Squid Pedindo autenticação para todos sites [RESOLVIDO]

1. Squid Pedindo autenticação para todos sites [RESOLVIDO]

Gustavo Garcez
gagarcez

(usa Kali)

Enviado em 07/12/2015 - 10:52h

Bom dia Galera.

Estou com um problema, semana passada meu squid funcionava lindamente. mas sexta feira ele começou a pedir autenticação para quase todos os sites que os usuários abriam, mas se vc atualiza-se a pagina algumas vezes ele parava de pedir(meus usuários são autenticados pelo login do windows no ad).

Não fiz nenhuma alteração do .conf do squid nem nd.

Percebi no log que tem um determinado padrão, meu squid fica bloqueando o site que é liberado caso eu não autentique, mas depois de um tempinho ele desbloqueia o acesso normalmente, e ele varia entre /404 e /407 ate liberar e ir para /200.

O que pode estar causando esse atraso no meu squid?

Preciso tirar essas solicitações de autenticação que ficam aparecendo para todos sites
OBS.: todos filtros são feitos via grupos do AD.

Obrigado galera

Segue meu .conf


#########################
## CONFIGURAÇÕES GERAIS ##
##########################

# Definindo Porta de Acesso
http_port 3128

visible_hostname proxysv
hierarchy_stoplist cgi-bin?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
maximum_object_size_in_memory 100 KB
maximum_object_size 4096 KB
minimum_object_size 0 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy lru
memory_replacement_policy lru
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

# Define caminho para arquivo de log de acesso
access_log /var/log/squid3/access.log squid

cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 3000 16 256
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_swap_log /var/spool/squid3/swap.log
cache_mgr proxysv@gdbr-tg.local
#error_directory /192.168.100.221/sysvol/ErrorPages
error_directory /usr/share/squid3/errors/pt-br
error_default_language pt-br
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
logfile_rotate 4

###############################
## DEFINICAO DAS ACLS GERAIS ##
###############################

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.100.0/24
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563 # snews
acl SSL_ports port 10000 # SAP
acl SSL_ports port 10001 # SAP
acl SSL_ports port 30000 # SAP
acl SSL_ports port 30001 # SAP
acl SSL_ports port 30010 # SAP
acl SSL_ports port 1433 # SQL
acl SSL_ports port 8443 # Print Add GDBR 09-06-2015
acl SSL_ports port 4343 # Trend Micro Add GDBR 09-06-2015
acl SSL_ports port 442 # Portal Toyota Argentina
acl SSL_ports port 5003 # Porta NFe
acl SSL_ports port 81 # Porta Inovar AUTO
acl SSL_ports port 441 # TASA

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 407 # msn
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop

acl Safe_ports port 10000 # SAP
acl Safe_ports port 10001 # SAP
acl Safe_ports port 30000 # SAP
acl Safe_ports port 30001 # SAP
acl Safe_ports port 30010 # SAP
acl Safe_ports port 1433 # SQL
acl Safe_ports port 4343 # TrendMicro
acl Safe_ports port 8443 # Canon 5235
acl Safe_ports port 442 # Portal DST Toyota Argentina - TASA
acl Safe_ports port 5003 # Porta NFe
acl Safe_ports port 81 # Porta Inovar AUTO
acl Safe_ports port 441 # TASA

acl purge method PURGE
acl CONNECT method CONNECT

####################################
## DEFINICAO DAS ACLS ESPECIFICAS ##
####################################

# Libearcao MS Office 2013
acl msoffice_allow url_regex -i "/etc/squid3/acl/msoffice.allow"
acl msoffice_domain dstdomain -i "/etc/squid3/acl/msoffice.domain"

# Servidores SAP
acl sapservers_allow url_regex -i "/etc/squid3/acl/sapservers.allow"

# Servidores NFe
acl nfeservers_allow url_regex -i "/etc/squid3/acl/nfeservers.allow"

http_access allow msoffice_allow
http_access allow msoffice_domain
http_access allow nfeservers_allow
http_access allow sapservers_allow

##################
## AUTENTICACAO ##
##################

# Sem POPUP
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm GDBR-TG PROXY SERVER
auth_param basic credentialsttl 12 hours
acl autenticacao proxy_auth REQUIRED

##############################
# Bloqueios Por Grupos do AD #
##############################

external_acl_type grupo_ad ipv4 ttl=60 children=5 %LOGIN /usr/lib/squid3/wbinfo_group.pl

# PLANT MANAGEMENT #

acl grp_adm external grupo_ad administration # ADMINISTRATION
acl grp_all external grupo_ad all # ALL
acl grp_sales external grupo_ad sales_production # SALES_PRODUCTION
#-----------------------------------------------------------------------

# IT TEAM #

acl grp_it external grupo_ad it # IT
acl grp_it_sup external grupo_ad it_support # IT_SUPPORT
#-----------------------------------------------------------------------

# PROXY NIVEL #

acl grp_nivel01 external grupo_ad proxy_nivel01 # PROXY_NIVEL01
acl grp_nivel02 external grupo_ad proxy_nivel02 # PROXY_NIVEL02
acl grp_nivel03 external grupo_ad proxy_nivel03 # PROXY_NIVEL03
#-----------------------------------------------------------------------

################################
# ACLs de Bloqueio de DOMINIOS #
################################

# Axcessões de ACESSO #
acl excessao_face dstdomain -i "/etc/squid3/acl/acl.grupos/excessao.face" # EXCESSAO FACE

# Ordem de permissões, quanto maior o nivel maior o acesso #
acl bloqueio_interno dstdomain -i "/etc/squid3/acl/acl.grupos/bloqueio.interno" # BLOQUEIO INTERNO
acl bloqueio_nivel01 dstdomain -i "/etc/squid3/acl/acl.grupos/bloqueio.nivel01" # BLOQUEIO NIVEL01
acl bloqueio_nivel02 dstdomain -i "/etc/squid3/acl/acl.grupos/bloqueio.nivel02" # BLOQUEIO NIVEL02
acl bloqueio_nivel03 dstdomain -i "/etc/squid3/acl/acl.grupos/bloqueio.nivel03" # BLOQUEIO NIVEL03

#acl liberado_geral dstdomain -i "/etc/squid3/acl/acl.grupos/liberado.geral" # LIBERADO PARA TODOS



####################################
# Ativando ACLs de Bloqueio/Acesso #
####################################

http_access allow grp_adm
http_access allow grp_all
http_access allow grp_sales
http_access allow grp_it_sup
http_access allow grp_it !excessao_face
http_access deny bloqueio_interno
http_access deny bloqueio_nivel03
http_access allow grp_nivel03
http_access deny bloqueio_nivel02
http_access allow grp_nivel02
http_access deny bloqueio_nivel01
http_access allow grp_nivel01
#http_access allow liberado_geral
#http_access deny bloqueio_download

#############################
## ATIVANDO AS ACLS PADRAO ##
#############################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost

######################################
# ATIVANDO ACL USUARIOS AUTENTICADOS #
######################################

http_access allow autenticacao

http_access allow localnet
http_access deny all



  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts