[squid-users] Proxy Parent

Luis Daniel Lucio Quiroz luis.daniel.lucio at gmail.com
Fri Jun 12 21:05:03 UTC 2015


Quieres que te hagan el trabajo :) jejeje

mandame email

Luis Daniel Lucio Quiroz
CISSP, CISM, CISA
Linux, VoIP and much more fun
www.okay.com.mx

Need LCR? Check out LCR for FusionPBX with FreeSWITCH
Need Billing? Check out Billing for FusionPBX with FreeSWITCH

2015-06-12 15:27 GMT-04:00 Jonathan Filogna <jonathan.filogna at tasso.com.ar>:

> Hi all, here's my new situation (still on squid 2.7)
>
> I want uservipstr and uservip to go DIRECT,
> and userti, userlimitado, user200mb and userinternet to go through the PARENT.
>
> I want all NTLM-authenticated users that don't belong to any of the lists
> above to go DIRECT.
>
> (ikr, my english sucks)
>
> I want to block streaming (blockstr, blockstr2, audyvid, vidyaud) for everyone
> except uservipstr.
>
> If I remove the line "always_direct allow ntlm", the DIRECT/PARENT rules
> work but the streaming rules don't.
>
> If I leave that line in, streaming works but DIRECT/PARENT doesn't.
>
> Here's my whole squid.conf, since I can't find where my error is.
>
>
> ########################
> # squid.conf (Squid 2.7) as posted. Lines marked NOTE(review) describe only
> # what is visible in this listing. Several directives arrive here split over
> # two lines (the ntlm helper, the external_acl_type path, the numeric_ips
> # regex, the limitado deny_info, cache_peer); that looks like mail re-wrapping,
> # so confirm each of them is a single line in the live file.
>
> ##VISIBLE PROXY NAME
>
> visible_hostname prana
>
> ##NTLM
> #
> ##DECLARED
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5
> # NOTE(review): as shown, "auth_param ntlm children 5" sits on the same line as
> # the helper's --helper-protocol option; it must be its own line in the real file.
> auth_param ntlm keep_alive off
>
> ##EXTERNAL NTLM (AD GROUP) LOOKUP USED TO BLOCK FILE DOWNLOADS,
> ##LOAD-BALANCE AND LIMIT DOWNLOADED FILE SIZES
> #
> ##DECLARED
>
> # NOTE(review): ttl=3600 means a user removed from an AD group keeps that
> # group's privileges (and its bypasses below) for up to an hour afterwards.
> external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/
> wbinfo_group.pl
>
> ##HERE I DECLARE THE ROEMMERS ACCESS LISTS
> #
> ##DECLARED
>
> acl porno url_regex -i "/etc/squid/listas/porno.lst"
> acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
> acl directo url_regex -i "/etc/squid/listas/direct.lst"
> # NOTE(review): blockstr.lst and blocstreaming.lst are each loaded twice, once
> # as req_mime_type (the Content-Type the client sends, normally only present on
> # POST/PUT) and once as rep_mime_type (the Content-Type of the response). Only
> # the rep_mime_type ACLs, used in http_reply_access, see what a download is.
> acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl useragent browser -i "/etc/squid/blockejec/browser.lst"
> acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
> acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"
>
> ###SKYPE ACLS
> acl skype external ntlm_group "/etc/squid/listas/skype.lst"
> # NOTE(review): as printed, the dots in this regex are unescaped (each matches
> # any character) and [0-9af] matches only 0-9, a and f rather than the full hex
> # range. The usual form of this rule escapes the dots and brackets (\. \[ \]);
> # check whether the backslashes were lost in the mail or are missing in the file.
> acl numeric_ips dstdom_regex
> ^(([0-9]+.[0-9]+.[0-9]+.[0-9]+)|([([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?])):443
> acl skype_ua browser ^skype
> # Any non-empty User-Agent matches; used below to reject clients that send none.
> acl validuseragent browser \S+
> #
> ##DECLARED
> acl all src all
> acl CONNECT method CONNECT
> ##SQSTAT DECLARATION
> ##SQSTAT ACL
> acl manager proto cache_object
> acl webserver src 192.168.8.121/255.255.255.255
> http_access allow manager webserver
> http_reply_access allow manager webserver
> http_access deny manager
>
> #BROWSING RULES
> # NOTE(review): a trailing "all" on a deny line adds nothing; "deny porno" is
