Acesso negado a bancos e https

1. Acesso negado a bancos e https

jocemir
(usa Red Hat)

Enviado em 03/12/2013 - 13:41h

oi pessoal,

sou novo aqui quem puder me ajudar a resolver esse problema ficarei agradecido.]
Tenho um proxy squid configurado e funcionando, quando tento acessar os sites, google, bancos tudo que utiliza https, da acesso negado. já fiz de tudo para tentar resolver esse erro, segue abaixo a configuração do meu squid, iptables, e access.log.

SQUID.

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#cache dir ufs /var/spool/squid 100 16 256
#cache_men 164 MB
cache_access_log /var/log/squid/access.log
auth_param basic children 5
auth_param basic realm squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ssl_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 53 # tcp
acl Safe_ports port 2631 # conectividade
acl Safe_ports port 21 # ftp
acl Safe_ports port 389 # lDP
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 110 # pop
acl Safe_ports port 587 # smtp
acl Safe_ports port 5900 # vnc
acl CONNECT method CONNECT
acl purge method PURGE
#
#
#################
#Redes SJT ######
#################
acl rede_sjt src 192.168.100.0/24
#
#
##########################
# Usuários da Rede SJT #####
##########################
acl jgomes src 192.168.100.26
acl tjorge src 192.168.100.45
acl teste1 src 192.168.100.37
#########################
# Rede Visitante DHCP ###
#########################
acl visitante0 src 192.168.100.233
acl visitante1 src 192.168.100.234
acl visitante2 src 192.168.100.235
acl visitante3 src 192.168.100.236
acl visitante4 src 192.168.100.237
##############################
# Servidores #################
##############################
acl sjtarq src 192.168.100.201
acl sjtsql src 192.168.100.200
acl win2008bkp src 192.168.100.204
#######################################
# Regras de negação e liberaçãç ######
#######################################
acl [*****] url_regex "/etc/squid/[*****]"
acl noporn url_regex "/etc/squid/noporn"
#acl talk url_regex "/etc/squid/talk"
#acl notalk url_regex "/etc/squid/notalk"
#
####################################
# Regras para bloquear downloads ###
####################################
## ACL que bloqueia Downloads com as seguintes extensões
acl downloads urlpath_regex ^ftp \.exe$ \.scr$ \vba$ \.pif$ \.avi$ \.mp3$ \.mlv$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.snd$ \.wma$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.img$ \.rar$ \.bin$ \.wav$ \.iso$
acl exe url_regex -i.*.exe$
acl scr url_regex -i.*.scr$
acl vbs url_regex -i.*.vbl$
acl pif url_regex -i.*.pif$
acl avi url_regex -i.*.avi$
acl mp3 url_regex -i.*.mp3$
acl mlv url_regex -i.*.mlv$
acl mp2 url_regex -i.*.mp2$
acl mp2v url_regex -i.*.mp2v$
acl mpa url_regex -i.*.mpa$
acl mov url_regex -i.*.mov$
acl mpe url_regex -i.*.mpe$
acl mpeg url_regex -i.*.mpeg$
acl mpg url_regex -i.*.mpg$
acl ogg url_regex -i.*.ogg$
acl pls url_regex -i.*.pls$
acl ram url_regex -i.*.ram$
acl ra url_regex -i.*.ra$
acl ram url_regex -i.*.ram$
acl snd url_regex -i.*.snd$
acl wma url_regex -i.*.wma$
acl wmv url_regex -i.*.wmv$
acl wvx url_regex -i.*.wvx$
acl mid url_regex -i.*.mid$
acl midi url_regex -i.*.midi$
acl rml url_regex -i.*.rmll$
acl img url_regex -i.*.img$
acl rar url_regex -i.*.rar$
acl zip url_regex -i.*.zip$
acl bin url_regex -i.*.bin$
acl wav url_regex -i.*.wav$
acl iso url_regex -i.*.iso$
acl nodownloads urlpath_regex \webmail.exe \.windowsupdate\.microsoft.com
########################
# Regras de acesso######
########################
#
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
#
########################################
# Inicio das Regras de acesso Empresa###
########################################
#
http_access allow localhost
http_access allow noporn
http_access deny [*****]
#http_access deny talk
http_access allow rede_sjt
httpd_accel_port 21
#
#############################
# Usuários fora do bloqueio##
#############################
http_access allow sjtarq
#ttp_access allow jgomes-ti
#ttp_access allow tjorge-ti
#
###########################################
# Libera o notalk para todos os Usuários ##
###########################################
#http_access allow notalk
#
############################
# Libera o Windows update ##
############################
#
http_access allow nodownloads
http_access allow SJTARQ
http_access allow SJTSQL
http_access allow WIN2008BKP
#
###################################
# Inicio do bloqueio de Downloads##
###################################
#
http_access deny downloads
http_access deny exe
http_access deny scr
http_access deny vbs
http_access deny pif
http_access deny avi
http_access deny mp3
http_access deny mlv
http_access deny mp2
http_access deny mp2v
http_access deny mpa
http_access deny mov
http_access deny mpe
http_access deny mpeg
http_access deny mpg
http_access deny ogg
http_access deny pls
http_access deny ram
http_access deny ra
http_access deny ram
http_access deny snd
http_access deny wma
http_access deny wmv
http_access deny wvx
http_access deny mid
http_access deny midi
http_access deny img
http_access deny rar
http_access deny zip
http_access deny bin
http_access deny wav
http_access deny iso
#
######################################################################
# Inicio do cadastro de usuários com acesso a internet sem Downloads##
######################################################################
#
http_access allow jgomes
http_access allow teste1
#http_access allow tjorge-ti
###Visitantes#######
http_access allow visitante0
http_access allow visitante1
http_access allow visitante2
http_access allow visitante3
http_access allow visitante4
#
#
#############################
http_access allow CONNECT
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname FW-SJT
httpd_accel_host virtual
httpd_accel_host port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#ie refresh on
# linguagem dos erros
error_directory /usr/share/squid/errors/Portuguese
logfile_rotate 10
coredump_dir /var/spool/squid

IPTABLES

#!/bin/bash
#
Rede Local="192.168.100.0/24"
MSN1="207.46.104.20"
MSN2="207.46.107.141"
MSN3="207.46.110.100"
MSN4="207.68.177.126"
ICQ1="64.12.164.248"
ICQ2="64.12.202.217"
ICQ3="205.188.251.88"
ICQ4="205.188.241.121"
#
#
###################
## NAT ############
###################
#
#
# Limpa as regras da tabela filter
iptables -F
#
# Limpa as regras da tabela nat
iptables -t nat -F
#
# Exclui as chains da tabela nat
iptables -t nat -X
#
# Aplica politicas padrões para as chains
#
iptables -p OUTPUT ACCEPT
iptables -p INPUT DROP
iptables -p FORWARD DROP
#
# Mantem as conexões já estabelecidas
iptables -A INPUT -i lo ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Libera acesso da rede local a internet
iptables -A INPUT -i eth0 -s $Rede Local -j ACCEPT
iptables -t nat -A POSTROUTING -S $Rede Local -o -j MASQUERADE
#
#
# Obriga a Rede Local a passar pelo squid - bloqueando sites [*****]
#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
#
##TESTANDO
iptables -A FORWARD -p tcp -m multiport --dport 80,443 -j ACCEPT
# Bradesco
iptables -t nat -I PREROUTING -i $INTRA -d 200.155.0.0/16 -j ACCEPT

# Banco do Brasil
iptables -t nat -I PREROUTING -i $INTRA -d 170.66.0.0/16 -j ACCEPT

# Itau
iptables -t nat -I PREROUTING -i $INTRA -d 200.196.152.0/24 -j ACCEPT

# Caixa
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.160.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.166.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.173.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTRA -d 200.201.174.0/24 -j ACCEPT
#
####################
### FORWARD ########
####################
#
#
# Bloqueando Ping da Morte
#=========================
/usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit--limit l/s -j ACCEPT
#
#
#
#Proteção contra pacotes danificados, suspeitos ou mal formados
#===============================================================
/usr/sbin/iptables -A FORWARD -m unclean -j DROP
#
#
#
# Bloqueando MSN
#===============
/usr/sbin/iptables -A FORWARD -o Rede local -d $MSN1 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $MSN2 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $MSN3 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $MSN4 -J DROP
#
# Bloqueando ICQ
================
#
/usr/sbin/iptables -A FORWARD -o Rede local -d $ICQ1 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $ICQ2 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $ICQ3 -J DROP
/usr/sbin/iptables -A FORWARD -o Rede local -d $ICQ4 -J DROP
#
#
# Libera algumas portas http/https/pop3/smtp/ ssl
iptables -A FORWARD -s $Rede Local -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $Rede Local -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s $Rede Local -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s $Rede Local -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -s $Rede Local -p tcp --dport 587 -j ACCEPT
#
#
# ip firewall mangle
add chain=prerouting src-address=200.201.174.0/24 protocol=tcp dst-port=80 action=mark-packet new-packet-mark=semproxy passthrough=yes comment="." disabled=no
# ip firewall nat
add chain=dstnat in-interface="REDE LOCAL" protocol=tcp dst-port=80 packet-mark=!semproxy action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat dst-address=200.201.174.0/24 action=accept comment="Conectividade Social Caixa Economia Federal" disabled=no
add chain=dstnat dst-address=200.201.173.0/24 action=accept comment="Conectividade Social Caixa Economia Federal 2" disabled=no
add chain=dstnat protocol=tcp dst-port=80 dst-address-list=noproxy action=accept comment="conectividade sem proxy" disabled=no
add chain=dstnat protocol=tcp src-port=80 action=dst-nat to-addresses=200.201.174.0-200.201.174.255 to-ports=3128 comment="" disabled=no
add chain=dstnat dst-address=200.201.173.0/24 action=return comment="" disabled=no
add chain=dstnat dst-address=200.201.174.0/24 action=return comment="" disabled=no
add chain=dstnat dst-address=200.201.166.0/24 action=return comment="" disabled=no
add chain=dstnat protocol=tcp src-port=80 action=dst-nat to-addresses=200.201.173.0-200.201.173.255 to-ports=3128 comment="" disabled=no
add chain=dstnat protocol=tcp src-port=80 action=dst-nat to-addresses=200.201.166.0-200.201.166.255 to-ports=3128 comment="" disabled=no
add chain=dstnat dst-address=200.201.160.0/24 action=return comment="" disabled=no
add chain=dstnat protocol=tcp src-port=80 action=dst-nat to-addresses=200.201.160.0-200.201.160.255 to-ports=3128 comment="" disabled=no
#
# ip web-proxy cache
add url="cmt.caixa.gov.br/" action=deny comment="" disabled=no
add url="cmt.caixa.gov.br/cse" action=deny comment="" disabled=no
add dst-address=200.201.174.207/32 dst-port=2631 action=deny comment="conectividade sem cache" disabled=no
add dst-address=200.201.174.204/32 dst-port=2631 action=deny comment="" disabled=no
#
# ip web-proxy direct
add dst-address=200.201.166.0/24 dst-port=80 action=allow comment="" disabled=no
add dst-address=200.201.173.0/24 dst-port=80 action=allow comment="" disabled=no
add dst-address=200.201.174.0/24 dst-port=80 action=allow comment="" disabled=no
add dst-port=80 url="cmt.caixa.gov.br" action=allow comment="" disabled=no
add url="cmt.caixa.gov.br/cse" action=allow comment="" disabled=no
add dst-port=80 url="caixa.gov.br/fgts/index.asp" action=deny comment="" disabled=no
#
# ip web-proxy access
add src-address=192.168.100.0/24 url="cmt.caixa.gov.br" action=allow comment="" disabled=no
add src-address=192.168.100.0/24 url="cmt.caixa.gov.br/cse" action=allow comment="" disabled=no

echo 1 > /proc/sys/net/ipv4/ip_forward

####
ACCESS.LOG
####
1386084318.776 227 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/ - NONE/- text/html
1386084318.837 61 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/selo_Final.gif - NONE/- text/html
1386084318.941 12 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084318.986 13 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084319.046 13 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084319.098 14 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084319.428 302 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/ - NONE/- text/html
1386084319.484 55 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/selo_Final.gif - NONE/- text/html
1386084319.619 14 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084319.709 12 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084319.985 146 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.032 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.110 78 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/ - NONE/- text/html
1386084320.164 53 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/selo_Final.gif - NONE/- text/html
1386084320.269 12 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.312 13 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.360 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.404 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084320.858 59 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/ - NONE/- text/html
1386084320.911 52 192.168.100.37 TCP_DENIED/403 2157 GET http://www.playboy.com.br/selo_Final.gif - NONE/- text/html
1386084321.017 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084321.058 41 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084321.107 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084321.391 279 192.168.100.37 TCP_DENIED/403 2157 CONNECT urs.microsoft.com:443 - NONE/- text/html
1386084402.156 308 192.168.100.37 TCP_MISS/302 578 GET http://www.google.com.br/ - DIRECT/173.194.42.223 text/html
1386084402.752 17 192.168.100.37 TCP_DENIED/403 2157 CONNECT www.google.com.br:443 - NONE/- text/html
1386084404.800 31 192.168.100.37 TCP_DENIED/403 2157 GET http://www.orkut.com.br/ - NONE/- text/html
1386084405.122 164 192.168.100.37 TCP_DENIED/403 2157 GET http://www.orkut.com.br/selo_Final.gif - NONE/- text/html

0 0

Quote

2. Re: Acesso negado a bancos e https

Buckminster
(usa Debian)

Enviado em 03/12/2013 - 16:44h

Acrescente as duas regras abaixo no local indicado e reinicie o Squid e teste:

acl purge method PURGE
http_access deny !Safe_ports << acrescente esta regra.
http_access deny CONNECT !SSL_ports << acrescente esta regra.

E mude esta regra

http_access allow manager localhost

para

http_access allow localhost manager

Execute squid -v ou squid --version e posta aqui qual a versão do teu Squid.

0 0

Quote

3. resposta

jocemir
(usa Red Hat)

Enviado em 04/12/2013 - 08:08h

Bom dia,

Meu amigo fiz o que vc pediu para fazer. Mais ainda continua bloqueando o acesso ...
segui abaixo o squid alterado conforme solicitado. Mesmo colocando no noporn para não bloquear ele esta bloqueando.
é muito obrigado pela sua ajuda!!!!

Squid

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#cache dir ufs /var/spool/squid 100 16 256
#cache_men 164 MB
cache_access_log /var/log/squid/access.log
auth_param basic children 5
auth_param basic realm squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ssl_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 53 # tcp
acl Safe_ports port 2631 # conectividade
acl Safe_ports port 21 # ftp
acl Safe_ports port 389 # lDP
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 110 # pop
acl Safe_ports port 587 # smtp
acl Safe_ports port 5900 #vnc
acl CONNECT method CONNECT
acl purge method PURGE
http_access deny !Safe_ports << acrescente esta regra
http_access deny CONNECT !SSL_ports << acrescente esta regra
#
#
##############
#Redes SJT ###
##############
acl rede_sjt src 192.168.100.0/24
#
#
############################
# Usuários da Rede SJT ####
###########################
acl jgomes src 192.168.100.26
acl tjorge src 192.168.100.45
acl teste1 src 192.168.100.37
#
#########################
# Rede Visitante DHCP ###
#########################
acl visitante0 src 192.168.100.233
acl visitante1 src 192.168.100.234
acl visitante2 src 192.168.100.235
acl visitante3 src 192.168.100.236
acl visitante4 src 192.168.100.237
##############################
# Servidores #################
##############################
acl sjtarq src 192.168.100.xxx
acl sjtsql src 192.168.100.xxx
acl win2008bkp src 192.168.100.xxx

#######################################
# Regras de negação e liberaçãç #######
#######################################
acl [*****] url_regex "/etc/squid/[*****]"
acl noporn url_regex "/etc/squid/noporn"
#
####################################
# Regras para bloquear downloads ###
####################################
## ACL que bloqueia Downloads com as seguintes extensões
acl downloads urlpath_regex ^ftp \.exe$ \.scr$ \vba$ \.pif$ \.avi$ \.mp3$ \.mlv$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.snd$ \.wma$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.img$ \.rar$ \.bin$ \.wav$ \.iso$
acl exe url_regex -i.*.exe$
acl scr url_regex -i.*.scr$
acl vbs url_regex -i.*.vbl$
acl pif url_regex -i.*.pif$
acl avi url_regex -i.*.avi$
acl mp3 url_regex -i.*.mp3$
acl mlv url_regex -i.*.mlv$
acl mp2 url_regex -i.*.mp2$
acl mp2v url_regex -i.*.mp2v$
acl mpa url_regex -i.*.mpa$
acl mov url_regex -i.*.mov$
acl mpe url_regex -i.*.mpe$
acl mpeg url_regex -i.*.mpeg$
acl mpg url_regex -i.*.mpg$
acl ogg url_regex -i.*.ogg$
acl pls url_regex -i.*.pls$
acl ram url_regex -i.*.ram$
acl ra url_regex -i.*.ra$
acl ram url_regex -i.*.ram$
acl snd url_regex -i.*.snd$
acl wma url_regex -i.*.wma$
acl wmv url_regex -i.*.wmv$
acl wvx url_regex -i.*.wvx$
acl mid url_regex -i.*.mid$
acl midi url_regex -i.*.midi$
acl rml url_regex -i.*.rmll$
acl img url_regex -i.*.img$
acl rar url_regex -i.*.rar$
acl zip url_regex -i.*.zip$
acl bin url_regex -i.*.bin$
acl wav url_regex -i.*.wav$
acl iso url_regex -i.*.iso$
acl nodownloads urlpath_regex \webmail.exe \.windowsupdate\.microsoft.com
########################
# Regras de acesso #####
########################
#
http_access allow localhost manager
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
#
#######################################
# Inicio das Regras de acesso Empresa##
#######################################
#
http_access allow localhost
http_access allow noporn
http_access deny [*****]
http_access allow rede_sjt
httpd_accel_port 21
#
#############################
# Usuários fora do bloqueio##
#############################
http_access allow sjtarq
http_access allow jgomes
http_access allow tjorge
#
############################
# Libera o Windows update ##
############################
#
http_access allow nodownloads
http_access allow SJTARQ
http_access allow SJTSQL
http_access allow WIN2008BKP
#
###################################
# Inicio do bloqueio de Downloads##
###################################
#
http_access deny downloads
http_access deny exe
http_access deny scr
http_access deny vbs
http_access deny pif
http_access deny avi
http_access deny mp3
http_access deny mlv
http_access deny mp2
http_access deny mp2v
http_access deny mpa
http_access deny mov
http_access deny mpe
http_access deny mpeg
http_access deny mpg
http_access deny ogg
http_access deny pls
http_access deny ram
http_access deny ra
http_access deny ram
http_access deny snd
http_access deny wma
http_access deny wmv
http_access deny wvx
http_access deny mid
http_access deny midi
http_access deny img
http_access deny rar
http_access deny zip
http_access deny bin
http_access deny wav
http_access deny iso
#
######################################################################
# Inicio do cadastro de usuários com acesso a internet sem Downloads##
######################################################################
#
http_access allow jgomes
http_access allow teste1
http_access allow tjorge
###Visitantes#######
http_access allow visitante0
http_access allow visitante1
http_access allow visitante2
http_access allow visitante3
http_access allow visitante4
#
#
#############################
http_access allow CONNECT
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname FW-SJT
httpd_accel_host virtual
httpd_accel_host port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#ie refresh on
#linguagem dos erros
error_directory /usr/share/squid/errors/Portuguese
logfile_rotate 10
coredump_dir /var/spool/squid

Log !!
tail: tail: Arquivo ou diretÃ³rio nÃ£o encontrado
1386151144.655 764 192.168.100.37 TCP_DENIED/403 2157 GET http://br.bing.com/fd/fb/mulmfg? - NONE/- text/html
1386151144.804 148 192.168.100.37 TCP_DENIED/403 2157 GET http://br.bing.com/fd/fb/mulmfg? - NONE/- text/html
1386151150.299 296 192.168.100.37 TCP_MISS/302 578 GET http://www.google.com.br/ - DIRECT/173.194.42.216 text/html
1386151150.355 11 192.168.100.37 TCP_DENIED/403 2157 CONNECT www.google.com.br:443 - NONE/- text/html
1386151153.993 662 192.168.100.37 TCP_MISS/302 578 GET http://www.google.com.br/ - DIRECT/173.194.42.216 text/html
1386151154.024 9 192.168.100.37 TCP_DENIED/403 2157 CONNECT www.google.com.br:443 - NONE/- text/html
1386151154.486 462 192.168.100.37 TCP_MISS/302 578 GET http://www.google.com.br/ - DIRECT/173.194.42.216 text/html
1386151154.517 10 192.168.100.37 TCP_DENIED/403 2157 CONNECT www.google.com.br:443 - NONE/- text/html
1386151155.079 308 192.168.100.37 TCP_MISS/302 578 GET http://www.google.com.br/ - DIRECT/173.194.42.216 text/html
1386151155.113 10 192.168.100.37 TCP_DENIED/403 2157 CONNECT www.google.com.br:443 - NONE/- text/html
1386151202.121 9 192.168.100.37 TCP_DENIED/403 2157 CONNECT itau.com.br:443 - NONE/- text/html

0 0

Quote