Riroxi
(usa CentOS)
Enviado em 19/05/2008 - 09:26h
Bom dia Pessoal, tudo jóia?
bom, sou iniciante com linux (bem iniciante)
Estou montando um server com Dans + squid + bigbllacklist...
ta tudo ok... execo pq o Dansqguardian repassa os pacotes para o squid com o ip do loopback... ele não deveria filtrar e passar com o ip do cliente que o acessou?
Se ele passa pelo ip do loopback meu filtro do squid mesmo não funciona...
Se alguem puder me ajudaar... agradeço... tenho certa urgência...
se preferirem, podem entrar em contato através de meu e-mail: riroxi@gmail.com
Vou postar aki em baixo minhas confs:
Linhas de redirecionamento de pacotes para o Dans:
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>squid.conf
#SQUID.CONF FAEX
#Porta
http_port 3128
#Nome do servidor
visible_hostname faex.edu.br
#Memória utilizada para objetos em trânsito – Não mexer
cache_mem 64 MB
#Não altetar as linhas abaixo
maximum_object_size_in_memory 4096 KB
maximum_object_size 100 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
#Local onde sera armazenado o cache do squid
#O valor 2000 indica a quantidade em Mb que o cache do squid vai utilizar
#6 partições de cache com 2Gb cada uma.
cache_dir ufs /var/spool/squid/cache1 2000 16 256
cache_dir ufs /var/spool/squid/cache2 2000 16 256
cache_dir ufs /var/spool/squid/cache3 2000 16 256
cache_dir ufs /var/spool/squid/cache4 2000 16 256
cache_dir ufs /var/spool/squid/cache5 2000 16 256
cache_dir ufs /var/spool/squid/cache6 2000 16 256
#Local onde sera guardado os logs do squid
cache_access_log /var/log/squid/access.log
#Converte as mensagens geradas pelo squid par o Português
error_directory /usr/share/squid/errors/Portuguese
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#BLOQUEIO SQUID
acl hora_semana time MTWHF 17:00-23:59
#acl hora_sabado time MTWHF 08:00-17:00
acl ip_liberado src "/etc/squid/ip_liberado"
acl ip_restrito src "/etc/squid/ip_restrito"
acl download url_regex -i "/etc/squid/download"
acl bloqueado url_regex -i "/etc/squid/bloqueado"
http_access allow localhost
http_access allow acesso_total
http_access deny download
http_access deny bloqueado
http_access alow aceso_restrito !hora_semana
http_access deny all
deny_info
http://www.faex.edu.br/bloqueado.htm all
# Proxy Transparente
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>dansguardian.conf
# DansGuardian config file for version 2.6.1
# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
# 0 = just say 'Access Denied'
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored)
#
reportinglevel = 3
# HTML Template file path.
# Only used when reportinglevel is set to 3.
# When used, DansGuardian will display the HTML file instead of
# using the perl cgi script. This option is faster, cleaner
# and easier to customise the access denied page.
#
htmltemplate = '/etc/dansguardian/template.html'
# Logging Settings
#
# 0 = none 1 = just denied 2 = all text based 3 = all requests
loglevel = 2
# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter. on | off
logexceptionhits = on
# Log File Format
# 1 = DansGuardian format 2 = CSV-style format
# 3 = Squid Log File Format 4 = Tab delimited
logfileformat = 1
# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP. Yes only one.
filterip =
# the port that DansGuardian listens to
# It needs to be greater than 1024
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
#
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
# Content filtering files location
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'
# messages file for internationalisation.
languagefile = '/etc/dansguardian/messages'
# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
weightedphrasemode = 0
# Naughtyness limit
# This the limit over which the page will be blocked. Each weighted phrase is given
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values. See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children, 100 for old children, 160 for young adults.
naughtynesslimit = 160
# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on
# Positive result caching for text URLs
# Caches good pages so they don't need to be scanned again
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
urlcachenumber = 1000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended
urlcacheage = 900
# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off
# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant. Fast computers do not need this option. on | off
createlistcachefiles = on
# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kilobytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1
# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Megabytes - eg 2 = 2048Kb
# use 0 for no limit
maxcontentfiltersize = 2
# Username identification methods (used in logging)
# You can have as many methods as you want and not just one. The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
# transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
# protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
# * ident is for when the others don't work. It will contact the computer
# that the connection came from and try to connect to an identd server
# and query it for the user owner of the connection.
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
# Misc settings
# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
# header. This may help solve some problem sites that need to know the
# source ip. on | off
forwardedfor = off
# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off
# sets the maximum number of processes to sporn to handle the incomming
# connections. This will prevent DoS attacks killing the server with
# too many spawned processes.
# On large sites you might want to double or triple this number.
maxchildren = 120
# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored. These are logged by syslog. It is safe to leave
# it on or off
logconnectionhandlingerrors = on
ABRAÇOS!