Squid Autenticado no AD / Duvidas / Sugestoes.

1. Squid Autenticado no AD / Duvidas / Sugestoes.

Renan Casini
renancasini

(usa Outra)

Enviado em 03/07/2015 - 13:14h

Amigos, Boa Tarde!

Tenho as seguintes dúvidas quanto ao meu SQUID.

1 - Quando faço login em uma máquina local (fora do domínio), consigo navegar normalmente ao incluir o proxy no navegador (até mesmo em sites bloqueados), pois o navegador não pede autenticação.

2 - Quando o caso acima acontece, a navegação aparece no meu relatório do SARG com o IP da máquina (lembrem que meu SQUID está autenticando no AD). Gostaria que quem não se autenticasse também não navegasse.

3 - Um usuário estava usando o Firefox e conseguiu varar o squid e acessar sites como FACEBOOK sem aparecer no relatório do SARG.

4 - Tenho dúvidas quanto à eficiência do cache configurado nesse script do SQUID (se alguém puder analisar, ficaria grato).

5 - Sempre que rodo o comando "squid -k reconfigure", aparecem as seguintes mensagens:

2015/07/03 13:00:34| WARNING: You should probably remove '192.168.0.248' from the ACL named 'low'
2015/07/03 13:00:34| WARNING: '192.168.0.248' is a subnetwork of '192.168.0.248'
2015/07/03 13:00:34| WARNING: because of this '192.168.0.248' is ignored to keep splay tree searching predictable

Essa é uma das milhares que aparecem. Trata-se do controle de banda que tenho dentro do SQUID (só apresenta essa mensagem; tanto o controle de banda quanto o filtro de conteúdo funcionam normalmente).


Segue meu SQUID.CONF:



# Authentication against Windows 2008: NTLM and Basic schemes, both served by
# the ntlm_auth helper.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# NOTE(review): the Basic fallback sends the domain password base64-encoded
# (not encrypted) between browser and proxy; keep it only if non-NTLM clients
# really need it.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
# NOTE(review): AuthorizedUsers is defined here, but no http_access line in
# this listing references it. Defining a proxy_auth ACL does not by itself
# force a login; only an http_access rule that uses it does.
acl AuthorizedUsers proxy_auth REQUIRED

# NOTE(review): http_access rules are evaluated top-down and the first match
# wins. This allow is the first http_access rule in the file, so any URL that
# matches a pattern in /etc/squid/bancos is served without credentials and
# before the Safe_ports / CONNECT checks that appear further down.
# url_regex matches anywhere in the URL; dstdomain is a tighter match for an
# allow-list of sites (contents of the file are not shown - confirm).
acl bancos url_regex -i "/etc/squid/bancos"
http_access allow bancos

# General settings
http_port 3128
hierarchy_stoplist cgi-bin?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_replacement_policy lru
memory_replacement_policy lru
cache_mem 2 GB
maximum_object_size_in_memory 2048 KB
# NOTE(review): maximum_object_size is set again (200 MB) further down in this
# file; which value each cache_dir ends up with should be confirmed on the
# running version.
maximum_object_size 600 MB
minimum_object_size 1 KB
ipcache_size 2048
ipcache_low 80
ipcache_high 95
# Four aufs cache directories of 23552 MB each.
cache_dir aufs /var/spool/squid/1/ 23552 128 512
cache_dir aufs /var/spool/squid/2/ 23552 128 512
cache_dir aufs /var/spool/squid/3/ 23552 128 512
cache_dir aufs /var/spool/squid/4/ 23552 128 512
# Repeats the two replacement-policy lines already given above.
cache_replacement_policy lru
memory_replacement_policy lru
# %un is the authenticated user name; requests that were allowed without a
# login show up in the log (and in SARG) identified only by %>a, the client IP.
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
# NOTE(review): three directives point at the same access.log (two access_log
# lines plus the older cache_access_log name). Presumably each request is
# written more than once, which would skew the SARG report - confirm and keep
# a single access_log line.
access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_swap_log /var/spool/squid/swap.log
cache_mgr renan@redesedados.com.br
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid
# NOTE(review): with the backslash, "\^" matches a literal caret instead of
# anchoring at the start of the URL; possibly an escaping artifact of the
# forum paste - confirm against the real file.
refresh_pattern \^ftp: 1440 20% 10080
refresh_pattern \^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# NOTE(review): refresh_pattern lines are checked in order and the first match
# is used. "." matches every URL, so every refresh_pattern that comes after
# this line in the file (images, video, Windows Update, Java, antivirus) is
# never consulted. The catch-all belongs at the very end.
refresh_pattern . 0 20% 4320

