Denuncie   Favoritos   Indicar  

squid... qual o problema e solução?

1. squid... qual o problema e solução?

Ailton Fernandes
red_slack
(usa Slackware)

Enviado em 17/06/2010 - 20:49h

Pessoal tenho uma rede com +/- 60 computadores e tenho um server Debian 5.0.4 com o Squid + ThunderCache3 rodando normal, squid com o cache estatico e o TC com o dinamico, a administração me incubiu de fazer o seguinte:

1- Acesso total de alguns computadores.
2- Bloqueio total de alguns computadores.
3- Bloqueio de alguns sites a determinados computadores.
4- Bloqueio de msn em alguns computadores.

Meu atual squid:
============================================================
################################################## ##################
### ###
### AILTON FERNANDES FARIAS ###
### ###
################################################## ##################

http_port 3128 transparent
visible_hostname PrefeituraMunicipal
error_directory /usr/share/squid/errors/Portuguese/

#================================================= ==================#
# SERVIDORES DNS E POLITICA
#================================================= ==================#
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes

#================================================= ==================#
# ACESSO DIRETO A DETERMINADOS SITES
#================================================= ==================#
acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
acl directd dstdomain .siteacessodireto.net
always_direct allow directd
cache deny directd

refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 8640
refresh_pattern -i exe$ 0 50% 999999
refresh_pattern -i zip$ 0 50% 999999

#================================================= ==================#
# LIBERAR / BLOQUEAR IPS / SITES
#================================================= ==================#
acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
http_access deny sitesbloqueados

acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"
http_access deny ipsbloqueados

#================================================= ==================#
# BLOQUEAR/LIBERAR MSN
#================================================= ==================#
#acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
#acl msn url_regex -i gateway.messenger.com
#acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"

#http_access allow ipsliberados
#http_access deny msn
#http_access deny ipsbloqueados

#================================================= ==================#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl proxy src 192.168.10.0/24
http_access allow proxy
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access deny all
http_reply_access allow all
#icp_access allow all

#================================================= ==================#
# NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
#================================================= ==================#
acl asx url_regex -i \.asx$
cache deny asx
acl asf url_regex -i \.asf$
cache deny asf

#================================================= ==================#
# BLOQUEIO DE ARQUIVOS SUSPEITOS
#================================================= ==================#
acl vbs url_regex -i .*\.VBS$
http_access deny vbs
acl scr url_regex -i .*\.SCR$
http_access deny scr
acl cmd url_regex -i .*\.CMD$
http_access deny cmd
acl pif url_regex -i .*\.PIF$
http_access deny pif

#================================================= ==================#
# USO DA MEMORIA E DISCO PELO SQUID
#================================================= ==================#
cache_mem 400 MB
cache_swap_low 80
cache_swap_high 95

#================================================= ==================#
# TAMANHO DOS ARQUIVOS EM CACHE
#================================================= ==================#
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB

#================================================= ==================#
# POLITICA DE SUBSTITUIÇO DO CACHE
#================================================= ==================#
cache_replacement_policy heap LFUDA
memory_replacement_policy lru

ipcache_size 4096
ipcache_low 90
ipcache_high 95

fqdncache_size 1024
max_filedescriptors 1024

cache_dir aufs /thunder 10000 16 256

cache_effective_user proxy
ftp_user anonymous@anonymous.com.br

#================================================= ==================#
# LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
#================================================= ==================#
access_log /var/log/squid/access.log

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts

coredump_dir /var/spool/squid

server_persistent_connections off
zph_mode tos
zph_local 0x30

#================================================= ==================#
# THUNDERCACHE 3.X - REGEX
#================================================= ==================#
acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
cache deny thunder_lst
cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
dead_peer_timeout 2 seconds
cache_peer_access 192.168.10.250 allow thunder_lst
cache_peer_access 192.168.10.250 deny all

#================================================= ==================#
# FIM
#================================================= ==================#

Dessa forma ai o bloqueio de site esta funcionando, mas bloqueia todos os computadores da rede. O Bloqueio por IP não esta funcionando. O que devo fazer para ter as quanto opções que me pediram?

