<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><span id="result_box" class="" lang="en"><span class="">Thanks
for answering Mr. Jeffries, I just applied his
recommendations, I changed the "allow basic_ldap_auth" rule to
"deny! Basic_ldap_auth", I also left the acl names denied and
removed their respective "acl deny rule" and the rule
"http_access deny</span> <span>I left it on the last line.</span>
<span class="">Although I did not give problems the "squid3 -k
parse".</span> <span class="">But the link to the ldap
suddenly stopped working, searching at
<a class="moz-txt-link-rfc2396E" href="http://www.squid-cache.org/Doc/config/">"http://www.squid-cache.org/Doc/config/"</a> I saw that I had to
change the parameter "external_acl_type Group" to
"external_acl_type ldap_group"</span> <span class="">.</span>
<span class="">The Ldap user password has not change and there
are other applications that are using the ldap correctly at
this time, any sugestions?</span></span></p>
<p><span id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class="">Here is a
copy of my current configuration file</span></span></span></span></p>
<p><span id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><br>
</span></span></span></span></p>
<span id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class="">#Escondemos
la version del squid<br>
httpd_suppress_version_string on<br>
#nombre que queremos que muestre el squid como nuestro host<br>
visible_hostname Hermes<br>
#no permitimos que nada pase por nuestro proxy<br>
via off<br>
forwarded_for off<br>
follow_x_forwarded_for deny all<br>
#puertos que permitiremos<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
http_access allow localhost manager<br>
http_access deny manager<br>
# Permitimos los puertos inseguros<br>
http_access allow !Safe_ports<br>
http_access allow CONNECT !SSL_ports<br>
debug_options ALL,9<br>
########################################################<br>
#auth ldap#<br>
########################################################<br>
auth_param basic program /usr/lib/squid3/basic_ldap_auth
-P -R -b "dc=empresa,dc=cuba,dc=cu" -D
cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W
/etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h
172.16.4.10<br>
external_acl_type Group %LOGIN
/usr/lib/squid3/ext_ldap_group_acl -R -b
"dc=empresa,dc=cuba,dc=cu" -D
cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W
/etc/squid3/clave.txt -f
"(&(objectclass=user)(sAMAccountName=%u)
(memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10<br>
#######################################################<br>
#auth que no funcionan y deben arreglarse<br>
##########################################################<br>
auth_param basic children 10<br>
auth_param basic realm hermes.empresa.cuba.cu<br>
auth_param basic credentialsttl 2 hour<br>
acl basic_ldap_auth proxy_auth REQUIRED<br>
http_access deny !basic_ldap_auth<br>
#http_access deny all<br>
########################################################<br>
#restricciones selectivas#<br>
########################################################<br>
acl dmz src 172.16.4.0/27<br>
acl navegacion src 192.168.9.0/24<br>
acl full external Group InternetFull<br>
acl limitado external Group InternetLimitado<br>
acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"<br>
acl extensiones urlpath_regex -i
"/etc/squid3/bloqueo/listaextensiones"<br>
http_access deny !full sociales<br>
http_access deny !full !limitado navegacion<br>
http_access deny !full dmz<br>
########################################################<br>
#restricciones obligadas#<br>
########################################################<br>
#acl blacklist url_regex -i "/etc/squid3/listanegra"<br>
#http_access deny blacklist<br>
acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"<br>
#http_access allow full !limitado bl7<br>
acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"<br>
#http_access deny bl1<br>
acl bl2 url_regex -i "/etc/squid3/bloqueo/android"<br>
#http_access deny bl2<br>
acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"<br>
#http_access deny bl3<br>
acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"<br>
#http_access deny bl4<br>
acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"<br>
#http_access deny bl5<br>
acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"<br>
#http_access deny bl6<br>
#acl ladmin src "/etc/squid3/ladmin"<br>
#########################################################################<br>
#proxy_padre #<br>
#########################################################################<br>
cache_peer 172.16.1.24 parent 8000 0<br>
#nunca permitimos conexiones directas, siempre a traves del
proxy<br>
never_direct allow all<br>
#######################################################################<br>
# puerto en que el proxy nos escuchara<br>
http_port 3128<br>
###############################################################################<br>
maximum_object_size 100 MB<br>
cache_dir aufs /var/cache/squid3 1024000 16 256<br>
cache_mem 128 MB<br>
cache_store_log /var/cache/squid3/cache_store.log<br>
coredump_dir /var/cache/squid3/dump<br>
#minimum_expiry_time 600 seconds<br>
############################<br>
client_db off<br>
offline_mode off<br>
cache_swap_low 5<br>
cache_swap_high 10<br>
cache_replacement_policy heap GDSF<br>
maximum_object_size_in_memory 256 KB<br>
chunked_request_body_max_size 4096 KB<br>
half_closed_clients off<br>
quick_abort_min 2 KB<br>
############################<br>
# establecemos los archivos de volcado en /var/cache/squid3/<br>
coredump_dir /var/cache/squid3/<br>
###############################################################################<br>
#Establecemos los patrones de refrescamiento de la cache #<br>
#patron de refrescamiento -- tipo de archivo -- tiempo del
objeto -- %de refrescamiento -- tiempo #<br>
#1440 minutos equivalen a 24 horas #<br>
###############################################################################<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 20% 43200
override-expire ignore-no-store ignore-private<br>
refresh_pattern -i
.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20% 432000
override-expire ignore-no-store ignore-private<br>
#refresh_pattern -i (/cgi-bin/|?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
max_filedescriptors 3200<br>
##cuanto el squid intenta cachear en mi nombre<br>
read_ahead_gap 256 KB<br>
#################<br>
#sqstat<br>
#################<br>
#acl manager proto cache_object<br>
# replace 10.0.0.1 with your webserver IP<br>
acl webserver src 172.16.4.25/27<br>
http_access allow manager webserver<br>
http_access allow localhost manager<br>
http_access deny manager<br>
###############################################################################<br>
#Delay#<br>
###############################################################################<br>
client_delay_initial_bucket_level 60<br>
delay_initial_bucket_level 75<br>
delay_pools 2<br>
memory_pools off<br>
<br>
#Canal 1 extensiones.<br>
delay_class 1 2<br>
delay_parameters 1 16384/32768 8192/16384<br>
delay_access 1 allow sociales extensiones<br>
delay_access 1 deny all<br>
<br>
#Canal 2 para usuarios.<br>
delay_class 2 2<br>
delay_parameters 2 65536/65536 32768/32768<br>
delay_access 2 allow navegacion<br>
delay_access 2 deny all<br>
</span></span></span></span><span id="result_box" class=""
lang="en"><span class=""><span id="result_box" class="" lang="en"><span
class=""><span id="result_box" class="" lang="en"><span
class=""><span id="result_box" class="" lang="en"><span
class="">http_access deny all</span></span></span></span></span></span></span></span><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><br>
</span></span></span></span></span></span></span></span><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class="">#end
of line</span></span></span></span></span></span></span></span><span
id="result_box" class="" lang="en"><span class=""></span></span><br>
<span id="result_box" class="" lang="en"><span class=""></span></span><span
id="result_box" class="" lang="en"><span class="">####################################################################################</span></span><br>
<span id="result_box" class="" lang="en"><span class=""></span></span>
<p><span id="result_box" class="" lang="en"><span class=""><br>
</span></span></p>
<p><span id="result_box" class="" lang="en"><span class=""><br>
</span></span></p>
<p><br>
<span id="result_box" class="" lang="en"><span class=""><span
id="result_box" class="" lang="en"><span class="">PD: Please
forgive my english, it's no my native language.</span></span></span></span></p>
<pre class="moz-signature" cols="72">--
Saludos Cordiales
Lic. Alex Gutiérrez Martínez</pre>
</body>
</html>