tiagopaulista
(uses Debian)
Posted on 08/07/2011 - 17:02h
Good afternoon gentlemen,
I need to clear up some doubts about Squid, see below:
I have 2 IPs:
eth0 192.168.1.250 mask 255.255.255.0 gt 192.168.1.254 (local network)
eth1 192.168.0.250 mask 255.255.255.0 gt 0.0.0.0 (modem)
In the firewall I am using the following rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.250:3128
sudo modprobe iptable_nat
sudo modprobe ip_nat_ftp
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
But the Squid rules are not working; the squid.conf follows below:
##########################################################
# Configuration details
# Developed by: TJT Tecnologia - Soluções em T.I.
# Date: 04/06/2011
##########################################################
##########################################################
# http_port: sets the port the server will use.
# visible_hostname: sets the server's display name.
# cache_mgr: sets the administrator e-mail that receives messages in serious cases.
##########################################################
http_port 127.0.0.1:3128 transparent
#http_port 3128
#ic_port 0
visible_hostname server
cache_mgr suporte@tjttecnologia.com.br
##########################################################
# Sets the language of the error message pages to Brazilian Portuguese.
##########################################################
error_directory /usr/share/squid3/errors/pt-br
##########################################################
# hierarchy_stoplist: sets words that, if found in the URL, cause the page to be loaded directly from the cache.
# cache_mem: sets the amount of memory the server will use for the cache.
# maximum_object_size_in_memory: sets the maximum size of an object that can be stored in memory; otherwise it is stored on the hard disk.
# maximum_object_size: sets the maximum size of an object that can be stored on the hard disk; otherwise the object is discarded.
##########################################################
hierarchy_stoplist cgi-bin ?
#cache_men 32 MB
#maximun_object_size_in_memory 64 KB
#maximun_object_size 100 MB
##########################################################
# Specify the cache directory, where objects will be stored, and allocate 2 GB of cache storage space.
##########################################################
cache_dir ufs /var/spool/squid3 2048 16 256
##########################################################
# Now we define the lifetime of objects in the cache, so that whenever Squid checks them it knows whether it needs to update them or not.
#
# 1st column: sets the time in minutes, on each access, after which to check whether the object was modified.
# 2nd column: sets the minimum percentage of modification the object must have to be updated.
# 3rd column: sets the time in minutes after which an update is performed even if the object was not modified.
##########################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
##########################################################
# Specify the path of Squid's access log
##########################################################
access_log /var/log/squid3/access.log
##########################################################
# Creation of two acls of type src (source IP), adding the server IP and the network IP.
##########################################################
#acl all 0.0.0.0/0.0.0.0
acl re src 192.168.0.0/192.168.0.255
acl redelocal src 127.0.0.1/255.255.255.255
#acl all 0.0.0.0/0.0.0.0
#acl localhost src 127.0.0.0/32
#acl limite src 192.168.0.0/192.168.0.255
#acl rede2 src 192.198.0.0/24
#acl to_localhost 127.0.0.0/32
##########################################################
# SAMBA authentication part.
##########################################################
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 40
auth_param basic realm Acesso Restrito
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
##########################################################
# Creation of an acl of type proto (protocol), adding the "cache_object" protocol.
# The "cache_object" protocol is used to obtain information about Squid's state.
# Only the server may obtain Squid's information
##########################################################
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
##########################################################
# Blocks by user
##########################################################
acl USUARIOS proxy_auth REQUIRED
acl USUARIOS_NAO_ORKUT proxy_auth "/etc/squid3/rules/users-orkut.rules"
acl USUARIOS_NAO_YOUTUBE proxy_auth "/etc/squid3/rules/users-youtube.rules"
acl USUARIOS_NAO_TWITTER proxy_auth "/etc/squid3/rules/users-twitter.rules"
acl USUARIOS_NAO_GMAIL proxy_auth "/etc/squid3/rules/users-gmail.rules"
acl USUARIOS_NAO_EVOSERVER proxy_auth "/etc/squid3/rules/users-evoserver.rules"
acl USUARIOS_NAO_MEEBO proxy_auth "/etc/squid3/rules/users-meebo.rules"
acl USUARIOS_NAO_LIVE proxy_auth "/etc/squid3/rules/users-live.rules"
acl ORKUT url_regex orkut
acl GMAIL url_regex gmail
acl EVOSERVER url_regex evoserver
acl YOUTUBE url_regex youtube
acl TWITTER url_regex twitter
acl MEEBO url_regex meebo
acl LIVE url_regex live
##########################################################
# Creation of an acl of type port, adding the ports that will be allowed.
##########################################################
acl SSL_ports port 433 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports
##########################################################
# Creation of an acl of type method (request method), adding the PURGE method.
# The PURGE request method is used to clean/remove objects stored in the cache.
# To allow only the server to remove objects, add the following rule.
##########################################################
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny ORKUT USUARIOS_NAO_ORKUT
http_access deny YOUTUBE USUARIOS_NAO_YOUTUBE
http_access deny GMAIL USUARIOS_NAO_GMAIL
http_access deny EVOSERVER USUARIOS_NAO_EVOSERVER
http_access deny TWITTER USUARIOS_NAO_TWITTER
http_access deny MEEBO USUARIOS_NAO_MEEBO
http_access deny LIVE USUARIOS_NAO_LIVE
##########################################################
# Creation of an acl of type method (request method), adding the CONNECT method, which allows direct connections.
##########################################################
acl connect method CONNECT
##########################################################
# Creation of an acl of type port, adding the ports of the SSL protocols that were added to the "Safe_ports" acl
# and must be allowed for direct connection.
##########################################################
acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync
##########################################################
# To block access on ports that were not allowed for direct connection.
##########################################################
http_access deny connect !SSL_ports
##########################################################
# Blocks by IP
##########################################################
#acl ipsparcial src "/etc/squid3/ips_parcial"
#http_access deny ipsparcial
##########################################################
# Blocks by domain
##########################################################
acl domains dstdomain "/etc/squid3/domains"
http_access deny domains
##########################################################
# Blocks by word
##########################################################
acl words url_regex -i "/etc/squid3/words"
http_access deny words
##########################################################
# Blocks by extension
##########################################################
acl extensions urlpath_regex -i "/etc/squid3/extensions"
http_access deny extensions
##########################################################
# To block access on ports that were not allowed, add the following rule.
##########################################################
http_access allow SSL_ports
http_access allow Safe_ports
#http_access allow all
http_access allow manager localhost
#http_access denny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal
http_access deny redelocal
##########################################################
# With no more acls to create, add the following rule so that only the network's machines
# and the server are allowed to access the Internet.
##########################################################
http_access allow localhost
http_access deny all
#httpd_accel_port 80
#httpd_accel_host virtual
I would like to know where I am going wrong.
Regards,
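Squid evaluates http_access lines in order: the first line whose ACL terms all match decides the request, and when no line matches Squid applies the opposite of the last line's action. The evaluator below is an added example (not code from the post or from Squid) that simulates those two rules on a condensed, constructed sample of the ordering in the squid.conf above. It supports only the acl types the post uses (src, proxy_auth, url_regex, urlpath_regex, dstdomain, port, method), treats an unauthenticated client as simply not matching a proxy_auth acl instead of sending a 407 challenge, and the user names joao and maria and the example hosts are made up. Run against that sample it shows why the posted ordering misbehaves: a logged-in user is allowed by the early `http_access allow ncsa_users` line before any of the per-site deny lines are reached, a client on the 192.168.1.0/24 LAN falls through to `deny all` because the redelocal acl covers 192.168.0.0/24, and a src value written as an address range (192.168.0.0/192.168.0.255) is not a valid netmask.

```python
"""Simplified first-match evaluator for Squid http_access rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a condensed version of the acl / http_access ordering in the
# post above (NOT the full squid.conf). User names are made up.
SAMPLE_CONF = """\
acl localhost src 127.0.0.1/255.255.255.255
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
acl USUARIOS_NAO_ORKUT proxy_auth joao maria
acl ORKUT url_regex orkut
http_access deny ORKUT USUARIOS_NAO_ORKUT
acl Safe_ports port 80 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all
"""


@dataclass
class Request:
    src: str            # client IP as Squid sees it
    url: str            # full URL, or host:port for CONNECT
    port: int           # destination port
    method: str = "GET"
    user: str = ""      # empty = no proxy credentials presented


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is an ordered list."""
    acls = {"all": ("src", ["0.0.0.0/0"])}   # Squid 3 predefines 'all'
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if name in acls and acls[name][0] != acl_type:
                raise ValueError(f"acl {name!r} redefined with a different type")
            acls.setdefault(name, (acl_type, []))[1].extend(values)  # repeated acl lines append
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _networks(values):
    nets = []
    for v in values:
        try:
            nets.append(ipaddress.ip_network(v, strict=False))
        except ValueError as exc:
            # e.g. 192.168.0.0/192.168.0.255 is an address range, not a netmask
            raise ValueError(f"bad src value {v!r}: {exc}") from None
    return nets


def _host(req):
    if req.method.upper() == "CONNECT":
        return req.url.split(":")[0]
    return urlsplit(req.url).hostname or ""


def acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type == "src":
        return any(ipaddress.ip_address(req.src) in net for net in _networks(values))
    if acl_type == "proxy_auth":
        if not req.user:
            return False       # simplified: real Squid answers 407 and challenges here
        return "REQUIRED" in values or req.user in values
    if acl_type in ("url_regex", "urlpath_regex"):
        subject = req.url if acl_type == "url_regex" else urlsplit(req.url).path
        flags = re.IGNORECASE if "-i" in values else 0
        return any(re.search(p, subject, flags) for p in values if p != "-i")
    if acl_type == "dstdomain":
        host = _host(req)
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)) for d in values)
    if acl_type == "port":
        return any(int(lo) <= req.port <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type {acl_type!r}")


def decide(conf_text, req):
    """First http_access line whose terms ALL match wins; with no match, Squid applies
    the opposite of the last line's action. Returns (action, matching line or None)."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        # a term passes when the acl matches, or fails to match and is negated with '!'
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    for req in (
        Request("192.168.1.10", "http://www.example.com/", 80),              # LAN client, no login
        Request("192.168.1.10", "http://www.orkut.com/", 80, user="joao"),  # listed in USUARIOS_NAO_ORKUT
        Request("192.168.0.5", "mail.example.com:25", 25, method="CONNECT"),
    ):
        print(req.src, req.method, req.url, "->", decide(SAMPLE_CONF, req))
```

Feeding a real squid.conf through `decide()` with a handful of representative requests (an unauthenticated LAN client, a user who appears in one of the deny lists, a CONNECT to a non-SSL port) is a quick way to see which line actually decides each request before reloading Squid; the order of the `http_access` lines, not just their presence, is what the proxy enforces.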