Problems with SQUID and SQUIDGUARD authenticating against AD
-
Did you clear the squid cache?
-
I didn't clear it. Is it done via the shell console, or can it be done through the web interface?
-
I prefer the shell: go to the cache directory, stop squid, remove all the files (rm -R *), but first check that you are in the right place; after removing them, type squid -z to recreate the cache and start squid again. Clear the browser cache too.
-
Hello Lucas
I ran the following commands via the console and cleared the browser cache.
It didn't work either; I even stopped the squidguard service and started it again, and nothing.
/usr/local/etc/rc.d/squid.sh stop
rm -rf /var/squid/cache/
mkdir -p /var/squid/cache/
chown proxy:proxy /var/squid/cache/
chmod 750 /var/squid/cache/
squid -z
/usr/local/etc/rc.d/squid.sh start
-
Is the port open on your firewall?
-
I disabled the Windows Server 2012 R2 firewall.
-
The pfsense firewall..
-
As pfsense isn't in production yet, everything is allowed
on WAN and LAN. I'm sending a screenshot.
-
Check the logs to see whether any error appears when restarting squid+squidguard.
-
SquidGuard
Show top 50 entries. List from the line: << 0 >>
16.06.2014 15:16:03 [squid_reconfigure] Add new redirector options to Squid config.
16.06.2014 15:16:03 [squid_reconfigure] Remove old redirector options from Squid config.
16.06.2014 15:16:03 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:16:03 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:16:03 [sg_create_config] Add Default
16.06.2014 15:16:03 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:16:02 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:16:02 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:16:02 [sg_create_config] Add sources: bloqueado
16.06.2014 15:16:02 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:15:52 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:15:52 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:15:52 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:15:52 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:15:52 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:15:51 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';
16.06.2014 15:15:51 [sg_reconfigure_user_db] Add user entries
16.06.2014 15:15:51 [sg_reconfigure_user_db] Begin with '/var/db/squidGuard'
16.06.2014 15:15:14 [squid_reconfigure] Add new redirector options to Squid config.
16.06.2014 15:15:14 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:15:14 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:15:14 [sg_create_config] Add Default
16.06.2014 15:15:14 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:15:14 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:15:14 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:15:14 [sg_create_config] Add sources: bloqueado
16.06.2014 15:15:14 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:14:51 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:14:51 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:14:51 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:14:51 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:14:51 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:14:51 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';
16.06.2014 15:14:51 [sg_reconfigure_user_db] Add user entries
16.06.2014 15:14:51 [sg_reconfigure_user_db] Begin with '/var/db/squidGuard'
16.06.2014 15:13:57 [squid_reconfigure] Remove old redirector options from Squid config.
16.06.2014 15:13:57 [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:13:57 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:13:57 [sg_create_config] Add Default
16.06.2014 15:13:57 [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:13:57 [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:13:57 [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:13:57 [sg_create_config] Add sources: bloqueado
16.06.2014 15:13:57 [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:13:46 [squidguard_rebuild_db] Create rebuild config '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard__usrdbrebuild.conf'.
16.06.2014 15:13:46 [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20404&a=%a&n=%n&;i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:13:46 [sg_create_simple_config] Added item 'Bloqueia_Sites' = '/var/db/squidGuard/Bloqueia_Sites'.
16.06.2014 15:13:46 [sg_create_simple_config] Begin with dbhome='/var/db/squidGuard'.
16.06.2014 15:13:46 [squidguard_rebuild_db] Begin with path '/var/db/squidGuard'.
16.06.2014 15:13:45 [sg_reconfigure_user_db] Add Bloqueia_Sites domains 'terra.com.br globo.com';
-
I ran a tail inside /var/squid/logs; the cache.log file was there.
That was the only file.
[2.1.3-RELEASE][root@pfsense.localdomain]/var/squid/logs(36): tail -f cache.log
2014-06-16 15:16:03 [78648] New setting: ldapbindpass: SENHA
2014-06-16 15:16:03 [78648] syntax error in configfile /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf line 11
2014-06-16 15:16:03 [78648] Going into emergency mode
2014/06/16 15:16:03| Accepting proxy HTTP connections at 192.168.1.240, port 3128, FD 27.
2014/06/16 15:16:03| Accepting proxy HTTP connections at 192.168.21.240, port 3128, FD 28.
2014/06/16 15:16:03| Accepting HTCP messages on port 4827, FD 30.
2014/06/16 15:16:03| Accepting SNMP messages on port 3401, FD 31.
2014/06/16 15:16:03| WCCP Disabled.
2014/06/16 15:16:03| Loaded Icons.
2014/06/16 15:16:03| Ready to serve requests.
-
SquidGuard log
[2.1.3-RELEASE][root@pfsense.localdomain]/var/squidGuard/log(44): tail -f sg_configurator.log
16.06.2014 15:16:02 : [squidguard_rebuild_db] Start rebuild DB.
16.06.2014 15:16:02 : [sg_create_config] Add sources: bloqueado
16.06.2014 15:16:02 : [sg_create_config] Add destinations: Bloqueia_Sites;
16.06.2014 15:16:02 : [sg_create_config] Add rewrites: safesearch;
16.06.2014 15:16:03 : [sg_create_config] Add ACL's: bloqueado;
16.06.2014 15:16:03 : [sg_create_config] Add Default
16.06.2014 15:16:03 : [sg_redirector_base_url] Select redirector base url (http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u)
16.06.2014 15:16:03 : [sg_reconfigure] Save squidGuard config to '/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf'.
16.06.2014 15:16:03 : [squid_reconfigure] Remove old redirector options from Squid config.
16.06.2014 15:16:03 : [squid_reconfigure] Add new redirector options to Squid config.
-
It looks like there is an error in the squidguard conf.
I'll post the conf here.
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=administrator,cn=Users,dc=dominio,dc=srv
ldapbindpass senha do administrator
ldapprotover 3
src bloqueado {
ldapusersearch ldap://192.168.1.208:3268/DC=meudominio,DC=srv?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=bloqueado%2cCN=Users%2cDC=meudominio%2cDC=srv))
log block.log
}
dest Bloqueia_Sites {
domainlist Bloqueia_Sites/domains
log block.log
}
rew safesearch {
s@(google../search?.q=.)@\1&safe=active@i
s@(google../images.q=.)@\1&safe=active@i
s@(google../groups.q=.)@\1&safe=active@i
s@(google../news.q=.)@\1&safe=active@i
s@(yandex../yandsearch?.text=.)@\1&fyandex=1@i
s@(search.yahoo../search.p=.)@\1&vm=r&v=1@i
s@(search.live../.q=.)@\1&adlt=strict@i
s@(search.msn../.q=.)@\1&adlt=strict@i
s@(.bing..*/.q=.)@\1&adlt=strict@i
log block.log
}
acl {
#
bloqueado {
pass !Bloqueia_Sites all
log block.log
}
#
default {
pass none
redirect http://192.168.1.240:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
-
GOOD MORNING EVERYONE, IT WORKEDDDDDDDDDDDD. AFTER A FEW DAYS OF TESTS, THE PROBLEM WAS THE SILLIEST THING IN THE WORLD. MY SCENARIO: WINDOWS SERVER 2012 R2, PFSENSE 2.1.3, SQUID AND SQUIDGUARD. I NEED TO BLOCK ACTIVE DIRECTORY USER GROUPS ON SOME SITES, AND IT DIDN'T WORK THROUGH SQUIDGUARD, WHILE THROUGH SQUID THE NORMAL BLACKLIST WORKS. WHAT IT REALLY WAS!!!!!! IS THAT THE ACTIVE DIRECTORY ADMINISTRATOR PASSWORD HAD XXXX@XXXX. SQUID HANDLED IT JUST FINE AND PICKED UP THE USERS CORRECTLY, BUT SQUIDGUARD DIDN'T, BECAUSE SQUIDGUARD DOES NOT ACCEPT THE ADMINISTRATOR PASSWORD WITH @. I CHANGED THE PASSWORD ON THE WINDOWS SERVER AND THE BLOCKING ACLS WORKED PERFECTLY. I WANT TO THANK HENRIQUE AND LUCAS, WHO HELPED ME A LOT, REALLY A LOT, WITH THEIR TIME AND KNOWLEDGE. GOD BLESS YOU, BECAUSE AS I TOLD HENRIQUE, NOWADAYS IT'S HARD TO FIND HELPFUL PEOPLE.
-
Good evening everyone,
I have a problem similar to the one described in this post: Squid is authenticating against my AD, and I can see the user in the logs. I created 3 groups in AD and replicated them in the SquidGuard Group ACL, but in its logs the user information does not appear.
Groups created:
- Liberado
- Bloqueado
- Restrito
SquidGuard configuration
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn CN=squid,OU=Internet,DC=blumenau,DC=dominio,DC=local
ldapbindpass senha
ldapprotover 3
# Blocked Internet access
src Bloqueado {
ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Bloqueado%2cOU=Internet%2cDC=blumenau%2cDC=dominio%2cDC=local))
log block.log
}
# Restricted Internet access
src Restrito {
ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Restrito%2cOU=Internet%2cOU=MyBusiness%2cDC=blumenau%2cDC=dominio%2cDC=local))
log block.log
}
# Allowed Internet access
src Liberado {
ldapusersearch ldap://192.168.16.250:389/DC=blumenau,DC=dominio,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Liberado%2cOU=Internet%2cDC=blumenau%2cDC=dominio%2cDC=local))
log block.log
}
#
dest blk_BL_adv { domainlist blk_BL_adv/domains urllist blk_BL_adv/urls log block.log }
dest blk_BL_aggressive { domainlist blk_BL_aggressive/domains urllist blk_BL_aggressive/urls log block.log }
dest blk_BL_alcohol { domainlist blk_BL_alcohol/domains urllist blk_BL_alcohol/urls log block.log }
dest blk_BL_anonvpn { domainlist blk_BL_anonvpn/domains urllist blk_BL_anonvpn/urls log block.log }
dest blk_BL_automobile_bikes { domainlist blk_BL_automobile_bikes/domains urllist blk_BL_automobile_bikes/urls log block.log }
dest blk_BL_automobile_boats { domainlist blk_BL_automobile_boats/domains urllist blk_BL_automobile_boats/urls log block.log }
dest blk_BL_automobile_cars { domainlist blk_BL_automobile_cars/domains urllist blk_BL_automobile_cars/urls log block.log }
dest blk_BL_automobile_planes { domainlist blk_BL_automobile_planes/domains urllist blk_BL_automobile_planes/urls log block.log }
dest blk_BL_chat { domainlist blk_BL_chat/domains urllist blk_BL_chat/urls log block.log }
dest blk_BL_costtraps { domainlist blk_BL_costtraps/domains urllist blk_BL_costtraps/urls log block.log }
dest blk_BL_dating { domainlist blk_BL_dating/domains urllist blk_BL_dating/urls log block.log }
dest blk_BL_downloads { domainlist blk_BL_downloads/domains urllist blk_BL_downloads/urls log block.log }
dest blk_BL_drugs { domainlist blk_BL_drugs/domains urllist blk_BL_drugs/urls log block.log }
dest blk_BL_dynamic { domainlist blk_BL_dynamic/domains urllist blk_BL_dynamic/urls log block.log }
dest blk_BL_education_schools { domainlist blk_BL_education_schools/domains urllist blk_BL_education_schools/urls log block.log }
dest blk_BL_finance_banking { domainlist blk_BL_finance_banking/domains urllist blk_BL_finance_banking/urls log block.log }
dest blk_BL_finance_insurance { domainlist blk_BL_finance_insurance/domains urllist blk_BL_finance_insurance/urls log block.log }
dest blk_BL_finance_moneylending { domainlist blk_BL_finance_moneylending/domains urllist blk_BL_finance_moneylending/urls log block.log }
dest blk_BL_finance_other { domainlist blk_BL_finance_other/domains urllist blk_BL_finance_other/urls log block.log }
dest blk_BL_finance_realestate { domainlist blk_BL_finance_realestate/domains urllist blk_BL_finance_realestate/urls log block.log }
dest blk_BL_finance_trading { domainlist blk_BL_finance_trading/domains urllist blk_BL_finance_trading/urls log block.log }
dest blk_BL_fortunetelling { domainlist blk_BL_fortunetelling/domains urllist blk_BL_fortunetelling/urls log block.log }
dest blk_BL_forum { domainlist blk_BL_forum/domains urllist blk_BL_forum/urls log block.log }
dest blk_BL_gamble { domainlist blk_BL_gamble/domains urllist blk_BL_gamble/urls log block.log }
dest blk_BL_government { domainlist blk_BL_government/domains urllist blk_BL_government/urls log block.log }
dest blk_BL_hacking { domainlist blk_BL_hacking/domains urllist blk_BL_hacking/urls log block.log }
dest blk_BL_hobby_cooking { domainlist blk_BL_hobby_cooking/domains urllist blk_BL_hobby_cooking/urls log block.log }
dest blk_BL_hobby_games-misc { domainlist blk_BL_hobby_games-misc/domains urllist blk_BL_hobby_games-misc/urls log block.log }
dest blk_BL_hobby_games-online { domainlist blk_BL_hobby_games-online/domains urllist blk_BL_hobby_games-online/urls log block.log }
dest blk_BL_hobby_gardening { domainlist blk_BL_hobby_gardening/domains urllist blk_BL_hobby_gardening/urls log block.log }
dest blk_BL_hobby_pets { domainlist blk_BL_hobby_pets/domains urllist blk_BL_hobby_pets/urls log block.log }
dest blk_BL_homestyle { domainlist blk_BL_homestyle/domains urllist blk_BL_homestyle/urls log block.log }
dest blk_BL_hospitals { domainlist blk_BL_hospitals/domains urllist blk_BL_hospitals/urls log block.log }
dest blk_BL_imagehosting { domainlist blk_BL_imagehosting/domains urllist blk_BL_imagehosting/urls log block.log }
dest blk_BL_isp { domainlist blk_BL_isp/domains urllist blk_BL_isp/urls log block.log }
dest blk_BL_jobsearch { domainlist blk_BL_jobsearch/domains urllist blk_BL_jobsearch/urls log block.log }
dest blk_BL_library { domainlist blk_BL_library/domains urllist blk_BL_library/urls log block.log }
dest blk_BL_military { domainlist blk_BL_military/domains urllist blk_BL_military/urls log block.log }
dest blk_BL_models { domainlist blk_BL_models/domains urllist blk_BL_models/urls log block.log }
dest blk_BL_movies { domainlist blk_BL_movies/domains urllist blk_BL_movies/urls log block.log }
dest blk_BL_music { domainlist blk_BL_music/domains urllist blk_BL_music/urls log block.log }
dest blk_BL_news { domainlist blk_BL_news/domains urllist blk_BL_news/urls log block.log }
dest blk_BL_podcasts { domainlist blk_BL_podcasts/domains urllist blk_BL_podcasts/urls log block.log }
dest blk_BL_politics { domainlist blk_BL_politics/domains urllist blk_BL_politics/urls log block.log }
dest blk_BL_porn { domainlist blk_BL_porn/domains urllist blk_BL_porn/urls log block.log }
dest blk_BL_radiotv { domainlist blk_BL_radiotv/domains urllist blk_BL_radiotv/urls log block.log }
dest blk_BL_recreation_humor { domainlist blk_BL_recreation_humor/domains urllist blk_BL_recreation_humor/urls log block.log }
dest blk_BL_recreation_martialarts { domainlist blk_BL_recreation_martialarts/domains urllist blk_BL_recreation_martialarts/urls log block.log }
dest blk_BL_recreation_restaurants { domainlist blk_BL_recreation_restaurants/domains urllist blk_BL_recreation_restaurants/urls log block.log }
dest blk_BL_recreation_sports { domainlist blk_BL_recreation_sports/domains urllist blk_BL_recreation_sports/urls log block.log }
dest blk_BL_recreation_travel { domainlist blk_BL_recreation_travel/domains urllist blk_BL_recreation_travel/urls log block.log }
dest blk_BL_recreation_wellness { domainlist blk_BL_recreation_wellness/domains urllist blk_BL_recreation_wellness/urls log block.log }
dest blk_BL_redirector { domainlist blk_BL_redirector/domains urllist blk_BL_redirector/urls log block.log }
dest blk_BL_religion { domainlist blk_BL_religion/domains urllist blk_BL_religion/urls log block.log }
dest blk_BL_remotecontrol { domainlist blk_BL_remotecontrol/domains urllist blk_BL_remotecontrol/urls log block.log }
dest blk_BL_ringtones { domainlist blk_BL_ringtones/domains urllist blk_BL_ringtones/urls log block.log }
dest blk_BL_science_astronomy { domainlist blk_BL_science_astronomy/domains urllist blk_BL_science_astronomy/urls log block.log }
dest blk_BL_science_chemistry { domainlist blk_BL_science_chemistry/domains urllist blk_BL_science_chemistry/urls log block.log }
dest blk_BL_searchengines { domainlist blk_BL_searchengines/domains urllist blk_BL_searchengines/urls log block.log }
dest blk_BL_sex_education { domainlist blk_BL_sex_education/domains urllist blk_BL_sex_education/urls log block.log }
dest blk_BL_sex_lingerie { domainlist blk_BL_sex_lingerie/domains urllist blk_BL_sex_lingerie/urls log block.log }
dest blk_BL_shopping { domainlist blk_BL_shopping/domains urllist blk_BL_shopping/urls log block.log }
dest blk_BL_socialnet { domainlist blk_BL_socialnet/domains urllist blk_BL_socialnet/urls log block.log }
dest blk_BL_spyware { domainlist blk_BL_spyware/domains urllist blk_BL_spyware/urls log block.log }
dest blk_BL_tracker { domainlist blk_BL_tracker/domains urllist blk_BL_tracker/urls log block.log }
dest blk_BL_updatesites { domainlist blk_BL_updatesites/domains urllist blk_BL_updatesites/urls log block.log }
dest blk_BL_urlshortener { domainlist blk_BL_urlshortener/domains urllist blk_BL_urlshortener/urls log block.log }
dest blk_BL_violence { domainlist blk_BL_violence/domains urllist blk_BL_violence/urls log block.log }
dest blk_BL_warez { domainlist blk_BL_warez/domains urllist blk_BL_warez/urls log block.log }
dest blk_BL_weapons { domainlist blk_BL_weapons/domains urllist blk_BL_weapons/urls log block.log }
dest blk_BL_webmail { domainlist blk_BL_webmail/domains urllist blk_BL_webmail/urls log block.log }
dest blk_BL_webphone { domainlist blk_BL_webphone/domains urllist blk_BL_webphone/urls log block.log }
dest blk_BL_webradio { domainlist blk_BL_webradio/domains urllist blk_BL_webradio/urls log block.log }
dest blk_BL_webtv { domainlist blk_BL_webtv/domains urllist blk_BL_webtv/urls log block.log }
#
rew safesearch {
s@(google..*/search?.*q=.*)@&safe=active@i
s@(google..*/images.*q=.*)@&safe=active@i
s@(google..*/groups.*q=.*)@&safe=active@i
s@(google..*/news.*q=.*)@&safe=active@i
s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
s@(search.live..*/.*q=.*)@&adlt=strict@i
s@(search.msn..*/.*q=.*)@&adlt=strict@i
s@(.bing..*/.*q=.*)@&adlt=strict@i
log block.log
}
#
acl {
# Blocked Internet access
Bloqueado {
pass none
log block.log
}
# Restricted Internet access
Restrito {
pass all
log block.log
}
# Allowed Internet access
Liberado {
pass !blk_BL_socialnet all
redirect http://192.168.32.254:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}
#
default {
pass none
redirect http://192.168.32.254:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
log block.log
}
}
Squid configuration
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.32.254:3128
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language pt-br
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname srvnas-fw01.blumenau.dominio.local
cache_mgr suporte@dominio.com.br
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_children 0
logfile_rotate 0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.32.0/24
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
# No redirector configured
#Remote proxies
# Setup some default acls
acl allsrc src all
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Package Integration
redirect_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf
redirector_bypass off
url_rewrite_children 5
# Custom options
auth_param basic program /usr/pbi/squid-amd64/libexec/squid/squid_ldap_auth -v 3 -b DC=blumenau,DC=dominio,DC=local -D CN=squid,OU=Internet,DC=blumenau,DC=dominio,DC=local -w senha -f '(sAMAccountName=%s)' -u uid -P 192.168.16.250:389
auth_param basic children 5
auth_param basic realm Informe Credencial
auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED
http_access allow password localnet
# Default block all to be sure
http_access deny allsrc
I've banged my head a lot trying to figure it out and haven't found the errors. I have already ruled out some: my password, for example, is within the accepted format, and I managed to validate Squid's LDAP search, but I don't know how to validate SquidGuard's search. Can anyone see something I might be overlooking? As you may have noticed, there are 2 distinct networks:
192.168.16.0/24 - Head office network
192.168.32.0/24 - Branch network
I linked them with OpenVPN and the firewall rules are 100% open between them, so much so that authentication against AD works, which rules out a communication problem.
Thanks,
Bruno
-
-
IS THAT THE ACTIVE DIRECTORY ADMINISTRATOR PASSWORD HAD XXXX@XXXX. SQUID HANDLED IT JUST FINE AND PICKED UP THE USERS CORRECTLY, BUT SQUIDGUARD DIDN'T, BECAUSE SQUIDGUARD DOES NOT ACCEPT THE ADMINISTRATOR PASSWORD WITH @. I CHANGED THE PASSWORD ON THE WINDOWS SERVER AND IT WORKED PERFECTLY
I also went through this difficulty (for many days :D); the worst part is that squidguard states it explicitly :p
(Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z/][a-zA-Z0-9/_-./:%+?=&] )
Regards.
Bruno Pinheiro.
-
@brf:
I have a problem similar to the one described in this post: Squid is authenticating against my AD, and I can see the user in the logs. I created 3 groups in AD and replicated them in the SquidGuard Group ACL, but in its logs the user information does not appear.
Good afternoon Bruno,
If you validated the users in squid, then the problem may be the recursive search in A.D. I had two problems with that:
1- As mentioned in my previous post, a password with the @ character
2- Port 389 did not allow me to do a recursive search in A.D., only port 3268; with that I succeeded.
Run this test and report back here.
Regards,
Bruno Pinheiro.
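
The two causes reported in this thread (a bind password outside the format squidGuard accepts, and a group search on port 389 instead of 3268) can be checked directly against a squidGuard.conf, and the same pass can turn each ldapusersearch URL into an ldapsearch command for validating the SquidGuard search by hand. This is an added example, not code from the posts or from the pfSense package; the function names, the constructed sample config, the test user jdoe, and the reading of the quoted format as a character class with a literal "-" that repeats are assumptions.

```python
import re
import shlex
from urllib.parse import unquote

# Format hint quoted in the thread: [a-zA-Z/][a-zA-Z0-9/_-./:%+?=&]
# Assumption: "-" is a literal and the second class repeats.
ALLOWED = r"a-zA-Z0-9/_\-./:%+?=&"
BINDPASS_OK = re.compile(rf"[a-zA-Z/][{ALLOWED}]*\Z")

# Constructed sample modelled on the configs posted above (not a real site).
SAMPLE_CONF = """\
ldapbinddn cn=squid,ou=Internet,dc=example,dc=local
ldapbindpass Abcd@1234
ldapprotover 3
src bloqueado {
ldapusersearch ldap://192.0.2.10:389/DC=example,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=bloqueado%2cOU=Internet%2cDC=example%2cDC=local))
log block.log
}
"""


def parse_conf(text):
    """Collect ldapbind* settings and (src name, ldapusersearch URL) pairs."""
    settings, searches, src = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"src\s+(\S+)\s*\{", line)
        if opened:
            src = opened.group(1)
        elif line.startswith("}"):
            src = None
        elif line.startswith("ldapusersearch") and src:
            searches.append((src, line.split(None, 1)[1]))
        elif line.startswith(("ldapbinddn", "ldapbindpass")):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings, searches


def split_ldap_url(url):
    """ldap://host:port/base?attrs?scope?filter -> decoded parts."""
    scheme, _, rest = url.partition("://")
    hostport, _, tail = rest.partition("/")
    base, attrs, scope, flt = tail.split("?", 3)  # ValueError if a part is missing
    host, _, port = hostport.partition(":")
    return scheme, host, port or "389", unquote(base), attrs, scope, unquote(flt)


def audit(text, test_user="jdoe"):
    """Return (findings, ldapsearch commands) for a squidGuard.conf text."""
    settings, searches = parse_conf(text)
    findings, commands = [], []
    password = settings.get("ldapbindpass", "")
    if not BINDPASS_OK.match(password):
        bad = sorted({c for c in password if not re.match(f"[{ALLOWED}]", c)})
        findings.append("ldapbindpass does not match the accepted format; "
                        "characters outside it: " + " ".join(bad))
    for src, url in searches:
        try:
            scheme, host, port, base, attrs, scope, flt = split_ldap_url(url)
        except ValueError:
            findings.append(f"src {src}: ldapusersearch URL is malformed")
            continue
        if port == "389":
            findings.append(f"src {src}: search uses port 389; the thread "
                            "reports the group lookup only worked on 3268")
        # -W prompts for the bind password, so it is never part of the command.
        argv = ["ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}",
                "-D", settings.get("ldapbinddn", ""), "-W", "-b", base,
                "-s", scope, flt.replace("%s", test_user), attrs]
        commands.append(shlex.join(argv))
    return findings, commands


if __name__ == "__main__":
    found, cmds = audit(SAMPLE_CONF)
    print("\n".join(found + cmds))
```

An ldapsearch that returns an entry for a user who is in the group, and none for a user who is not, confirms that the bind DN, base, port and memberOf filter in the src block are right before squidGuard is restarted.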