[squid-users] Proxy Parent

Jonathan Filogna jonathan.filogna at tasso.com.ar
Fri Jun 12 19:27:26 UTC 2015


Hi all, here's my new situation (still on squid 2.7)

i want to send by DIRECT uservipstr, uservip
i want to send by PARENT userti, userlimitado, user200mb, userinternet

i want to send by DIRECT all the NTLM users that don't belong to any list
of above

(ikr, my english sucks)

i want to block streaming (blockstr, blockstr2, audyvid, vidyaud) for all
but uservipstr

if i remove the line "always_direct allow ntlm" DIRECT/PARENT tules works
but doesn't streaming rules

if i let that line, streaming works but doesn't DIRECT/PARENT

here's my squid.conf. I'll put here all because can't find where's my error


########################

##NOMBRE VISIBLE DEL PROXY

visible_hostname prana

##NTLM
#
##DECLARADO

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5
auth_param ntlm keep_alive off

##DECLARACION DE NTLM EXTERNO PARA BLOQUEO DE DESCARGA DE ARCHIVOS
##BALANCEO DE CARGA Y TAMAÑOS DE ARCHIVOS DESCARGADOS
#
##DECLARADO

external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/
wbinfo_group.pl

##ACA DECLARO LISTAS DE ACCESO DE ROEMMERS
#
##DECLARADO

acl porno url_regex -i "/etc/squid/listas/porno.lst"
acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
acl directo url_regex -i "/etc/squid/listas/direct.lst"
acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
acl useragent browser -i "/etc/squid/blockejec/browser.lst"
acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"

###ACL DE SKYPE
acl skype external ntlm_group "/etc/squid/listas/skype.lst"
acl numeric_ips dstdom_regex
^(([0-9]+.[0-9]+.[0-9]+.[0-9]+)|([([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?])):443
acl skype_ua browser ^skype
acl validuseragent browser \S+
#
##DECLARADO
acl all src all
acl CONNECT method CONNECT
##DECLARO SQSTAT
##ACL SQSTAT
acl manager proto cache_object
acl webserver src 192.168.8.121/255.255.255.255
http_access allow manager webserver
http_reply_access allow manager webserver
http_access deny manager

#REGLAS DE NAVEGACION
http_access deny porno all
http_reply_access deny porno all
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
http_access deny blockejec uservipstr
http_access allow uservipstr
http_reply_access allow uservipstr
http_access deny blockstr !uservipstr all
http_reply_access deny blockstr !uservipstr all
http_access deny blockstr2 !uservipstr all
http_reply_access deny blockstr2 !uservipstr all
http_access deny audyvid !uservipstr all
http_access deny vidyaud !uservipstr all
http_reply_access deny audyvid !uservipstr all
http_reply_access deny vidyaud !uservipstr all
reply_body_max_size 9999999999999999999999999999999 deny uservipstr
acl uservip external ntlm_group "/etc/squid/listas/uservip.lst"
http_access deny blockejec uservip
http_access allow uservip
reply_body_max_size 9999999999999999999999999999999 deny uservip
http_reply_access allow uservip
always_direct allow uservip
acl userti external ntlm_group "/etc/squid/listas/userti.lst"
http_access deny blockejec !userti
http_access allow userti
http_reply_access allow userti

reply_body_max_size 9999999999999999999999999999999 deny userti
acl user200mb external ntlm_group "/etc/squid/listas/user200mb.lst"
http_access allow user200mb
http_reply_access allow user200mb
reply_body_max_size 500000000 deny user200mb
acl userinternet external ntlm_group "/etc/squid/listas/userinternet.lst"
http_access allow userinternet
http_reply_access allow userinternet
reply_body_max_size 45000000 deny userinternet
acl userlimitado external ntlm_group "/etc/squid/listas/userlimitado.lst"
http_access deny userlimitado !destinolimitado
http_reply_access deny userlimitado !destinolimitado
never_direct allow userlimitado
#deny
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers
destinolimitado
reply_body_max_size 45000000 deny userlimitado
##DECLARO LISTAS DE ACCESO EXTRAS



##LISTO

##ACL COMUNES
acl localnet src 192.168.0.0/16
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 78 69 #Spotify

##SRC'S DECLARADAS
#
##ACA DECLARO ACCESOS HTTP Y FILTRADO POR GRUPO DE AD



# Deny requests to unknown ports
#http_access allow Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
##ACCESOS HTTP DECLARADOS
#
##ACA INICIA SSO
acl ntlm proxy_auth REQUIRED
#http_access deny !ntlm
########################################## DESCOMENTAR SI VAMOS CON
BLACKLIST
http_access deny numeric_ips !skype
http_access deny skype_ua !skype
http_access deny !validuseragent !skype
##########################################
http_access allow permitidos ntlm
http_reply_access allow permitidos ntlm
http_access allow permitidos !userlimitado
http_reply_access allow permitidos !userlimitado
http_access deny all
http_reply_access deny all
reply_body_max_size 500000 deny all
##ACA TERMINA
#
##Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
##
#
## Squid normally listens to port 3128
http_port 3128
##PUERTO SQUID DECLARADO
#
##LOG
access_log /var/log/squid/access.log squid
##HECHO
#
#LIMITANDO DESCARGA A 40 MB
#reply_body_max_size 0 allow userti
#reply_body_max_size 0 allow uservip
#reply_body_max_size 0 allow uservipstr
#reply_body_max_size 4000000 allow user200mb
#reply_body_max_size 4000  allow userinternet
#reply_body_max_size 4000 allow userlimitado
#reply_body_max_size 0 deny all
##HECHO

##PROXY PARENT!! EN CASO DE QUE SE CAIGA EL PROXY PARENT
## O AL MOMENTO DE REEMPLAZAR EL FIREWALL POR UN ACTIVO-ACTIVO
##COMENTAR ESTAS LINEAS
cache_peer 192.168.26.15 parent 3128 0 no-digest proxy-only no-delay
no-query

dead_peer_timeout 30 seconds
#
#HECHO

##EN QUE CASOS ES DIRECT?
##
##EL RESTO NAVEGARA POR PARENT
always_direct allow uservipstr
always_direct allow uservip
always_direct allow directo
always_direct allow blockejec
always_direct deny blockstr
always_direct allow permitidos all
never_direct allow blockstr
never_direct allow userti
always_direct allow ntlm
always_direct deny all
never_direct allow all


##LLAMADO A SQUIDGUARD
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 50

##############################

Thanks for your attention
-- 
Jonathan Filogna
It Senior
Tasso SRL
4702 1910
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150612/16aef73c/attachment.html>


More information about the squid-users mailing list