[FUG-BR] TCP_DENIED/407

Welinaldo Lopes Nascimento welinaldo em bsd.com.br
Terça Setembro 4 09:16:02 BRT 2012


Segue o squid.conf:

####################################################################
# Listener on TCP/3128, bound to every interface. If the proxy host is
# multi-homed, bind to the internal address (e.g. http_port 10.1.1.x:3128)
# so the listener is not reachable from other networks.
http_port 3128
icp_port 0

cache_dir aufs /usr/local/squid/cache 10000 16 256

# NOTE(review): cache_log and cache_store_log are each given twice; the
# later value wins, so cache.log and store.log end up in /dev/null.
# cache.log is where the NTLM helper, the ACL parser and "ACL not found"
# errors are reported -- exactly the evidence needed to diagnose the 407s.
# Drop the two /dev/null lines at least while troubleshooting.
# cache_access_log is the older spelling of access_log (both appear here).
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_log /dev/null
cache_store_log /usr/local/squid/logs/store.log
cache_store_log /dev/null
cache_swap_log /usr/local/squid/logs/cache_swap.log
access_log /usr/local/squid/logs/access.log squid

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

hierarchy_stoplist cgi-bin ?

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Reply-header ACLs: defined, but not referenced by any http_access or
# http_reply_access line in this listing.
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
acl apache rep_header Server ^Apache
# Core dumps go into the cache directory. A dump of the squid process may
# contain client request data and Proxy-Authorization headers, so keep
# this directory readable by the squid user only.
coredump_dir /usr/local/squid/cache


cache_mem 1200 MB
cache_swap_low 80
cache_swap_high 85
maximum_object_size 2000 KB
minimum_object_size 0
maximum_object_size_in_memory 256 KB
ipcache_size 1024
fqdncache_size 1024
ipcache_low 90
ipcache_high 95


# NTLM helper. The next two lines are ONE directive (wrapped by the mail
# client): the helper program followed by its DOMAIN/DC argument.
# NTLM is a legacy challenge/response scheme and the whole exchange runs
# over the plain-text proxy connection on 3128; where the clients support
# it, Negotiate/Kerberos is the stronger option.
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth
xxxxxx.com.br/servidor-ad


# 100 helper processes. Size this to real concurrency and watch cache.log
# (once it is no longer /dev/null) for helper-queue warnings.
auth_param ntlm children 100
authenticate_ttl 2 hours
# keep_alive off makes Squid close the connection after the initial 407
# challenge, so every new client connection restarts the NTLM handshake.
# The TCP_DENIED/407 entries in access.log are the first leg of that
# handshake, not a failed login; the default (on) produces fewer of them.
auth_param ntlm keep_alive off
# Only meaningful together with a max_user_ip ACL, which this file does
# not define.
authenticate_ip_ttl 3600 seconds
authenticate_cache_garbage_interval 1 hour
# Mail-wrapped comment: the "wbinfo_group.pl" line below belongs to the
# commented-out external_acl_type. As pasted it is an uncommented line of
# its own and would be reported as an unrecognized directive.
#external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/
wbinfo_group.pl



# Wrapped directive: program and its -c argument are one line in the file.
redirect_program /usr/local/bin/squidGuard -c
/usr/local/etc/squid/squidGuard.conf

error_directory /usr/local/etc/squid/errors/Portuguese

acl all src all
acl QUERY urlpath_regex cgi-bin \?
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Defined but never used: there is no "http_access deny to_localhost"
# below, so a client can ask the proxy for http://127.0.0.1/... and reach
# services bound to loopback on the proxy host. Add
# "http_access deny to_localhost" right after the Safe_ports rules.
acl to_localhost dst 127.0.0.0/8
# 10.1.1.0 with a /8 mask is really 10.0.0.0/8 (Squid normalises it and
# warns); 10.1.1.0/24 was probably intended. Also unused: no http_access
# line references rede_interna.
acl rede_interna src 10.1.1.0/8 # RFC1918 internal network
# Allowed below by source address alone, i.e. without authentication.
acl rede_servidores src 10.1.1.5 10.1.1.152 # AD / DB servers



acl int_almoco time 12:00-14:00
acl int_noite time 18:00-19:00

# Commented-out, mail-wrapped extension filter. The second line is not
# commented as pasted. The dots are unescaped, so ".com$" also matches
# any URL path ending in "com".
#acl block_arq urlpath_regex -i  .com$ .scr$ .mpeg$ .wma$ .avi$ .pif$
.rmvb$ .wmv$ .rar$ .iso$ .mp3$ .mp4$ .torrent$


