Problemas com SQUID e SQUIDGUARD autenticando no AD

davidjrsp

Lucas também não funcionou vc acredita !!!!!

lucaspolli

deixe a Bloqueia Sites como –- nessa pagina vc nao altera nada, somente se for colocar um whitelist

davidjrsp

Coloquei o –----- e também não funcionou

lucaspolli

limpou o cache do squid?

davidjrsp

Não Limpei, é via Shell Console ? ou da pra fazer com a interface WEB

lucaspolli

prefiro via shell, va no diretorio do cache, pare o squid, remova todos os arquivos (rm -R *), mais antes verifique se esta no local correto, depois de remover digite squid -z para recriar o cache e inicie novamente o squid, limpe o cache do navegador tb

davidjrsp

Olá Lucas

fiz os seguintes comados via console e limpei o cache do browser

E também não rolo ate parei o serviço do squidguard e subi novamente e nada

/usr/local/etc/rc.d/squid.sh stop

rm -rf /var/squid/cache/

mkdir -p /var/squid/cache/

chown proxy:proxy /var/squid/cache/

chmod 750 /var/squid/cache/
squid -z

/usr/local/etc/rc.d/squid.sh start

lucaspolli

a porta esta aberta no seu firewall?

davidjrsp

Eu desabilitei o Firewall do Windows Server 2012 r2

lucaspolli

firewall do pfsense..

davidjrsp

Como o pfsense nao esta em producao ainda ta tudo liberado
Wan e Lan

to mandando print

lucaspolli

verifica os logs se aparece algum erro ao reiniciar o squid+squidguard

davidjrsp

SquidGuard

Show top 50 entries. List from the line: << 0 >>
16.06.2014 15:16:03 [squid_reconfigure] Add new redirector options to Squid config.
16.06.2014 15:16:03 [squid_reconfigure] Remove old redirector options from Squid config.
16.06.2014 15:16:03 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:16:03 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:16:03 [sg_create_config] Add Default
16.06.2014 15:16:03 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:16:02 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:16:02 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:16:02 [sg_create_config] Add sources: bloqueado
16.06.2014 15:16:02 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:15:52 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:15:52 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:15:52 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:15:52 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:15:52 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:15:51 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';
16.06.2014 15:15:51 [sg_reconfigure_user_db] Add user entries
16.06.2014 15:15:51 [sg_reconfigure_user_db] Begin with '/var/db/squidGuard'
16.06.2014 15:15:14 [squid_reconfigure] Add new redirector options to Squid config.
16.06.2014 15:15:14 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:15:14 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:15:14 [sg_create_config] Add Default
16.06.2014 15:15:14 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:15:14 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:15:14 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:15:14 [sg_create_config] Add sources: bloqueado
16.06.2014 15:15:14 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:14:51 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:14:51 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:14:51 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:14:51 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:14:51 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:14:51 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';
16.06.2014 15:14:51 [sg_reconfigure_user_db] Add user entries
16.06.2014 15:14:51 [sg_reconfigure_user_db] Begin with '/var/db/squidGuard'
16.06.2014 15:13:57 [squid_reconfigure] Remove old redirector options from Squid config.
16.06.2014 15:13:57 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:13:57 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:13:57 [sg_create_config] Add Default
16.06.2014 15:13:57 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:13:57 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:13:57 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:13:57 [sg_create_config] Add sources: bloqueado
16.06.2014 15:13:57 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:13:46 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:13:46 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:13:46 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:13:46 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:13:46 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:13:45 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';

davidjrsp

eu dei um tail dentro de cd /var/squid/logs tinha o arquivo cache.log

só tinha esse arquivo

[2.1.3-RELEASE][root@pfsense.localdomain]/var/squid/logs(36): tail -f cache.log
2014-06-16 15:16:03 [78648] New setting: ldapbindpass: SENHA
2014-06-16 15:16:03 [78648] syntax error in configfile /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf line 11
2014-06-16 15:16:03 [78648] Going into emergency mode
2014/06/16 15:16:03| Accepting proxy HTTP connections at 192.168.1.240, port 3128, FD 27.
2014/06/16 15:16:03| Accepting proxy HTTP connections at 192.168.21.240, port 3128, FD 28.
2014/06/16 15:16:03| Accepting HTCP messages on port 4827, FD 30.
2014/06/16 15:16:03| Accepting SNMP messages on port 3401, FD 31.
2014/06/16 15:16:03| WCCP Disabled.
2014/06/16 15:16:03| Loaded Icons.
2014/06/16 15:16:03| Ready to serve requests.

