Liberar um unico IP para um unico Site

douglaspauli
(usa Ubuntu)

Enviado em 26/12/2011 - 12:58h

Boa Tarde, Sou novo em linux e estou com uma enorme dificuldade em libarar o Youtube para exclusivamente um único IP. Possuo um Squid 2.5 e tenho instalado recentemente o Webmin 1.570 para me auxiliar nas regras, pois sou novo ainda com ACL e demais funcoes...
Meu proxy não é transparente. Tem como principal caracteristica trabalhar com todos os sites liberados, passando apenas por sitesbloqueados (cadastrado manuamente), bloqueio por palavras (cadastrado manualmente)... consigo liberar o ip dela para todos os site, porem nao quero isso, somente quero que esse usuário apenas possua o acesso ao youtube.
Tem muita coisa no squid.conf que nem sei para que serve...só sei que entrei e peguei assim as configurações... tem umas configurações de bloqueio de radio tab que não funciona...
Sei que necessito fazer um curso de linux urgente, mas agradeço se alguem conseguir me ajudar em relação a esse problema.

Obrigado a todos e boas festas.

abaixo o meu squid.conf:

http_port 10.6.76.2:3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB

cache_dir ufs /var/spool/squid 2048 16 256

hosts_file /etc/hosts

#Squid Ldap
#auth_param basic realm (Sao José): Autenticação de Usuário para Internet
#auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=sefloripa,dc=com,dc=br" -h 172.20.209.250
#auth_param basic children 3
#auth_param basic casesensitive off
#auth_param basic credentialsttl 15 minutes

# autenticacao ldap
auth_param basic children 2
auth_param basic realm **Informe seu usuario e senha para liberar o acesso a internet**
#auth_param basic realm SQUID - LDAP PROTECTED RESOURCES
auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
#auth_param basic program /usr/lib/squid/ldap_auth -b "dc=****,dc=local" -f "uid=%s" 10.6.76.13
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=uossj,dc=local" -D "cn=Administrador,cn=Users,dc=*****,dc=local" -w "*****" -f sAMAccountName=%s -h 10.6.76.13
#acl PWD_LDAP proxy_auth REQUIRED
#http_access allow PWD_LDAP

#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

# proxy transparente
#httpd_accel_port 80
#httpd_accel_host virtual
#httpd_accel_with_proxy on
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
# se o redirecionamento for para uma máquina diferente
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.16.10:3128
# se o redirecionamento for para a mesma máquina
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 81
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
#acl Safe_ports port 10030
#acl Safe_ports port 10031
#acl Safe_ports port 10032
#acl Safe_ports port 10033
#acl Safe_ports port 10034
#acl Safe_ports port 10035
#acl Safe_ports port 10036
#acl Safe_ports port 10037
#acl Safe_ports port 10038
#acl Safe_ports port 10039
#acl Safe_ports port 10040
#acl Safe_ports port 10041
#acl Safe_ports port 10042
#acl Safe_ports port 10043
#acl Safe_ports port 10044
#acl Safe_ports port 10045
#acl Safe_ports port 10046
#acl Safe_ports port 10047
#acl Safe_ports port 10048
#acl Safe_ports port 10049
#acl Safe_ports port 10051
#acl Safe_ports port 10050
#acl Safe_ports port 3900
#acl Safe_ports port 10054
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 10030
#acl Safe_ports port 52717
#acl Safe_ports port 52718
#acl Safe_ports port 52725
#acl Safe_ports port 52726
#acl Safe_ports port 52727
#acl Safe_ports port 52728
#acl Safe_ports port 52729
acl purge method PURGE
acl CONNECT method CONNECT

# skype
#acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
#acl connect method CONNECT
#http_access deny connect numeric_IPs all

#acl REDE_LOCAL src 10.6.76.0/22
#acl jakrieger proxy_auth REQUIRED

acl PWD_LDAP proxy_auth REQUIRED

acl IP_LIBERADO dst "/etc/squid/ipliberado"
acl SITES_LIBERADOS dstdomain "/etc/squid/sitesliberados"
acl SITES_BLOQUEADOS dstdomain "/etc/squid/sitesbloqueados"
acl PALAVRAS_BLOQUEADAS url_regex "/etc/squid/palavrasbloqueadas"
acl GINASTICA dst 10.5.0.0/24

# msn
acl MSN_DOMAIN dstdomain "/etc/squid/msndomain"
acl MSN_URL url_regex "/etc/squid/msnurl"
acl MSN url_regex -i /gateway/gateway.dll

# Libera acesso a site sem passar por proxy
acl site url_regex -i sesiesporte.com.br
http_access allow site

acl sesisj url_regex -i www.sesisj.com.br
http_access allow sesisj

acl site url_regex -i pesquisaonline.sesisc.org.br
http_access allow site

acl ndd url_regex -i ndd.fiescnet.com.br
http_access allow ndd

acl smd url_regex -i scni-sist-teste.cni.org.br
http_access allow smd

acl ftp url_regex -i ftp.sesisc.org.br
http_access allow ftp

acl site url_regex -i 189.50.84.20
http_access allow site

acl ipinterno dst 10.6.0.0/24
http_access allow ipinterno all

acl site url_regex -i av.fiescnet.com.br:2221
http_access allow site


## WINDOWS UPDATE ##
acl win_update1 url_regex windowsupdate.microsoft.com
acl win_update2 url_regex v4.windowsupdate.microsoft.com
acl win_update3 url_regex v5.windowsupdate.microsoft.com
acl microsoft1 url_regex microsoft.com
acl microsoft2 url_regex microsoft.com.br
http_access allow win_update1
http_access allow win_update2
http_access allow win_update3
http_access allow microsoft1
http_access allow microsoft2

