[squid-users] Squid and site ryanair.com

masterx81 gecom at tubosider.it
Mon Jan 19 18:29:07 UTC 2015


I still have problems... I've tried several different approaches and I'm unable to get it to
work...
This is my config:

#
# Recommended minimum configuration:
#
# NOTE(review): several directives below were wrapped across two or three
# lines by the mail archive; in a real squid.conf each directive must sit on
# a single line.

### cache manager
cache_mgr cachemgr at domain.com

visible_hostname        Serv07.domain.com

authenticate_ip_ttl 1 hour

### negotiate kerberos and ntlm authentication
# Negotiate scheme: negotiate_wrapper hands each token to either the NTLM
# helper (--ntlm ...) or the Kerberos helper (--kerberos ...).
# NOTE(review): -d enables debug output in the wrapper; debug output from
# auth helpers can include account names, so drop it once troubleshooting
# is finished and check who can read the log it lands in.
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
--kerberos /usr/local/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50
auth_param negotiate keep_alive off

### pure ntlm authentication
# NOTE(review): Samba's ntlm_auth normally expects a level argument after -d
# (--debuglevel); confirm that "-d" here is not consuming the following
# --helper-protocol option.
auth_param ntlm program /usr/bin/ntlm_auth -d
--helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 50
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via
kerberos/ntlm
# Basic scheme: the helper binds to srv-dc1.domain.local as the account
# given with -D, reading that account's password from the file given with -W,
# and looks the user up with the sAMAccountName filter.
# NOTE(review): no -Z (StartTLS) or ldaps:// URI is given, so the bind and the
# user's password presumably cross the network in plain LDAP - confirm.
# Basic credentials are also only base64-encoded between browser and proxy.
# NOTE(review): /etc/squid/ldappass.txt holds a directory bind password; it
# should be readable only by the account Squid runs as.
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -v 3 -R -b
"dc=domain,dc=local" -D squid at domain.local -W /etc/squid/ldappass.txt -d -f
sAMAccountName=%s -h srv-dc1.domain.local
auth_param basic children 50 
#startup=0 idle=1
auth_param basic realm Proxy Domain
##auth_param basic credentialsttl 1 minute
##auth_param basic casesensitive off
### Kerb authorization
# Disabled Kerberos-based group lookup. As wrapped by the archive, the line
# after the commented-out directive is its continuation, not a separate
# directive.
#external_acl_type memberof ttl=30 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g "%g" -D "DOMAIN.LOCAL"

### ldap authorisation
# Group-membership helper: for each authenticated login (%LOGIN) it searches
# the directory for a person object whose sAMAccountName is the user (%v) and
# which is a member of group %g under ou=SQUID. Results are cached for 30
# seconds (ttl=30). -K strips the Kerberos realm from the login name and -R
# disables referral chasing.
# NOTE(review): as with the basic auth helper, no -Z or ldaps:// URI is given,
# so the bind with the password from ldappass.txt presumably uses plain LDAP -
# confirm.
external_acl_type memberof ttl=30 %LOGIN
/usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b
"dc=domain,dc=local" -D squid at domain.local -W /etc/squid/ldappass.txt -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU
Domain,dc=domain,dc=local))" -h srv-dc1.domain.local

### acl for proxy auth and ldap authorizations
# "auth" matches any request that carries valid proxy credentials.
acl auth proxy_auth REQUIRED
#   aclname             acltype  typename activedirectorygroup
# Each ACL below passes the contents of the quoted file to the memberof
# helper; presumably each file lists the directory group name(s) for that
# access tier - verify against the files.
acl InternetBloccato    external memberof "/etc/squid/Internet_bloccato.txt"
acl InternetCentralino  external memberof
"/etc/squid/Internet_centralino.txt"
acl InternetLimitato    external memberof "/etc/squid/Internet_limitato.txt"
acl InternetLibero      external memberof "/etc/squid/Internet_libero.txt"
acl InternetVIP         external memberof "/etc/squid/Internet_VIP.txt"

# Destination-domain lists loaded from files: consentiti_tutti is allowed
# before authentication further down, while consentiti / nonconsentiti are
# applied to authenticated users.
acl consentiti_tutti    dstdomain "/etc/squid/block/consentiti_tutti.txt"

acl consentiti          dstdomain "/etc/squid/block/consentiti.txt"
acl nonconsentiti       dstdomain "/etc/squid/block/nonconsentiti.txt"

# Domain allowed without authentication and forced direct (see always_direct).
acl bypass dstdomain .sistri.it

# Microsoft update endpoints, allowed without authentication further down.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com

# Matches on the User-Agent request header.
# NOTE(review): the User-Agent is supplied by the client, so this ACL
# identifies nothing reliably; it should not be the only condition on an
# allow rule.
acl java_jvm browser Java/1.4 Java/1.5 Java/1.6 Java/1.7 Java/1.8

