Squid bloqueio por grupos. [RESOLVIDO]

1. Squid bloqueio por grupos. [RESOLVIDO]

Renato Candido
firehawks

(usa Debian)

Enviado em 29/02/2012 - 15:42h

Boa tarde,

Estou com um problemão rsrsrs: preciso configurar a .conf para trabalhar com diversos grupos. Por exemplo: Diretoria não terá acesso a nada, apenas ao que tiver no arquivo X; Financeiro não terá acesso a nada, apenas ao que tiver no arquivo Y; Setor Pessoal só terá acesso ao que tiver no arquivo Z, e assim vai.

##############################################################################
# General settings of the asker's squid.conf: listening ports, cache sizing,
# log locations and Basic proxy authentication.
#
# 3128 serves client proxy requests; 3130 is the ICP (inter-cache) port.
# NOTE(review): no cache_peer line is visible in this listing, so ICP may not
# be needed at all; who may query it is decided by the icp_access rule further
# down in this file.
http_port 3128
icp_port 3130
#
# Dynamic-looking URLs (cgi-bin, or containing '?') are not fetched via peers
# and are never cached.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
#
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#
cache_mem 256 MB
#
# Low/high watermarks (percent of cache_dir) that drive object eviction.
cache_swap_low 85
cache_swap_high 90
#
maximum_object_size 128 MB
#maximum_object_size 62914560 KB
minimum_object_size 0
#
maximum_object_size_in_memory 256 KB
#
# On-disk cache: ufs store, 2048 MB, 16 first-level and 256 second-level dirs.
cache_dir ufs /var/cache/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/cache/store.log
pid_filename /var/cache/squid.pid
# client_netmask masks client addresses in the logs and cache manager output;
# with 255.255.255.0 the last octet is zeroed.
# NOTE(review): that removes per-host attribution from access.log, so incident
# review has to rely on the authenticated username field instead.
client_netmask 255.255.255.0
#
# Proxy authentication: HTTP Basic, verified by the ncsa_auth helper against
# the password file given as its argument.
# NOTE(review): Basic credentials are only base64-encoded, not encrypted, and
# are sent on every request between browser and proxy. Keep the password file
# readable only by root and the account Squid runs as.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#
auth_param basic realm ::Net::
#
auth_param basic children 5
# A validated username/password pair is trusted for 2 hours before the helper
# is asked again, so a password change or account removal may take up to that
# long to be enforced.
auth_param basic credentialsttl 2 hours
# Usernames are compared without regard to case.
auth_param basic casesensitive off
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
# --------------------------------------------------------------------
# ACCESS CONTROLS
# --------------------------------------------------------------------
# Baseline ACLs and rules. http_access lines are evaluated top to bottom and
# the first line that matches decides the request; ACL names written on the
# same line must all match (logical AND).
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
#
# Destination ports the proxy will talk to for ordinary requests.
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
#
# Destination ports to which CONNECT tunnels are permitted.
# NOTE(review): 465, 563, 873 and 995 go beyond plain HTTPS. Each port listed
# here is one the proxy will open an opaque tunnel to, so keep only the ones
# that are actually required.
acl SSL_ports port 443 # https
acl SSL_ports port 465 # YAHOO - SMTP (SSL)
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 995 # YAHOO - POP3 (SSL)
#
acl purge method PURGE
acl CONNECT method CONNECT
#
# Cache manager and PURGE are accepted from localhost only.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Refuse ports outside Safe_ports, and CONNECT to ports outside SSL_ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Refuse requests whose destination is the proxy host's own loopback range.
http_access deny to_localhost
#
# Custom ACLs
#
# Per-group rules as originally posted (the configuration that did NOT behave
# as intended). Read them with first-match-wins in mind: an "allow" line that
# names only a URL list applies to every user who reaches it.
acl rede_interna src 192.168.0.0/24
#
####################################################################################################
###**********************************************************************************************###
###**********************************************************************************************###
###**********************************************************************************************###
###**********************************************************************************************###
####################################################################################################
#
# Matches any successfully authenticated user.
# NOTE(review): no http_access line in this listing references this ACL.
acl usuarios proxy_auth REQUIRED
#
####################################################################################################
# IT
#
acl acesso_ti proxy_auth "/etc/squid/listas/usr_ti"
#
# IT users get unrestricted access.
# NOTE(review): this allow comes before any check against rede_interna, so as
# written a valid IT login is accepted from any source address that can reach
# the proxy port. Confirm the port is not reachable from outside the LAN.
http_access allow acesso_ti
#
####################################################################################################
# Directors
#
acl acesso_diretoria proxy_auth "/etc/squid/listas/diretores"
# url_regex matches its patterns anywhere in the full URL, case-insensitively
# with -i.
# NOTE(review): the list contents are not shown. If they are meant as an
# allowlist of sites, unanchored patterns can also match an unrelated URL that
# merely contains the string, and for CONNECT (HTTPS) requests only host:port
# is available to match unless TLS interception is configured (none is visible
# here). A dstdomain list is the tighter fit for hostnames.
acl url_diretoria url_regex -i "/etc/squid/listas/url_diretoria"
#
# NOTE(review): this allow names no user or source ACL, so a URL on the
# directors' list is allowed for every user who reaches this line, not only
# directors. The same pattern repeats for each group below.
http_access allow url_diretoria
# Directors are refused anything outside their own list.
http_access deny acesso_diretoria !url_diretoria
####################################################################################################
# Personnel department
#
acl acesso_pessoal proxy_auth "/etc/squid/listas/usr_pessoal"
acl url_pessoal url_regex -i "/etc/squid/listas/url_pessoal"
#
http_access deny acesso_pessoal !url_pessoal
http_access allow url_pessoal
#
####################################################################################################
# Finance
#
acl acesso_financeiro proxy_auth "/etc/squid/listas/usr_financeiro"
acl url_financeiro url_regex -i "/etc/squid/listas/url_financeiro"
#
http_access allow url_financeiro
http_access deny acesso_financeiro !url_financeiro
####################################################################################################
# HR
#
acl acesso_rh proxy_auth "/etc/squid/listas/usr_rh"
acl url_rh url_regex -i "/etc/squid/listas/url_rh"
#
http_access allow url_rh
http_access deny acesso_rh !url_rh
####################################################################################################
# Maintenance
#
acl acesso_manutencao proxy_auth "/etc/squid/listas/usr_manutencao"
acl url_manutencao url_regex -i "/etc/squid/listas/url_manutencao"
#
http_access allow url_manutencao
http_access deny acesso_manutencao !url_manutencao
####################################################################################################
#
# A group member only gets this far when the URL matched their own list; the
# per-group deny above has already refused everything else.
http_access allow acesso_diretoria
http_access allow acesso_pessoal
http_access allow acesso_financeiro
http_access allow acesso_rh
http_access allow acesso_manutencao
#
# NOTE(review): the source-network check comes last, after every allow above,
# so none of those allows is limited to rede_interna.
http_access deny !rede_interna
http_access allow rede_interna
http_access deny all
# NOTE(review): ICP queries are answered for any source address. ICP lets the
# sender learn whether a URL is in this cache. If there are no peer caches,
# restrict this to the peers' addresses or disable ICP with "icp_port 0".
icp_access allow all
#
# TOS value set on replies served from the local cache (lets a downstream
# router/shaper tell cache hits apart); not applied for parent hits.
zph_tos_local 16
zph_tos_parent off
#
# Contact address and hostname shown on Squid's error pages.
cache_mgr teste@teste.com.br
visible_hostname Teste
#
error_directory /etc/squid/share/errors/Portuguese
coredump_dir /var/spool/squid/squid
####################################################################################################

