Re: Proxy Parent

[Luis Daniel Lucio Quiroz <luis.daniel.lucio@xxxxxxxxx>]

Quieres que te hagan el trabajo :) jejeje

mandame email

Luis Daniel Lucio Quiroz
CISSP, CISM, CISA
Linux, VoIP and much more fun
www.okay.com.mx

Need LCR? Check out LCR for FusionPBX with FreeSWITCH
Need Billing? Check out Billing for FusionPBX with FreeSWITCH

2015-06-12 15:27 GMT-04:00 Jonathan Filogna <jonathan.filogna@xxxxxxxxxxxx>:

Hi all, here's my new situation (still on squid 2.7)

i want to send by DIRECT uservipstr, uservip

i want to send by PARENT userti, userlimitado, user200mb, userinternet

i want to send by DIRECT all the NTLM users that don't belong to any list of above

(ikr, my english sucks)

i want to block streaming (blockstr, blockstr2, audyvid, vidyaud) for all but uservipstr

if i remove the line "always_direct allow ntlm" DIRECT/PARENT tules works but doesn't streaming rules

if i let that line, streaming works but doesn't DIRECT/PARENT

here's my squid.conf. I'll put here all because can't find where's my error

########################

##NOMBRE VISIBLE DEL PROXY

visible_hostname prana

##NTLM

#

##DECLARADO

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5

auth_param ntlm keep_alive off

##DECLARACION DE NTLM EXTERNO PARA BLOQUEO DE DESCARGA DE ARCHIVOS

##BALANCEO DE CARGA Y TAMAÑOS DE ARCHIVOS DESCARGADOS

#

##DECLARADO

external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/wbinfo_group.pl

##ACA DECLARO LISTAS DE ACCESO DE ROEMMERS

#

##DECLARADO

acl porno url_regex -i "/etc/squid/listas/porno.lst"

acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"

acl directo url_regex -i "/etc/squid/listas/direct.lst"

acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"

acl useragent browser -i "/etc/squid/blockejec/browser.lst"

acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"

acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"

acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"

acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"

acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"

###ACL DE SKYPE

acl skype external ntlm_group "/etc/squid/listas/skype.lst"

acl numeric_ips dstdom_regex ^(([0-9]+.[0-9]+.[0-9]+.[0-9]+)|([([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?])):443

acl skype_ua browser ^skype

acl validuseragent browser \S+

#

##DECLARADO

acl all src all

acl CONNECT method CONNECT

##DECLARO SQSTAT

##ACL SQSTAT

acl manager proto cache_object

acl webserver src 192.168.8.121/255.255.255.255

http_access allow manager webserver

http_reply_access allow manager webserver

http_access deny manager

#REGLAS DE NAVEGACION

http_access deny porno all

http_reply_access deny porno all

deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno

deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno

acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"

http_access deny blockejec uservipstr

http_access allow uservipstr

http_reply_access allow uservipstr

http_access deny blockstr !uservipstr all

http_reply_access deny blockstr !uservipstr all

http_access deny blockstr2 !uservipstr all

http_reply_access deny blockstr2 !uservipstr all

http_access deny audyvid !uservipstr all

http_access deny vidyaud !uservipstr all

http_reply_access deny audyvid !uservipstr all

http_reply_access deny vidyaud !uservipstr all

reply_body_max_size 9999999999999999999999999999999 deny uservipstr

acl uservip external ntlm_group "/etc/squid/listas/uservip.lst"

http_access deny blockejec uservip

http_access allow uservip

reply_body_max_size 9999999999999999999999999999999 deny uservip

http_reply_access allow uservip

always_direct allow uservip

acl userti external ntlm_group "/etc/squid/listas/userti.lst"

http_access deny blockejec !userti

http_access allow userti

http_reply_access allow userti

reply_body_max_size 9999999999999999999999999999999 deny userti

acl user200mb external ntlm_group "/etc/squid/listas/user200mb.lst"

http_access allow user200mb

http_reply_access allow user200mb

reply_body_max_size 500000000 deny user200mb

acl userinternet external ntlm_group "/etc/squid/listas/userinternet.lst"

http_access allow userinternet

http_reply_access allow userinternet

reply_body_max_size 45000000 deny userinternet

acl userlimitado external ntlm_group "/etc/squid/listas/userlimitado.lst"

http_access deny userlimitado !destinolimitado

http_reply_access deny userlimitado !destinolimitado

never_direct allow userlimitado

#deny

deny_info http://www.pranaglobal.com.ar/restringidos/roemmers destinolimitado

reply_body_max_size 45000000 deny userlimitado

##DECLARO LISTAS DE ACCESO EXTRAS

##LISTO

##ACL COMUNES

acl localnet src 192.168.0.0/16

acl SSL_ports port 443 # https

acl SSL_ports port 563 # snews

acl SSL_ports port 873 # rsync

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl Safe_ports port 631 # cups

acl Safe_ports port 873 # rsync

acl Safe_ports port 901 # SWAT

acl Safe_ports port 78 69 #Spotify

##SRC'S DECLARADAS

#

##ACA DECLARO ACCESOS HTTP Y FILTRADO POR GRUPO DE AD

# Deny requests to unknown ports

#http_access allow Safe_ports

http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports

##ACCESOS HTTP DECLARADOS

#

##ACA INICIA SSO

acl ntlm proxy_auth REQUIRED

#http_access deny !ntlm

########################################## DESCOMENTAR SI VAMOS CON BLACKLIST

http_access deny numeric_ips !skype

http_access deny skype_ua !skype

http_access deny !validuseragent !skype

##########################################

http_access allow permitidos ntlm

http_reply_access allow permitidos ntlm

http_access allow permitidos !userlimitado

http_reply_access allow permitidos !userlimitado

http_access deny all

http_reply_access deny all

reply_body_max_size 500000 deny all

##ACA TERMINA

#

##Allow ICP queries from local networks only

icp_access allow localnet

icp_access deny all

##

#

## Squid normally listens to port 3128

http_port 3128

##PUERTO SQUID DECLARADO

#

##LOG

access_log /var/log/squid/access.log squid

##HECHO

#

#LIMITANDO DESCARGA A 40 MB

#reply_body_max_size 0 allow userti

#reply_body_max_size 0 allow uservip

#reply_body_max_size 0 allow uservipstr

#reply_body_max_size 4000000 allow user200mb

#reply_body_max_size 4000  allow userinternet

#reply_body_max_size 4000 allow userlimitado

#reply_body_max_size 0 deny all

##HECHO

##PROXY PARENT!! EN CASO DE QUE SE CAIGA EL PROXY PARENT

## O AL MOMENTO DE REEMPLAZAR EL FIREWALL POR UN ACTIVO-ACTIVO

##COMENTAR ESTAS LINEAS

cache_peer 192.168.26.15 parent 3128 0 no-digest proxy-only no-delay no-query

dead_peer_timeout 30 seconds

#

#HECHO

##EN QUE CASOS ES DIRECT?

##

##EL RESTO NAVEGARA POR PARENT

always_direct allow uservipstr

always_direct allow uservip

always_direct allow directo

always_direct allow blockejec

always_direct deny blockstr

always_direct allow permitidos all

never_direct allow blockstr

never_direct allow userti

always_direct allow ntlm

always_direct deny all

never_direct allow all

##LLAMADO A SQUIDGUARD

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

url_rewrite_children 50

##############################

Thanks for your attention

--

Jonathan Filogna

It Senior

Tasso SRL
4702 1910

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users