Transparent proxy + authentication

1. Transparent proxy + authentication

Tiago Prado
tiago2001

(uses Debian)

Posted on 07/01/2011 - 10:23h

Well folks, I want to use a transparent proxy + authentication... So I decided to set up two Squids on virtual machines. One for the transparent proxy and another for authentication.
On one I did the transparent proxy configuration, IP 192.168.2.1.

http_port 192.168.2.1:3128 transparent
cache_peer 192.168.2.20 parent 3128 3130 no-query no-digest
visible_hostname juca
acl all src 0.0.0.0/0.0.0.0
never_direct allow all
acl interno src 192.168.0.0/16
http_access allow interno
http_access allow all

And on the other one, with authentication, which would be the parent, with IP 192.168.2.20:

http_port 3128
cache_mem 64 MB
ie_refresh on
error_directory /usr/share/squid/errors/Portuguese

# Maximum size of objects kept in RAM
maximum_object_size_in_memory 256 KB

# MAXIMUM AND MINIMUM SIZE ON DISK
#maximum_object_size 100 MB
#minimum_object_size 0 KB

# CACHE EVICTION
#cache_swap_low 90
#cache_swap_high 95

# DISK SPACE, DIRECTORIES, SUBDIRECTORIES
#cache_dir ufs /var/cache/squid 500 16 256

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
dns_nameservers 10.1.5.35 10.1.2.44
#hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_peer prx-saude.redegov.sp.gov.br parent 80 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all
miss_access allow all
icp_access allow all

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl SSL_ports port 8443 # Siafem
acl Safe_ports port 80 # http
acl Safe_ports port 809 # SPTRNAS
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 23 # Siafísico
acl Safe_ports port 53 # x
acl Safe_ports port 88 # x
acl Safe_ports port 443 # https
acl Safe_ports port 563 # snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # Siafem
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

############################### RESTRICTION RULES ###########################
# Before going through authentication
#############################################################################

############################### AUTHENTICATION ##############################
auth_param basic program /etc/squid/users/ncsa_auth /etc/squid/users/passwd
auth_param basic realm Digite seu usuario e senha para entrar
#auth_param negotiate program <uncomment and complete this line to activate>
auth_param negotiate children 5
auth_param negotiate keep_alive off
#auth_param ntlm program <uncomment and complete this line to activate>
auth_param ntlm children 5
#auth_param ntlm keep_alive off
#auth_param digest program <uncomment and complete this line>
auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 0 seconds
#############################################################################

########################### Login ACLs per group ############################
acl full proxy_auth "/etc/squid/grupos/full"
acl videos proxy_auth "/etc/squid/grupos/videos"
acl liberado proxy_auth "/etc/squid/grupos/liberado"
acl caism proxy_auth "/etc/squid/grupos/caism"
acl restrito proxy_auth "/etc/squid/grupos/restrito"
#############################################################################
############################ Content-blocking ACLs ##########################
acl bloqueiatudo url_regex -i "/etc/squid/regras/bloqueiatudo"
acl sitesbloqueados url_regex -i "/etc/squid/regras/sitesbloqueados"
acl sitesliberados url_regex -i "/etc/squid/regras/sitesliberados"
acl sitescaism url_regex -i "/etc/squid/regras/sitescaism"
acl especifico url_regex -i "/etc/squid/regras/especifico"
acl musica urlpath_regex -i "/etc/squid/regras/musica"
acl streaming rep_mime_type ^video/x-ms-asf
#############################################################################

############################ Download size ##################################
#acl html rep_mime_type text/html
#reply_body_max_size 0 allow html
#reply_body_max_size 0 allow full
#-------Size definition 1MB = 1024 * 1024
#reply_body_max_size 10485760 allow liberado
#reply_body_max_size 10485760 allow restrito
#############################################################################

#------------Unrestricted users----------------
http_access allow full
#----------------------------------------------

########################### SITES THAT BYPASS THE PROXY #####################
#acl site dstdomain java.com javadl.sun.com
#always_direct allow site
#############################################################################

#-------------Allowed users--------------------
http_access allow especifico
http_access deny sitesbloqueados
http_access deny musica !full
http_reply_access deny streaming !full !videos
http_access allow videos
http_access allow liberado
#----------------------------------------------


#------------Restricted and caism users---------------
http_access allow sitesliberados
http_access deny bloqueiatudo
http_access allow restrito
#-----------------------------------------------
acl redelocal src 192.168.0.0/16
http_access allow localhost
http_access allow redelocal
#miss_access allow redelocal
#icp_access allow redelocal
http_access allow localnet
#miss_access allow localnet
#icp_access allow localnet
http_access deny all

Then I created the following iptables rules on the transparent proxy:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3128 -j DNAT --to 192.168.2.20
iptables -t nat -A POSTROUTING -d 192.168.2.20 -j SNAT --to 192.168.2.1

When I set the proxy manually in the browser it goes and manages to authenticate on the parent proxy... When I leave it without a proxy it goes to the parent proxy, but the authentication screen doesn't appear; it immediately gives a cache error, as if I had typed the wrong password.
Does anyone have a solution?
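As an added illustration (not code from the thread), here is a small first-match evaluator for the parent's http_access lines above, with constructed stand-ins for the group files under /etc/squid/grupos and the url_regex files under /etc/squid/regras. It shows that any request reaching the parent without credentials is challenged at the very first `http_access allow full` line, before the later `allow localhost` / `allow redelocal` lines are ever reached, and how the order of the deny and allow lines decides each authenticated user's outcome.

```python
import ipaddress
import re

# Constructed stand-ins for the group files (/etc/squid/grupos/*) and the
# url_regex files (/etc/squid/regras/*) referenced by the parent squid.conf.
GROUPS = {"full": {"alice"}, "videos": {"bob"}, "liberado": {"carol"},
          "restrito": {"dave"}, "caism": set()}
PATTERNS = {"especifico": [r"java\.com"], "sitesbloqueados": [r"facebook\.com"],
            "musica": [r"\.mp3$"], "sitesliberados": [r"\.gov\.br"],
            "bloqueiatudo": [r"."], "sitescaism": []}
SRC = {"localhost": ["127.0.0.1/32"], "redelocal": ["192.168.0.0/16"],
       "localnet": ["172.16.0.0/12", "192.168.0.0/16"], "all": ["0.0.0.0/0"]}

# The parent's http_access lines, in the order they appear in the post.
RULES = [("allow", "full"), ("allow", "especifico"), ("deny", "sitesbloqueados"),
         ("deny", "musica !full"), ("allow", "videos"), ("allow", "liberado"),
         ("allow", "sitesliberados"), ("deny", "bloqueiatudo"), ("allow", "restrito"),
         ("allow", "localhost"), ("allow", "redelocal"), ("allow", "localnet"),
         ("deny", "all")]


class NeedAuth(Exception):
    """A proxy_auth ACL was reached without credentials: Squid answers 407."""


def acl_matches(name, req):
    """Evaluate one named ACL (src, proxy_auth or url_regex) against a request."""
    if name in SRC:
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n) for n in SRC[name])
    if name in GROUPS:
        if req.get("user") is None:
            raise NeedAuth(name)
        return req["user"] in GROUPS[name]
    return any(re.search(p, req["url"], re.I) for p in PATTERNS[name])


def http_access(req):
    """First-match evaluation: a line matches only if every ACL on it matches,
    checked left to right and stopping at the first non-match, as Squid does."""
    for verdict, acls in RULES:
        try:
            if all(acl_matches(a.lstrip("!"), req) != a.startswith("!")
                   for a in acls.split()):
                return verdict
        except NeedAuth:
            # Real Squid challenges only when the proxy_auth ACL is the last
            # one on the line; that holds for every line in this rule set.
            return "challenge"
    return "deny"
```

With the catch-all `bloqueiatudo` pattern used here, even a request from 127.0.0.1 by an authenticated user outside every group is denied before the `allow localhost` line is reached.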
2. Tip

Tiago Prado
tiago2001

(uses Debian)

Posted on 07/01/2011 - 16:52h

Doesn't anyone have a tip?


3. I think I'm a bit late

Paulo Bini
paulinhobini

(uses Debian)

Posted on 20/06/2013 - 08:49h

tiago2001 wrote:

Doesn't anyone have a tip?


I know the thread is old, but I'll leave a tip for whoever may come to read this forum.
Our friend came up with an interesting solution, one I personally hadn't seen before; people have been using natAcl a lot, but that technique makes external authentication, against an LDAP base for example, harder.
I believe the problem our friend ran into was caused by packet routing. I believe that if the servers were on different networks, this error would not happen.
In practice, it would look like this:
-> Internet
-> Authenticated proxy server (LDAP base) with two network cards (eth0 ADSL client, eth1 10.0.0.1)
-> Transparent proxy server with two network cards (eth0 10.0.0.2, eth1 192.168.0.254)
-> Switch (on the 192 network)
-> Clients on 192