davidjrsp

Log do SquidGuard

[2.1.3-RELEASE][root@pfsense.localdomain]/var/squidGuard/log(44): tail -f sg_configurator.log
16.06.2014 15:16:02 : [squidguard_rebuild_db]  Start rebuild DB.
16.06.2014 15:16:02 : [sg_create_config]  Add sources:  bloqueado
16.06.2014 15:16:02 : [sg_create_config]  Add destinations:  Bloqueia_Sites;
16.06.2014 15:16:02 : [sg_create_config]  Add rewrites:  safesearch;
16.06.2014 15:16:03 : [sg_create_config]  Add ACL's:  bloqueado;
16.06.2014 15:16:03 : [sg_create_config]  Add Default
16.06.2014 15:16:03 : [sg_redirector_base_url]  Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:16:03 : [sg_reconfigure]  Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:16:03 : [squid_reconfigure]  Remove old redirector options from Squid config.
16.06.2014 15:16:03 : [squid_reconfigure]  Add new redirector options to Squid config.

davidjrsp

Parece que tem um erro na conf do squidguard

vou mandar a conf aqui

logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=administrator,cn=Users,dc=dominio,dc=srv
ldapbindpass senha do administrator
ldapprotover 3

src bloqueado {
        ldapusersearch ldap://192.168.1.208:3268/DC=meudominio,DC=srv?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=bloqueado%2cCN=Users%2cDC=meudominio%2cDC=srv))
        log block.log
}

dest Bloqueia_Sites {
        domainlist Bloqueia_Sites/domains
        log block.log
}

rew safesearch {
        s@(google../search?.q=.)@\1&safe=active@i
        s@(google../images.q=.)@\1&safe=active@i
        s@(google../groups.q=.)@\1&safe=active@i
        s@(google../news.q=.)@\1&safe=active@i
        s@(yandex../yandsearch?.text=.)@\1&fyandex=1@i
        s@(search.yahoo../search.p=.)@\1&vm=r&v=1@i
        s@(search.live../.q=.)@\1&adlt=strict@i
        s@(search.msn../.q=.)@\1&adlt=strict@i
        s@(.bing..*/.q=.)@\1&adlt=strict@i
        log block.log
}

acl  {
        #
        bloqueado  {
                pass !Bloqueia_Sites all
                log block.log
        }
        #
        default  {
                pass none
                redirect http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
                log block.log

davidjrsp

BOM DIA A TODOS FUNCIONOUUUUUUUUUUUUUU, DEPOIS ALGUNS DIAS DE TEXTES O PROBLEMA ERA A COISA MAIS BESTA DO MUNDO MEU CENARIO WINDOWS SERVER 2012 R2 PFSENSE 2.1.3 SQUID E SQUIDGUARD EU PRECISO BLOQUEAR GRUPOS DE USUARIOS DO ACTIVE DIRECTORY EM ALGUNS SITES E NAO FUNCIONAVA PELO SQUIDGUARD E PELO SQUID FUNCIONA A BLACKLIST NORMAL, O QUE REALMENTE ERA!!!!!!, É QUE A SENHA DO ADMINISTRATOR DO ACTIVE DIRETORY TINHA XXXX@XXXX O SQUID PASSAVA NUMA BOA PEGAVA OS USUARIOS DIREITINHO AGORA O SQUIDGUARD NAO PEGAVA, POR QUE O SQUIDGUARD NAO ACEITA A SENHA DO ADMINISTRADOR COM @ TROQUEI A SENHA NO WINDOWS SERVER E FUNCIONOU PERFEITAMENTE AS ACL DE BLOQUEIO QUERO AGRADECER O HENRIQUE E LUCAS QUE ME AJUDARAM MUITO MAIS MUITO MESMO COM O TEMPO DELES E O CONHECIMENTO DEUS ABENCOE A VCS POIS COMO EU DISSE PARA O HENRIQUE HOJE EM DIA É DIFICIL AS PESSOAS SEREM PRESTATIVOS

brf

Boa noite pessoal,

Estou com um problema parecido com o apresentado neste post, o Squid está autenticando no meu AD, dentro dos logs consigo ver o usuário. Criei 3 grupos no AD e repliquei eles no Group ACL do SquidGuard, porém nele os logs não aparecem as informações de usuário.

