On 31/08/2016 1:55 p.m., hibandx wrote:
> So, I have a Squid configured and OK with AD 2012, but the ACL
> Proxy_restrito is not working...
>
> This acl is for
>
> any solution?

What version of Squid are you using? The "squid -v" command will show
that detail.

>
> This is my conf; it is for denying all sites and allowing just some
> sites in the file proxy_restrito_whitelist...
>

Your http_access rules allow a lot of things to go through the proxy
before proxy_restrito_whitelist is ever considered as a limitation.
After those allows there is no rule allowing access to clients that do
get past the rule involving proxy_restrito_whitelist.

> follow:
>
> # Default proxy port
> http_port 3128
>
> # E-mail address of the proxy administrator
> cache_mgr suporte@dominio.local
>

From here ...

> # Do not cache HTML form data or the results of CGI programs
> #hierarchy_stoplist cgi-bin ?
>
> # Create an access control list based on the URL, using regular
> # expressions; in this case a regular expression was created for cgi and ?.
> acl QUERY urlpath_regex cgi-bin \?
>
> # Do not cache the QUERY ACL
> cache deny QUERY

.. to here can be removed completely. Your config contains the
refresh_pattern necessary to handle dynamic content properly.

<snip a lot of directives mostly set to default values>

If you have a Squid-3.1 or later you can remove any config options which
are set to the default values. That will help clarify the non-normal
things your Squid is doing.

> # Machines that do not need authentication
> acl liberados dstdomain "/etc/squid/regras/liberados"
> http_access allow liberados
>
> # Allow access to the Caixa site, which is having problems
> #acl caixa dstdomain caixa.gov.br
> #always_direct allow caixa
> #cache deny caixa
>
> # MACs that are allowed.
> acl macliberado arp "/etc/squid/regras/mac_liberado"
> http_access allow macliberado
>

Please place custom http_access rules down ....
>
> ### Default ACLs
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 1080
> acl Safe_ports port 1863
> acl Safe_ports port 8443 # https
> acl Safe_ports port 5222 # gTalk
> acl Safe_ports port 5223 # gTalk
> acl Safe_ports port 47057 # torrent
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>

... here after the security default http_access rules.

> # Limit HTTP connections
> #acl connect_abertas maxconn 8
>
> # Sites that will not be cached, generally banks
> acl NOCACHE dstdomain "/etc/squid/regras/direto" \?
> no_cache deny NOCACHE

Remove the "no_" part from the above line.
>
> #### Authentication on Windows 2008/2012/Samba 4 via WINBIND
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy server
> auth_param basic credentialsttl 2 hours
> # Note: below, my system is 64-bit, so my libs are in /usr/lib64;
> # if you are using a 32-bit system change it to /usr/lib
> external_acl_type ad_group ttl=1800 children=200 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
> #-----------------------------------------------------------------------------------#
> # ACL name            TYPE      AD group name
> #
> #-----------------------------------------------------------------------------------#
>
> acl proxy_livre external ad_group proxy_livre
> acl proxy_geral external ad_group proxy_geral
> acl proxy_restrito external ad_group proxy_restrito
>
>
> # Whitelists / Blacklists
> acl downloads urlpath_regex -i "/etc/squid/regras/downloads"
> acl proxy_restrito_whitelist url_regex -i "/etc/squid/regras/proxy_restrito_whitelist"
> acl proxy_geral_bracklist url_regex -i "/etc/squid/regras/proxy_geral_blacklist"
> acl proxy_livre_proibidos url_regex -i "/etc/squid/regras/proxy_livre_proibidos"
>
> # Block certain authenticated users
> acl usuarios_bloqueados proxy_auth "/etc/squid/regras/usuarios_bloqueados"
>
> # Time-based access control: here we allow access during the lunch break;
> # users will be able to access some different sites between 12:00 and 13:00
> #acl almoco time MTWHFAS 12:30-13:30
>
> # Now create a rule to ensure that the users who will access at lunch
> # are authenticated
> acl autenticados proxy_auth REQUIRED
>
> # Now create a list of sites they will be able to access during lunch
> acl sites-almoco url_regex -i "/etc/squid/regras/sites_almoco"
>
> # Access permissions
> http_access allow proxy_livre !proxy_livre_proibidos
> http_access deny downloads
> http_access deny usuarios_bloqueados
> http_access allow proxy_geral !proxy_geral_bracklist
> http_access deny proxy_restrito !proxy_restrito_whitelist

Any "http_access deny" rule followed by "http_access deny all" is almost
guaranteed to be a useless waste of CPU and config file text.

> ############################################################
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> visible_hostname proxy
> error_directory /usr/share/squid/errors/pt-br
> #cache_effective_group squid
> cache_effective_user squid
> coredump_dir /var/spool/squid
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
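The first-match behaviour behind Amos's two remarks (the restricted group never reaches an "allow", and a "deny" sitting in front of "deny all" changes nothing) can be checked with a small model of how Squid walks http_access lines. The following is an added illustration written for this thread, not code from the thread or from Squid itself. The user names, group memberships, the regexes standing in for the /etc/squid/regras/* list files, the sample requests and the "FIXED" rule block (which adds an explicit allow for proxy_restrito on its whitelist) are all constructed assumptions; the ACL names are the ones defined in the posted config.

```python
import re

# Constructed sample data standing in for the AD group lookups and the
# /etc/squid/regras/* list files in the thread; not the poster's real data.
GROUPS = {
    "alice": {"proxy_livre"},
    "bob": {"proxy_geral"},
    "carol": {"proxy_restrito"},
}
BLOCKED_USERS = {"dave"}
URL_LISTS = {
    "downloads": [r"\.(exe|msi|iso)$"],
    "proxy_restrito_whitelist": [r"^https?://intranet\.dominio\.local/"],
    "proxy_geral_bracklist": [r"facebook\.com"],  # spelt as in the posted config
    "proxy_livre_proibidos": [r"torrent"],
}

# The poster's rule block, unchanged in order ...
ORIGINAL = """
http_access allow proxy_livre !proxy_livre_proibidos
http_access deny downloads
http_access deny usuarios_bloqueados
http_access allow proxy_geral !proxy_geral_bracklist
http_access deny proxy_restrito !proxy_restrito_whitelist
http_access deny all
"""

# ... and the same block with an explicit allow for the restricted group on
# its whitelist (an assumed fix), so such a request can reach an "allow"
# before "deny all" swallows it.
FIXED = """
http_access allow proxy_livre !proxy_livre_proibidos
http_access deny downloads
http_access deny usuarios_bloqueados
http_access allow proxy_geral !proxy_geral_bracklist
http_access allow proxy_restrito proxy_restrito_whitelist
http_access deny all
"""

SAMPLE_REQUESTS = [  # constructed (user, url) pairs
    ("alice", "http://www.example.com/"),
    ("alice", "http://tracker.example.com/file.torrent"),
    ("bob", "http://www.facebook.com/"),
    ("bob", "http://mirror.example.com/setup.exe"),
    ("carol", "http://intranet.dominio.local/portal"),
    ("carol", "http://www.example.com/"),
    ("dave", "http://www.example.com/"),
]


def acl_matches(name, user, url):
    """Evaluate one ACL against a request using the sample data above.
    An undefined ACL name is an error, as it is for Squid at startup."""
    if name == "all":
        return True
    if name in ("proxy_livre", "proxy_geral", "proxy_restrito"):
        return name in GROUPS.get(user, set())
    if name == "usuarios_bloqueados":
        return user in BLOCKED_USERS
    if name in URL_LISTS:
        return any(re.search(p, url, re.IGNORECASE) for p in URL_LISTS[name])
    raise KeyError(f"ACL {name!r} is not defined")


def parse_rules(config_text):
    """Collect (action, [acl terms]) from http_access lines, in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, user, url):
    """First-match evaluation as Squid does for http_access: a line matches
    when every term on it matches (a leading '!' negates a term) and the
    first matching line decides. If nothing matches, Squid applies the
    opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), user, url) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decisions(config_text, requests):
    """Decision for every (user, url) pair under one http_access block."""
    rules = parse_rules(config_text)
    return {(u, url): evaluate(rules, u, url) for u, url in requests}


def redundant_deny_lines(rules):
    """Deny lines that can never change a decision: when only deny lines
    follow and the block ends in 'deny all', anything this line would deny
    is denied a few lines later anyway."""
    out = []
    for i, (action, terms) in enumerate(rules[:-1]):
        tail = rules[i + 1:]
        if action == "deny" and tail[-1] == ("deny", ["all"]) \
                and all(a == "deny" for a, _ in tail):
            out.append(" ".join(["http_access", action] + terms))
    return out


if __name__ == "__main__":
    for label, block in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        print(label)
        for (u, url), d in decisions(block, SAMPLE_REQUESTS).items():
            print(f"  {d:5}  {u:6} {url}")
        print("  redundant:", redundant_deny_lines(parse_rules(block)))
```

Under ORIGINAL, carol's request for the whitelisted intranet site skips the restricted-group deny line (the whitelist term negates it) and then falls into "deny all"; under FIXED the same request hits the explicit allow. The redundancy check flags exactly the deny line in front of "deny all" in ORIGINAL and nothing in FIXED, and removing that line from ORIGINAL leaves every sample decision unchanged.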