Squid.conf

joaoafricano
(usa Outra)

Enviado em 25/11/2015 - 17:16h

Segui um tutorial do squid aqui do Viva o Linux e funcionou perfeito por muito tempo, cheguei a esquecer que tinha configurado um squid na mão.
Porem de uns tempos para cá, um dos grupos do AD que deveria ter acesso total a todas as paginas parou de ser filtrado, como já mexi em quase tudo e não consegui resolver o problema, peço a ajuda dos amigos aqui do fórum para resolver.

Coloco abaixo o meu arquivo do squid.conf

=================================================================================================
http_port 3128
cache_mem 1000 MB
cache_swap_low 50
cache_swap_high 55
cache_effective_user proxy

memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

maximum_object_size 200000 KB
maximum_object_size_in_memory 40000 KB
minimum_object_size 1 KB maximum_object_size 5000 MB

cache_dir aufs /var/cache/squid3 1000 64 16
cache allow all

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid
mime_table /usr/share/squid3/mime.conf
cache_store_log none

cache_mgr joao@alwaystec.com.br

diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.254.0/24

#=========================================================================================
acl webserver src 192.168.254.250/32
#=========================================================================================

acl SSL_ports port 443 448 563 30000
acl ssl_ports port 8443 # Transit do Brasil
acl safe_ports port 8080 # TYSSEN
acl Safe_ports port 88 89 90 91 92 # http intranet bervel
acl Safe_ports port 80 # http
acl safe_ports port 3127 # http cidadao
acl safe_ports port 81
acl safe_ports port 82
acl safe_ports port 83
acl safe_ports port 84
acl safe_ports port 85
acl safe_ports port 202
acl safe_ports port 100
acl safe_ports port 146
acl safe_ports port 443 448 563 1863
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-29999 # unregistered ports
acl Safe_ports port 30001-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager webserver
http_access allow manager localhost
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Autenticação no Windows 2008
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 80
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 10 second
acl AuthorizedUsers proxy_auth REQUIRED

external_acl_type ADGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl

acl TOTAL external ADGroup AcessoTotal
acl RESTRITO external ADGroup AcessoRestrito
acl PADRAO external ADGroup AcessoPadrao

#acl NOSQUID url_regex -i "/etc/squid3/acls/sites-semcache.txt"
#always_direct allow NOSQUID

acl dominios_liberados dstdomain -i "/etc/squid3/acls/sites_liberados.txt"
acl dominios_bloqueados dstdomain -i "/etc/squid3/acls/sites_bloqueados.txt"
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras_bloqueadas.txt"
acl urls_bloqueadas url_regex -i "/etc/squid3/acls/urls_bloqueadas.txt"
acl urls_liberadas url_regex -i "/etc/squid3/acls/urls_liberadas.txt"


http_access allow dominios_liberados
http_access allow urls_liberadas
http_access allow TOTAL
http_access allow PADRAO !dominios_bloqueados !palavras_bloqueadas !urls_bloqueadas
http_access deny RESTRITO
#http_access allow localnet
http_access deny all

cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname proxysrv

dns_nameservers 192.168.254.5

#emulate_httpd_log off
logfile_rotate 1
error_directory /usr/share/squid3/errors/pt-br
=================================================================================================

O problema é com a ACL "acl TOTAL external ADGroup AcessoTotal"

que não é liberada na linha "http_access allow TOTAL", já coloquei ela como sendo a primeira ACL para ver se era alguma ordem, mas nada resolve, o resto esta funcionando perfeitamente.