lucasguara
(usa Debian)
Enviado em 02/04/2013 - 17:50h
Pessoal, estou com a seguinte dificuldade. Preciso bloquear o acesso à internet de todos os usuários que não estão nos grupos do AD abaixo. Exemplo: se eu criar um usuário fora desses grupos, ele continua acessando; quero que não acesse nada, somente se estiver nos grupos em ou=internet,dc=gardenia,dc=local
# Excerpt of the group-based ACLs from the full squid.conf below.
# "external ldap_group <Name>" asks the squid_ldap_group helper (defined by
# external_acl_type further down) whether the authenticated login is a member
# of cn=<Name>,ou=internet,dc=gardenia,dc=local. Because that helper uses
# %LOGIN, any http_access line that references one of these acls forces the
# client to authenticate first.
acl AcessoFull external ldap_group LdapVSAcessoFull
acl AcessoEmpresa external ldap_group LdapVSAcessoEmpresa
acl AcessoOperacional external ldap_group LdapVSAcessoOperacional
# Source addresses exempt from the download block (http_reply_access).
acl DownloadLiberado src "/etc/squid/downloadliberado"
# MIME types of replies to refuse (case-insensitive).
acl BloqueioDownload rep_mime_type -i "/etc/squid/bloqueiodownload"
# Destination domains for which CONNECT (HTTPS) is denied.
acl https_negado dstdomain "/etc/squid/https_negado.txt"
acl dominios_bloqueados url_regex "/etc/squid/dominios_bloqueados.txt"
# URL lists reachable without a group check (see the http_access section).
acl sites-semsenha url_regex -i "/etc/squid/sites-semsenha.txt"
acl sites-operacional url_regex -i "/etc/squid/sites-operacional.txt"
acl Sites-Almoco url_regex -i "/etc/squid/Sites-Almoco.txt"
# Lunch-break groups combined with a time window on the http_access line.
# NOTE(review): only the 12h pair is referenced by an http_access rule in the
# full config below; the 11h pair is defined but unused.
acl AcessoAlmoco11horas external ldap_group LdapVSAlmoco11horas
acl Almoco-1100-1200 time 11:00-12:00
acl AcessoAlmoco12horas external ldap_group LdapVSAlmoco12horas
acl Almoco-1200-1300 time 12:00-13:00
acl GPAcessoBancos external ldap_group ldapAcessoBancos
acl Acesso-Bancos url_regex -i "/etc/squid/bancos.txt"
#########################################################
Segue meu squid.conf completo; desde já agradeço.
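# squid.conf: basic authentication against Active Directory (squid_ldap_auth)
# plus per-group access policy via the "ldap_group" external acl
# (squid_ldap_group, memberof lookup under ou=internet,dc=gardenia,dc=local).
#
# NOTE(review): the bind password is kept in clear text in this file
# (-w "123456") on both helper lines and is visible to anyone who can read
# squid.conf. The LDAP helpers accept -W <bind-password-file> to read it from
# a root-only file instead; the file path is a placeholder to choose locally.
# NOTE(review): the helpers talk plain LDAP to 129.1.1.1 and the users'
# basic-auth passwords are relayed to it in clear; the helpers' TLS option
# (-Z) protects that hop if the installed helper build supports it.
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=gardenia,dc=local" -D "cn=proxy_user,ou=internet,dc=gardenia,dc=local" -w "123456" -f sAMAccountName=%s -h 129.1.1.1
auth_param basic realm "Acesso a internet - GARDENIA"
auth_param basic children 5
auth_param basic credentialsttl 15 minute
visible_hostname vsgateway
# %LOGIN makes every http_access line that references an ldap_group acl
# require authentication first. %v is the login name, %a the group name
# given on the acl line (e.g. LdapVSAcessoFull).
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=gardenia,dc=local" -D "cn=proxy_user,ou=internet,dc=gardenia,dc=local" -w "123456" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=gardenia,dc=local))" -h 129.1.1.1
# FIX: "all" used to be defined as 129.1.1.0/24. The closing
# "http_access deny all" therefore only denied clients inside that subnet;
# any other client matched no rule and fell through to Squid's implicit
# default, which is the opposite of the last rule (i.e. allow). "all" must
# cover every address; the local network gets its own acl.
acl all src 0.0.0.0/0.0.0.0
acl rede_interna src 129.1.1.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 8443
acl Safe_ports port "/etc/squid/safe_ports.txt" # multiling http
acl CONNECT method CONNECT
# ICP stays limited to the local network, as before.
icp_access allow rede_interna
http_port 3128
hierarchy_stoplist cgi-bin ?
#debug_options ALL,1 33,2
access_log /var/log/squid/access.log
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
acl csserasa url_regex "/etc/squid/csserasa.txt"
# Group membership checks (see external_acl_type above).
acl AcessoFull external ldap_group LdapVSAcessoFull
acl AcessoEmpresa external ldap_group LdapVSAcessoEmpresa
acl AcessoOperacional external ldap_group LdapVSAcessoOperacional
# Source addresses exempt from the download block.
acl DownloadLiberado src "/etc/squid/downloadliberado"
# Reply MIME types to refuse.
acl BloqueioDownload rep_mime_type -i "/etc/squid/bloqueiodownload"
acl https_negado dstdomain "/etc/squid/https_negado.txt"
acl dominios_bloqueados url_regex "/etc/squid/dominios_bloqueados.txt"
# URL lists reachable without authentication ("sem senha").
acl sites-semsenha url_regex -i "/etc/squid/sites-semsenha.txt"
acl sites-operacional url_regex -i "/etc/squid/sites-operacional.txt"
acl Sites-Almoco url_regex -i "/etc/squid/Sites-Almoco.txt"
# NOTE(review): the 11h lunch pair is defined but no http_access rule uses
# it; only the 12h pair is referenced below.
acl AcessoAlmoco11horas external ldap_group LdapVSAlmoco11horas
acl Almoco-1100-1200 time 11:00-12:00
acl AcessoAlmoco12horas external ldap_group LdapVSAlmoco12horas
acl Almoco-1200-1300 time 12:00-13:00
acl GPAcessoBancos external ldap_group ldapAcessoBancos
acl Acesso-Bancos url_regex -i "/etc/squid/bancos.txt"
# --- request policy: first matching line wins ---
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
no_cache deny csserasa
always_direct allow csserasa
http_access allow localhost
# Clients outside the local network are refused before any allow rule.
http_access deny !rede_interna
# Reachable by anyone on the local network, no login required.
http_access allow sites-semsenha
http_access allow csserasa
# Everything for the full-access group. This sits above the https_negado
# deny, so that group is not subject to the HTTPS block; move the deny
# above this line if the block should apply to everyone.
http_access allow AcessoFull
http_access allow Sites-Almoco AcessoAlmoco12horas Almoco-1200-1300
http_access deny CONNECT https_negado
http_access allow AcessoEmpresa !dominios_bloqueados
# FIX: the original pair
#   http_access allow AcessoOperacional sites-semsenha sites-operacional
#   http_access allow sites-operacional
# required a URL to match BOTH lists for the group rule to fire, and then
# granted the operational sites to every client with no group check at all.
# Operational sites now require membership in AcessoOperacional.
http_access allow AcessoOperacional sites-operacional
http_access allow GPAcessoBancos Acesso-Bancos
#Maquinas Liberada para Download
http_reply_access allow sites-semsenha
#Bloqueio de Download
http_reply_access allow DownloadLiberado
http_reply_access deny BloqueioDownload
# Final catch-all (was duplicated; one line is enough).
http_access deny all
broken_vary_encoding allow apache
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
# Section 28 is access control; level 9 logs every acl evaluation and makes
# cache.log grow quickly. Lower it once the policy is confirmed.
debug_options 28,9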