#acl Java browser Java/1.4 Java/1.5 Java/1.6

# True when the request carries valid proxy credentials. When a rule is
# decided by this (or any) proxy_auth ACL and no credentials are present,
# Squid answers 407 -- the TCP_DENIED/407 seen in access.log.
acl autenticados proxy_auth REQUIRED


# Category block lists. url_regex is matched against the whole URL,
# unanchored and (with -i) case-insensitive: a bare domain in one of
# these files also matches that string inside another site's path or
# query string. For a block list that is only a false positive.
acl chats url_regex -i "/usr/local/etc/squid/acls/chats/chats.txt"
acl downloads url_regex -i
"/usr/local/etc/squid/acls/downloads/downloads.txt"
acl jogos url_regex -i "/usr/local/etc/squid/acls/jogos/jogos.txt"
acl multimidia url_regex -i
"/usr/local/etc/squid/acls/multimidia/multimidia.txt"
acl porn url_regex -i "/usr/local/etc/squid/acls/porn/porn.txt"
acl redes_sociais url_regex -i
"/usr/local/etc/squid/acls/redes_sociais/redes_sociais.txt"
acl tvs_radios_filmes url_regex -i
"/usr/local/etc/squid/acls/tvs_radios_filmes/tvs_radios_filmes.txt"
acl youtube url_regex -i "/usr/local/etc/squid/acls/youtube/youtube.txt"

# Allow lists used below to grant access WITHOUT authentication (the
# http_access allow sites_* lines run before any proxy_auth rule). With
# an unanchored url_regex, if these files hold bare domain names then any
# URL that merely contains one -- e.g. http://evil.example/?x=<listed>
# -- bypasses authentication and every category filter. Prefer dstdomain
# for these lists, or anchor the patterns on the scheme and host.
acl sites_gov url_regex -i
"/usr/local/etc/squid/acls/sites_gov/sites_gov.txt"
acl sites_liberados url_regex -i
"/usr/local/etc/squid/acls/sites_liberados/sites_liberados.txt"
acl sites_bancos url_regex -i
"/usr/local/etc/squid/acls/sites_bancos/sites_bancos.txt"

# Per-user lists (usernames, one per line). Like REQUIRED above, a rule
# decided by one of these ACLs challenges (407) an unauthenticated request.
acl usuarios_restritos_msn proxy_auth
"/usr/local/etc/squid/grupos/usuarios_restritos_com_msn.txt"
acl usuarios_restritos proxy_auth
"/usr/local/etc/squid/grupos/usuarios_restritos.txt"
acl usuarios_liberados proxy_auth
"/usr/local/etc/squid/grupos/usuarios_liberados.txt"
acl usuarios_bloqueados proxy_auth
"/usr/local/etc/squid/grupos/usuarios_bloqueados.txt"

# Source-address lists; neither is referenced by an http_access line here.
acl ips_liberados src "/usr/local/etc/squid/grupos/ips_liberados.txt"
acl ips_proibidos src "/usr/local/etc/squid/grupos/ips_proibidos.txt"

#acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# 314572800 bytes = 300 MB cap on reply and request bodies for anyone not
# in usuarios_liberados (a proxy_auth ACL, so this too can challenge).
reply_body_max_size 314572800 deny !usuarios_liberados
request_body_max_size 314572800 deny !usuarios_liberados

acl emailsd dstdomain "/usr/local/etc/squid/acls/emailsd/emailsd.txt"

# Messenger detection by URL fragment, destination IP, hostname and MIME
# type. These IP addresses are hard-coded and will drift; dstdomain on
# the host names is the more durable control.
acl msn-dll url_regex -i gateway.dll sqmserver.dll ADSAdClient31.dll
acl msn-web dst 212.26.216.247/32 82.98.251.0/24 212.26.216.242/32
85.184.4.3/32 65.54.175.250/32
acl msnd url_regex loginnet.passport.com e-messenger.net rad.msn.com
tdy.br.msn.com udc.msn.com messenger.hotmail.com messenger.live.com
messenger.services.live.com messenger.msn.com gateway.messenger.hotmail.com
config.messenger.msn.com .contacts.msn.com webmessenger.msn.com cs.yahoo.com
csa.yahoo.com csb.yahoo.com scsa.yahoo.com go.icq.com login.icq.com
acl msnapp req_mime_type application/x-msn-messenger


# Standard Squid port hygiene: CONNECT only to 443, plain requests only
# to the Safe_ports set.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT


# no_cache was renamed "cache" in Squid 2.6/3.x; check the running version.
no_cache deny QUERY

# Cache manager and PURGE only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

# Every request that survives these two lines is on a Safe_port, and every
# CONNECT is to 443. ("http_access deny to_localhost" belongs here.)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