0 0
  • Quote

    •   


    2. Re: squid... qual o problema e solução?

    Jefferson Diego
    Diede
    (usa Debian)

    Enviado em 17/06/2010 - 21:31h

    Ok, tente assim:

    http_port 3128 transparent
    visible_hostname PrefeituraMunicipal
    error_directory /usr/share/squid/errors/Portuguese/
    dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
    dns_retransmit_interval 5 seconds
    dns_timeout 2 minutes
    acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
    acl directd dstdomain .siteacessodireto.net
    always_direct allow directd
    cache deny directd
    refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 8640
    refresh_pattern -i exe$ 0 50% 999999
    refresh_pattern -i zip$ 0 50% 999999

    #================================================= ==================#
    # LIBERAR / BLOQUEAR IPS / SITES
    #================================================= ==================#
    acl sitesbloqueados dstdomain url_regex -i "/etc/squid/acls/bloqueados/sites"
    acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/ips"


    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl proxy src 192.168.10.0/24
    acl purge method PURGE
    acl CONNECT method CONNECT
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl Safe_ports port 1863 # MSN
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access allow localhost
    http_access allow proxy
    http_access allow !ipsbloqueados !sitesbloqueados
    http_reply_access allow all
    acl asx url_regex -i \.asx$
    cache deny asx
    acl asf url_regex -i \.asf$
    cache deny asf
    acl vbs url_regex -i .*\.VBS$
    http_access deny vbs
    acl scr url_regex -i .*\.SCR$
    http_access deny scr
    acl cmd url_regex -i .*\.CMD$
    http_access deny cmd
    acl pif url_regex -i .*\.PIF$
    http_access deny pif
    cache_mem 400 MB
    cache_swap_low 80
    cache_swap_high 95
    maximum_object_size 300 MB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 32 KB
    cache_replacement_policy heap LFUDA
    memory_replacement_policy lru
    ipcache_size 4096
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 1024
    max_filedescriptors 1024
    cache_dir aufs /thunder 10000 16 256
    cache_effective_user proxy
    ftp_user anonymous@anonymous.com.br
    access_log /var/log/squid/access.log
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    extension_methods REPORT MERGE MKACTIVITY CHECKOUT
    hosts_file /etc/hosts
    coredump_dir /var/spool/squid
    server_persistent_connections off
    zph_mode tos
    zph_local 0x30
    acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
    cache deny thunder_lst
    cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
    dead_peer_timeout 2 seconds
    cache_peer_access 192.168.10.250 allow thunder_lst
    cache_peer_access 192.168.10.250 deny all

    0 0
  • Quote

    • 3. Re: squid... qual o problema e solução?

    Ailton Fernandes
    red_slack
    (usa Slackware)

    Enviado em 18/06/2010 - 22:38h

    Obrigado pela dica, já tenho 03 das 04 situações resolvidas (1, 2 e 3) só me resta a 4ª a do msn, meu squid ficou assim:

    ####################################################################
    ### ###
    ### AILTON FERNANDES FARIAS ###
    ### ###
    ####################################################################

    http_port 3128 transparent
    visible_hostname PrefeituraMunicipal
    error_directory /usr/share/squid/errors/Portuguese/

    #===================================================================#
    # SERVIDORES DNS E POLITICA
    #===================================================================#
    dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
    dns_retransmit_interval 5 seconds
    dns_timeout 2 minutes

    #===================================================================#
    # ACESSO DIRETO A DETERMINADOS SITES
    #===================================================================#
    acl directd dstdomain url_regex -i "/etc/squid/nocache.lst"
    acl directd dstdomain .siteacessodireto.net
    always_direct allow directd
    cache deny directd

    refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.nub$ 2880 80% 21600 reload-into-ims
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 8640
    refresh_pattern -i exe$ 0 50% 999999
    refresh_pattern -i zip$ 0 50% 999999

    #===================================================================#
    # LIBERAR / BLOQUEAR / IPS / SITES
    #===================================================================#
    #-----SITES E IPS PARCIALMENTE BLOQUEADOS-----#
    acl sites_pro_1 url_regex -i "/etc/squid/acls/bloqueados/sites_proibidos1"
    acl ips_sites_proibidos src "/etc/squid/acls/bloqueados/ips_sites_proibidos"
    http_access deny ips_sites_proibidos sites_pro_1

    #-----IPS 100% LIBERADOS-----#
    acl ipsliberados src "/etc/squid/acls/liberados/ips"
    http_access allow ipsliberados

    #-----IP'S 100% BLOQUEADOS----#
    acl ipsbloqueados src "/etc/squid/acls/bloqueados/ips"
    http_access deny ipsbloqueados

    #===================================================================#
    # BLOQUEAR/LIBERAR MSN
    #===================================================================#
    #acl ipsbloqueados url_regex -i "/etc/squid/acls/bloqueados/msn"
    #acl msn url_regex -i gateway.messenger.com
    #acl ipsliberados url_regex -i "/etc/squid/acls/liberados/msn"

    #http_access allow ipsliberados
    #http_access deny msn
    #http_access deny ipsbloqueados

