squid... qual o problema e solução?

red_slack
(usa Slackware)

Enviado em 17/06/2010 - 20:49h

Pessoal tenho uma rede com +/- 60 computadores e tenho um server Debian 5.0.4 com o Squid + ThunderCache3 rodando normal, squid com o cache estatico e o TC com o dinamico, a administração me incubiu de fazer o seguinte:

1- Acesso total de alguns computadores.
2- Bloqueio total de alguns computadores.
3- Bloqueio de alguns sites a determinados computadores.
4- Bloqueio de msn em alguns computadores.

Meu atual squid:
============================================================
################################################## ##################
### ###
### AILTON FERNANDES FARIAS ###
### ###
################################################## ##################

http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/

#================================================= ==================#
# SERVIDORES DNS E POLITICA
#================================================= ==================#
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes

#================================================= ==================#
# ACESSO DIRETO A DETERMINADOS SITES
#================================================= ==================#
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd

refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999

#================================================= ==================#
# LIBERAR / BLOQUEAR IPS / SITES
#================================================= ==================#
acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
http_access deny sitesbloqueados

acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"
http_access deny ipsbloqueados

#================================================= ==================#
# BLOQUEAR/LIBERAR MSN
#================================================= ==================#
#acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
#acl msn url_regex -i gateway.messenger.com
#acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"

#http_access allow ipsliberados
#http_access deny msn
#http_access deny ipsbloqueados

#================================================= ==================#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
http_access allow proxy
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access deny all
http_reply_access allow all
#icp_access allow all

#================================================= ==================#
# NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
#================================================= ==================#
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf

#================================================= ==================#
# BLOQUEIO DE ARQUIVOS SUSPEITOS
#================================================= ==================#
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif

#================================================= ==================#
# USO DA MEMORIA E DISCO PELO SQUID
#================================================= ==================#
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95

#================================================= ==================#
# TAMANHO DOS ARQUIVOS EM CACHE
#================================================= ==================#
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB

#================================================= ==================#
# POLITICA DE SUBSTITUIÇO DO CACHE
#================================================= ==================#
cache_replacement_policy heap LFUDA
memory_replacement_policy lru

ipcache_size 4096
ipcache_low 90
ipcache_high 95

fqdncache_size 1024
max_filedescriptors 1024

cache_dir aufs /thunder 10000 16 256

cache_effective_user proxy
ftp_user anonymous@anonymous.com.br

#================================================= ==================#
# LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
#================================================= ==================#
access_log /var/log/squid/access.log

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts

coredump_dir /var/spool/squid

server_persistent_connections off
zph_mode tos
zph_local 0x30

#================================================= ==================#
# THUNDERCACHE 3.X - REGEX
#================================================= ==================#
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all

#================================================= ==================#
# FIM
#================================================= ==================#

Dessa forma ai o bloqueio de site esta funcionando, mas bloqueia todos os computadores da rede. O Bloqueio por IP não esta funcionando. O que devo fazer para ter as quanto opções que me pediram?

Diede
(usa Debian)

Enviado em 17/06/2010 - 21:31h

Ok, tente assim:

http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999

#================================================= ==================#
# LIBERAR / BLOQUEAR IPS / SITES
#================================================= ==================#
acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access allow proxy
http_access allow !ipsbloqueados !sitesbloqueados
http_reply_access allow all
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
max_filedescriptors 1024
cache_dir aufs /thunder 10000 16 256
cache_effective_user proxy
ftp_user anonymous@anonymous.com.br
access_log /var/log/squid/access.log
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
server_persistent_connections off
zph_mode tos
zph_local 0x30
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all

red_slack
(usa Slackware)

Enviado em 18/06/2010 - 22:38h

Obrigado pela dica, já tenho 03 das 04 situações resolvidas (1, 2 e 3) só me resta a 4ª a do msn, meu squid ficou assim:

####################################################################
### ###
### AILTON FERNANDES FARIAS ###
### ###
####################################################################

http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/

#===================================================================#
# SERVIDORES DNS E POLITICA
#===================================================================#
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes

#===================================================================#
# ACESSO DIRETO A DETERMINADOS SITES
#===================================================================#
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd

refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999

#===================================================================#
# LIBERAR / BLOQUEAR / IPS / SITES
#===================================================================#
#-----SITES E IPS PARCIALMENTE BLOQUEADOS-----#
acl sites_pro_1 url_regex -i "/etc/squid/acls/bloqueados/sites_proibidos1"
acl ips_sites_proibidos src "/etc/squid/acls/bloqueados/ips_sites_proibidos"
http_access deny ips_sites_proibidos sites_pro_1

#-----IPS 100% LIBERADOS-----#
acl ipsliberados src "/etc/squid/acls/liberados/ips"
http_access allow ipsliberados

#-----IP'S 100% BLOQUEADOS----#
acl ipsbloqueados src "/etc/squid/acls/bloqueados/ips"
http_access deny ipsbloqueados

#===================================================================#
# BLOQUEAR/LIBERAR MSN
#===================================================================#
#acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
#acl msn url_regex -i gateway.messenger.com
#acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"

#http_access allow ipsliberados
#http_access deny msn
#http_access deny ipsbloqueados

#===================================================================#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
http_access allow proxy
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access deny all
http_reply_access allow all
#icp_access allow all

#===================================================================#
# NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
#===================================================================#
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf

#===================================================================#
# BLOQUEIO DE ARQUIVOS SUSPEITOS
#===================================================================#
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif

#===================================================================#
# USO DA MEMORIA E DISCO PELO SQUID
#===================================================================#
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95

#===================================================================#
# TAMANHO DOS ARQUIVOS EM CACHE
#===================================================================#
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB

#===================================================================#
# POLITICA DE SUBSTITUIÇO DO CACHE
#===================================================================#
cache_replacement_policy heap LFUDA
memory_replacement_policy lru

ipcache_size 4096
ipcache_low 90
ipcache_high 95

fqdncache_size 1024
max_filedescriptors 1024

cache_dir aufs /thunder 10000 16 256

cache_effective_user proxy
ftp_user anonymous@anonymous.com.br

#===================================================================#
# LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
#===================================================================#
access_log /var/log/squid/access.log

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts

coredump_dir /var/spool/squid

server_persistent_connections off
zph_mode tos
zph_local 0x30

#===================================================================#
# THUNDERCACHE 3.X - REGEX
#===================================================================#
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all

#===================================================================#
# FIM
#===================================================================#

Tem como me ajudar no item 4? Bloqueios de msn em alguns computadores. Preciso também de uma forma de amarrar o IP ao MAC, o que me sujerem???

Desde já grato