Grupos criados:

• Liberado

• Bloqueado

• Restrito

Configuração do SquidGuard

# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn CN=squid,OU=Internet,DC=blumenau,DC=dominio,DC=local
ldapbindpass senha
ldapprotover 3

# Acesso Bloqueado a Internet
src Bloqueado {
	ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Bloqueado%2cOU=Internet%2cDC=blumenau%2cDC=dominio%2cDC=local))
	log block.log
}

# Acesso Restrito a Internet
src Restrito {
	ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Restrito%2cOU=Internet%2cOU=MyBusiness%2cDC=blumenau%2cDC=dominio%2cDC=local))
	log block.log
}

# Acesso Liberado a Internet
src Liberado {
	ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Liberado%2cOU=Internet%2cDC=blumenau%2cDC=dominio%2cDC=local))
	log block.log
}

# 
dest blk_BL_adv {
	domainlist blk_BL_adv/domains
	urllist blk_BL_adv/urls
	log block.log
}

# 
dest blk_BL_aggressive {
	domainlist blk_BL_aggressive/domains
	urllist blk_BL_aggressive/urls
	log block.log
}

# 
dest blk_BL_alcohol {
	domainlist blk_BL_alcohol/domains
	urllist blk_BL_alcohol/urls
	log block.log
}

# 
dest blk_BL_anonvpn {
	domainlist blk_BL_anonvpn/domains
	urllist blk_BL_anonvpn/urls
	log block.log
}

# 
dest blk_BL_automobile_bikes {
	domainlist blk_BL_automobile_bikes/domains
	urllist blk_BL_automobile_bikes/urls
	log block.log
}

# 
dest blk_BL_automobile_boats {
	domainlist blk_BL_automobile_boats/domains
	urllist blk_BL_automobile_boats/urls
	log block.log
}

# 
dest blk_BL_automobile_cars {
	domainlist blk_BL_automobile_cars/domains
	urllist blk_BL_automobile_cars/urls
	log block.log
}

# 
dest blk_BL_automobile_planes {
	domainlist blk_BL_automobile_planes/domains
	urllist blk_BL_automobile_planes/urls
	log block.log
}

# 
dest blk_BL_chat {
	domainlist blk_BL_chat/domains
	urllist blk_BL_chat/urls
	log block.log
}

# 
dest blk_BL_costtraps {
	domainlist blk_BL_costtraps/domains
	urllist blk_BL_costtraps/urls
	log block.log
}

# 
dest blk_BL_dating {
	domainlist blk_BL_dating/domains
	urllist blk_BL_dating/urls
	log block.log
}

# 
dest blk_BL_downloads {
	domainlist blk_BL_downloads/domains
	urllist blk_BL_downloads/urls
	log block.log
}

# 
dest blk_BL_drugs {
	domainlist blk_BL_drugs/domains
	urllist blk_BL_drugs/urls
	log block.log
}

# 
dest blk_BL_dynamic {
	domainlist blk_BL_dynamic/domains
	urllist blk_BL_dynamic/urls
	log block.log
}

# 
dest blk_BL_education_schools {
	domainlist blk_BL_education_schools/domains
	urllist blk_BL_education_schools/urls
	log block.log
}

# 
dest blk_BL_finance_banking {
	domainlist blk_BL_finance_banking/domains
	urllist blk_BL_finance_banking/urls
	log block.log
}

# 
dest blk_BL_finance_insurance {
	domainlist blk_BL_finance_insurance/domains
	urllist blk_BL_finance_insurance/urls
	log block.log
}

# 
dest blk_BL_finance_moneylending {
	domainlist blk_BL_finance_moneylending/domains
	urllist blk_BL_finance_moneylending/urls
	log block.log
}

# 
dest blk_BL_finance_other {
	domainlist blk_BL_finance_other/domains
	urllist blk_BL_finance_other/urls
	log block.log
}