#INSTALADOR NINITE.COM
acl ninite url_regex ninite.com
http_access allow ninite

# controle de acesso de IM (Instant Messenger)
#acl MESSENGERS dstdomain -i "/etc/squid/messengers.txt"

# horario
#acl ALMOCO time MTWHF 12:00-13:00
#acl SAIDA time MTWHF 17:30-24:00
#acl ENTRADA time MTWHF 00:00-08:00

# controle de download por extansao de arquivo (no arquivo, \.src)
#acl DOWNLOAD urlpath_regex \.(cmd|bat|pif|scr)([-?+=&/_]|$)
#acl EXTENSAO url_regex -i "/etc/squid/extensao"

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#Bloqueando Gtalk
acl url_gtalk url_regex -i "/etc/squid/url_gtalk.txt"
http_access deny url_gtalk all


# msn
http_access deny MSN_DOMAIN
http_access deny MSN_URL
http_access deny MSN

#http_access allow GINASTICA

#http_access deny grasiela.marcelino
#http_access allow !PALAVRAS_BLOQUEADAS !SITES_BLOQUEADOS REDE_LOCAL
http_access allow IP_LIBERADO
http_access allow !PALAVRAS_BLOQUEADAS !SITES_BLOQUEADOS PWD_LDAP

http_access allow localhost
#http_access allow PWD_LDAP
http_access deny all
# Bloqueando arquivos de streaming Radio Online:
acl streaming req_mime_type ^video/x-ms-asf
acl streaming req_mime_type -i application/x-mplayer2
acl streaming req_mime_type -i ^application/x-mplayer2$
acl mimeblockq req_mime_type -i application/x-mplayer2
acl mimeblockq req_mime_type -i ^application/x-mplayer2$
acl proibir_musica urlpath_regex -i "/etc/squid/proibir_musica.txt"

http_access deny proibir_musica
http_reply_access deny streaming

#Nova regra de bloqueio de musica e video
# streaming download
#acl fails rep_mime_type ^.*mms.*
#acl fails rep_mime_type ^.*ms-hdr.*
#acl fails rep_mime_type ^.*x-fcs.*
#acl fails rep_mime_type ^.*x-ms-asf.*
#acl fails2 urlpath_regex dvrplayer mediastream mms://
#acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$
#acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
#acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
#acl x-type req_mime_type -i ^application/octet-stream$
#acl x-type req_mime_type -i application/octet-stream
#acl x-type req_mime_type -i ^application/x-mplayer2$
#acl x-type req_mime_type -i application/x-mplayer2
#acl x-type req_mime_type -i ^application/x-oleobject$
#acl x-type req_mime_type -i application/x-oleobject
#acl x-type req_mime_type -i application/x-pncmd
#acl x-type req_mime_type -i ^video/x-ms-asf$
#acl x-type2 rep_mime_type -i ^application/octet-stream$
#acl x-type2 rep_mime_type -i application/octet-stream
#acl x-type2 rep_mime_type -i ^application/x-mplayer2$
#acl x-type2 rep_mime_type -i application/x-mplayer2
#acl x-type2 rep_mime_type -i ^application/x-oleobject$
#acl x-type2 rep_mime_type -i application/x-oleobject
#acl x-type2 rep_mime_type -i application/x-pncmd
#acl x-type2 rep_mime_type -i ^video/x-ms-asf$
#http_reply_access deny deny_rep_mime_flashvideo
#http_reply_access deny deny_rep_mime_shockwave

#streaming files
#http_access deny fails
#http_reply_access deny fails
#http_access deny fails2
#http_reply_access deny fails2
#http_reply_access deny fails2
#http_access deny x-type
#http_reply_access deny x-type
#http_access deny x-type2
#http_reply_access deny x-type2


#NOVO Bloqueio de audio 3

#acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
#acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
#acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
#acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
#acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
#acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
#acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
#acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

#http_access deny StreamingRequest1 all
#http_access deny StreamingRequest2 all
#http_access deny StreamingRequest3 all
#http_access deny StreamingRequest4 all

#http_reply_access deny StreamingReply1 all
#http_reply_access deny StreamingReply2 all
#http_reply_access deny StreamingReply3 all
#http_reply_access deny StreamingReply4 all

#NOVA ACL DE BLOQUEIO DE STREAMING
#acl negar_streaming url_regex -i "/etc/squid/negar_streaming.txt"


# Regra para bloqueio de radios online / arquivos de streaming:
#acl streaming req_mime_type ^video/x-ms-asf
#acl proibir_musica url_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.mp3$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.ra$ \.ram$ \.snd$ \.wma$ \.wmv$ \.wvx$ \.mid$ \.midi$ \.rmi$

#http_access deny proibir_musica
#http_reply_access deny streaming

http_reply_access allow all
icp_access allow all
cache_mgr rodrigo.gregorio@fln.sesisc.org.br
visible_hostname proxy_cache_SESI_UOS
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid

phrich
(usa Slackware)

Enviado em 26/12/2011 - 19:45h

Bom, primeiro vc precisa atualizar seu squid...

depois vc precisa dar uma limpada na sua conf. pq ela está meio poluída...

Seria interessante vc dar uma estudada linha por linha para que cada uma serve, pois ai poderiamos lhe ajudar melhor.

Mas seria algo assim:

criar uma acl do tipo src com o IP que vc quer e uma acl do tipo dstdomain com o(s) site(s) que vc quer liberar para o IP.

Depois vc vai as regras:

http_access deny acl_do_IP !acl_dos_sites

Assim ele bloqueia o IP e libera apenas ao site que vc quer.