BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES [RESOLVIDO]

1. BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES [RESOLVIDO]

Rogerio Pereira Rosa Morilha
rogercars

(usa Outra)

Enviado em 23/06/2017 - 01:17h

Galera to tentando ja tem alguns dias mas nao estou conseguindo...alguem pode me ajudar

meu cenario é o seguinte....tenho debian 8.8.0 instalado e atualizado....ja consegui bloquear facebook e liberar somente pra alguns tambem, agora o problema é bloquera tudo pelo squid e liberar somente alguns sites mais nao estou conseguindo....alguem pode dar uma dica


MINHA PLACAS DE REDE

uto lo
iface lo inet loopback

allow-hotplug eth0
allow-hotplug eth1

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

MEU DHCP

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.254;
option routers 192.168.0.1;
option domain-name-servers 192.168.25.1, 10.0.0.1;
option broadcast-address 192.168.0.255;
}

MEU SQUID

#######################################EXEMPLOS DE CRIAÇÃO DE USUARIO E SENHA###############
#
# auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
# auth_param basic children 20 startup=0 idle=1
# auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
# auth_param digest children 20 startup=0 idle=1
# auth_param ntlm program /usr/bin/ntlm_auth
# auth_param ntlm children 20 startup=0 idle=1
# auth_param ntlm keep_alive on
# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
# auth_param negotiate children 20 startup=0 idle=1
# auth_param negotiate keep_alive on
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 20 startup=0 idle=1
##auth_param negotiate keep_alive on
##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 20 startup=0 idle=1
##auth_param ntlm keep_alive on
##
##auth_param digest program <uncomment and complete this line>
##auth_param digest children 20 startup=0 idle=1
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5 startup=5 idle=1
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
# authenticate_cache_garbage_interval 1 hour
# authenticate_ttl 1 hour
# authenticate_ip_ttl 1 second
#
#########################################EXEMPLOS DE ACL'S#####################################
#
# acl aclname src ip-address/mask ... # clients IP address [fast]
# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# acl aclname srcdomain .foo.com ...
# # reverse lookup, from client IP [slow]
# acl aclname dstdomain [-n] .foo.com ...
# # Destination server from URL [fast]
# acl aclname srcdom_regex [-i] \.foo\.com ...
# # regex matching client name [slow]
# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
# # regex matching server [fast]
#
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname peername myPeer ...
# # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# # acl aclname url_regex [-i] ^http:// ...
# # regex matching on whole URL [fast]
# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
# # regex matching on URL login field
# acl aclname urlpath_regex [-i] \.gif$ ...
# # regex matching on URL path [fast]
#
# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# # ranges are alloed
# acl aclname localport 3128 ... # TCP port the client connected to [fast]
# # NP: for interception mode this is usually '80'
#
# acl aclname myportname 3128 ... # http(s)_port name [fast]
#
# acl aclname proto HTTP FTP ... # request protocol [fast]
#
# acl aclname method GET POST ... # HTTP request method [fast]
#
# acl aclname http_status 200 301 500- 400-403 ...
# # status code in reply [fast]
#
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below) [fast]
#
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header [fast]
# # Referer is highly unreliable, so use with care
#
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output [slow]
# # use REQUIRED to accept any non-null ident.
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# acl aclname snmp_community string ...
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# acl aclname max_user_ip [-s] number
# acl aclname random probability
# acl aclname req_mime_type [-i] mime-type ...
# acl aclname req_header header-name [-i] any\.regex\.here
# acl aclname rep_mime_type [-i] mime-type ...
# acl aclname rep_header header-name [-i] any\.regex\.here
# acl aclname external class_name [arguments...]
# acl aclname ca_cert attribute values...
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# acl aclname tag tagvalue ...
# al aclname hier_code codename ...
# acl aclname note name [value ...]
# acl aclname any-of acl1 acl2 ...
# acl aclname all-of acl1 acl2 ...
#
# acl macaddress arp 09:00:2b:23:45:67
# acl myexample dst_as 1241
# acl password proxy_auth REQUIRED
# acl fileupload req_mime_type -i ^multipart/form-data$
# acl javascript rep_mime_type -i ^application/x-javascript$
#
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
# acl_uses_indirect_client on
# delay_pool_uses_indirect_client on
# log_uses_indirect_client on
# tproxy_uses_indirect_client off

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

## Allow ICP queries from local networks only
##icp_access allow localnet
##icp_access deny all

## Allow HTCP queries from local networks only
##htcp_access allow localnet
##htcp_access deny all

## Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
#htcp_clr_access allow htcp_clr_peer
#htcp_clr_access deny all

# Squid normally listens to port 3128
http_port 3128

# host_verify_strict off
# client_dst_passthru on
# ssl_unclean_shutdown off
# automatic SSL/TLS version negotiation
# sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
# sslcrtd_children 32 startup=5 idle=1
# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1