# 
dest blk_BL_finance_realestate {
	domainlist blk_BL_finance_realestate/domains
	urllist blk_BL_finance_realestate/urls
	log block.log
}

# 
dest blk_BL_finance_trading {
	domainlist blk_BL_finance_trading/domains
	urllist blk_BL_finance_trading/urls
	log block.log
}

# 
dest blk_BL_fortunetelling {
	domainlist blk_BL_fortunetelling/domains
	urllist blk_BL_fortunetelling/urls
	log block.log
}

# 
dest blk_BL_forum {
	domainlist blk_BL_forum/domains
	urllist blk_BL_forum/urls
	log block.log
}

# 
dest blk_BL_gamble {
	domainlist blk_BL_gamble/domains
	urllist blk_BL_gamble/urls
	log block.log
}

# 
dest blk_BL_government {
	domainlist blk_BL_government/domains
	urllist blk_BL_government/urls
	log block.log
}

# 
dest blk_BL_hacking {
	domainlist blk_BL_hacking/domains
	urllist blk_BL_hacking/urls
	log block.log
}

# 
dest blk_BL_hobby_cooking {
	domainlist blk_BL_hobby_cooking/domains
	urllist blk_BL_hobby_cooking/urls
	log block.log
}

# 
dest blk_BL_hobby_games-misc {
	domainlist blk_BL_hobby_games-misc/domains
	urllist blk_BL_hobby_games-misc/urls
	log block.log
}

# 
dest blk_BL_hobby_games-online {
	domainlist blk_BL_hobby_games-online/domains
	urllist blk_BL_hobby_games-online/urls
	log block.log
}

# 
dest blk_BL_hobby_gardening {
	domainlist blk_BL_hobby_gardening/domains
	urllist blk_BL_hobby_gardening/urls
	log block.log
}

# 
dest blk_BL_hobby_pets {
	domainlist blk_BL_hobby_pets/domains
	urllist blk_BL_hobby_pets/urls
	log block.log
}

# 
dest blk_BL_homestyle {
	domainlist blk_BL_homestyle/domains
	urllist blk_BL_homestyle/urls
	log block.log
}

# 
dest blk_BL_hospitals {
	domainlist blk_BL_hospitals/domains
	urllist blk_BL_hospitals/urls
	log block.log
}

# 
dest blk_BL_imagehosting {
	domainlist blk_BL_imagehosting/domains
	urllist blk_BL_imagehosting/urls
	log block.log
}

# 
dest blk_BL_isp {
	domainlist blk_BL_isp/domains
	urllist blk_BL_isp/urls
	log block.log
}

# 
dest blk_BL_jobsearch {
	domainlist blk_BL_jobsearch/domains
	urllist blk_BL_jobsearch/urls
	log block.log
}

# 
dest blk_BL_library {
	domainlist blk_BL_library/domains
	urllist blk_BL_library/urls
	log block.log
}

# 
dest blk_BL_military {
	domainlist blk_BL_military/domains
	urllist blk_BL_military/urls
	log block.log
}

# 
dest blk_BL_models {
	domainlist blk_BL_models/domains
	urllist blk_BL_models/urls
	log block.log
}

# 
dest blk_BL_movies {
	domainlist blk_BL_movies/domains
	urllist blk_BL_movies/urls
	log block.log
}

# 
dest blk_BL_music {
	domainlist blk_BL_music/domains
	urllist blk_BL_music/urls
	log block.log
}

# 
dest blk_BL_news {
	domainlist blk_BL_news/domains
	urllist blk_BL_news/urls
	log block.log
}

# 
dest blk_BL_podcasts {
	domainlist blk_BL_podcasts/domains
	urllist blk_BL_podcasts/urls
	log block.log
}

# 
dest blk_BL_politics {
	domainlist blk_BL_politics/domains
	urllist blk_BL_politics/urls
	log block.log
}

# 
dest blk_BL_porn {
	domainlist blk_BL_porn/domains
	urllist blk_BL_porn/urls
	log block.log
}

# 
dest blk_BL_radiotv {
	domainlist blk_BL_radiotv/domains
	urllist blk_BL_radiotv/urls
	log block.log
}

# 
dest blk_BL_recreation_humor {
	domainlist blk_BL_recreation_humor/domains
	urllist blk_BL_recreation_humor/urls
	log block.log
}