    #===================================================================#
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl proxy src 192.168.10.0/24
    http_access allow proxy
    acl purge method PURGE
    acl CONNECT method CONNECT
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl Safe_ports port 1863 # MSN
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    #icp_access allow all

    #===================================================================#
    # NEGA CACHE DE ARQUIVOS ASX E ASF - STREAMING
    #===================================================================#
    acl asx url_regex -i \.asx$
    cache deny asx
    acl asf url_regex -i \.asf$
    cache deny asf

    #===================================================================#
    # BLOQUEIO DE ARQUIVOS SUSPEITOS
    #===================================================================#
    acl vbs url_regex -i .*\.VBS$
    http_access deny vbs
    acl scr url_regex -i .*\.SCR$
    http_access deny scr
    acl cmd url_regex -i .*\.CMD$
    http_access deny cmd
    acl pif url_regex -i .*\.PIF$
    http_access deny pif

    #===================================================================#
    # USO DA MEMORIA E DISCO PELO SQUID
    #===================================================================#
    cache_mem 400 MB
    cache_swap_low 80
    cache_swap_high 95

    #===================================================================#
    # TAMANHO DOS ARQUIVOS EM CACHE
    #===================================================================#
    maximum_object_size 300 MB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 32 KB

    #===================================================================#
    # POLITICA DE SUBSTITUIÇO DO CACHE
    #===================================================================#
    cache_replacement_policy heap LFUDA
    memory_replacement_policy lru

    ipcache_size 4096
    ipcache_low 90
    ipcache_high 95

    fqdncache_size 1024
    max_filedescriptors 1024

    cache_dir aufs /thunder 10000 16 256

    cache_effective_user proxy
    ftp_user anonymous@anonymous.com.br

    #===================================================================#
    # LOG DOS ACESSOS PELO CACHE PARA USO COM SARG
    #===================================================================#
    access_log /var/log/squid/access.log

    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast

    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache

    extension_methods REPORT MERGE MKACTIVITY CHECKOUT
    hosts_file /etc/hosts

    coredump_dir /var/spool/squid

    server_persistent_connections off
    zph_mode tos
    zph_local 0x30

    #===================================================================#
    # THUNDERCACHE 3.X - REGEX
    #===================================================================#
    acl thunder_lst url_regex -i "/etc/thunder/thunder.lst"
    cache deny thunder_lst
    cache_peer 192.168.10.250 parent 8080 0 proxy-only no-digest
    dead_peer_timeout 2 seconds
    cache_peer_access 192.168.10.250 allow thunder_lst
    cache_peer_access 192.168.10.250 deny all

    #===================================================================#
    # FIM
    #===================================================================#

    Tem como me ajudar no item 4? Bloqueios de msn em alguns computadores. Preciso também de uma forma de amarrar o IP ao MAC, o que me sujerem???

    Desde já grato


    0 0
  • Quote





    • Patrocínio

    Site hospedado pelo provedor RedeHost.
    Linux banner

    Destaques

    Artigos

    Instalar certificado digital Safesign, fornecido pela Certisign e utilizado pela OAB-SP, em qualquer distribuição Linux usando distrobox

    Manutenção de sistemas Linux Debian e derivados com apt-get, apt, aptitude e dpkg

    Criatividade para TI parte 1

    Melhorando o tempo de boot do Fedora e outras distribuições

    Como instalar as extensões Dash To Dock e Hide Top Bar no Gnome 45/46

    Dicas

    Como Atualizar Fedora 39 para 40

    Instalar Google Chrome no Debian e derivados

    Consertando o erro do Sushi e Wayland no Opensuse Leap 15

    Instalar a última versão do PostgreSQL no Lunix mantendo atualizado

    Flathub na sua distribuição Linux e comandos básicos de gerenciamento

    Tópicos

    Agora temos uma assistente virtual no fórum!!! (247)

    iso de sistema 32 bit em atividade (12)

    Como adicionar módulo de saúde da bateria dos notebooks Acer ao kernel... (27)

    Lançado Ubuntu 24.04 Final (4)

    ASRock H310CM-HG4 vs Linux (15)

    Top 10 do mês

    Scripts

    [Python] Adicione a opção Redimensionar e rotacionar imagens ao Nautilus

    [Shell Script] Script para desinstalar pacotes desnecessários no OpenSuse

    [Shell Script] Script para criar certificados de forma automatizada no OpenVpn

    [Shell Script] Conversor de vídeo com opção de legenda

    [C/C++] BRT - Bulk Renaming Tool

    A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.

    Site hospedado por: