Enviado em 17/06/2010 - 20:49h
Pessoal tenho uma rede com +/- 60 computadores e tenho um server Debian 5.0.4 com o Squid + ThunderCache3 rodando normal, squid com o cache estatico e o TC com o dinamico, a administração me incubiu de fazer o seguinte:
1- Acesso total de alguns computadores.
2- Bloqueio total de alguns computadores.
3- Bloqueio de alguns sites a determinados computadores.
4- Bloqueio de msn em alguns computadores.
Meu atual squid:
============================================================
################################################## ##################
### ###
### AILTON FERNANDES FARIAS ###
### ###
################################################## ##################
http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/
#================================================= ==================#
# SERVIDORES DNS E POLITICA
#================================================= ==================#
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes
#================================================= ==================#
# ACESSO DIRETO A DETERMINADOS SITES
#================================================= ==================#
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999
#================================================= ==================#
# LIBERAR / BLOQUEAR IPS / SITES
#================================================= ==================#
acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
http_access deny sitesbloqueados
acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"
http_access deny ipsbloqueados
#================================================= ==================#
# BLOQUEAR/LIBERAR MSN
#================================================= ==================#
#acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
#acl msn url_regex -i gateway.messenger.com
#acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"
#http_access allow ipsliberados
#http_access deny msn
#http_access deny ipsbloqueados
#================================================= ==================#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
http_access allow proxy
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access deny all
http_reply_access allow all
#icp_access allow all
#================================================= ==================#
# NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
#================================================= ==================#
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf
#================================================= ==================#
# BLOQUEIO DE ARQUIVOS SUSPEITOS
#================================================= ==================#
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif
#================================================= ==================#
# USO DA MEMORIA E DISCO PELO SQUID
#================================================= ==================#
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95
#================================================= ==================#
# TAMANHO DOS ARQUIVOS EM CACHE
#================================================= ==================#
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
#================================================= ==================#
# POLITICA DE SUBSTITUIÇO DO CACHE
#================================================= ==================#
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
max_filedescriptors 1024
cache_dir aufs /thunder 10000 16 256
cache_effective_user proxy
ftp_user anonymous@anonymous.com.br
#================================================= ==================#
# LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
#================================================= ==================#
access_log /var/log/squid/access.log
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
server_persistent_connections off
zph_mode tos
zph_local 0x30
#================================================= ==================#
# THUNDERCACHE 3.X - REGEX
#================================================= ==================#
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all
#================================================= ==================#
# FIM
#================================================= ==================#
Dessa forma ai o bloqueio de site esta funcionando, mas bloqueia todos os computadores da rede. O Bloqueio por IP não esta funcionando. O que devo fazer para ter as quanto opções que me pediram?
1- Acesso total de alguns computadores.
2- Bloqueio total de alguns computadores.
3- Bloqueio de alguns sites a determinados computadores.
4- Bloqueio de msn em alguns computadores.
Meu atual squid:
============================================================
################################################## ##################
### ###
### AILTON FERNANDES FARIAS ###
### ###
################################################## ##################
http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/
#================================================= ==================#
# SERVIDORES DNS E POLITICA
#================================================= ==================#
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes
#================================================= ==================#
# ACESSO DIRETO A DETERMINADOS SITES
#================================================= ==================#
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999
#================================================= ==================#
# LIBERAR / BLOQUEAR IPS / SITES
#================================================= ==================#
acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
http_access deny sitesbloqueados
acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"
http_access deny ipsbloqueados
#================================================= ==================#
# BLOQUEAR/LIBERAR MSN
#================================================= ==================#
#acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
#acl msn url_regex -i gateway.messenger.com
#acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"
#http_access allow ipsliberados
#http_access deny msn
#http_access deny ipsbloqueados
#================================================= ==================#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
http_access allow proxy
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access deny all
http_reply_access allow all
#icp_access allow all
#================================================= ==================#
# NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
#================================================= ==================#
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf
#================================================= ==================#
# BLOQUEIO DE ARQUIVOS SUSPEITOS
#================================================= ==================#
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif
#================================================= ==================#
# USO DA MEMORIA E DISCO PELO SQUID
#================================================= ==================#
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95
#================================================= ==================#
# TAMANHO DOS ARQUIVOS EM CACHE
#================================================= ==================#
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
#================================================= ==================#
# POLITICA DE SUBSTITUIÇO DO CACHE
#================================================= ==================#
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
max_filedescriptors 1024
cache_dir aufs /thunder 10000 16 256
cache_effective_user proxy
ftp_user anonymous@anonymous.com.br
#================================================= ==================#
# LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
#================================================= ==================#
access_log /var/log/squid/access.log
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
server_persistent_connections off
zph_mode tos
zph_local 0x30
#================================================= ==================#
# THUNDERCACHE 3.X - REGEX
#================================================= ==================#
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all
#================================================= ==================#
# FIM
#================================================= ==================#
Dessa forma ai o bloqueio de site esta funcionando, mas bloqueia todos os computadores da rede. O Bloqueio por IP não esta funcionando. O que devo fazer para ter as quanto opções que me pediram?