# ACL definitions
# NOTE(review): "all", "manager", "localhost" and "to_localhost" are written in
# the old Squid 2.x form; newer releases predefine some of these - confirm
# against the installed version.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 407 # msn
# NOTE(review): listing the mail ports 25 and 110 as "safe" means the
# "http_access deny !Safe_ports" rule no longer stops the proxy from opening
# connections to mail servers. Unless something depends on it, drop these two
# lines so the proxy cannot be used to reach SMTP/POP services.
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop
acl purge method PURGE
acl CONNECT method CONNECT


################################ CACHE ####################################


#### Microsoft Update ####
# NOTE(review): this line uses the ACL "windowsupdate", which is only defined
# later in the file; Squid normally expects an ACL to be defined before it is
# referenced - confirm it is not being rejected at startup.
range_offset_limit 200 MB windowsupdate
# Second maximum_object_size in this file (an earlier line sets 600 MB).
maximum_object_size 200 MB
# NOTE(review): the value is written "-1." with a trailing dot; presumably
# "-1 KB" (never abort a download the client gave up on) was intended - confirm.
quick_abort_min -1.

# Image cache (the same block also covers .swf, .exe and page extensions).
# NOTE(review): a catch-all "refresh_pattern ." appears earlier in this file;
# because the first matching refresh_pattern wins, none of the lines below are
# reached as the file stands.
# reload-into-ims turns a client's forced reload into an If-Modified-Since
# revalidation instead of a full refetch.
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.exe$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.php$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims

# Video / audio cache
# NOTE(review): "override" on its own does not look like a complete option
# name (compare override-expire / override-lastmod); the line may be truncated
# in this listing - confirm against the real file.
refresh_pattern -i \.(mp3|mp4|m4a|ogg|mov|avi|wmv|flv)$ 43200 100% 43200 ignore-no-cache override

# Windows Update cache.
# NOTE(review): the lines in this group appear cut off in this listing (the
# min/percent/max values and options are missing or partial), so the effective
# freshness settings cannot be checked from here.
# NOTE(review): inside brackets "|" is a literal character, so ms[i|u|f] also
# matches "ms|"; ms[iuf] is presumably what was meant. The dots in the host
# names are unescaped and match any character.
refresh_pattern -i au.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|ps
refresh_pattern -i download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320
refresh_pattern -i msgruser.dlservice.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100
refresh_pattern -i download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf)
refresh_pattern -i update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200
refresh_pattern -i ctldl.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 432
refresh_pattern -i crl.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100
refresh_pattern -i sqm.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100
refresh_pattern -i watson.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200
refresh_pattern -i go.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100%
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 43
refresh_pattern -i msftncsi.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 100% 432
refresh_pattern -i stats1.update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf)
refresh_pattern -i windowsupdate.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf)
refresh_pattern -i redir.metaservices.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip
refresh_pattern -i images.metaservices.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zi
refresh_pattern -i c.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100% 4
refresh_pattern -i www.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|p">www.download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|p
refresh_pattern -i wustat.windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100
refresh_pattern -i sls.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf) 4320 100%
refresh_pattern -i productactivation.one.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|
refresh_pattern -i ntservicepack.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|psf)

# Java cache (caches Java installer downloads)
# NOTE(review): the first field is the minimum freshness in minutes; 999999 is
# roughly 694 days during which an object without explicit expiry information
# is served from cache without revalidation. For installers and antivirus
# definition files that can mean clients keep receiving outdated security
# updates - a much smaller minimum is safer for this kind of content.
refresh_pattern -i sdlc-esd.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i javadl-esd.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i javadl.oracle.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims
refresh_pattern -i rps-svcs.sun.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims

# Avira update cache (line is cut off in this listing)
refresh_pattern -i personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 999999 100% 43200 reload-in

# Symantec update cache (first line is cut off in this listing)
refresh_pattern -i liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 relo
refresh_pattern -i symantecliveupdate.com/.*\.(cab|exe|dll|msi) 999999 100% 43200 reload-into-ims