> # equivalent. Same for the other "... all" lines below.
> http_access deny porno all
> http_reply_access deny porno all
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
> # NOTE(review): exact duplicate of the line above.
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
> # NOTE(review): ORDERING. http_access is first-match. The per-group "allow"
> # lines from here down are evaluated before "http_access deny !Safe_ports" and
> # "http_access deny CONNECT !SSL_ports" further below, so members of
> # uservipstr, uservip, userti, user200mb and userinternet never reach the port
> # checks: they can CONNECT to any TCP port through this proxy. Move the
> # Safe_ports/SSL_ports deny lines above this point. For the same reason the
> # Skype restrictions below only apply to users who fall through every allow here.
> acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
> http_access deny blockejec uservipstr
> http_access allow uservipstr
> http_reply_access allow uservipstr
> # NOTE(review): vidyaud and blockstr2 are rep_mime_type ACLs; there is no
> # response to inspect at http_access time, so the http_access copies of those
> # lines cannot match. Only the http_reply_access copies do the streaming block.
> http_access deny blockstr !uservipstr all
> http_reply_access deny blockstr !uservipstr all
> http_access deny blockstr2 !uservipstr all
> http_reply_access deny blockstr2 !uservipstr all
> http_access deny audyvid !uservipstr all
> http_access deny vidyaud !uservipstr all
> http_reply_access deny audyvid !uservipstr all
> http_reply_access deny vidyaud !uservipstr all
> # NOTE(review): 9999999999999999999999999999999 does not fit in a 64-bit
> # integer and may be rejected or silently clamped by the parser. The
> # commented-out block near the end of this file uses "0" for "no limit";
> # prefer that. Also confirm the allow/deny semantics of reply_body_max_size on
> # 2.7: these lines say "deny" while the commented-out variants say "allow".
> reply_body_max_size 9999999999999999999999999999999 deny uservipstr
> acl uservip external ntlm_group "/etc/squid/listas/uservip.lst"
> http_access deny blockejec uservip
> http_access allow uservip
> reply_body_max_size 9999999999999999999999999999999 deny uservip
> http_reply_access allow uservip
> always_direct allow uservip
> acl userti external ntlm_group "/etc/squid/listas/userti.lst"
> # NOTE(review): userti is the only group not denied blockejec URLs: both vip
> # groups are denied explicitly above, and everyone else is denied by this line
> # because it precedes their allow lines.
> http_access deny blockejec !userti
> http_access allow userti
> http_reply_access allow userti
>
> reply_body_max_size 9999999999999999999999999999999 deny userti
> acl user200mb external ntlm_group "/etc/squid/listas/user200mb.lst"
> http_access allow user200mb
> http_reply_access allow user200mb
> reply_body_max_size 500000000 deny user200mb
> acl userinternet external ntlm_group "/etc/squid/listas/userinternet.lst"
> http_access allow userinternet
> http_reply_access allow userinternet
> reply_body_max_size 45000000 deny userinternet
> acl userlimitado external ntlm_group "/etc/squid/listas/userlimitado.lst"
> # NOTE(review): there is no "http_access allow userlimitado". After this deny a
> # limited user still has to pass the "allow permitidos ..." lines further down,
> # so they effectively reach only domains listed in both limitado.lst and
> # permitidos.lst.
> http_access deny userlimitado !destinolimitado
> http_reply_access deny userlimitado !destinolimitado
> never_direct allow userlimitado
> #deny
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers
> destinolimitado
> reply_body_max_size 45000000 deny userlimitado
> ##EXTRA ACCESS LISTS DECLARED HERE
>
>
>
> ##DONE
>
> ##COMMON ACLS
> # NOTE(review): localnet is only used by icp_access below; no http_access line
> # restricts clients by source address, so access control rests entirely on
> # authentication. Consider an early "http_access deny !localnet".
> acl localnet src 192.168.0.0/16
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> # NOTE(review): as written this adds ports 78 and 69 (69 is TFTP), which does
