SQUID lets traffic through unfiltered [SOLVED]

1. SQUID lets traffic through unfiltered [SOLVED]

Laket
laket

(uses Ubuntu)

Posted on 23/10/2009 - 15:06h

Good morning,
I have the following situation:
I am using Dansguardian 2.9.9.4 + Squid 2.7 on Debian Lenny. Dansguardian is configured with 5 groups with IP-based authentication, and it should filter all HTTP traffic.
My problem is that when I leave a browser without a proxy configured, it can browse with no filtering at all. I believe I am lost in the Squid part. I would like Squid not to let anyone through unless they have first been filtered by Dansguardian. For some machines that will have fully unrestricted access, I believe I can let them through using IPTABLES.
Can anyone please help?

********** My squid.conf ***************************************************************************************************

# WELCOME TO SQUID 2.7.STABLE3

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localhost

http_access allow all

http_access deny all

icp_access allow localnet
icp_access deny all

follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow all

http_port 127.0.0.1:3128 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

cache_effective_group proxy

visible_hostname ALGO_MEU

hosts_file /etc/hosts

# forwarded_for on
forwarded_for delete

coredump_dir /var/spool/squid

*********** end of my squid.conf **************
#######################################################################
#######################################################################
#######################################################################

***************in case of doubt, my dansguardian.conf*********************************************************************************
# DansGuardian config file for version 2.9.9.4

#
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ptbrazilian'

loglevel = 2

logexceptionhits = 2
logfileformat = 1

loglocation = '/var/log/dansguardian/access.log'
statlocation = '/var/log/dansguardian/stats'

filterip =10.2.1.10
filterip =127.0.0.1

filterport = 8080

proxyip = 127.0.0.1

proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

nonstandarddelimiter = on

usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

filtergroups = 5
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'

showweightedfound = on

weightedphrasemode = 2

urlcachenumber = 5000
urlcacheage = 900

scancleancache = on

phrasefiltermode = 2

preservecase = 0

hexdecodecontent = off

forcequicksearch = off

reverseaddresslookups = off

reverseclientiplookups = on

logclienthostnames = off

createlistcachefiles = on

maxuploadsize = -1

maxcontentfiltersize = 2000

maxcontentramcachescansize = 2000

maxcontentfilecachescansize = 20000

filecachedir = '/tmp'

deletedownloadedtempfiles = on

initialtrickledelay = 20

trickledelay = 10

downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'

contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/commandlinescan.conf'

contentscannertimeout = 60

contentscanexceptions = off

authplugin = '/etc/dansguardian/authplugins/ip.conf'

recheckreplacedurls = off

forwardedfor = on

usexforwardedfor = on


logconnectionhandlingerrors = on

logchildprocesshandling = off

maxchildren = 120

minchildren = 8

minsparechildren = 4
preforkchildren = 6

maxsparechildren = 32

maxagechildren = 500

maxips = 0

ipcfilename = '/tmp/.dguardianipc'

urlipcfilename = '/tmp/.dguardianurlipc'

ipipcfilename = '/tmp/.dguardianipipc'

nodaemon = off

nologger = off

logadblocks = off

loguseragent = off

daemonuser = 'dansguardian'
daemongroup = 'dansguardian'

softrestart = off

mailer = '/usr/sbin/sendmail -t'

********end of dansguardian.conf************************
##########################################################


  


2. Re: SQUID lets traffic through unfiltered [SOLVED]

Rubens Brandão
construidor

(uses Arch Linux)

Posted on 23/10/2009 - 15:50h

Maybe, my friend, when the computer does not have the proxy configured, it accesses the internet directly. You can redirect the internet traffic to Squid through iptables with the following command:

$ iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

* eth1 is the interface to the internal network
* 3128 is the port used by Squid

That way, even if a computer does not have the proxy configured, it goes to Squid.


3. Re: SQUID lets traffic through unfiltered [SOLVED]

Laket
laket

(uses Ubuntu)

Posted on 23/10/2009 - 16:25h

Thanks, I'll test it right away ;)
I was thinking that something must be in iptables, since the script came from a colleague who is not reachable...


4. Re: SQUID lets traffic through unfiltered [SOLVED]

Laket
laket

(uses Ubuntu)

Posted on 23/10/2009 - 17:17h

Thanks, construidor!
Indeed, the redirect to the right port was missing.
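
The redirect discussed in this thread, as an added example that is not part of any post. It assumes the "right port" is DansGuardian's filterport (8080 in the dansguardian.conf posted above) rather than Squid's 3128, that eth1 is the LAN interface as in the reply, and it uses a hypothetical host 10.2.1.50 for the fully unrestricted machines. The script only prints the rules and refuses a redirect that targets Squid's own port.

```shell
#!/bin/sh
# Added example: emit the NAT rules that force LAN HTTP through DansGuardian.
# Nothing is applied here; review the output, then run it as root.

# conf_value KEY: read "key = value" from a dansguardian.conf on stdin.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# build_rules LAN_IF FILTER_PORT PROXY_PORT [EXEMPT_IP...]
build_rules() {
    [ $# -ge 3 ] || { echo "usage: build_rules IF FILTER_PORT PROXY_PORT [IP...]" >&2; return 1; }
    lan_if=$1; filter_port=$2; proxy_port=$3; shift 3
    case $filter_port in
        ''|*[!0-9]*) echo "invalid filter port: '$filter_port'" >&2; return 1 ;;
    esac
    # Redirecting to Squid's port would skip the content filter entirely.
    if [ "$filter_port" = "$proxy_port" ]; then
        echo "redirect target $filter_port is the proxy port, not the filter" >&2
        return 1
    fi
    # Exemptions go first: nat rules are matched in order.
    for ip in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Everyone else on the LAN lands on DansGuardian, which then talks to Squid.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $filter_port"
}

# Constructed sample: the two port settings from the dansguardian.conf above.
SAMPLE_CONF='filterport = 8080
proxyport = 3128'

FILTER_PORT=$(printf '%s\n' "$SAMPLE_CONF" | conf_value filterport)
PROXY_PORT=$(printf '%s\n' "$SAMPLE_CONF" | conf_value proxyport)

# Assumptions: eth1 is the LAN interface; 10.2.1.50 is a hypothetical exempt host.
build_rules eth1 "$FILTER_PORT" "$PROXY_PORT" 10.2.1.50
```

Because Squid in the posted squid.conf listens only on 127.0.0.1:3128, LAN clients cannot reach it directly, so the only path to the web on port 80 is through the filter.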