# Avast cache
# NOTE(review): the unanchored "avast.com/" pattern on the first line already
# matches every *.avast.com host listed after it, so the per-host lines add
# nothing. Several of them are also cut off in this listing.
refresh_pattern -i avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i x2486472.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i h3565960.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i r2493514.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i x8761469.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i j7434223.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i y7292228.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i z0183749.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i c0307764.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i x9942723.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i t0964766.iavs9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i w2416805.ivps9x.u.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-i
refresh_pattern -i ai.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i eu.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i su.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i program.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i vl.ff.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i an.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i v7.stats.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i static.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i emupdate.avast.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-into-ims
refresh_pattern -i software-files-a.cnet.com/.*\.(vpu|cab|stamp|exe) 999999 100% 43200 reload-int



###### Microsoft #####
# Destination hosts grouped under the "windowsupdate" ACL, which
# range_offset_limit references earlier in this file.
# NOTE(review): a dstdomain entry without a leading dot matches only that exact
# host name; ".microsoft.com" would be needed to cover sub-domains with a
# single entry.
acl windowsupdate dstdomain stats1.update.microsoft.com
acl windowsupdate dstdomain msftncsi.com
acl windowsupdate dstdomain microsoft.com
acl windowsupdate dstdomain go.microsoft.com
acl windowsupdate dstdomain watson.microsoft.com
acl windowsupdate dstdomain sqm.microsoft.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain windowsupdate.com
acl windowsupdate dstdomain msgruser.dlservice.microsoft.com
acl windowsupdate dstdomain download.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

#### AVAST #####
# The "avast" ACL is defined here; no rule in this listing uses it.
acl avast dstdomain avast.com
acl avast dstdomain software-files-a.cnet.com

######################################## CONTROLE DE BANDA ##########################

# ACL with the extensions the bandwidth filter applies to.
# NOTE(review): both lines are cut off in this listing. In "download" the dots
# are unescaped and the bare word "ftp" matches any URL containing those three
# letters; no delay_access rule in this listing uses "download".
acl download url_regex -i ftp .mov .mpeg .wav .tar .mp3 .exe .zip .rar .mpg .avi .rmvb .pps .wmv
acl navegacao urlpath_regex -i \.htm$ \.html$ \.php \.cgi \.pl \.asp \.cf$ \.jpeg$ \.jpg$ \.png$

# ACLs with the client IPs each bandwidth rule applies to.
# NOTE(review): the same three ACLs are declared a second time further down in
# this file, loading each address file twice.
acl fast src "/etc/squid/fast"
acl medium src "/etc/squid/medium"
acl low src "/etc/squid/low"

delay_pools 3
# Three bandwidth-control pools are declared.

# First pool
delay_class 1 2

# -1/-1 means no limit for delay pool 1
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow fast

# Second pool
delay_class 2 2

# Per-client bandwidth limit.
# NOTE(review): delay_parameters values are bytes per second, and in a class 2
# pool the first pair is the aggregate for the whole pool, the second pair the
# per-client bucket. With both pairs equal, all clients of the pool together
# share the same ceiling that a single client gets.
#delay_parameters 2 2097152/2097152 2097152/2097152<---># 2 mb
#delay_parameters 2 1835008/1835008 1835008/1835008<---># 1,75 mb
delay_parameters 2 1572864/1572864 1572864/1572864<----># 1,5 mb
#delay_parameters 2 1310720/1310720 1310720/1310720<---># 1,25 mb
#delay_parameters 2 1048576/1048576 1048576/1048576<---># 1 mb
#delay_parameters 2 943718.4/943718.4 943718.4/943718.4># 900 kb
#delay_parameters 2 838860.8/838860.8 838860.8/838860.8># 800 kb
#delay_parameters 2 734003.2/734003.2 734003.2/734003.2># 700 kb
#delay_parameters 2 629145.6/629145.6 629145.6/629145.6># 600 kb
#delay_parameters 2 524288/524288 524288/524288><------># 500 kb

# NOTE(review): "allow navegacao" puts any request whose path matches the
# navegacao patterns into pool 2 regardless of the client address; presumably
# that also catches "low" clients before pool 3 is considered - confirm.
delay_access 2 allow medium
delay_access 2 allow navegacao