> # not look like a Spotify port; verify the intended number.
> acl Safe_ports port 78 69 #Spotify
>
> ##SRCS DECLARED
> #
> ##HERE I DECLARE HTTP ACCESS AND FILTERING BY AD GROUP
>
>
>
> # Deny requests to unknown ports
> #http_access allow Safe_ports
> # NOTE(review): these two deny lines come after the group allow lines above,
> # so they only protect users who matched none of those allows (see the
> # ORDERING note under #BROWSING RULES).
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##HTTP ACCESS DECLARED
> #
> ##SSO STARTS HERE
> acl ntlm proxy_auth REQUIRED
> #http_access deny !ntlm
> ########################################## UNCOMMENT IF WE GO WITH
> BLACKLIST
> # Only reached by users who matched no allow line above (see ORDERING note).
> http_access deny numeric_ips !skype
> http_access deny skype_ua !skype
> # Rejects clients that send no User-Agent at all unless they are in the skype group.
> http_access deny !validuseragent !skype
> ##########################################
> http_access allow permitidos ntlm
> http_reply_access allow permitidos ntlm
> # NOTE(review): this line is only reached when the one above did not match,
> # i.e. a permitidos destination requested WITHOUT authentication, and it then
> # allows when "userlimitado" (an auth-dependent external ACL) does not match.
> # Whether that challenges the client or lets it through unauthenticated depends
> # on how 2.7 treats negated auth-dependent ACLs; test it from a client with no
> # credentials, and if unauthenticated access to the permitidos whitelist is not
> # intended, drop this line and its http_reply_access twin.
> http_access allow permitidos !userlimitado
> http_reply_access allow permitidos !userlimitado
> http_access deny all
> http_reply_access deny all
> # Default reply-body limit (500 kB) for anything not matched above.
> reply_body_max_size 500000 deny all
> ##ENDS HERE
> #
> ##Allow ICP queries from local networks only
> icp_access allow localnet
> icp_access deny all
> ##
> #
> ## Squid normally listens to port 3128
> # NOTE(review): no bind address, so the proxy listens on every interface;
> # together with the absent source-address check, any host that can reach it
> # is offered an NTLM challenge.
> http_port 3128
> ##SQUID PORT DECLARED
> #
> ##LOG
> access_log /var/log/squid/access.log squid
> ##DONE
> #
> #LIMITING DOWNLOADS TO 40 MB
> #reply_body_max_size 0 allow userti
> #reply_body_max_size 0 allow uservip
> #reply_body_max_size 0 allow uservipstr
> #reply_body_max_size 4000000 allow user200mb
> #reply_body_max_size 4000  allow userinternet
> #reply_body_max_size 4000 allow userlimitado
> #reply_body_max_size 0 deny all
> ##DONE
>
> ##PARENT PROXY!! IF THE PARENT PROXY GOES DOWN
> ## OR WHEN THE FIREWALL IS REPLACED BY AN ACTIVE-ACTIVE PAIR
> ##COMMENT OUT THESE LINES
> cache_peer 192.168.26.15 parent 3128 0 no-digest proxy-only no-delay
> no-query
>
> dead_peer_timeout 30 seconds
> #
> #DONE
>
> ##IN WHICH CASES IS IT DIRECT?
> ##
> ##EVERYTHING ELSE GOES THROUGH THE PARENT
> # NOTE(review): always_direct is consulted first and, when it matches, the
> # request goes DIRECT regardless of never_direct. "always_direct allow ntlm"
> # below matches every authenticated request, so while it is present every user
> # goes DIRECT and "never_direct allow userti/userlimitado" never take effect;
> # that is consistent with the symptom described in the question. Remove it
> # and express the "users in no list go DIRECT" case with a more specific ACL.
> always_direct allow uservipstr
> always_direct allow uservip
> always_direct allow directo
> always_direct allow blockejec
> always_direct deny blockstr
> # NOTE(review): trailing "all" is redundant here too.
> always_direct allow permitidos all
> never_direct allow blockstr
> never_direct allow userti
> always_direct allow ntlm
> always_direct deny all
> never_direct allow all
>
>
> ##SQUIDGUARD INVOCATION
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 50
>
> ##############################
>
> Thanks for your attention
> --
> Jonathan Filogna
> It Senior
> Tasso SRL
> 4702 1910
>
>

