Mvalente
(usa CentOS)
Enviado em 04/10/2016 - 22:13h
Fala pessoal!!! Eu tenho o Squid integrado ao AD e quero bloquear Videos só para o Grupo de "internet Padrão" e os outros grupos podem acessar normalmente, já fiz de tudo mais não trava os videos e continuam passando!! Será que poderiam dar uma força?? To quebrando a cabeça... Meu squid.conf é esse abaixo: Agradeço quem puder dar uma força....
#############################################################################
#############################################################################
## ARQUIVO DE CONFIGURACAO DO SQUID - COM AUTENTICACAO NO ACTIVE DIRECTORY ##
#############################################################################
#############################################################################
##DEFINE A PORTA DE CONEXAO DO SQUID#########################################
http_port 3128
##DEFINE O TAMANHO MAXIMO DE UM OBJETO PARA SER ARMAZENADO EM CACHE##########
maximum_object_size 131070 KB
##DEFINE O TAMANHO MINIMO DE UM OBJETO PARA SER ARMAZENADO EM CACHE##########
minimum_object_size 0 KB
##DEFINE O TAMANHO MAXIMO DE UM OBJETO EM CACHE DE MEMORIA###################
maximum_object_size_in_memory 8 MB
##DEFINE A QUANTIDADE DE MEMORIA RAM A SER ALOCADA PARA CACHE################
cache_mem 256 MB
##ALTERA A PERFORMANCE EM CONEXOES PIPELINE (PARALELO)#######################
pipeline_prefetch on
##CACHE DE FQDN##############################################################
fqdncache_size 1024
##Inibe a informacao da versao do Squid quando um site for bloqueado#########
httpd_suppress_version_string on
##Add any of your own refresh_pattern entries above these####################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
##DEFINE A % DO USO DO CACHE#################################################
cache_swap_low 90
cache_swap_high 95
##LOGS#######################################################################
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
##DEFINE O LOCAL DO CACHE####################################################
cache_dir ufs /var/spool/squid 8192 16 256
##CONTROLE DO LOG############################################################
logfile_rotate 10
##ARQUIVO ONDE CONTEM OS HOSTNAME DAS ESTACOES OU SERVIDORES#################
hosts_file /etc/hosts
##LIBERAR O ACESSO AO SITE DA CAIXA - PROBLEMAS COM PROXY####################
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa
##NFE########################################################################
acl nfe dstdomain "/etc/squid/nfe"
http_access allow nfe
##LIBERAR O ACESSO SEM O PROXY###############################################
acl acessos_semproxy url_regex -i "/etc/squid/acls/acessos_semproxy"
acl acessos_semproxy2 dstdomain -i "/etc/squid/acls/acessos_semproxy2"
http_access allow acessos_semproxy
http_access allow acessos_semproxy2
##LIBERACAO SKYPE###########################################################
acl skype_domain dstdom_regex skype.com
http_access allow skype_domain
##HOSTS QUE NAO PRECISAM DE AUTENTICACAO#####################################
acl liberados_sem_autenticacao src "/etc/squid/acls/liberados_sem_autenticacao"
http_access allow liberados_sem_autenticacao
##MACS LIBERADOS#############################################################
acl mac_liberado arp "/etc/squid/acls/mac_liberado"
http_access allow mac_liberado
##ACL PADROES################################################################
# portas seguras
acl SSL_ports port 81
acl SSL_ports port 82
acl SSL_ports port 563
acl SSL_ports port 443
acl SSL_ports port 8180
acl SSL_ports port 8443
# Demais servicos
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http
acl Safe_ports port 20-21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8080 # http
acl Safe_ports port 8081 # http
acl Safe_ports port 8082 # http
acl Safe_ports port 8088 # http
acl Safe_ports port 8180 8443 # https
acl Safe_ports port 3456 # receita federal - irpf
acl Safe_ports port 3001 # diario oficial
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32
http_access allow localhost
##BLOQUEIA O ACESSO UNSAFE PORTS##############################################
http_access deny !Safe_ports
##Deny CONNECT to other than secure SSL port##################################
http_access deny CONNECT !SSL_ports
##SITES QUE NAO TERAO CACHE###################################################
acl NOCACHE url_regex "/etc/squid/acls/sites_acesso_sem_cache" \?