# Third pool
delay_class 3 2

# Per-client bandwidth limit (same units and aggregate/individual layout as
# pool 2).
#delay_parameters 3 2097152/2097152 2097152/2097152<---># 2 mb
#delay_parameters 3 1835008/1835008 1835008/1835008<---># 1,75 mb
#delay_parameters 3 1572864/1572864 1572864/1572864<---># 1,5 mb
#delay_parameters 3 1310720/1310720 1310720/1310720<---># 1,25 mb
#delay_parameters 3 1048576/1048576 1048576/1048576<---># 1 mb
#delay_parameters 3 943718.4/943718.4 943718.4/943718.4># 900 kb
#delay_parameters 3 838860.8/838860.8 838860.8/838860.8># 800 kb
#delay_parameters 3 734003.2/734003.2 734003.2/734003.2># 700 kb
#delay_parameters 3 629145.6/629145.6 629145.6/629145.6># 600 kb
delay_parameters 3 524288/524288 524288/524288<><------># 500 kb

delay_access 3 allow low
delay_access 3 allow navegacao

# Users with unrestricted bandwidth
# NOTE(review): fast, medium and low were already declared with the same files
# in the bandwidth-control section above. Declaring them again adds every
# address to the ACL a second time, which matches the reconfigure warnings
# quoted in the post ("'192.168.0.248' is a subnetwork of '192.168.0.248'",
# ACL named 'low'). Removing these three lines should silence them.
acl fast src "/etc/squid/fast"

# Bandwidth-limited users
acl medium src "/etc/squid/medium"
acl low src "/etc/squid/low"


################################################# CONTROLE DE INTERNET ##################

# External helper that checks AD group membership; %LOGIN passes the
# authenticated user name, so evaluating any grp-* ACL requires credentials.
external_acl_type grupo_ad %LOGIN /usr/lib/squid/wbinfo_group.pl

#acl grp- external grupo_ad.

# One ACL per AD group.
acl grp-admins external grupo_ad admins
acl grp-diretores external grupo_ad diretores
acl grp-gerentes external grupo_ad gerentes
acl grp-funcionarios external grupo_ad funcionarios
acl grp-estagiarios external grupo_ad estagiarios


# Destination-domain lists loaded from files (contents not shown here).
acl diretores dstdomain -i "/etc/squid/diretores"
acl gerentes dstdomain -i "/etc/squid/gerentes"
acl funcionarios dstdomain -i "/etc/squid/funcionarios"
acl liberados dstdomain -i "/etc/squid/liberados"

# Time-only ACL: 11:00-13:00, no day restriction and no user or source
# condition attached.
acl almoco time 11:00-13:00

# NOTE(review): these two allows come before the Safe_ports / CONNECT checks
# and before any rule that asks for credentials, so matching requests are
# served to unauthenticated clients. "microsoft" is a url_regex, which matches
# anywhere in the URL; a dstdomain list is a tighter fit for an update
# allow-list (file contents not shown - confirm).
acl microsoft url_regex "/etc/squid/ms-update"
acl domain_watson dstdomain watson.microsoft.com
http_access allow microsoft
http_access allow domain_watson

# Enabling the default ACLs
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost

# Enabling the custom ACLs
# NOTE(review): http_access is first-match. "almoco" is a time-only ACL, so
# between 11:00 and 13:00 this line allows every client to every destination
# before any rule that would ask for a login. Those requests are logged with
# the client IP only, and the block lists below are never reached. That is
# consistent with items 1 and 2 of the post.
# NOTE(review): the AuthorizedUsers ACL defined at the top of the file is not
# used by any rule here. Placing "http_access deny !AuthorizedUsers" ahead of
# the custom allows is the usual way to require authentication first; a
# lunch-time exception can then be written as an allow that still follows it.
http_access allow almoco
# The grp-* ACLs are the only rules in this section that involve the user
# name; the deny lines in between are destination-domain lists and apply to
# whichever request reaches them.
http_access allow grp-admins
http_access deny diretores
http_access allow grp-diretores
http_access deny gerentes
http_access allow grp-gerentes
http_access deny funcionarios
http_access allow grp-funcionarios
http_access deny grp-estagiarios !liberados
http_access allow liberados
http_access deny all






  


2. Re: Squid Autenticado no AD / Duvidas / Sugestoes.

Renan Casini
renancasini

(usa Outra)

Enviado em 06/07/2015 - 00:42h


Ninguém???


3. Re: Squid Autenticado no AD / Duvidas / Sugestoes.

Renan Casini
renancasini

(usa Outra)

Enviado em 20/07/2015 - 13:09h


Nada???





