Problema com autenticacão e acl para bloqueio no squid. [RESOLVIDO]

LinuxTec
(usa Debian)

Enviado em 27/04/2009 - 15:07h

Pessoal preciso de ajuda urgente se alguém poder me ajudar até o fim ficarei muito agradecido.
Bem vamos la o problema é o seguinte peguei um squid pra montar na empresa quero apenas configurar o squid e o sarg squid para controlar apenas as autenticacòes de quem esta navegando e o sarg para gerar os relatorios de acesso e apenas uma acl bloquear sites certo nem preciso de firewall mais se eu terminar logo meu proxy claro que irei implemantar o firewall conseguentemente mais minha maior urgencia é o proxy cache e o sarg:

1 Instalei o squid 2.7 configurei ele numa boa ta rodando normal fim a autenticacào com o ncsa_auth e start o squid tranquilo os problemas sáo quando eu logo pelo browser ele navega numa boa mais nào pede a autenticacão nem com reza e quando eu crio a acl de bloqueio da pau no squid diz que a acl bloqueio nào existe detalhe eu configurei o proxy nos browser certinho apenas navega sem pedir autenticacào e nem uma regra ele aceita toda acl que eu crio da erro. desculpem os erros ortograficos pois meu teclado está sem "c" cedilha estarei no aguarde..

ERRO SQUID COM A ACL BLOQUEAR

proxy-server:/etc/squid# touch bloquear
proxy-server:/etc/squid# squid -k reconfigure
2009/04/27 14:47:15| strtokFile: /etc/squid/bloqueios not found
2009/04/27 14:47:15| squid.conf line 30: http_access bloquear deny
2009/04/27 14:47:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'bloquear'.


SQUID COM A ACL COMENTADA FUNCIONANDO SEM A AUTENTICACÃO E CLARO:

http_port 192.168.1.9:3128
visible_hostname WEB-PROXY
acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
#acl bloquear dstdomain -i "/etc/squid/bloqueios"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
#http_access bloquear deny
http_access deny all
cache_mem 40 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Assim com as acl comentadas funciona numa boa olhem:

proxy-server:/etc/squid# squid -k reconfigure
proxy-server:/etc/squid#


Estarei no aguarde de qualquer ajuda desde já..

TothBR
(usa Debian)

Enviado em 27/04/2009 - 16:14h

Boa tarde!

Se vc analizar o fechamento da acl:

http_access bloquear deny

vc inverteu as bolas o correto seria

http_access deny bloquear

Abraços

ST. RaLF
(usa Arch Linux)

Enviado em 27/04/2009 - 16:21h

E sobre a "strtokFile: /etc/squid/bloqueios not found" cria o arquivo /etc/squid/bloqueios mesmo ficando vazio, que a mensagem para de aparecer.

TothBR
(usa Debian)

Enviado em 27/04/2009 - 16:35h

Ola ST. RaLF!

Não entendi sua pergunta preciso ver a conf de sua acl e como vc esta colocando os sites no arquivo de bloqueio, pelo que vi é devido ao tipo de acl que vc ta usando por exemplo:

acl bloquear dstdomain -i "/etc/squid/bloqueios" somente dominios não aceita url exemplo .uol.com.br
acl bloquear urlregex -i "/etc/squid/bloqueios" vc pode tratar ambos

Abraços

LinuxTec
(usa Debian)

Enviado em 27/04/2009 - 18:11h

Bem amigos eu tinha invertido mesmo as bolas na acl mais ainda não barra nada sera q está errada essa regra

acl bloquear dstdomain -i "/etc/squid/bloquear"

http_access deny bloquear

Meu squid agora roda sem erro mais não barra nada e continua sem pedir a bentida autenticacão segue o squid.conf

http_port 192.168.1.9:3128
visible_hostname Lan-House Grif Rotulos e Etiquetas Adesivas
acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl bloquear dstdomain -i "/etc/squid/bloquear"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
http_access deny bloquear
http_access deny all
cache_mem 40 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

TothBR
(usa Debian)

Enviado em 28/04/2009 - 08:06h

Bom dia!

Vc tem que inverter a ordem do fechamento das acl segue abaixo:

http_access deny bloquear
http_access allow localhost
http_access allow redelocal

Como as suas regras estavam para liberar primeiramente e depois bloquear no squid ele vai executando uma linha depois a outra se a primeira esta liberando ele não executa o restante.

Abraços

comfaa
(usa Debian)

Enviado em 28/04/2009 - 08:36h

cara, inverte a localização de algumas linhas do seu conf ....
tipo:

http_port 192.168.1.9:3128
visible_hostname Lan-House Grif Rotulos e Etiquetas Adesivas

cache_mem 40 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log

maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 29% 2280i

auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl all src 0.0.0.0/0.0.0.0
acl manage proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_posts port 21 # ftp
acl Safe_posts port 443 563 # https,snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl bloquear dstdomain -i "/etc/squid/bloquear"
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
http_access deny bloquear
http_access deny all



tem aí .... e avisa se deu boa .... a ordem dela tmb é leva em conta, pelo menos comigo aqui faz muita diferença ....

abraços

LinuxTec
(usa Debian)

Enviado em 29/04/2009 - 11:58h

Bem pessoal agradeço a colaboração de todos consegui finalizar meu squid esta rodando de boa criei a bendita acl do proxy erá ela q estava falntando para autenticar mais está tudo blz agora vou post o squid comentado se por acaso alguém precisar de um squid configuradinho e comentado pode ser q ajudem ..........

Mas o Problema agora é o seguinte quero usar o sarg para gerencial os relatorios no entanto li bastante a respeito o arquivo de configuração do sarg nas distribuições debia lenny e ubuntu estão no /etc/sarg/sarg.conf certo..

Só que quando eu dou um apt-get install sarg instala numa boa.
Ae vem o q não deixa eu durmi eu não acho o conf do sarg dentro do meu /etc não tem sarg a unica coisa q tem do sarg é quando eu executo um whereis olhem onde achas..

proxy-server:~# whereis sarg
sarg: /usr/bin/sarg /usr/share/sarg /usr/share/man/man1/sarg.1.gz
proxy-server:~#

Me ajudem com o sarg pessoal quando finalizado posto a conf dele tbm segue o meu squid rodando normal para aproveitos...

#################################################################################################
############### WELCOME TO SQUID 2.7.STABLE4 (claudio.linux@uol.com.br) ################
#################################################################################################

#################################################################################################
############### Autenticacao do usuario #############################################
#################################################################################################
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite seu login LAN-HOUSE
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#################################################################################################
############## Porta padrao Hosta Name e acl ##############################################
#################################################################################################
http_port 3128
visible_hostname proxy-web claudio.linux@uol.com.br
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
################################################################################################
############# Pagina de erro do squid em acessos bloqueados ##############################
################################################################################################
error_directory /usr/share/squid/errors/Portuguese

################################################################################################
############ Bloqueio de sites #########################################################
################################################################################################
acl proibir_sites dstdomain "/etc/squid/sites"
acl proibir_palavras url_regex -i "/etc/squid/palavras"

################################################################################################
########## Acl password proxy #######################################################
################################################################################################
acl password proxy_auth REQUIRED

################################################################################################
######### Liberacao e bloqueio das acl ################################################
################################################################################################
http_access deny proibir_palavras
http_access deny proibir_sites
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
hierarchy_stoplist cgi-bin ?

###############################################################################################
######## Arquivo de log do squi #############################################################
###############################################################################################
access_log /var/log/squid/access.log squid

###############################################################################################
######### Refresh na pagina ###############################################################
###############################################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

###############################################################################################
######### Evitando conflito com o Apache ###################################################
###############################################################################################
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

comfaa
(usa Debian)

Enviado em 29/04/2009 - 12:19h

então cara, o conf do SARG fica dentro do diretorio so Squid
se nao me engano fica assim ....

/etc/squid/sarg.conf


Obs.: Despois de resolvido, nao esqueça de marcar o Topico como resolvido e nao esqueça e escolher a melhor resposta ok ??

Abraços

LinuxTec
(usa Debian)

Enviado em 29/04/2009 - 13:05h

Entendo amigo..

Mais não esta dentro do squid não dentro do squid só tem o meu squid meu backup minhas regras o que pode ser entçao não esta instalando o sarg ..

comfaa
(usa Debian)

Enviado em 29/04/2009 - 13:08h

desinstala o sarg e intala denovo ....

# apt-get remove sarg
.
.
.
# apt-get install sarg

e da uma olhada lá, ele "tem" que estar lá !!

abraços

LinuxTec
(usa Debian)

Enviado em 30/04/2009 - 23:13h

Já tentei desistala-lo e intalar novamente e sem exito.
Inclusiveu atualizei os mirros mudei meu sources.list e atualizei novamente meu distro e nada.
Também tentei instalar via make install copilando e também sem exito.
A minha dificuldade é onde está o sarg.conf pois não esta instalando dentro do /etc

Procurei com find / -iname sarg

e so encontrou dentro do /usr/sbin
/usr/sbin/share

Muito estranho porque posso garantir que o sistema está atualizado uso debia lenny 5.0

Alguém teria alguma ideia !!!!!!