Office
acl office dstdomain "/etc/squid3/acls/office"
# acls default squid
acl purge method PURGE
acl CONNECT method CONNECT
acl POST method POST
# acl para obter grupos do AD
external_acl_type grupo_AD ipv4 ttl=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl
# Grupos do AD
acl acesso_completo external grupo_AD CAD
acl acesso_padrao external grupo_AD Internet
#acl acesso_bloqueado external grupo_AD Internet_Acesso_Bloqueado
# acls de seguranca e protecao do cache
acl manager proto cache_object
# acl controlar sites (sites-proibidos)
#acl sites_liberados dstdomain -i "/etc/squid3/acls/sites_liberados"
#acl sites_proibidos dstdomain -i "/etc/squid3/acls/sites_proibidos"
# acl controlar palavras de se**, baixo cal**
acl palavras_liberadas url_regex -i "/etc/squid3/acls/palavras_liberadas"
acl palavras_proibidas url_regex -i "/etc/squid3/acls/palavras_proibidas"
acl ms_cryptoapi_browser browser Microsoft-CryptoAPI.*
# Mensagem de erros personalizados para alguimas ACLs
deny_info ARQ_SITES_PROIBIDOS sites_proibidos
#deny_info ARQ_SITES_PROIBIDOS sites_liberados
deny_info ARQ_SITES_PROIBIDOS sites_liberados_sem_auth
deny_info ARQ_SITES_PROIBIDOS palavras_proibidas
deny_info ARQ_SITES_PROIBIDOS palavras_liberadas
deny_info ARQ_ACESSO_BLOQUEADO acesso_bloqueado
deny_info ARQ_PORTAS_PROIBIDAS Safe_ports
deny_info ARQ_PORTAS_PROIBIDAS SSL_ports
####################################################################################
# HTTP ACCESS #
####################################################################################
# Regras das acls de origem - libera os administradores
#http_access allow admins
# Libera Office
http_access allow office
# Libera Microsoft Crypto API
http_access allow ms_cryptoapi_browser
# Regras das acls de controle (bloqueio e politicas de rede)
http_access allow manager localhost
http_access deny manager
http_access allow rede_local acesso_completo
# Regras das acls de portas - bloqueia todas as portas nao listadas
http_access deny !Safe_ports
# bloqueia conexao das portas seguras nao listadas
http_access deny CONNECT !SSL_ports
# Liberar site bloqueado
#http_access allow sites_liberados
# Controle de acesso de sites proibidos
#http_access deny sites_proibidos
# Liberacao de algumas palavras
http_access allow palavras_liberadas
# Bloqueio de algumas palavras
http_access deny palavras_proibidas
http_access allow purge localhost
http_access allow rede_local acesso_padrao
http_access allow POST rede_local acesso_padrao
http_access allow POST rede_local acesso_completo
# libera metodo POST sem autenticacao Para evitar problemas
http_access allow POST
http_access deny purge
# HTTP REPLY ACCESS
http_reply_access allow all
http_access deny all
# ICP ACCESS
icp_access deny all
# MISS ACCESS
miss_access allow rede_local
miss_access deny all
# MODO DE FTP PASSIVO
#ftp_passive on
# Negar cache de cgi-bin
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# negar cache de POST
acl POSTS method POST
cache deny POSTS
# Integracao SquidGuard
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_access deny rede_local acesso_completo
#url_rewrite_access allow all
url_rewrite_access allow acesso_padrao
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 20 startup=0 idle=1 concurrency=0
Desde já, obrigado pela atenção de todos.