Obs: só está dando certo a primeira regra que libera geral para um grupo, depois não funciona.

- Se alguém puder me ajudar... desde já agradeço.



  


2. MELHOR RESPOSTA

Phillip Vieira
phrich

(usa Slackware)

Enviado em 29/02/2012 - 16:03h

Vou fazer algumas correções e comentários, LEIA COM ATENÇÃO:

# Corrected per-group section. Each group keeps only its "deny <group> !<list>"
# line: it fires solely for members of that group requesting a URL outside
# their list. Whatever is not denied falls through to the final rede_interna
# allow. Rules are evaluated top to bottom; the first match decides.
#
# NOTE(review): "usuarios" is still not referenced by any http_access line here.
acl usuarios proxy_auth REQUIRED


# HERE YOU ALLOWED THE USERNAMES LISTED IN THE FILE BELOW
# NOTE(review): this allow sits above the rede_interna check, so a valid IT
# login is accepted from any source address that can reach the proxy port.
# Confirm the port is not reachable from outside the LAN.
acl acesso_ti proxy_auth "/etc/squid/listas/usr_ti"
http_access allow acesso_ti



# I REMOVED THE LINE "http_access allow url_diretoria"
#Directors
# NOTE(review): url_regex matches anywhere in the full URL. The list contents
# are not shown; if they are site allowlists, unanchored patterns can also
# match an unrelated URL containing the string, and a dstdomain list is the
# tighter fit for hostnames. This applies to every url_* list below.
acl acesso_diretoria proxy_auth "/etc/squid/listas/diretores"
acl url_diretoria url_regex -i "/etc/squid/listas/url_diretoria"
http_access deny acesso_diretoria !url_diretoria


# I REMOVED THE LINE "http_access allow url_pessoal"
#Personnel department
acl acesso_pessoal proxy_auth "/etc/squid/listas/usr_pessoal"
acl url_pessoal url_regex -i "/etc/squid/listas/url_pessoal"
http_access deny acesso_pessoal !url_pessoal


# I REMOVED THE LINE "http_access allow url_financeiro"
#Finance
acl acesso_financeiro proxy_auth "/etc/squid/listas/usr_financeiro"
acl url_financeiro url_regex -i "/etc/squid/listas/url_financeiro"
http_access deny acesso_financeiro !url_financeiro


# I REMOVED THE LINE "http_access allow url_rh"
#HR
acl acesso_rh proxy_auth "/etc/squid/listas/usr_rh"
acl url_rh url_regex -i "/etc/squid/listas/url_rh"
http_access deny acesso_rh !url_rh


# I REMOVED THE LINE "http_access allow url_manutencao"
#Maintenance
acl acesso_manutencao proxy_auth "/etc/squid/listas/usr_manutencao"
acl url_manutencao url_regex -i "/etc/squid/listas/url_manutencao"
http_access deny acesso_manutencao !url_manutencao


# REMOVE THESE LINES (I HAVE ALREADY COMMENTED THEM OUT)
#http_access allow acesso_diretoria
#http_access allow acesso_pessoal
#http_access allow acesso_financeiro
#http_access allow acesso_rh
#http_access allow acesso_manutencao

# REMOVE THIS LINE (I HAVE ALREADY COMMENTED IT OUT) BECAUSE THIS BLOCK IS DONE BY http_access deny all
#http_access deny !rede_interna
# NOTE(review): an account that exists in the password file but appears in
# none of the group lists is not caught by any deny above and is allowed here
# without URL restriction. If every account must belong to a group, add an
# explicit deny for the remainder before this line.
http_access allow rede_interna
http_access deny all
# NOTE(review): ICP queries are answered for any source address. If this proxy
# has no peer caches, restrict this to the peers' addresses or disable ICP
# with "icp_port 0".
icp_access allow all
#
# TOS value set on replies served from the local cache; not applied for
# parent hits.
zph_tos_local 16
zph_tos_parent off
#
# Contact address and hostname shown on Squid's error pages.
cache_mgr teste@teste.com.br
visible_hostname Teste
#
error_directory /etc/squid/share/errors/Portuguese
coredump_dir /var/spool/squid/squid
########################################################

O seu problema é excesso de linhas. Não esqueça de ler os comentários e tentar entender comparando com a conf atual...

Testa ai e depois nos conte se funcionou.

3. Re: Squid bloqueio por grupos. [RESOLVIDO]

Renato Candido
firehawks

(usa Debian)

Enviado em 29/02/2012 - 16:03h

up


4. Re: Squid bloqueio por grupos. [RESOLVIDO]

Renato Candido
firehawks

(usa Debian)

Enviado em 29/02/2012 - 16:12h

Nussa cara, muito obrigado mesmo, funcionou perfeitamente, muito obrigado... deu pra entender com os seus comentários, estava meio perdido com tanta coisa que adicionei. Brigadão, cara.





