[squid-users] Acl to deny all sites, and allow some sites
Amos Jeffries
squid3 at treenet.co.nz
Sun Sep 4 15:54:21 UTC 2016
On 31/08/2016 1:55 p.m., hibandx wrote:
> So, I have a Squid configured and OK with AD 2012, but the acl
> Proxy_restrito is not working...
>
> This acl is for
>
> any solution?
What version of Squid are you using?
The "squid -v" command will show that detail.
>
> This is my conf; it is for denying all sites and allowing just some sites in the file
> proxy_restrito_whitelist...
>
Your http_access rules allow a lot of things to go through the proxy
before proxy_restrito_whitelist is ever considered as a limitation.
After those allows there is no rule allowing access to clients that do
get past the rule involving proxy_restrito_whitelist.
> follow:
>
> #Default proxy port
> http_port 3128
>
> #E-mail address of the proxy administrator
> cache_mgr suporte at dominio.local
>
From here ...
> #Do not cache HTML form data or the output of CGI programs
> #hierarchy_stoplist cgi-bin ?
>
> #Creates an access control list based on the URL, using regular expressions; in this case
> #a regular expression was created for cgi and ?.
> acl QUERY urlpath_regex cgi-bin \?
>
> #Do not cache the QUERY acl
> cache deny QUERY
.. to here can be removed completely.
Your config contains the refresh_pattern necessary to handle dynamic
content properly.
<snip a lot of directives mostly set to default values>
If you have a Squid-3.1 or later you can remove any config options which
are set to the default values. That will help clarify the non-normal
things your Squid is doing.
> #Machines that do not need authentication
> acl liberados dstdomain "/etc/squid/regras/liberados"
> http_access allow liberados
>
> #allow access to the Caixa site, which is having problems
> #acl caixa dstdomain caixa.gov.br
> #always_direct allow caixa
> #cache deny caixa
>
> #MACs that are allowed.
> acl macliberado arp "/etc/squid/regras/mac_liberado"
> http_access allow macliberado
>
Please place custom http_access rules down ....
>
> ### Default ACLs
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 1080
> acl Safe_ports port 1863
> acl Safe_ports port 8443 # https
> acl Safe_ports port 5222 # gTalk
> acl Safe_ports port 5223 # gTalk
> acl Safe_ports port 47057 # torrent
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
... here after the security default http_access rules.
> #Limit HTTP connections
> #acl connect_abertas maxconn 8
>
> #sites that will not be cached, usually banks
> acl NOCACHE dstdomain "/etc/squid/regras/direto" \?
> no_cache deny NOCACHE
Remove the "no_" part from the above line.
>
> #### Authentication against Windows 2008/2012/Samba 4 via WINBIND
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy server
> auth_param basic credentialsttl 2 hours
> #Note that my system below is 64-bit, so my libs are in /usr/lib64;
> #if you are using a 32-bit system change it to /usr/lib
> external_acl_type ad_group ttl=1800 children=200 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
> #-----------------------------------------------------------------------------------#
> # ACL name          TYPE          AD group name
> #
> #-----------------------------------------------------------------------------------#
>
> acl proxy_livre external ad_group proxy_livre
> acl proxy_geral external ad_group proxy_geral
> acl proxy_restrito external ad_group proxy_restrito
>
>
> # Whitelists / Blacklists
> acl downloads urlpath_regex -i "/etc/squid/regras/downloads"
> acl proxy_restrito_whitelist url_regex -i "/etc/squid/regras/proxy_restrito_whitelist"
> acl proxy_geral_bracklist url_regex -i "/etc/squid/regras/proxy_geral_blacklist"
> acl proxy_livre_proibidos url_regex -i "/etc/squid/regras/proxy_livre_proibidos"
>
> #Block certain authenticated users
> acl usuarios_bloqueados proxy_auth "/etc/squid/regras/usuarios_bloqueados"
>
> #Time-based access control here; we will allow access at lunch time
> #here users will be able to access some different sites between 12:00 and 13:00
> #acl almoco time MTWHFAS 12:30-13:30
>
> #Now we create a rule to make sure the users who access at lunch are authenticated
> acl autenticados proxy_auth REQUIRED
>
> #Now we create the list of sites they will be able to access at lunch time
> acl sites-almoco url_regex -i "/etc/squid/regras/sites_almoco"
>
> # Access Permissions
> http_access allow proxy_livre !proxy_livre_proibidos
> http_access deny downloads
> http_access deny usuarios_bloqueados
> http_access allow proxy_geral !proxy_geral_bracklist
> http_access deny proxy_restrito !proxy_restrito_whitelist
Any "http_access deny" rule followed by "http_access deny all" is almost
guaranteed to be a useless waste of CPU and config file text.
> ############################################################
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> visible_hostname proxy
> error_directory /usr/share/squid/errors/pt-br
> #cache_effective_group squid
> cache_effective_user squid
> coredump_dir /var/spool/squid
>
Amos
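As an added illustration (not part of this reply, and not Squid's own code), here is a small Python model of Squid's first-match http_access evaluation, run over the access rules quoted above and over a reordered version in which the whitelist is an explicit allow ahead of the final deny. The ACL names are taken from the quoted config; the request sets are constructed, and the Safe_ports/CONNECT default rules are omitted.

```python
# Added example, not from the thread or from Squid: a minimal model of
# Squid's first-match http_access evaluation. A rule matches when every
# ACL term matches ("!" negates, "all" always matches); the first matching
# rule decides; with no match Squid applies the opposite of the last rule.
# ACL names are those from the quoted config; request sets are constructed.

def parse_rules(conf):
    """Extract (action, [terms]) pairs from the http_access lines of a config."""
    rules = []
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def term_matches(term, matched):
    if term.startswith("!"):
        return term[1:] not in matched
    return term == "all" or term in matched

def http_access(rules, matched):
    """Return 'allow' or 'deny' for a request whose matching ACLs are `matched`."""
    for action, terms in rules:
        if all(term_matches(t, matched) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rules as quoted in the thread (Safe_ports/CONNECT defaults omitted)
ORIGINAL = """
http_access allow proxy_livre !proxy_livre_proibidos
http_access deny downloads
http_access deny usuarios_bloqueados
http_access allow proxy_geral !proxy_geral_bracklist
http_access deny proxy_restrito !proxy_restrito_whitelist
http_access deny all
"""

# Reordered: the whitelist becomes an explicit allow, and the trailing
# "deny all" makes the old "deny proxy_restrito !whitelist" redundant.
FIXED = ORIGINAL.replace(
    "http_access deny proxy_restrito !proxy_restrito_whitelist",
    "http_access allow proxy_restrito proxy_restrito_whitelist")

# Constructed requests: a proxy_restrito member on a whitelisted site, and elsewhere
RESTRICTED_ON_WHITELIST = {"autenticados", "proxy_restrito", "proxy_restrito_whitelist"}
RESTRICTED_ELSEWHERE = {"autenticados", "proxy_restrito"}
```

With the quoted ordering the whitelisted request falls through every rule and is caught by "deny all"; with the reordered rules it is allowed while any other site for that group is still denied.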