URL blocking [SOLVED]

1. URL blocking [SOLVED]

Joao Eduardo dos Santos
eduardo_jst

(uses Slackware)

Posted on 08/03/2016 - 10:04h

Good morning everyone, I have an authenticated squid proxy and I'm asking for a tip on this problem:

the page https://programatopdelinha.com.br/ is being blocked, returning the following message in the browser:

Connection refused by the proxy server

Firefox is configured to use a proxy server that is refusing connections.

Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working.

logs:
ti@SERVER-NET:~# tail -f /var/log/squid3/access.log | grep 10.2.111.150
1457441848.641 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441848.906 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441849.115 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441849.304 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441849.497 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441849.705 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441850.088 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html
1457441850.305 0 10.2.111.150 TCP_DENIED/403 331 CONNECT programatopdelinha.com.br:443 teste HIER_NONE/- text/html


squid.conf
## PORT ##
http_port 3801

## AUTHENTICATION PARAMETERS ##
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users/usuarios
auth_param basic children 10
auth_param basic realm | Grupo MOTAVEL
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off

visible_hostname srvnet-TI_MOTAVEL
cache_mgr suporte@motavel.com.br
error_directory /usr/share/squid3/errors/Portuguese
hierarchy_stoplist cgi-bin ?
cache_mem 2000 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB

debug_options ALL,1 33,2,28,9

### Tuning technique
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
half_closed_clients off

###################################################################################

cache_dir diskd /var/spool/squid3/squid0 20480 64 256 Q1=64 Q2=72

refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log

dns_v4_first on
dns_nameservers 8.8.8.8
dns_nameservers 208.67.222.222

## AUTHENTICATION ##
acl usuarios proxy_auth REQUIRED
#http_access allow usuarios
acl purge method PURGE
#http_access allow purge localhost
http_access deny purge
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http nbs
acl Safe_ports port 85 # http nbs
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 365 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # mntps
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # filemaker
acl Safe_ports port 633 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 809 #
acl Safe_ports port 8080
acl Safe_ports port 9090
acl Safe_ports port 901 # swat
acl Safe_ports port 1011
acl Safe_ports port 1012
acl Safe_ports port 3050 # bradesco
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 1158
acl Safe_ports port 1088
acl Safe_ports port 1707
acl Safe_ports port 1311
acl Safe_ports port 5001
acl Safe_ports port 4041

http_access deny !Safe_ports
acl connect method CONNECT
acl ssl_ports port 443 # https
acl ssl_ports port 563 # mntps
acl ssl_ports port 873 # rsync
acl ssl_ports port 3050 # bradesco
http_access deny connect !SSL_ports
#####################################################################

################# Block streaming and downloads ##########

#Cache windowsupdate
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern windowsupdate.microsoft.com.*\.(cab|exe|dll|msi|) 10080 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern test.stats.update.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern ntservicepack.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern www.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern ssw.live.com/.*\.(cab|exe|dll|msi|aspx) 4320 100% 43200 reload-into-ims

# ---- Windows Update ----
acl microsoft url_regex "/etc/squid3/regras/ms-update"
acl domain_watson dstdomain "/etc/squid3/regras/ms-update"
http_access allow microsoft
http_access allow domain_watson

#Cache avast
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims

### test: site outside the proxy
acl url_porforasquid url_regex -i "/etc/squid3/regras/url_porforasquid"
always_direct allow url_porforasquid

acl rede_interna src 10.2.0.0/24
acl usuarios proxy_auth /etc/squid3/users/usuarios

acl android url_regex -i "/etc/squid3/regras/url_android"
always_direct allow android

acl CONEXOES maxconn 1
http_access deny CONEXOES rede_interna

## ACCESS WITHOUT GOING THROUGH THE PROXY
acl autopartners url_regex -i "/etc/squid3/regras/autopartners"
http_access allow all autopartners


#### CUSTOM RULES
### TERMINAL SERVER #################################
acl acessopulsar src "/etc/squid3/regras/ip_bloqueado"
acl site_pulsar url_regex -i "/etc/squid3/regras/site_pulsar"
http_access allow site_pulsar
http_access deny acessopulsar !site_pulsar
#http_access allow usuarios acessopulsar

### TABLET GM #################################################
acl acessotablet src "/etc/squid3/regras/ip_tablet_gm"
acl tablet_gm url_regex -i "/etc/squid3/regras/tablet_gm"
http_access allow tablet_gm
http_access deny acessotablet !tablet_gm
#http_access allow usuarios acessotablet


#############################################################
acl acesso_ti proxy_auth "/etc/squid3/regras/usr_ti"
http_access allow acesso_ti

#############################################################
## ACCESS WITHOUT GOING THROUGH THE PROXY
acl win url_regex -i "/etc/squid3/regras/win"
http_access allow all win

#############################################################
# Blocking by MAC
#acl perm_mac arp "/etc/suid3/regras/macs_perm"
#http_access deny perm_mac

#############################################################
# Browsing without the squid cache
acl NOCACHE dstdomain "/etc/squid3/regras/semcache"
no_cache deny NOCACHE

acl dinamico dstdomain "/etc/squid3/regras/win"
cache allow dinamico

acl webmail dstdomain webmail-seguro.com.br
cache allow webmail

############################################################
# blocked word
acl url_video dstdomain -i "/etc/squid3/regras/url_video"
http_access deny url_video


#############################################################
# blocked word
acl url_negada_video url_regex -i "/etc/squid3/regras/url_negada_video"
http_access deny url_negada_video

#############################################################
# ---- Manager access
acl acesso_gerente proxy_auth "/etc/squid3/regras/usr_gerente"
http_access allow acesso_gerente

#############################################################
acl maxlogin max_user_ip -s 1
http_access deny maxlogin

##############################################################
acl url_negada_telepecas url_regex -i "/etc/squid3/regras/url_negada_telepecas"
http_access deny url_negada_telepecas

##################################################################
# ---- Tele-pecas access
acl acesso_telepecas proxy_auth "/etc/squid3/regras/usr_telepecas"
http_access allow acesso_telepecas

###########################################################
### Google application rules
acl url_google url_regex -i "/etc/squid3/regras/url_google"
http_access allow url_google

acl url_negada url_regex -i "/etc/squid3/regras/url_negada"
http_access deny url_negada

# ---- Users with unrestricted access
acl acesso_livre proxy_auth "/etc/squid3/regras/usr_livre"
http_access allow acesso_livre

############################################################
# General group
acl wz proxy_auth "/etc/squid3/regras/usr_wz"
acl url_liberado_wz url_regex -i "/etc/squid3/regras/url_liberado_wz"
http_access allow url_liberado_wz
#http_access deny grupogeral !url_liberado

### block access to bing news ####
acl bloqueio_bing url_regex -i ^htt[p]?://www.bing.com/explorer\?FORM=Z9LH4.*$
http_access deny bloqueio_bing


# General group
acl grupogeral proxy_auth "/etc/squid3/regras/usr_bloqueado"
acl url_liberado url_regex -i "/etc/squid3/regras/url_liberado"
http_access allow url_liberado
http_access deny grupogeral !url_liberado

# * Final access rules *
http_access deny all
http_access deny !rede_interna

Does anyone know why it is being blocked?



  


2. Re: URL blocking [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 08/03/2016 - 12:53h

Isn't this ACL missing?

http_access allow usuarios


3. Re: URL blocking

Buckminster
Buckminster

(uses Debian)

Posted on 08/03/2016 - 13:04h

acl usuarios proxy_auth /etc/squid3/users/usuarios <<< this ACL is not needed; comment it out and put the ACL that allows the users in the following position

http_access allow usuarios
http_access deny all

You will register the users in the file

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users/usuarios <<< in this file; you must create this file at the specified path and register the users with

# htpasswd [path to the authentication file] [username] and when it asks for the password, type it.

for this you must have Apache2 installed.


4. Re: URL blocking [SOLVED]

Joao Eduardo dos Santos
eduardo_jst

(uses Slackware)

Posted on 08/03/2016 - 15:32h

Thanks for the help, Buckminster. I didn't add this ACL because of the structure of this squid.conf, but I added it as you said and it still doesn't get access. One detail I didn't mention is that the users in the usr_livre and usr_gerente groups access normally, only
the usr_bloqueado group, and the access log doesn't give much detail.


5. Re: URL blocking

Buckminster
Buckminster

(uses Debian)

Posted on 08/03/2016 - 15:37h

eduardo_jst wrote:

Thanks for the help, Buckminster. I didn't add this ACL because of the structure of this squid.conf, but I added it as you said and it still doesn't get access. One detail I didn't mention is that the users in the usr_livre and usr_gerente groups access normally, only
the usr_bloqueado group, and the access log doesn't give much detail.


I didn't understand any of that... who can access and who can't access what?


This ACL isn't needed either: acl grupogeral proxy_auth "/etc/squid3/regras/usr_bloqueado"

Do it like the liberado ACL, use url_regex.

What is inside the usr_bloqueado file?
Please be more explicit.
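
Added example, not part of the original thread: a simplified Python model of Squid's first-match http_access evaluation over the last rules of the posted squid.conf, showing which line decides a CONNECT to programatopdelinha.com.br:443. The rule files' contents are never shown in the thread, so the user alice, the pattern intranet.example and the placement of teste in usr_bloqueado are assumptions, and only four of the posted rules are modeled.

```python
import re

# Constructed placeholders: the thread never shows what these files contain.
GROUPS = {
    "acesso_livre": {"alice"},   # /etc/squid3/regras/usr_livre
    "grupogeral": {"teste"},     # /etc/squid3/regras/usr_bloqueado (assumed)
}
URL_LIBERADO = [r"intranet\.example"]  # /etc/squid3/regras/url_liberado

# Tail of the posted http_access list, in the posted order.
# Each rule: (action, [(acl, negated), ...]); ACLs on one line are ANDed.
RULES = [
    ("allow", [("acesso_livre", False)]),
    ("allow", [("url_liberado", False)]),
    ("deny",  [("grupogeral", False), ("url_liberado", True)]),
    ("deny",  [("all", False)]),
]


def acl_matches(acl, user, url, url_patterns):
    if acl == "all":
        return True
    if acl == "url_liberado":  # url_regex -i
        return any(re.search(p, url, re.I) for p in url_patterns)
    return user in GROUPS[acl]  # proxy_auth with a user list


def decide(user, method, host, port, path="/", url_patterns=URL_LIBERADO):
    """Return (action, rule) for the first http_access line that matches."""
    # A CONNECT request carries only "host:port": no scheme, no path.
    url = f"{host}:{port}" if method == "CONNECT" else f"http://{host}{path}"
    for action, acls in RULES:
        if all(acl_matches(a, user, url, url_patterns) != neg for a, neg in acls):
            line = " ".join(("!" if neg else "") + a for a, neg in acls)
            return action, f"http_access {action} {line}"
    # Unreachable here because the list ends with "deny all".
    return "deny", "(no rule matched)"


if __name__ == "__main__":
    for user in ("alice", "teste"):
        print(user, decide(user, "CONNECT", "programatopdelinha.com.br", 443))
```

In this model a url_liberado pattern written as ^https://programatopdelinha still falls through to the deny line, because the string matched for a CONNECT request is only host:port.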





