Squid x Bradesco
1. Squid x Bradesco
juniorbiu
(usa Debian)
Enviado em 03/09/2015 - 10:14h
Caros, bom dia.Venho mais uma vez recorrer aos senhores para buscar mais uma luz no fim do túnel.
Hoje tenho um proxy implantado em mais de 40 localidades e ultimamente temos recebido reports de problemas com o acesso ao site do Bradesco. Para ser mais especifico no acesso a conta pelo site.
Vou dar uma visão do que tenho implantado, o que já fiz e o que tenho recebido de erro. Vou postar ao final as configurações do proxy.pac, squid e squidguard.
====
CentOS release 6.4 (Final)
Squid Cache: Version 3.1.10
SquidGuard: 1.3 Berkeley DB 4.7.25
====
O acesso ao site está dentro da normalidade, mas ao tentar acessar a conta o navegador recebe o erro de ERR_TIMED_OUT, seja pelo IE ou pelo Chrome.
Dentro da rede, temos implantado o proxy.pac, com instrução via WPAD de quem é o servidor proxy com a configuração indicada a seguir.
O que eu já tentei e não obtive sucesso:
1. Coloquei o site para não fazer cache no squid com a indicação no squid.conf
acl SITE dstdomain www.site.com.br
no_cache deny SITE
2. Já fiz a liberação no firewall da localdiade para que o site do Bradesco pudesse ser acessado sem o proxy com a indicação no proxy.pac
If the hostname matches, send direct.
if (dnsDomainIs(host, ".intranet.domain.com") ||
shExpMatch(host, "(*.abcdomain.com|abcdomain.com)"))
return "DIRECT";
ou
if (dnsDomainIs(host, ".abcdomain.com"))
return "DIRECT";
ou
if (shExpMatch(url, "http://abcdomain.com/folder/*"))
return "DIRECT";
Tudo o que fiz, o erro ao site permanece o mesmo, com a saída de log:
TCP_HIT/200 7093 GET http://www.bradesco.com.br/html/classic/home/images/banners/thumb-banner-credito-imobiliario.jpg - NONE/- image/jpeg
TCP_MISS/200 0 CONNECT www.ib2.bradesco.com.br:443 - DIRECT/200.155.82.116
TCP_MISS/200 0 CONNECT wwwss.bradesco.com.br:443 - DIRECT/200.155.82.2 –
Percebam que o erro do site é "0" e ai tudo se perde.
Quando eu acesso sem o proxy (rede guest) o funcionamento é normal.
Já pegaram esse erro? Poderiam me ajudar o que eu poderia fazer?
Agradeço desde já a ajuda de sempre.
********************************************************
---------------------------------------------------
PROXY.PAC
---------------------------------------------------
function FindProxyForURL(url, host)
{
/* verifica se o requisitante estah na faixa de enderecos privados */
if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0") ||
isInNet(myIpAddress(), "172.16.0.0", "255.240.0.0") ||
isInNet(myIpAddress(), "192.168.0.0", "255.255.0.0"))
{
/* verifica se o endereçde destino eh a propria maquia ou estah na faixa de enderecos privados */
if (isPlainHostName(host) ||
dnsDomainIs(host, "localhost") ||
isInNet(host, "127.0.0.1", "255.255.255.255") ||
isInNet(host, "10.0.0.0", "255.0.0.0") ||
isInNet(host, "172.16.0.0", "255.240.0.0") ||
isInNet(host, "192.168.0.0", "255.255.0.0"))
{
/* acesso direto via roteamento */
return "DIRECT";
}
/* verifica se o endereçde origem estah na faixa de enderecos da localidade */
else if (isInNet(myIpAddress(), "10.x.x.x.0", "255.255.254.0"))
{
/* acesso via Proxy OR */
return "PROXY 10.x.x.x:8080";
}
else
{
/* acesso direto via roteamento */
return "DIRECT";
}
}
else
{
/* acesso direto via roteamento */
return "DIRECT";
}
}
---------------------------------------------------
SQUID.CONF
---------------------------------------------------
[root@PRX ~]# cat /etc/squid/squid.conf
http_port 10.x.x.x:8080
hierarchy_stoplist cgi-bin ?
visible_hostname proxy
# Memoria cache
cache_mem 2048 MB
memory_pools off
#Tamanho maximo de arquivos alocados na RAM
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap GDSF
quick_abort_min -1 KB
# Maximo e Minimo armazenados em disco
maximum_object_size 512 MB
minimum_object_size 0 KB
# Porcentagem de atualizacao do cache - limpo ao atingir o maximo
cache_replacement_policy heap LFUDA
cache_swap_low 80
cache_swap_high 90
ipcache_size 1024
ipcache_low 80
ipcache_high 90
fqdncache_size 1024
# Download e Upload
## Upload - padrao desabilitado
#client_request_buffer_max_size 512 KB
## Download
reply_body_max_size 300 MB
# Sites Corporativos
acl local_websites dst_as 10.0.0.0/255.0.0.0
http_access allow local_websites
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# ---- Cache do Windows Update ----
refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
# Configuracoes de cache, dono, logs, errors
cache_effective_group squid
cache_dir aufs /var/cache/squid/cache/1 10000 10 128
cache_dir aufs /var/cache/squid/cache/2 10000 10 128
cache_dir aufs /var/cache/squid/cache/3 10000 10 128
cache_dir aufs /var/cache/squid/cache/4 5000 10 128
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
error_directory /usr/share/squid/errors/pt-br/
#cache_mgr proxy@xxx.com
#httpd_suppress_version_string on
#mail_from xx@xxx.com
# Atualizacoes do cache
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist html ?
refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.exe$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.php$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern -i \.(mp3|mp4|m4a|exe|avi|wmv|flv|rar|zip|)$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
################################################
## SQUIDGUARD ##
################################################
redirect_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
#Numero de processos do squidguard
redirect_children 20
#Mantem o Squid funcionando quando o Squidguard pare
redirector_bypass on
##############################################
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
###############################################
## ACL SQSTAT ##
###############################################
acl manager proto cache_object
acl webserver src 10.x.x.x/255.255.255.0
http_access allow manager webserver
http_access deny manager
##############################################
half_closed_clients off
server_persistent_connections off
client_persistent_connections off
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
------------------------------
SQUIDGUARD.CONF
------------------------------
[root@PRX ~]# cat /etc/squid/squidguard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard
logdir /var/log/squidguard
#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
############################
#### Configuracao TI ####
############################
src livres {
iplist /var/www/html/Dash/squid/files/liberados/ip/ip
}
# Hora Almoco
time almoco {
weekly smtwhfa 12:00-14:00
}
src lan {
ip 10.0.0.0/8
}
#############################
#### ACL Padrao Bloqueio ####
#############################
dest ads {
domainlist ads/domains
urllist ads/urls
}
dest adult {
domainlist adult/domains
urllist adult/urls
}
dest aggressive {
domainlist aggressive/domains
urllist aggressive/urls
}
dest drugs {
domainlist drugs/domains
urllist drugs/urls
}
dest gambling {
domainlist gambling/domains
urllist gambling/urls
}
dest proxy {
domainlist proxy/domains
urllist proxy/urls
}
dest violence {
domainlist violence/domains
urllist violence/urls
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
}
dest warez {
domainlist warez/domains
urllist warez/urls
}
dest black {
urllist /var/www/html/Dash/squid/files/bloqueados/palavras/pl_bloqueadas
}
## ACL BLOQUEIO ##
acl {
livres {
pass !ads !adult !aggressive !drugs !gambling !proxy !violence !hacking !warez all
}
}
acl {
lan within almoco {
pass !ads !adult !aggressive !drugs !gambling !proxy !violence !hacking !warez all
}
}
acl {
default {
pass !black !ads !adult !aggressive !drugs !gambling !proxy !violence !hacking !warez all
redirect http://localhost/block.html
}
}
******************************************
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
