Squid (squid.conf)

Autenticação LDAP e Delay Pools

Categoria: Segurança

Software: Squid

[ Hits: 11.485 ]

Por: Alan Cota


Arquivo de configuração do Squid com autenticação LDAP e Delay Pools para download de arquivos .exe e .zip.

Para trocar o servidor LDAP, basta trocar pelo IP do servidor e a porta de acesso clear text, do LDAP.


#Define a porta listner do Proxy
http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#Tamanho da memoria utilizada pelo Proxy
cache_mem 156 MB

#Caminho do Cache, tamanho, subpastas e subpastas das subpastas
cache_dir ufs /etc/squid/cache 1000 64 64

#Caminho do Log de cache
cache_log /var/log/squid/cache.log

#Configura time out para autenticacao
client_persistent_connections on
server_persistent_connections on

#Autenticacao de usuarios
auth_param basic program /usr/lib/squid/squid_ldap_auth -P -u cn -b o=NE <LDAP_SERVER:PORT>
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/auth/passwd
#auth_param basic children 30
#auth_param basic realm Digite seu Login para Acesso a Internet
#auth_param basic credentialsttl 2 hours


refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320

#Configuracao das ACLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object

#<------ACL da Rede Interna - Alan Cota
acl rede_interna src 192.168.2.0/24
acl rede_dmz src 192.168.1.2
acl antivirus src 192.168.2.30
acl ldap_auth proxy_auth REQUIRED
#----------------------------------->

#Configuracao de ACLS de sites bloqueados e permitidos
acl blockedsites url_regex -i "/etc/squid/acls/denied.txt"
acl allowedsites url_regex -i "/etc/squid/acls/allowed.txt"

acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 3128 88   # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl CONNECT method CONNECT

#Permissao das ACLs 
http_access deny !Safe_ports
http_access allow localhost

#<------Modificado por Alan Cota em 10/01/2004------->
http_access allow antivirus
http_access allow ldap_auth
http_access deny blockedsites !allowedsites
http_access allow rede_dmz
http_access allow rede_interna
#<--------------------------------------------------->

#Tudo que nao for liberado nas regras acima sera barrado por Default
#http_access deny all

http_reply_access allow all
icp_access allow all
visible_hostname caribe.novaeraes.com.br
coredump_dir /var/spool/squid

#Adicionado por Alan Cota - Configuracoes do Transparent Proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#Habilitacao para rotacao de logs
logfile_rotate 10

#Troca o manager do cache para Infra Estrutura
cache_mgr infraestrutura@novaeraes.com.br

#-------------------------------#
# Habilita a Limitacao de Banda #
#-------------------------------#

#ACL para nao limitar download na rede interna
acl sem_limite url_regex -i ftpav.ca.com

#ACL para limitar trafego de downloads pesados
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .bin .Z .pps .xls .pdf .doc

#Define delay 2 delay pools
delay_pools 2

#Configuracao do primeiro delay pool
delay_class 1 2
#Sem limites
delay_parameters 1 -1/-1 -1/-1

#magic words1: 192.168.2 sera setado depois
delay_access 1 allow sem_limite

#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the FAQ in this bandwidth if you want to avoid it.
acl day time M T W H F 09:00-20:00

#Configuracoes do segundo delay pool

#Limitando a banda dos downloads contidos na acl magic_words2
delay_class 1 1

#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
 
#delay_parameters 2 10000/150000 10000/120000
delay_parameters 1 100000/5000
#We have set day to 09:00-23:59 before.
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2 !sem_limite

#Tudo que nao for liberado nas regras acima sera barrado por Default
http_access deny all
  


Comentários
[1] Comentário enviado por rodrigopereira em 18/09/2009 - 09:45h

Amigo... seguinte...na parte que voce citou no seu squid...


#Configura time out para autenticacao
client_persistent_connections on <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
server_persistent_connections on <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

#Autenticacao de usuarios
auth_param basic program /usr/lib/squid/squid_ldap_auth -P -u cn -b o=NE <LDAP_SERVER:PORT>
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/auth/passwd
#auth_param basic children 30
#auth_param basic realm Digite seu Login para Acesso a Internet
#auth_param basic credentialsttl 2 hours <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


estas linhas destacadas são para determinar o tempo de reload da autenticação????

Obrigado


Contribuir com comentário

  



Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts