Squid SSL_ports
13. Re: Squid SSL_ports
fcmorini
(usa Debian)
Enviado em 10/09/2013 - 16:57h
Buckminster escreveu:
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA << veja bem, tem um erro aqui... o 's' de IPs deve ser minúsculo, pois a acl criada é numeric_IPs. O erro é do próprio site do Squid, esqueci de falar.
#
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Tu tem 3 redes locais?
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
Veja bem, no Iptables tua rede local está 192.168.1.0/24 e no Squid está 192.168.0.0/16.
Coloque assim no Squid:
acl localnet src 192.168.1.0/24 e comente as outras duas.
Não esqueça de reiniciar o Squid após cada alteração no squid.conf
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA << veja bem, tem um erro aqui... o 's' de IPs deve ser minúsculo, pois a acl criada é numeric_IPs. O erro é do próprio site do Squid, esqueci de falar.
#
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Tu tem 3 redes locais?
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
Veja bem, no Iptables tua rede local está 192.168.1.0/24 e no Squid está 192.168.0.0/16.
Coloque assim no Squid:
acl localnet src 192.168.1.0/24 e comente as outras duas.
Não esqueça de reiniciar o Squid após cada alteração no squid.conf
Cara, não consegui fazer funcionar com essa configuração!
Mas passei a tarde toda minerando url's e ip's no log do iptables e access.log do squid, em fim, fiz funcionar!
mas acredito ter uma forma mais inteligente para isso, pois acabei liberando cerca de 140 urls/ips para que pudesse fazer o skype passar pelo proxy... detalhe: foi muito mais dificil fazer funcionar utilizando uma conta microsoft
fiz as modificações sugeridas... vou postar aqui o resultado! No arquivo squid.conf deixei comentado sua sugestão para você poder ver que tentei utilizar!
peço desculpas pelo tamanho do post!
obrigado a todos pela ajuda!
#arquivo firewall
#!/bin/bash
##### DECLARACAO DE VARIAVEIS #####
IPTABLES="/sbin/iptables"
################################################################################
##### LIMPAR TODAS AS REGRAS #####
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -Z -t nat
################################################################################
##### ALTERA POLITICAS PARA DROP #####
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
################################################################################
##### REGRAS DE INPUT #####
# LOGAR TODAS AS ENTRADAS
$IPTABLES -A INPUT -j LOG --log-prefix "INPUT: " -m limit --limit 5/m --limit-burst 5
# LIBERAR PORTAS
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3128 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5351 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
################################################################################
##### REGRAS DE FORWARD #####
# LOGAR CONEXOES QUE PASSAM PELO FIREWALL
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD: " -m limit --limit 5/m --limit-burst 5
################################################################################
##### REGRAS DE NAT #####
## LOGAR CONEXOES NA TABELA NAT CHAIN PREROUTING
$IPTABLES -t nat -A PREROUTING -j LOG --log-prefix "NAT-PREROUTING: " -m limit --limit 5/m --limit-burst 5
# LOGAR CONEXOES NA TABELA NAT CHAIN POSTROUTING
$IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "NAT-POSTROUTING: " -m limit --limit 5/m --limit-burst 5
# REDIRECIONAR CONEXOES PARA O PROXY
$IPTABLES -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -i eth1 -s 10.1.1.0/24 -j REDIRECT --to-port 3128
# LIBERAR ACESSO A INTERNET
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -j MASQUERADE
################################################################################
#####arquivo squid.conf#####
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.1.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#####Regras para liberar skype
#acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
#acl Skype_UA browser ^skype
#http_access allow CONNECT localnet numeric_IPs Skype_UA
#################################################################
#liberar ips do skype
acl ips_skype url_regex "/root/ips_skype.txt"
http_access allow localnet ips_skype
##################################################
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
########################################################################
#####arquivo ips_skype.txt#####
1.172.231.200
128.69.34.19
128.72.42.189
129.15.115.137
129.21.131.77
129.2.217.220
129.241.137.174
131.151.159.126
131.253.61.102
131.253.61.80
131.253.61.82
131.253.61.96
131.253.61.98
134.170.19.113
134.170.24.140
134.170.24.142
134.170.24.175
134.170.24.224
149.13.32.15
149.169.162.237
152.3.242.59
157.55.130.142
157.55.130.162
157.55.130.175
157.55.235.149
157.56.106.210
157.56.108.82
157.56.194.23
165.123.132.204
177.84.106.134
186.205.111.111
186.210.249.128
186.218.176.81
186.218.37.56
187.126.210.65
187.14.23.223
187.38.121.230
187.61.201.237
187.6.140.217
188.115.233.44
188.50.90.102
189.0.123.137
189.26.123.15
189.41.35.124
189.70.13.230
193.120.199.14
193.120.199.16
193.120.199.17
193.95.154.38
193.95.154.39
195.114.250.233
200.144.116.143
201.27.70.176
201.63.213.170
201.79.150.214
204.9.163.184
212.142.69.228
212.161.8.36
212.187.172.78
212.8.166.35
212.8.166.36
213.166.51.4
216.46.46.145
37.208.199.151
46.233.214.16
64.4.23.174
64.4.25.230
65.184.50.78
65.55.142.165
65.55.142.37
65.55.223.16
65.55.223.21
65.55.246.20
65.55.246.22
67.249.88.141
68.183.50.93
70.27.221.28
71.197.47.114
71.47.255.237
72.39.188.10
75.70.214.2
76.120.161.202
76.170.29.203
76.211.208.94
76.235.182.180
77.122.114.101
77.98.186.52
78.141.179.11
78.141.179.12
78.141.179.13
78.141.179.16
78.141.179.17
78.141.179.18
83.10.196.218
83.25.226.190
8.8.8.8
89.133.142.43
90.33.124.119
91.152.217.9
91.190.216.38
91.190.216.66
91.190.218.20
91.190.218.52
91.190.218.56
91.190.218.59
91.190.218.60
91.190.218.62
91.190.218.64
91.190.218.65
92.155.15.234
95.58.75.53
96.16.95.139
96.224.32.247
97.75.251.5
98.103.19.82
98.218.120.32
ads1.msads.net
aidps.atdmt.com
ajax.aspnetcdn.com
api.skype.com
apps.skypeassets.com
apps.skype.com
auth.gfx.ms
az361816.vo.msecnd.net
c.msn.com
connect.facebook.net
flex.msn.com
login.live.com
m.hotmail.com
secure.skypeassets.com
skype.com
s-static.ak.facebook.com
static.skypeassets.com
text/html
ui.skype.com
www.facebook.com