Erro no bloqueio do Squid3

dreamphonyx
(usa Ubuntu)

Enviado em 08/08/2012 - 17:09h

Olá amigos!

Esse é meu primeiro post de duvidas que crio.

Não tenho muitos conhecimentos no Squid, e fiz uma pesquisa muito ampla para conseguir montar um proxy para um cliente que eu tenho.

O que acontece!? Fiz uma configuração do SQUID com autenticação e bloqueios. O meu problema é que tenho as linhas de bloqueio não permitem que o squid funcione. Quando comento as linhas, o navegador me permite acessar qualquer site com qualquer usuário.

Dei uma boa pesquisada, li vááários artigos relacionados... Fiz vários testes, porém, não consegui. Gostaria de saber se alguém pode me ajudar dando uma olhada na minha configuração do squid.conf?!

Desde já, agradeço!



#########################################
###### Porta, Nome e Cache ##############
#########################################
#
http_port 5005
visible_hostname Darkside
#
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
#
#########################################
###### Log ##############################
#########################################
#
cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/squid3/logs/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256
#
#########################################
##### ACLs ##############################
#########################################
#
#acl all src "0.0.0.0/0.0.0.0"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT
#
#########################################
### Direitos de Acesso ##################
#########################################
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#
#########################################
##### USANDO NCSA_AUTH ##################
#########################################
#
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
#
#########################################
##### AUTENTICACAO ######################
#########################################
#
acl autenticados proxy_auth REQUIRED
#
#########################################
##### BLOQUEAR PALAVRAS #################
#########################################
#
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloquear_palavras"
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_palavras
#
#########################################
##### BLOQUEIA O MESSENGER ##############
#########################################
#
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
http_access allow acesso_msn bloquear_msn
http_access deny bloquear_msn
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_msn
#
#########################################
##### BLOQUEIA ORKUT ####################
#########################################
#
acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access allow acesso_orkut bloquear_orkut
http_access deny bloquear_orkut
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_orkut
#
#
#########################################
##### BLOQUEIA ORKUT ####################
#########################################
#
acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access allow acesso_orkut bloquear_orkut
http_access deny bloquear_orkut
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_orkut
#
#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################
#
acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloquear_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access allow acesso_googletalk bloquear_googletalk
http_access deny bloquear_googletalk
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_googletalk
#
#########################################
##### CONTROLE DE BANDA #################
#########################################
#
#acl livre proxy_auth "/etc/squid3/acessos/acesso_banda
#acl block src 192.168.181.0/24 # Alterar conforme a rede
#delay_pools 2
#
# Classe 1 - Acesso a Internet a 512k
#
#delay_class 1 2
#delay_parameters 1 -1/-1 69000/69000
#
# Classe 2 Acesso a Internet a 180k
#
#delay_class 2 2
#delay_parameters 2 -1/-1 22500/22500
#delay_access 1 allow livre
#delay_access 2 allow block
#
######## ---- Quando comento essas linhas, consigo autenticar os usuarios ----- ########
http_access allow autenticados acesso_full
http_access allow acesso_full bloquear_palavras
http_access deny bloquear_palavras
###########################################################
acl redelocal src 192.168.181.0/24
http_access allow localhost
http_access allow redelocal
#
http_access deny all



Depois digito o comando squid3 -z e me retorna o segunte erro:

root@ubuntu:/etc/squid3# squid3 -z
2012/08/06 17:01:07| aclParseAclList: ACL name 'acesso_full' not found.
FATAL: Bungled squid.conf line 130: http_access allow autenticados acesso_full
Squid Cache (Version 3.1.19): Terminated abnormally.
CPU Usage: 0.032 seconds = 0.000 user + 0.032 sys
Maximum Resident Size: 15664 KB
Page faults with physical i/o: 0



Estou usando o ubuntu 12.04 e squid3
Mais uma vez, agradeço!

johnnyb
(usa Fedora)

Enviado em 08/08/2012 - 21:33h

Amigo ta errado aqui vc nao ta bloqueando vc ta permitindo tudo por isso que nao bloqueia

acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
http_access allow acesso_msn bloquear_msn
http_access deny bloquear_msn
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_msn


o certo seria assim

### Bloqueio
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"

### usuarios com msn desbloqueados
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn"

## aqui vc bloqueia e o simbolo ! que dizer exceção
http_access deny bloquear_msn !acesso_msn

### pagina de bloqueio personalixada
deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_msn

uma dica porque vc nao faz isso la na pagina de erro do squid assim vc nao prescisa fica colocando esse tanto de deny_info ?

tenta e ai posta o resultado pra nois

dreamphonyx
(usa Ubuntu)

Enviado em 09/08/2012 - 19:22h

Opa... Muito obrigado pela resposta!


Então, eu fiz o que vc sugeriu... Ficou assim:


#########################################
##### BLOQUEIA O MESSENGER ##############
#########################################
#
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
#http_access allow acesso_msn bloquear_msn
http_access deny bloquear_msn !acesso_msn
#deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_msn
#
#########################################
##### BLOQUEIA ORKUT ####################
#########################################
#
acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
#http_access allow acesso_orkut bloquear_orkut
http_access deny bloquear_orkut !acesso_orkut
#deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_orkut
#
#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################
#
acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloquear_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
#http_access allow acesso_googletalk bloquear_googletalk
http_access deny bloquear_googletalk !acesso_googletalk
#deny_info http://www.vivaolinux.com.br/~jpaulo_farias bloquear_googletalk

Comentei as linhas erradas e as de deny_info.


Agora o que acontece!?

Se eu mantenho as linhas abaixo comentadas o navegador não pede mais autenticação e só vai pedir para algum usuario autenticar quando algum site bloqueado for solicitado e não aparece mensagem de erro... fica pedindo pra logar "repetidamente", antes da modificação que você sugeriu, o navegador pedia autenticação, porém não bloqueava nada:

#http_access allow autenticados acesso_full
#http_access allow acesso_full bloquear_palavras
#http_access deny bloquear_palavras

Se eu descomentar essas linhas, o navegador me diz que está recusando pedido de acesso:

http_access allow autenticados acesso_full
http_access allow acesso_full bloquear_palavras
http_access deny bloquear_palavras



Outra duvida. Como chamo a pagina de erros do squid no squid.conf?!

Será que conseguiu entender o que eu quis dizer? rsrsrs

Mais uma vez, Obrigado.

fed suco
(usa Fedora)

Enviado em 10/08/2012 - 10:03h

o diretorio onde fica as paginas de errors: /usr/share/squid/errors/
parametro no squid: deny_info /usr/share/squid/errors/nomedapagina

saitam
(usa Slackware)

Enviado em 10/08/2012 - 10:34h

da uma olhada nesse how-to squid - proxy autenticado
http://mundodacomputacaointegral.blogspot.com.br/2011/12/configurando-servidor-proxy-autenticado.htm...

johnnyb
(usa Fedora)

Enviado em 10/08/2012 - 20:08h

amigo tente esse squid
e poste os erros aqui blz

e o conteudo do deny_info vc pode colocar no diretorio padrao do seu squid que deve ser esse
/usr/share/squid/errors/pt-br caso nao seja explore essas pastas :D


#########################################
# Porta,Nome e Cache #
#########################################
http_port 5005
visible_hostname Darkside
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#########################################
# Paginas de bloqueio #
#########################################
error_directory /usr/local/squid/share/errors/pt-br

#########################################
# Log #
#########################################

cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/squid3/logs/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256

#########################################
# Range de ip darede #
#########################################

acl redelocal src 192.168.181.0/24

#########################################
# ACLs #
#########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT

#########################################
# Direitos de Acesso #
#########################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

#########################################
# USANDO NCSA_AUTH #
#########################################

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
auth_param basic casesensitive off
acl autenticados proxy_auth REQUIRED

#########################################
# usuarios com tudo liberado #
#########################################
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
http_access allow accesso_full

#########################################
# Bloqueios #
#########################################

acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloquear_palavras"
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
http_access deny bloquear_msn !acesso_msn

#########################################
# BLOQUEIA ORKUT #
#########################################

acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access deny bloquear_orkut !acesso_orkut

#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################

acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloquear_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access deny bloquear_googletalk !acesso_googletalk


http_access deny bloquear_palavras
http_access allow autenticados
http_access allow localhost
http_access allow redelocal
http_access deny all

dreamphonyx
(usa Ubuntu)

Enviado em 11/08/2012 - 10:53h

Fala cara, beleza?

Brigadão pela resposta!

Aparentemente, tá funcionando esse squid.conf que vc me passou... a unica coisa que ainda não tá dando certo é que o usuario que não tem acesso, não ta recebendo a mensagem de acesso negado. Ao inves de aparecer a mensagem, fica voltando a tela de login e senha.

Isso esta relacionado com aquelas paginas de deny_info?

Mas mesmo assim, obrigado... tá praticamente rodando tudo!