# dead_peer_timeout 10 seconds
# forward_max_tries 10

# cache_mem 256 MB
# maximum_object_size_in_memory 512 KB
# memory_replacement_policy lru
# cache_replacement_policy lru

# maximum_object_size 4 MB

#cache_dir ufs /var/spool/squid3 100 16 256

# store_dir_select_algorithm least-load
# cache_swap_low 90
# cache_swap_high 95

# access_log daemon:/var/log/squid3/access.log squid
# logfile_daemon /usr/lib/squid3/log_file_daemon
# Store the journal inside its cache_dir
# logfile_rotate 0
# mime_table /usr/share/squid3/mime.conf
# log_mime_hdrs off
# pid_filename /var/run/squid3.pid
# Log full client IP address
# strip_query_terms on
# buffered_logs off
# netdb_filename stdio:/var/log/squid3/netdb.state
# cache_log /var/log/squid3/cache.log

coredump_dir /var/spool/squid3

# ftp_passive on
# ftp_epsv_all off
# ftp_epsv on
# ftp_eprt on
# ftp_sanitycheck on
# ftp_telnet_protocol on

# diskd_program /usr/lib/squid3/diskd
# unlinkd_program /usr/lib/squid3/unlinkd
# pinger_program /usr/lib/squid3/pinger
# pinger_enable on

# url_rewrite_children 20 startup=0 idle=1 concurrency=0
# url_rewrite_host_header on
# url_rewrite_bypass off

# store_id_children 20 startup=0 idle=1 concurrency=0
# store_id_bypass on
# max_stale 1 week
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# quick_abort_min 16 KB
# quick_abort_max 16 KB
# quick_abort_pct 95
# read_ahead_gap 16 KB
# negative_ttl 0 seconds
# positive_dns_ttl 6 hours
# negative_dns_ttl 1 minutes

# minimum_expiry_time 60 seconds
# store_avg_object_size 13 KB
# store_objects_per_bucket 20

# request_header_max_size 64 KB
# reply_header_max_size 64 KB

# client_request_buffer_max_size 512 KB
# chunked_request_body_max_size 64 KB

MEU FIREWALL

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


  


2. Tópico: BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES

Fernanda Montovani Albuquerk
fernanda_mon

(usa Debian)

Enviado em 23/06/2017 - 13:26h

Crie grupo, listas de acessos:

#grupo 1
acl grupo1 proxy_auth "/etc/squid3/users/listausuarios1" ### aqui vc coloca os usuarios
acl url_usuarios1 url_regex "/etc/squid3/sites/url_usuarios1" ### sites que vc quer liberar
http_access allow grupo1 url_usuarios1 ### aqui sera a politica usuarios que estão no grupo1 acessaram apenas sites da lista usuarios1

http_access deny all #### nega todo o resto.

assim por diante vc cria quantos grupos quiser e suas respectivas listas

:)


3. Re: BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES [RESOLVIDO]

Rogerio Pereira Rosa Morilha
rogercars

(usa Outra)

Enviado em 23/06/2017 - 19:14h

fernanda_mon escreveu:

Crie grupo, listas de acessos:

#grupo 1
acl grupo1 proxy_auth "/etc/squid3/users/listausuarios1" ### aqui vc coloca os usuarios
acl url_usuarios1 url_regex "/etc/squid3/sites/url_usuarios1" ### sites que vc quer liberar
http_access allow grupo1 url_usuarios1 ### aqui sera a politica usuarios que estão no grupo1 acessaram apenas sites da lista usuarios1

http_access deny all #### nega todo o resto.

assim por diante vc cria quantos grupos quiser e suas respectivas listas

:)


MAIS NO CASO TENHO QUE CRIAR GRUPOS PARA CASA ORGANIZAÇÃO DA EMPRESA?







4. Re: BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES [RESOLVIDO]

Rogerio Pereira Rosa Morilha
rogercars

(usa Outra)

Enviado em 23/06/2017 - 20:21h

Galera obrigado a todos consegui aqui....vou mostrar como eu fiz...

http_port 3128
visible_hostname Servidor Debian
cache_mem 8 MB
cache_dir ufs /var/cache/squid3 2048 16 256
cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/log/squid3/cache.log
cache_mgr [email protected]
cache_effective_user proxy
cache_effective_group proxy
acl redelocal src 192.168.0.0/24
acl ip_adm src '/etc/squid3/ips'
acl liberado url_regex -i '/etc/squid3/liberado'
http_access allow ip_adm
http_access allow liberado
http_access deny redelocal
http_access deny all

em LIBERADO eu coloquei os sites que quero liberar e em IPS coloquei os ips que quero liberar acesso total.....e o mais impressionante que ele bloqueou tambem os https mais nao mostrar a tela de erros do squid infelizmente rsrsrs só mostra acesso negado...ja para os sites em http ele mostra a tela de erro normalmente.....


5. BLOQUEAR TUDO PELO SQUID E LIBERAR SOMENTE ALGUNS SITES [RESOLVIDO]

Fernanda Montovani Albuquerk
fernanda_mon

(usa Debian)

Enviado em 26/06/2017 - 15:37h

Que bom que conseguiu...

:)






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts