Problem with authentication and blocking ACL in Squid. [SOLVED]

1. Problem with authentication and blocking ACL in Squid. [SOLVED]

jose claudio
LinuxTec

(uses Debian)

Posted on 27/04/2009 - 15:07h

Folks, I need urgent help; if anyone can help me through to the end I'll be very grateful.
Well, here goes. The problem is this: I took on a Squid to set up at the company. I just want to configure Squid and SARG: Squid to control only the authentication of whoever is browsing, SARG to generate the access reports, and just one ACL to block sites. I don't even need a firewall, but if I finish my proxy soon I will of course implement the firewall afterwards; my biggest urgency is the caching proxy and SARG:

1 I installed Squid 2.7 and configured it without trouble; it's running normally. I set up authentication with ncsa_auth and Squid starts fine. The problems are: when I go through the browser it browses fine but doesn't ask for authentication no matter what, and when I create the blocking ACL Squid breaks, saying the ACL bloqueio doesn't exist. Note that I configured the proxy in the browsers correctly; it just browses without asking for authentication, and it doesn't accept a single rule, every ACL I create gives an error. Sorry for the spelling mistakes, my keyboard has no "ç" key. I'll be waiting..

SQUID ERROR WITH THE BLOQUEAR ACL

proxy-server:/etc/squid# touch bloquear
proxy-server:/etc/squid# squid -k reconfigure
2009/04/27 14:47:15| strtokFile: /etc/squid/bloqueios not found
2009/04/27 14:47:15| squid.conf line 30: http_access bloquear deny
2009/04/27 14:47:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'bloquear'.


SQUID WITH THE ACL COMMENTED OUT, WORKING, WITHOUT AUTHENTICATION OF COURSE:

http_port 192.168.1.9:3128
visible_hostname WEB-PROXY
acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
#acl bloquear dstdomain -i "/etc/squid/bloqueios"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
#http_access bloquear deny
http_access deny all
cache_mem 40 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

With the ACLs commented out like this it works fine, look:

proxy-server:/etc/squid# squid -k reconfigure
proxy-server:/etc/squid#


I'll be waiting for any help, thanks in advance..


  


2. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Toth BR
TothBR

(uses Debian)

Posted on 27/04/2009 - 16:14h

Good afternoon!

If you look at the closing line of the ACL:

http_access bloquear deny

you got it backwards; the correct form would be

http_access deny bloquear

Regards


3. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Rafael Arcanjo
ST. RaLF

(uses Arch Linux)

Posted on 27/04/2009 - 16:21h

And about the "strtokFile: /etc/squid/bloqueios not found": create the file /etc/squid/bloqueios, even if it stays empty, and the message stops appearing.


4. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Toth BR
TothBR

(uses Debian)

Posted on 27/04/2009 - 16:35h

Hello ST. RaLF!

I didn't understand your question. I need to see the conf of your ACL and how you are putting the sites in the block file. From what I saw, it's due to the type of ACL you're using, for example:

acl bloquear dstdomain -i "/etc/squid/bloqueios"   (domains only, does not accept URLs; example: .uol.com.br)
acl bloquear url_regex -i "/etc/squid/bloqueios"   (you can handle both)

Regards


5. Squid not authenticating and problem with ACL

jose claudio
LinuxTec

(uses Debian)

Posted on 27/04/2009 - 18:11h

Well friends, I really had gotten it backwards in the ACL, but it still doesn't block anything. Could this rule be wrong?

acl bloquear dstdomain -i "/etc/squid/bloquear"

http_access deny bloquear

My Squid now runs without errors, but it doesn't block anything and still doesn't ask for the blessed authentication. Here is the squid.conf:

http_port 192.168.1.9:3128
visible_hostname Lan-House Grif Rotulos e Etiquetas Adesivas
acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl bloquear dstdomain -i "/etc/squid/bloquear"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
http_access deny bloquear
http_access deny all
cache_mem 40 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off





6. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Toth BR
TothBR

(uses Debian)

Posted on 28/04/2009 - 08:06h

Good morning!

You have to invert the order of the closing lines of the ACLs, as follows:

http_access deny bloquear
http_access allow localhost
http_access allow redelocal

Your rules were set to allow first and block afterwards. Squid executes one line after another; if the first one is allowing, it doesn't execute the rest.

Regards


7. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Dênis Wallace de Souza
comfaa

(uses Debian)

Posted on 28/04/2009 - 08:36h

Man, change the position of some lines in your conf ....
like this:

http_port 192.168.1.9:3128
visible_hostname Lan-House Grif Rotulos e Etiquetas Adesivas

cache_mem 40 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log

maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i

auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl bloquear dstdomain -i "/etc/squid/bloquear"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
http_access deny bloquear
http_access deny all



Try that .... and let us know if it worked .... the order is also taken into account; at least for me here it makes a lot of difference ....

Regards


8. Squid Solved + Problem with SARG ..

jose claudio
LinuxTec

(uses Debian)

Posted on 29/04/2009 - 11:58h

Well folks, thanks for everyone's collaboration. I managed to finish my Squid and it's running fine. I created the blessed proxy ACL; that was what was missing for authentication, but everything is fine now. I'll post the commented squid.conf in case someone needs a configured and commented Squid; it may help ..........

But the problem now is the following: I want to use SARG to manage the reports. I've read quite a bit about it; the SARG configuration file on the Debian Lenny and Ubuntu distributions is at /etc/sarg/sarg.conf, right..

But when I run apt-get install sarg it installs fine.
Then comes what keeps me from sleeping: I can't find SARG's conf. Inside my /etc there is no sarg; the only thing there is of SARG is what I get when I run whereis, look where it finds it..

proxy-server:~# whereis sarg
sarg: /usr/bin/sarg /usr/share/sarg /usr/share/man/man1/sarg.1.gz
proxy-server:~#

Help me with SARG, folks; when it's done I'll post its conf too. Here is my Squid, running normally, for anyone to make use of...

#################################################################################################
############### WELCOME TO SQUID 2.7.STABLE4 (claudio.linux@uol.com.br) ################
#################################################################################################

#################################################################################################
############### User authentication #################################################
#################################################################################################
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite seu login LAN-HOUSE
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#################################################################################################
############## Default port, host name and ACLs ###########################################
#################################################################################################
http_port 3128
visible_hostname proxy-web claudio.linux@uol.com.br
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
################################################################################################
############# Squid error page for blocked accesses ######################################
################################################################################################
error_directory /usr/share/squid/errors/Portuguese

################################################################################################
############ Site blocking #############################################################
################################################################################################
acl proibir_sites dstdomain "/etc/squid/sites"
acl proibir_palavras url_regex -i "/etc/squid/palavras"

################################################################################################
########## Proxy password ACL #######################################################
################################################################################################
acl password proxy_auth REQUIRED

################################################################################################
######### Allowing and blocking by ACL ################################################
################################################################################################
http_access deny proibir_palavras
http_access deny proibir_sites
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
hierarchy_stoplist cgi-bin ?

###############################################################################################
######## Squid log file #####################################################################
###############################################################################################
access_log /var/log/squid/access.log squid

###############################################################################################
######### Page refresh ####################################################################
###############################################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

###############################################################################################
######### Avoiding conflict with Apache ####################################################
###############################################################################################
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
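
Added example (not part of any post in this thread, and not Squid's own code): a small Python model of how Squid walks http_access lines top to bottom and stops at the first match, run over a subset of the rule order from post 5 and from post 8. The blocklist entry, client address and user name are constructed; the port and method rules are left out.

```python
import ipaddress

BLOCKED = [".blocked.example"]  # constructed stand-in for the blocklist file

def dstdomain(host, entries):
    """dstdomain: a leading dot matches the domain itself and any subdomain."""
    host = host.lower()
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in (x.lower() for x in entries))

def in_net(cidr):
    return lambda r: ipaddress.ip_address(r["src"]) in ipaddress.ip_network(cidr)

ACLS = {
    "all": lambda r: True,
    "localhost": in_net("127.0.0.1/32"),
    "redelocal": in_net("192.168.1.0/24"),
    "localnet": in_net("192.168.0.0/16"),
    "bloquear": lambda r: dstdomain(r["host"], BLOCKED),
    "proibir_sites": lambda r: dstdomain(r["host"], BLOCKED),
    # proxy_auth REQUIRED: None means "no credentials yet", which Squid answers with 407
    "password": lambda r: True if r.get("user") else None,
}

# Rule order as posted (subset): "allow all" comes before everything else in post 5.
POST5 = ["allow all", "allow localhost", "allow redelocal", "deny bloquear", "deny all"]
POST8 = ["deny proibir_sites", "allow password", "allow localhost", "allow localnet", "deny all"]

def evaluate(rules, req):
    """Walk http_access lines in order; the first line whose ACLs all match decides."""
    for line in rules:
        action, *names = line.split()
        results = [ACLS[n](req) for n in names]
        if None in results and all(r is not False for r in results):
            return "407", line          # authentication challenge sent to the browser
        if all(results):
            return action, line
    # Nothing matched: Squid applies the opposite of the last line's action.
    last = rules[-1].split()[0]
    return ("deny" if last == "allow" else "allow"), None

if __name__ == "__main__":
    requests = ({"src": "192.168.1.20", "host": "www.blocked.example"},
                {"src": "192.168.1.20", "host": "debian.org"},
                {"src": "192.168.1.20", "host": "debian.org", "user": "maria"})
    for name, rules in (("post 5", POST5), ("post 8", POST8)):
        for req in requests:
            print(name, req["host"], req.get("user"), "->", evaluate(rules, req))
```

With the post 5 order every request stops at "allow all", so neither the block list nor any authentication rule is ever consulted; with the post 8 order the deny line is reached first and unauthenticated clients get the 407 challenge.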




9. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Dênis Wallace de Souza
comfaa

(uses Debian)

Posted on 29/04/2009 - 12:19h

So man, SARG's conf is inside the Squid directory
if I'm not mistaken it's like this ....

/etc/squid/sarg.conf


Note: once it's solved, don't forget to mark the topic as solved and don't forget to choose the best answer, ok ??

Regards


10. Sarg

jose claudio
LinuxTec

(uses Debian)

Posted on 29/04/2009 - 13:05h

I understand, friend..

But it isn't inside squid. Inside squid there is only my squid, my backup and my rules. What could it be then, it isn't installing SARG ..


11. Re: Problem with authentication and blocking ACL in Squid. [SOLVED]

Dênis Wallace de Souza
comfaa

(uses Debian)

Posted on 29/04/2009 - 13:08h

uninstall sarg and install it again ....

# apt-get remove sarg
.
.
.
# apt-get install sarg

and have a look there, it "has" to be there !!

Regards


12. Sarg

jose claudio
LinuxTec

(uses Debian)

Posted on 30/04/2009 - 23:13h

I already tried uninstalling it and installing it again, without success.
I even updated the mirrors, changed my sources.list and updated my distro again, and nothing.
I also tried installing via make install, compiling it, also without success.
My difficulty is where sarg.conf is, since it isn't being installed inside /etc

I searched with find / -iname sarg

and it only found it inside /usr/sbin
/usr/sbin/share

Very strange, because I can guarantee the system is up to date; I use Debian Lenny 5.0

Does anyone have any idea !!!!!!