## Disable ssl interception for dropbox.com and hotmail.com (and localhost)
# The ACL also exempts .sistri.it, .office365.com, .officineciola.it,
# .adobe.com and .adobelogin.com.
# NOTE(review): ssl_bump rules only act on a port configured for SSL bumping.
# The only http_port line in this listing (http_port 8080) carries no
# ssl-bump option and no ssl_bump rule other than "none" is present, so these
# lines presumably have no effect and CONNECT requests are tunnelled
# unmodified - confirm.
acl no_ssl_interception dstdomain .dropbox.com .hotmail.com .sistri.it
.office365.com .officineciola.it .adobe.com .adobelogin.com
ssl_bump none localhost
ssl_bump none no_ssl_interception
## Add the rest of your ssl-bump rules below
## e.g ssl_bump server-first all
## etc

### squid defaults
# NOTE(review): manager, localhost and to_localhost are used later but their
# definitions are commented out here; Squid 3.2 and later predefine them -
# confirm the running version.
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# NOTE(review): SSL_ports is defined but never referenced by any http_access
# rule in this listing (the stock "deny CONNECT !SSL_ports" line is absent).
acl SSL_ports port 443
acl SSL_ports port 7071
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT
# Single host for which CONNECT is allowed without authentication below.
acl wuCONNECT dstdomain www.update.microsoft.com

# NOTE(review): http_access rules are evaluated top to bottom and the first
# match wins. Every allow in this section comes before both
# "http_access deny !Safe_ports" and "http_access deny !auth", so requests
# matching them are neither port-checked nor authenticated.
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

# NOTE(review): java_jvm matches only the client-supplied User-Agent header,
# so this rule grants unauthenticated access to any destination to whatever
# sends a matching header. Consider combining it with a dstdomain ACL for the
# endpoints that need it, or moving it below the authentication rules.
http_access allow java_jvm

http_access allow localhost

# Allow FTP
acl ftp proto FTP
acl ftp_port port 21
# NOTE(review): permits unauthenticated CONNECT tunnels to port 21 on any
# destination.
http_access allow ftp_port CONNECT
http_access allow ftp

# ACL for the limits applied to Internet_limitato users
# Day codes T W H = Tuesday, Wednesday, Thursday; no hour range is given.
acl giorni time T W H

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
ftp_epsv off

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
# NOTE(review): the stock configuration follows this line with
# "http_access deny CONNECT !SSL_ports". No such rule appears in this
# listing, so CONNECT is limited only by Safe_ports, which includes
# 1025-65535; authenticated users can therefore open tunnels to any of
# those ports.
http_access deny !Safe_ports


# Only allow cachemgr access from localhost
# NOTE(review): "http_access allow localhost" appears earlier in the file, so
# requests from localhost have already been allowed before this pair is
# reached.
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): left commented out, so clients may request services bound to
# the proxy host's own loopback addresses through the proxy.
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#


### http_access rules

# Unauthenticated access to the bypass domain, always fetched directly.
http_access allow bypass
always_direct allow bypass

# allow unrestricted access to prioritysites
http_access allow consentiti_tutti
# enforce authentication, order of rules is important for authorization
levels
# Everything below this line is reached only with valid proxy credentials.
http_access deny !auth
# prevent access to basic auth prompt for BlockedAccess users
# The trailing "all" makes the last ACL on the line a non-authentication one,
# so a denied member of the blocked group is not prompted for credentials
# again.
http_access deny  InternetBloccato all

# Allow VIP access
# VIP members are allowed before the nonconsentiti deny list is consulted.
http_access allow InternetVIP auth

http_access deny  nonconsentiti
http_access allow consentiti

#http_access allow consentiti_tutti
http_access deny  InternetCentralino all

http_access allow InternetLibero auth

# Denies every request that reaches this point on Tuesday, Wednesday and
# Thursday, before the InternetLimitato allow below.
http_access deny giorni

http_access allow InternetLimitato auth


# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all


# Define bandwidth limits
# The whole delay-pool section is disabled; the "!CONNECT" line below is the
# wrapped tail of the commented-out delay_access directive.
#delay_pools 1
#delay_class 1 1

#delay_access 1 allow InternetLimitato InternetLibero InternetCentralino
!CONNECT

#delay_parameters 1 500000/500000



### logging
# don't log allowedsites, prioritysites, AnonymousAccess
# The ACL filter on the line after access_log is commented out, so every
# request is logged. With authentication enabled the native "squid" format
# records the user name per request, so restrict read access to these logs.
access_log /var/log/squid/access.log squid
#!allowedsites !prioritysites !AnonymousAccess
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log

# Keep ten rotated generations of each log file.
logfile_rotate 10

# Squid normally listens to port 3128
# Plain forward-proxy port; no ssl-bump or intercept option is set on it.
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080	
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

#
# Objects larger than this are not cached.
maximum_object_size 3000 KB

#cache_effective_user squid
#cache_effective_group squid

Any ideas why I can't get it to work?
Thanks!


