Netgate Discussion Forum
    PFSense 2.3 + Squid + SquidGuard + Ntlm

Category: Portuguese

thallesleonel

Hello everyone.

I have a pfSense 2.3 + Squid + SquidGuard + NTLM server that is almost working.

All of the HTTP part works fine, authenticated via Winbind NTLM.

I'm having problems with HTTPS when it is blocked.

For example, when I have a user with restricted permissions who is allowed to access terra.com.br, when he accesses the site the following appears in squid:

      1461179266.690      3 192.168.1 TAG_NONE/200 0 CONNECT s1.trrsf.com:443 thallesleonel HIER_NONE/- -

Has this ever happened to you?

In squidGuard I created a Target category allowing this domain, and the error persists.

In squid, under acl, I added this same domain, and the error persists.

Here is a copy of my squid.conf:

```
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.4:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language pt-br
icon_directory /usr/local/etc/squid/icons
visible_hostname spmf071
cache_mgr thallesleonel@yahoo.com.br
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
acl localhost src 127.0.0.1/32

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 80 443
acl sslports port 443 563  446

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings
always_direct allow whitelist
ssl_bump none whitelist

# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth
always_direct allow all; ssl_bump server-first all

# Always allow access to whitelist domains
http_access allow whitelist
acl sglog url_regex -i sgr=ACCESSDENIED
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED

# Custom options after auth
always_direct allow all
ssl_bump server-first all
http_access deny password sglog
http_access allow password localnet
http_access allow password allowed_subnets

# Default block all to be sure
http_access deny allsrc
```

Thanks in advance,

      Thalles Leonel

thallesleonel
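The http_access lines in the config above are evaluated in file order and the first matching line decides, and `whitelist` is a dstdom_regex ACL that is consulted before the `password` (proxy_auth) ACL. The following Python model is an added example, not code from the post, from pfSense or from Squid: it re-implements that rule order for the ACL types the posted config uses and runs a few constructed requests through it. The client addresses, host names and the two versions of whitelist.acl (the domain typed as-is versus an anchored regex) are assumptions made for the demonstration; the page does not show how pfSense writes the whitelist entries to that file.

```python
# Model of the http_access chain in the squid.conf posted above. Added
# example, not Squid's code: only the ACL types that config uses (src, port,
# method, url_regex, dstdom_regex, proxy_auth) and Squid's first-match rule
# order are modelled; manager/purge rules, ssl_bump, always_direct and
# squidGuard are left out. All hosts, addresses and whitelist contents below
# are constructed for the demonstration.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str              # client address
    method: str           # "GET" or "CONNECT"
    host: str             # destination host (the CONNECT target for HTTPS)
    port: int
    user: Optional[str]   # None = no Proxy-Authorization header sent
    url: str = ""         # full URL for plain HTTP; empty for CONNECT


def acl_src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.src) in net


def acl_dstdom_regex(patterns):
    # dstdom_regex is an unanchored regex *search* over the host name;
    # the -i flag in the posted config makes it case-insensitive.
    rxs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda r: any(rx.search(r.host) for rx in rxs)


def build_acls(whitelist):
    safe = {21, 70, 80, 210, 280, 443, 488, 563, 591, 631, 777, 901,
            3128, 3129} | set(range(1025, 65536))
    sglog = re.compile("sgr=ACCESSDENIED", re.IGNORECASE)
    return {
        "localhost": acl_src("127.0.0.1/32"),
        "localnet": acl_src("192.168.1.0/24"),
        "allowed_subnets": acl_src("192.168.1.0/24"),
        "allsrc": lambda r: True,
        "safeports": lambda r: r.port in safe,
        "sslports": lambda r: r.port in {443, 563, 446},
        "CONNECT": lambda r: r.method == "CONNECT",
        "whitelist": acl_dstdom_regex(whitelist),
        "sglog": lambda r: sglog.search(r.url or f"{r.host}:{r.port}") is not None,
        # proxy_auth REQUIRED, simplified: any presented credential is valid.
        "password": lambda r: r.user is not None,
    }


# http_access lines from the posted config, in file order.
HTTP_ACCESS = [
    ("deny", ["!safeports"]),
    ("deny", ["CONNECT", "!sslports"]),
    ("allow", ["localhost"]),
    ("allow", ["whitelist"]),
    ("deny", ["password", "sglog"]),
    ("allow", ["password", "localnet"]),
    ("allow", ["password", "allowed_subnets"]),
    ("deny", ["allsrc"]),
]


def evaluate(req: Request, whitelist: List[str]) -> Tuple[str, str]:
    """(decision, rule) of the first matching line; "challenge" models the 407
    Squid sends when a proxy_auth ACL is consulted and no credentials exist."""
    acls = build_acls(whitelist)
    for action, names in HTTP_ACCESS:
        rule = f"http_access {action} {' '.join(names)}"
        for name in names:
            base = name.lstrip("!")
            if base == "password" and req.user is None:
                return "challenge", rule
            if acls[base](req) == name.startswith("!"):  # False after negation
                break                                     # line does not match
        else:
            return action, rule
    return "deny", "no rule matched"


def demo() -> Dict[str, Tuple[Tuple[str, str], Tuple[str, str]]]:
    # Two hypothetical versions of /var/squid/acl/whitelist.acl: the domain
    # typed as-is, and anchored with dots escaped. Returns {case: (loose, strict)}.
    loose, strict = ["terra.com.br"], [r"(^|\.)terra\.com\.br$"]
    lan, http = "192.168.1.10", "http://example.com/"
    cases = {
        # CONNECT to the CDN host from the posted log line, no credentials.
        "cdn_no_auth": Request(lan, "CONNECT", "s1.trrsf.com", 443, None),
        # The whitelisted domain needs no authentication at all.
        "wl_no_auth": Request(lan, "CONNECT", "www.terra.com.br", 443, None),
        # Unescaped dots and missing anchors let look-alike hosts through.
        "lookalike": Request(lan, "CONNECT", "terra-com-br.example", 443, None),
        "suffix": Request(lan, "CONNECT", "terra.com.br.example", 443, None),
        # A port outside sslports is refused before credentials are asked for.
        "bad_port": Request(lan, "CONNECT", "www.terra.com.br", 8443, "alice"),
        # Authenticated LAN client on plain HTTP, and a client outside both subnets.
        "lan_auth": Request(lan, "GET", "example.com", 80, "alice", http),
        "other_net": Request("10.0.0.5", "GET", "example.com", 80, "alice", http),
    }
    return {k: (evaluate(r, loose), evaluate(r, strict)) for k, r in cases.items()}


if __name__ == "__main__":
    for case, (loose_res, strict_res) in demo().items():
        print(f"{case:12} loose={loose_res}  strict={strict_res}")
```

Two things the run shows. First, any host matched by `whitelist` is allowed by `http_access allow whitelist` before the `password` ACL is ever reached, so those requests go through with no authentication at all. Second, an entry such as `terra.com.br` used as a regex also matches `terra-com-br.example` and `terra.com.br.example`, whereas `(^|\.)terra\.com\.br$` matches only that domain and its subdomains; if the GUI does not escape or anchor what is typed, the anchored form is what belongs in the whitelist. The model leaves out ssl_bump entirely, so it says nothing about the TAG_NONE/200 CONNECT entry in the posted log line.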

Hi folks,

I changed the X-Forwarded Header Mode option to off and the error went away.

        Thalles Leonel

hibandx

Do you use samba? If so, how did you install it?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.