=D

johnnyb
(usa Fedora)

Enviado em 12/08/2012 - 13:34h

Amigo verifica se esse diretorio existe

#########################################
# Paginas de bloqueio #
#########################################
error_directory /usr/local/squid/share/errors/pt-br

caso nao exista, procure o local das suas paginas de erro blz.

quando vc start o squid ele da algum alerta

dreamphonyx
(usa Ubuntu)

Enviado em 13/08/2012 - 18:45h

Olá!

Então, verifiquei o caminho da pagina de erros mas mesmo assim a tela de acesso negado não aparece, o que continua acontecendo é que quando o usuario que já se logou se depara com uma pagina que tá bloqueada, a tela de autenticação volta ao invés da tela de acesso negado!
Já procurei um monte de coisa na net, mas não consegui exito!

Mas mesmo assim, muito obrigado pela boa vontade de ajudar! Se não fossem vocês, meu proxy não estaria nem rodando... hehehe!

johnnyb
(usa Fedora)

Enviado em 13/08/2012 - 21:25h

Amigo o diretorio ta certo intao, e o mesmo ?

amigo tente adicionar a deny_info em um deles e veja se da certo

os nomes dos usuarios nos ficheiros vc coloco com ou sem senha ?

dreamphonyx
(usa Ubuntu)

Enviado em 13/08/2012 - 22:10h

Olá!

Então! O diretório de erros é esse:

error_directory /usr/share/squid3/errors/pt-br/

Os nomes de usuario eu criei com o comando:

Primeiro usuário:

htpasswd -c /etc/squid3/squid_passwd everton.oliveira

Demais usuarios:

htpasswd /etc/squid3/squid_passwd michell.martins
htpasswd /etc/squid3/squid_passwd daniel.reis

e assim por diante....

Em todos coloquei senha.


Agora o meu squid.conf tá assim ó:

#########################################
# Porta,Nome e Cache #
#########################################
http_port 3128
visible_hostname Darkside
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

########################################
# Paginas de bloqueio #
#########################################
#error_directory /usr/local/squid3/share/errors/pt-br
error_directory /usr/share/squid3/errors/pt-br/

#########################################
# Log #
#########################################

cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/squid3/logs/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256

#########################################
# Range de ip darede #
#########################################

acl redelocal src 172.16.0.0/24

#########################################
# ACLs #
#########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT

#########################################
# Direitos de Acesso #
#########################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

#########################################
# USANDO NCSA_AUTH #
#########################################

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
auth_param basic casesensitive off
acl autenticados proxy_auth REQUIRED

#########################################
# usuarios com tudo liberado #
#########################################
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
http_access allow accesso_full

#########################################
# Bloqueios #
#########################################

acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloquear_palavras"
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
http_access deny bloquear_msn !acesso_msn

#########################################
# BLOQUEIA ORKUT #
#########################################

acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access deny bloquear_orkut !acesso_orkut

#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################

acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloquear_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access deny bloquear_googletalk !acesso_googletalk

http_access deny bloquear_palavras
http_access allow autenticados
http_access allow localhost
http_access allow redelocal
http_access deny all


Percebi que quando eu executo o comando squid3 -z aparece o seguinte erro:

root@ubuntu:/etc/squid3# squid3 -z
WARNING: Cannot write log file: /var/squid3/logs/cache.log
/var/squid3/logs/cache.log: No such file or directory
messages will be sent to 'stderr'.
2012/08/13 22:09:11| Squid is already running! Process ID 3728

Será que isso tem relação com o que está acontecendo?

Mais uma vez, obrigado pela atenção.

johnnyb
(usa Fedora)

Enviado em 15/08/2012 - 13:40h

root@ubuntu:/etc/squid3# squid3 -z
WARNING: Cannot write log file: /var/squid3/logs/cache.log
/var/squid3/logs/cache.log: No such file or directory
messages will be sent to 'stderr'.
2012/08/13 22:09:11| Squid is already running! Process ID 3728

nao a mensagem acima ele ta falando que o diretorio nao existe, e depois ele ti mostra o numero do processo de execução do squid nao tem nada a ver com o erro nao

agora amigo tente fazer assim
mude as seguintes acls

assim

acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"

para

acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full.txt"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn.txt"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut.txt"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk.txt"


e dentro de cada diretorio txt vc colocara apenas o nome do usuario exemplo
johnnyb
xxxxxxx
e depois de permissao 777 com esse comando
chmod 777 /etc/squid3/acessos/acesso_full.txt

tenta ai e posta o resultado pra nois blz