Squid libera qualquer site

1. Squid libera qualquer site

T0T0R0
(usa CentOS)

Enviado em 19/08/2015 - 11:20h

Galera, bom dia.

Estou com um problema no meu Squid.
Consigo autenticar no meu AD, mas ele não respeita as regras de bloqueio/liberação. Está liberando qualquer página e para todos os usuários.
Alguém pode me ajudar? Segue abaixo o meu Conf do Squid.

#
# Recommended minimum configuration:
#

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm elbr-proxy-02
auth_param basic credentialsttl 12 hours
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow all AuthorizedUsers

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl tifutura_network dst 10.20.0.0/16
http_access allow tifutura_network

acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
http_access allow sites_liberados

acl deny_cache url_regex -i "/etc/squid/deny_cache"
cache deny deny_cache

external_acl_type AD_GROUP children-max=60 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

#AUTENTICACAO tifutura
acl eltek proxy_auth REQUIRED

acl INTERNETBLOQ external AD_GROUP tifutura \ internetblock
http_access deny INTERNETBLOQ

#RESTRICAO POR HORARIO
acl almoco time MTWHFAS 12:15-13:30
acl liberado_horario url_regex -i "/etc/squid/liberado_horario"
http_access allow liberado_horario almoco

#BLOQUEIOS
acl sites_denied url_regex -i "/etc/squid/sites_denied"
acl proxy_denied url_regex -i "/etc/squid/proxy_denied"

#BLOQUEIO POR IP
acl ipdomain url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$

#STREAMING
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all

http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all

acl proib_musica urlpath_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.mp3$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.ra$ \.ram$ \.snd$ \.wma$ \.wmv$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.mp4$ \.rmvb$ \.xspf$
http_access deny proib_musica

#TORRENT, DOWNLOADS
acl torrent_download urlpath_regex -i \.iso$ \.torrent$ \.bat$ \.bin$ \.sh$
acl webmsn url_regex -i "/etc/squid/im_denied"
http_access deny webmsn

#GRUPO tifutura
acl INTERNETFREE external AD_GROUP tifutura \ internetfree
http_access allow INTERNETFREE

#HTTP_ACCES

http_access deny sites_denied
http_access deny proxy_denied
http_access deny ipdomain

#http_access allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

0 0

Quote

2. Re: Squid libera qualquer site

Buckminster
(usa Debian)

Enviado em 19/08/2015 - 12:13h

Esta regra

http_access allow all AuthorizedUsers

deixe assim

http_access allow AuthorizedUsers

Faça a alteração, reinicie o Squid, teste e poste aqui o resultado.

Estas regras

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

tu deve escolher somente uma delas, por exemplo, se a tua rede interna for 192.168.1.0 tu deve deixar somente a regra

acl localnet src 192.168.1.0/24

e depois mais embaixo antes de http_access deny all tu coloca http_access allow localnet.

0 0

Quote

3. Re: Squid libera qualquer site

T0T0R0
(usa CentOS)

Enviado em 19/08/2015 - 14:41h

Buckminster escreveu:

Esta regra

http_access allow all AuthorizedUsers

deixe assim

http_access allow AuthorizedUsers

Faça a alteração, reinicie o Squid, teste e poste aqui o resultado.

Estas regras

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

tu deve escolher somente uma delas, por exemplo, se a tua rede interna for 192.168.1.0 tu deve deixar somente a regra

acl localnet src 192.168.1.0/24

e depois mais embaixo antes de http_access deny all tu coloca http_access allow localnet.

Amigo, obrigado pela ajuda. Fiz o que indicou, mas continua liberando tudo.

Veja o Status do squid.service usando o comando systemctl status squid.service

ââ19114 /usr/sbin/squid -f /etc/squid/squid.conf
ââ19116 (squid-1) -f /etc/squid/squid.conf
ââ19119 /usr/bin/perl -w /usr/lib64/squid/ext_wbinfo_group_acl
ââ19120 /usr/bin/perl -w /usr/lib64/squid/ext_wbinfo_group_acl
ââ19121 /usr/bin/perl -w /usr/lib64/squid/ext_wbinfo_group_acl
ââ19122 /usr/bin/perl -w /usr/lib64/squid/ext_wbinfo_group_acl
ââ19123 /usr/bin/perl -w /usr/lib64/squid/ext_wbinfo_group_acl
ââ19124 (logfile-daemon) /var/log/squid/access.log
ââ19127 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19128 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19129 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19130 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19131 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19132 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19133 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19134 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19135 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19136 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
ââ19137 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp

0 0

Quote

4. Re: Squid libera qualquer site

Buckminster
(usa Debian)

Enviado em 19/08/2015 - 15:10h

Veja abaixo uma parte do texto do link http://www.hardware.com.br/livros/servidores-linux/proxy-com-autenticacao.html:

# Bloqueia acessos de fora da rede local antes de passar pela autenticação:
acl localnet src 192.168.1.0/24
http_access deny !localnet

# Outras regras de restrição vão aqui, de forma que o acesso seja negado
# antes mesmo de passar pela autenticação:
acl bloqueados url_regex -i "/etc/squid/bloqueados"
http_access deny bloqueados

# Autentica o usuário:
auth_param basic realm Squid
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl autenticados proxy_auth REQUIRED
http_access allow autenticados

# Libera o acesso da rede local e do localhost para os autenticados,
# bloqueia os demais:
http_access allow localhost
http_access allow localnet
http_access deny all

Veja que agora usamos a regra "http_access deny !localnet" no início da cadeia. A exclamação inverte a lógica da regra, fazendo com que ela bloqueie todos os endereços que não fizerem parte da acl "localnet".

Organiza essa parte do teu squid.conf da maneira que está acima, adapte para ti. A ordem das regras é importante.

Outro link para leitura:
http://www.vivaolinux.com.br/artigo/Squid-Entendendo-um-pouco-as-configuracoes/?pagina=4

0 0

Quote