no_cache deny NOCACHE
##############################################################################
# AUTENTICACAO NO ACTIVE DIRECTORY #
##############################################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy server
##DEFINE O TIMEOUT DE LOGON NO PROXY##
auth_param basic credentialsttl 12 hours
##DESATIVA A VERIFICAÇÃO DE LETRAS MAIÚSCULAS E MINÚSCULAS##
auth_param basic casesensitive off
external_acl_type ad_group ttl=600 %LOGIN /usr/lib64/squid/wbinfo_group.pl
###########################################################################
# ACL's - GRUPOS DO AD #
###########################################################################
# Nome ACL TIPO Nome Grupo AD #
###########################################################################
acl internet_acesso_bloqueado external ad_group internet_acesso_bloqueado
acl internet_acesso_completo external ad_group internet_acesso_completo
acl internet_acesso_padrao external ad_group internet_acesso_padrao
acl internet_acesso_rede_sociais external ad_group internet_acesso_rede_sociais
acl internet_acesso_rede_teamviewer external ad_group internet_acesso_rede_teamviewer
acl internet_acesso_rede_whatsapp external ad_group internet_acesso_rede_whatsapp
##ACL's - Permitidos - Proibidos - Outras#####################################
acl downloads_proibidos urlpath_regex -i "/etc/squid/acls/downloads_proibidos"
acl sites_liberados url_regex -i "/etc/squid/acls/sites_liberados"
acl sites_proibidos url_regex -i "/etc/squid/acls/sites_proibidos"
acl sites_rede_sociais url_regex -i "/etc/squid/acls/sites_rede_sociais"
acl sites_teamviewer url_regex -i "/etc/squid/acls/sites_teamviewer"
acl sites_whatsapp url_regex -i "/etc/squid/acls/sites_whatsapp"
################## ACL for Radio / Video Stream ###########################
acl StreamingRequest req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply rep_mime_type -i ^audio/x-pn-realaudio$
acl streaming req_mime_type ^video/x-ms-asf
acl videomusic urlpath_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.mp3$ \.mp4$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.ra$ \.ram$ \.snd$ \.wma$ \.wmv$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.flv$
###########################################################################
# DEFINIÇÃO DAS REGRAS DE ACESSOS #
###########################################################################
##REGRA PARA GARANTIR A AUTENTICACAO##
acl autenticados proxy_auth REQUIRED
##PERMISSOES DE ACESSO AO GRUPO "internet_acesso_completo"##
##ACESSO FULL LIBERADO
http_access allow internet_acesso_completo
##BLOQUEAR USUARIOS##
http_access deny internet_acesso_bloqueado
##LIBERA ACESSO EM HORARIO DE ALMOCO##
#acl almoco time MTWHFAS 12:00-14:00
#http_access allow almoco
#LIBERA ACESSO AO SITES REDE SOCIAS##
http_access allow internet_acesso_rede_sociais sites_rede_sociais
#LIBERA ACESSO AO SITES TEAMVIEWER##
http_access allow internet_acesso_rede_teamviewer sites_teamviewer
#LIBERA ACESSO AO SITES WHATSAPP##
http_access allow internet_acesso_rede_whatsapp sites_whatsapp
##FAZ A NEGACAO DOS SITES PROIBIDOS##
##DEPOIS LIBERA SITES AO GRUPO "internet_acesso_padrao"##
##DEPOIS BLOQUEIA O STREAMING DE VIDEO##
http_access deny sites_proibidos
http_access allow internet_acesso_padrao
#http_reply_access deny streaming
http_access deny videomusic internet_acesso_padrao
http_reply_access deny streaming internet_acesso_padrao
http_access deny StreamingRequest internet_acesso_padrao
http_reply_access deny StreamingRequest internet_acesso_padrao
http_access deny StreamingReply internet_acesso_padrao
http_reply_access deny StreamingReply internet_acesso_padrao
##PERMISSOES DE ACESSO AO SITES LIBERADOS ###
http_access allow autenticados sites_liberados
##DEFININDO A ORDEM DAS ACL's##
#http_access deny downloads_proibidos
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all
##DIRETORIO DAS PAGINAS DE ERROS##############################################
error_directory /usr/share/squid/errors/pt-br
##OUTRAS OPCOES DE CACHE######################################################
#cache_effective_group squid
cache_effective_user squid
coredump_dir /var/spool/squid