# 
dest blk_BL_recreation_martialarts {
	domainlist blk_BL_recreation_martialarts/domains
	urllist blk_BL_recreation_martialarts/urls
	log block.log
}

# 
dest blk_BL_recreation_restaurants {
	domainlist blk_BL_recreation_restaurants/domains
	urllist blk_BL_recreation_restaurants/urls
	log block.log
}

# 
dest blk_BL_recreation_sports {
	domainlist blk_BL_recreation_sports/domains
	urllist blk_BL_recreation_sports/urls
	log block.log
}

# 
dest blk_BL_recreation_travel {
	domainlist blk_BL_recreation_travel/domains
	urllist blk_BL_recreation_travel/urls
	log block.log
}

# 
dest blk_BL_recreation_wellness {
	domainlist blk_BL_recreation_wellness/domains
	urllist blk_BL_recreation_wellness/urls
	log block.log
}

# 
dest blk_BL_redirector {
	domainlist blk_BL_redirector/domains
	urllist blk_BL_redirector/urls
	log block.log
}

# 
dest blk_BL_religion {
	domainlist blk_BL_religion/domains
	urllist blk_BL_religion/urls
	log block.log
}

# 
dest blk_BL_remotecontrol {
	domainlist blk_BL_remotecontrol/domains
	urllist blk_BL_remotecontrol/urls
	log block.log
}

# 
dest blk_BL_ringtones {
	domainlist blk_BL_ringtones/domains
	urllist blk_BL_ringtones/urls
	log block.log
}

# 
dest blk_BL_science_astronomy {
	domainlist blk_BL_science_astronomy/domains
	urllist blk_BL_science_astronomy/urls
	log block.log
}

# 
dest blk_BL_science_chemistry {
	domainlist blk_BL_science_chemistry/domains
	urllist blk_BL_science_chemistry/urls
	log block.log
}

# 
dest blk_BL_searchengines {
	domainlist blk_BL_searchengines/domains
	urllist blk_BL_searchengines/urls
	log block.log
}

# 
dest blk_BL_sex_education {
	domainlist blk_BL_sex_education/domains
	urllist blk_BL_sex_education/urls
	log block.log
}