# Server hosts by source IP, no authentication: the address is the only
# control, so keep this list to hosts you administer.
http_access allow rede_servidores

# --- Allowed WITHOUT authentication; see the url_regex note on the
# --- sites_* ACLs above.
http_access allow sites_liberados

http_access allow sites_gov

http_access allow sites_bancos
no_cache deny sites_bancos

# BUG: this line never matches. All ACLs on one http_access line are
# ANDed, so it denies only requests that are unauthenticated AND on a
# non-safe port AND on a non-SSL port -- and "deny !Safe_ports" above has
# already removed every non-safe-port request. It therefore enforces
# nothing; authentication is triggered only by the first later rule that
# is decided by a proxy_auth ACL. The intended gate is simply:
#   http_access deny !autenticados
http_access deny !autenticados !Safe_ports !SSL_ports

# Because the line above is a no-op, this is the first proxy_auth decision
# and the point where an unauthenticated request receives its 407. Squid
# challenges whenever a deny line is decided by a proxy_auth ACL, so put
# an explicit "deny !autenticados" first to make the challenge point clear
# and keep user-list rules purely about authorization.
http_access deny usuarios_bloqueados

http_access allow usuarios_liberados

# Per-group allows: user in group AND not in any blocked category.
http_access allow usuarios_restritos_msn !downloads !jogos !multimidia
!porn !redes_sociais !tvs_radios_filmes !youtube !chats

# usuarios_restritos_gtalk (here) and gtalk (below) are not defined in
# this listing. Squid refuses to start on an undefined ACL, so they must
# be defined in a part of the file that was not pasted.
http_access allow usuarios_restritos_gtalk !downloads !jogos !multimidia
!porn !redes_sociais !tvs_radios_filmes !youtube !chats !msn-dll !msnd
!msnapp !msn-web

http_access allow usuarios_restritos !downloads !jogos !multimidia !porn
!redes_sociais !tvs_radios_filmes !youtube !chats !msn-dll !msnd !msnapp
!msn-web !gtalk

#http_access deny connect numeric_IPs

# Dead rule: the ACLs on one allow line are ANDed, so a request would have
# to match msn-dll AND msnd AND msnapp AND msn-web AND chats AND gtalk AND
# emailsd at the same time. If the intent is "allow any of these", give
# each ACL its own http_access line -- and decide explicitly whether
# those allows should sit behind authentication.
http_access allow msn-dll msnd msnapp msn-web chats gtalk emailsd

# Default deny. Restricted users hitting a blocked category fall through
# to here and get a 403, not a 407.
http_access deny all


pid_filename /var/run/squid.pid
# Level-1 debugging only; with cache_log at /dev/null above none of it is
# recorded anyway.
debug_options ALL,1
log_fqdn off

connect_timeout 120 seconds
read_timeout 15 minutes
request_timeout 30 seconds
client_lifetime 1 day
pconn_timeout 120 seconds
shutdown_lifetime 30 seconds

# Runs as the unprivileged squid user; the log and cache directories
# should be owned by that user and not writable by anyone else.
cache_effective_user squid

cache_mgr welinaldo em bsd.com.br
visible_hostname Proxy

# 0 = Squid never rotates its own logs. access.log then grows without
# bound unless something external (e.g. newsyslog plus "squid -k rotate")
# rotates it; decide on a retention period so the audit trail survives.
logfile_rotate 0

####################################################################



Em 4 de setembro de 2012 08:32, Saul Figueiredo
<saulfelipecf em gmail.com>escreveu:

> Em 3 de setembro de 2012 23:52, Welinaldo Lopes Nascimento <
> welinaldo em bsd.com.br> escreveu:
>
> > Olá pessoal,
> >
> > Tenho servidores com squid autenticando ao AD, mas frequentemente,
> > dependendo do site, abre-se a caixinha de login para autenticação;
> > Verificando o access.log, mesmo com usuário tendo permissões de acesso
> > total ainda ocorre o erro TCP_DENIED/407, que se refere a autenticação;
> > Inclusive, até na regra que bloqueia tudo o que não for autenticado,
> > informei também exceções para  !Safe_ports !SSL_ports mas o problema
> > persiste.
> > O que estou fazendo de errado?
> >
> > --
> >
> >
> > .ılı..ılı.
> > *
> > *
> >
>
>
> Opa!
>
> Mande-nos seu squid.conf pra gente dar uma olhada.
>
> --
> "Deve-se aprender sempre, até mesmo com um inimigo."
> (Isaac Newton)
>
> Atenciosamente,
> Saul Figueiredo
> Analista FreeBSD/Linux
> Linux Professional Institute Certification Level 2
> Linux User: #554651
> saulfelipecf em gmail.com
> <saul-felipe em hotmail.com>
>