# 
dest blk_BL_sex_lingerie {
	domainlist blk_BL_sex_lingerie/domains
	urllist blk_BL_sex_lingerie/urls
	log block.log
}

# 
dest blk_BL_shopping {
	domainlist blk_BL_shopping/domains
	urllist blk_BL_shopping/urls
	log block.log
}

# 
dest blk_BL_socialnet {
	domainlist blk_BL_socialnet/domains
	urllist blk_BL_socialnet/urls
	log block.log
}

# 
dest blk_BL_spyware {
	domainlist blk_BL_spyware/domains
	urllist blk_BL_spyware/urls
	log block.log
}

# 
dest blk_BL_tracker {
	domainlist blk_BL_tracker/domains
	urllist blk_BL_tracker/urls
	log block.log
}

# 
dest blk_BL_updatesites {
	domainlist blk_BL_updatesites/domains
	urllist blk_BL_updatesites/urls
	log block.log
}

# 
dest blk_BL_urlshortener {
	domainlist blk_BL_urlshortener/domains
	urllist blk_BL_urlshortener/urls
	log block.log
}

# 
dest blk_BL_violence {
	domainlist blk_BL_violence/domains
	urllist blk_BL_violence/urls
	log block.log
}

# 
dest blk_BL_warez {
	domainlist blk_BL_warez/domains
	urllist blk_BL_warez/urls
	log block.log
}

# 
dest blk_BL_weapons {
	domainlist blk_BL_weapons/domains
	urllist blk_BL_weapons/urls
	log block.log
}

# 
dest blk_BL_webmail {
	domainlist blk_BL_webmail/domains
	urllist blk_BL_webmail/urls
	log block.log
}

# 
dest blk_BL_webphone {
	domainlist blk_BL_webphone/domains
	urllist blk_BL_webphone/urls
	log block.log
}

# 
dest blk_BL_webradio {
	domainlist blk_BL_webradio/domains
	urllist blk_BL_webradio/urls
	log block.log
}

# 
dest blk_BL_webtv {
	domainlist blk_BL_webtv/domains
	urllist blk_BL_webtv/urls
	log block.log
}

# 
rew safesearch {
	s@(google..*/search?.*q=.*)@
&safe=active@i
	s@(google..*/images.*q=.*)@
&safe=active@i
	s@(google..*/groups.*q=.*)@
&safe=active@i
	s@(google..*/news.*q=.*)@
&safe=active@i
	s@(yandex..*/yandsearch?.*text=.*)@
&fyandex=1@i
	s@(search.yahoo..*/search.*p=.*)@
&vm=r&v=1@i
	s@(search.live..*/.*q=.*)@
&adlt=strict@i
	s@(search.msn..*/.*q=.*)@
&adlt=strict@i
	s@(.bing..*/.*q=.*)@
&adlt=strict@i
	log block.log
}

# 
acl  {
	# Acesso Bloqueado a Internet
	Bloqueado  {
		pass none
		log block.log
	}
	# Acesso Restrito a Internet
	Restrito  {
		pass all
		log block.log
	}
	# Acesso Liberado a Internet
	Liberado  {
		pass !blk_BL_socialnet all
		redirect http://192.168.32.254:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
		log block.log
	}
	# 
	default  {
		pass none
		redirect http://192.168.32.254:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
		log block.log
	}
}

Configuração do Squid

# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.32.254:3128
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language pt-br
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname srvnas-fw01.blumenau.dominio.local
cache_mgr suporte@dominio.com.br
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.32.0/24
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
# No redirector configured

#Remote proxies

# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
acl sslports port 443 563  
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
redirect_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf
redirector_bypass off
url_rewrite_children 5

# Custom options

auth_param basic program /usr/pbi/squid-amd64/libexec/squid/squid_ldap_auth -v 3 -b DC=blumenau,DC=dominio,DC=local -D CN=squid,OU=Internet,DC=blumenau,DC=dominio,DC=local -w senha -f '(sAMAccountName=%s)' -u uid -P 192.168.16.250:389
auth_param basic children 5
auth_param basic realm Informe Credencial
auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED
http_access allow password localnet
# Default block all to be sure
http_access deny allsrc

Eu já bati muito a cabeça para tentar descobrir e não achei os erros, alguns erros já filtrei, a minha senha por exemplo está dentro dos padrões, consegui validar a pesquisa LDAP do Squid, mas não sei como validar a pesquisa do SquidGuard. Alguém consegue ver algo que posso estar deixando passar despercebido. Se vocês perceberam existem 2 redes distintas:

192.168.16.0/24 - Rede da Matriz
192.168.32.0/24 - Rede da Filial

As quais interliguei elas com o OpenVPN e as regras do firewall estão 100% liberadas entre elas, tanto é que a autenticação no AD funciona, o que descarta um problema de comunicação.

Obrigado,

Bruno

brunopinheiro

@davidjrsp:

É QUE A SENHA DO ADMINISTRATOR DO ACTIVE DIRETORY TINHA XXXX@XXXX O SQUID PASSAVA NUMA BOA PEGAVA OS USUARIOS DIREITINHO AGORA O SQUIDGUARD NAO PEGAVA, POR QUE O SQUIDGUARD NAO ACEITA A SENHA DO ADMINISTRADOR COM @ TROQUEI A SENHA NO WINDOWS SERVER E FUNCIONOU PERFEITAMENTE

Tambem passei por essa dificuldade (muitos dias :D), o pior disso é que está explicito no squidguard informando a respeito :p

(Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z/][a-zA-Z0-9/_-./:%+?=&] )

abraços.

Bruno Pinheiro.

brunopinheiro

@brf:

Estou com um problema parecido com o apresentado neste post, o Squid está autenticando no meu AD, dentro dos logs consigo ver o usuário. Criei 3 grupos no AD e repliquei eles no Group ACL do SquidGuard, porém nele os logs não aparecem as informações de usuário.

Boa tarde Bruno,

Se você validou os usuários no squid, então o problema pode ser pesquisa recursiva no A.D.. Eu tive dois problemas com isso:

1- Como mencionado no meu post anterior, senha com o caractere @
2- A porta 389 não me permitia fazer pesquisa recursiva no A.D., somente a porta 3268, com isso obtive sucesso.

Faça esse teste e report aqui.

att,

Bruno Pinheiro.