SquidGuard não está bloqueando sites.
-
Boa tarde ai Gente!
Eu não consigo fazer o SquidGuard bloquear sites. Aparentemente os usuários passam normalmente pelo squid, mas não pelo squidguard, já fiz testes de bloqueio somente pelo squid, e ai rola normal. Agora quando tenho criar uma regra de blacklist no squidguard, ele não bloqueia.
Versões:
Pfsense: 2.3.3 amd64
Squid: 0.4.36_3
SquidGuard: 1.16.2Uso proxy normal com autenticação via AD (Winbind NTLM) no Squid, e estou com a opção LDAP ativo no squidguard.
Detalhe é que usei um script pd2ad para fazer o squid autenticar no AD e não exigir usuário e senha no proxy para o usuário. (já usando as credenciais do AD)verifiquei a integração do squid com o squiguard, mas parece que os usuários não passam pelo squidguard.
Meu Squid.conf:
http_port 135.20.1.100:3128 icp_port 0 digest_generation off dns_v4_first on pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language pt-br icon_directory /usr/local/etc/squid/icons visible_hostname Ramed cache_mgr wagner@ramed.com.br access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger logfile_rotate 0 debug_options rotate=0 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 135.20.1.0/24 forwarded_for on httpd_suppress_version_string on uri_whitespace strip cache_mem 64 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 MB cache_dir ufs /var/squid/cache 1000 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 acl sslports port 443 563 acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Package Integration url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 16 startup=8 idle=4 concurrency=0 # Custom options before auth acl sglog url_regex -i sgr=ACCESSDENIED auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --domain=ramed.com.br --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm keep_alive off auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 20 auth_param basic realm Please enter your credentials to access the proxy auth_param basic credentialsttl 5 minutes acl password proxy_auth REQUIRED # Custom options after auth http_access deny password sglog http_access allow password localnet # Default block all to be sure http_access deny allsrc icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off adaptation_access service_avi_req allow all icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on adaptation_access service_avi_resp allow all
Mensagem no Cache Logs do Squid:
Date-Time Mensagem 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers...
no Cache logs do squid guard não tem nada :s
alguém tem alguma idéia do que esta acontecendo?
valeu!
-
Boa tarde ai Gente!
Eu não consigo fazer o SquidGuard bloquear sites. Aparentemente os usuários passam normalmente pelo squid, mas não pelo squidguard, já fiz testes de bloqueio somente pelo squid, e ai rola normal. Agora quando tenho criar uma regra de blacklist no squidguard, ele não bloqueia.
Versões:
Pfsense: 2.3.3 amd64
Squid: 0.4.36_3
SquidGuard: 1.16.2Uso proxy normal com autenticação via AD (Winbind NTLM) no Squid, e estou com a opção LDAP ativo no squidguard.
Detalhe é que usei um script pd2ad para fazer o squid autenticar no AD e não exigir usuário e senha no proxy para o usuário. (já usando as credenciais do AD)verifiquei a integração do squid com o squiguard, mas parece que os usuários não passam pelo squidguard.
Meu Squid.conf:
http_port 135.20.1.100:3128 icp_port 0 digest_generation off dns_v4_first on pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language pt-br icon_directory /usr/local/etc/squid/icons visible_hostname Ramed cache_mgr wagner@ramed.com.br access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger logfile_rotate 0 debug_options rotate=0 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 135.20.1.0/24 forwarded_for on httpd_suppress_version_string on uri_whitespace strip cache_mem 64 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 MB cache_dir ufs /var/squid/cache 1000 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 acl sslports port 443 563 acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Package Integration url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 16 startup=8 idle=4 concurrency=0 # Custom options before auth acl sglog url_regex -i sgr=ACCESSDENIED auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --domain=ramed.com.br --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm keep_alive off auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 20 auth_param basic realm Please enter your credentials to access the proxy auth_param basic credentialsttl 5 minutes acl password proxy_auth REQUIRED # Custom options after auth http_access deny password sglog http_access allow password localnet # Default block all to be sure http_access deny allsrc icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off adaptation_access service_avi_req allow all icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on adaptation_access service_avi_resp allow all
Mensagem no Cache Logs do Squid:
Date-Time Mensagem 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:50 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers... 08.05.2017 14:55:45 Starting new ntlmauthenticator helpers...
no Cache logs do squid guard não tem nada :s
alguém tem alguma idéia do que esta acontecendo?
valeu!
Já foi respondido uma dúvida igual a sua aqui!!!
https://forum.pfsense.org/index.php?topic=129617.new;topicseen#new
-
Já foi respondido uma dúvida igual a sua aqui!!!
https://forum.pfsense.org/index.php?topic=129617.new;topicseen#new
Obrigado! mas mesmo executando todos os passos descritos ainda não resolveu,
deixei todos os campos de LDAP em branco, fiz testes usando 'nome.usuario' , usando apenas o IP da maquina e nada.veja o arquivo squidguard.conf :
logdir /var/squidGuard/log dbhome /var/db/squidGuard ldapbinddn ldapbindpass ldapprotover 2 # src Porno_facebook { ip 135.20.1.41 log block.log } # dest blk_BL_adv { domainlist blk_BL_adv/domains urllist blk_BL_adv/urls log block.log } # dest blk_BL_aggressive { domainlist blk_BL_aggressive/domains urllist blk_BL_aggressive/urls log block.log } # dest blk_BL_alcohol { domainlist blk_BL_alcohol/domains urllist blk_BL_alcohol/urls log block.log } # dest blk_BL_anonvpn { domainlist blk_BL_anonvpn/domains urllist blk_BL_anonvpn/urls log block.log } # dest blk_BL_automobile_bikes { domainlist blk_BL_automobile_bikes/domains urllist blk_BL_automobile_bikes/urls log block.log } # dest blk_BL_automobile_boats { domainlist blk_BL_automobile_boats/domains urllist blk_BL_automobile_boats/urls log block.log } # dest blk_BL_automobile_cars { domainlist blk_BL_automobile_cars/domains urllist blk_BL_automobile_cars/urls log block.log } # dest blk_BL_automobile_planes { domainlist blk_BL_automobile_planes/domains urllist blk_BL_automobile_planes/urls log block.log } # dest blk_BL_chat { domainlist blk_BL_chat/domains urllist blk_BL_chat/urls log block.log } # dest blk_BL_costtraps { domainlist blk_BL_costtraps/domains urllist blk_BL_costtraps/urls log block.log } # dest blk_BL_dating { domainlist blk_BL_dating/domains urllist blk_BL_dating/urls log block.log } # dest blk_BL_downloads { domainlist blk_BL_downloads/domains urllist blk_BL_downloads/urls log block.log } # dest blk_BL_drugs { domainlist blk_BL_drugs/domains urllist blk_BL_drugs/urls log block.log } # dest blk_BL_dynamic { domainlist blk_BL_dynamic/domains urllist blk_BL_dynamic/urls log block.log } # dest blk_BL_education_schools { domainlist blk_BL_education_schools/domains urllist blk_BL_education_schools/urls log block.log } # dest blk_BL_finance_banking { domainlist blk_BL_finance_banking/domains urllist blk_BL_finance_banking/urls log block.log } # dest blk_BL_finance_insurance { domainlist blk_BL_finance_insurance/domains urllist blk_BL_finance_insurance/urls log block.log } # dest blk_BL_finance_moneylending { domainlist blk_BL_finance_moneylending/domains urllist blk_BL_finance_moneylending/urls log block.log } # dest blk_BL_finance_other { domainlist blk_BL_finance_other/domains urllist blk_BL_finance_other/urls log block.log } # dest blk_BL_finance_realestate { domainlist blk_BL_finance_realestate/domains urllist blk_BL_finance_realestate/urls log block.log } # dest blk_BL_finance_trading { domainlist blk_BL_finance_trading/domains urllist blk_BL_finance_trading/urls log block.log } # dest blk_BL_fortunetelling { domainlist blk_BL_fortunetelling/domains urllist blk_BL_fortunetelling/urls log block.log } # dest blk_BL_forum { domainlist blk_BL_forum/domains urllist blk_BL_forum/urls log block.log } # dest blk_BL_gamble { domainlist blk_BL_gamble/domains urllist blk_BL_gamble/urls log block.log } # dest blk_BL_government { domainlist blk_BL_government/domains urllist blk_BL_government/urls log block.log } # dest blk_BL_hacking { domainlist blk_BL_hacking/domains urllist blk_BL_hacking/urls log block.log } # dest blk_BL_hobby_cooking { domainlist blk_BL_hobby_cooking/domains urllist blk_BL_hobby_cooking/urls log block.log } # dest blk_BL_hobby_games-misc { domainlist blk_BL_hobby_games-misc/domains urllist blk_BL_hobby_games-misc/urls log block.log } # dest blk_BL_hobby_games-online { domainlist blk_BL_hobby_games-online/domains urllist blk_BL_hobby_games-online/urls log block.log } # dest blk_BL_hobby_gardening { domainlist blk_BL_hobby_gardening/domains urllist blk_BL_hobby_gardening/urls log block.log } # dest blk_BL_hobby_pets { domainlist blk_BL_hobby_pets/domains urllist blk_BL_hobby_pets/urls log block.log } # dest blk_BL_homestyle { domainlist blk_BL_homestyle/domains urllist blk_BL_homestyle/urls log block.log } # dest blk_BL_hospitals { domainlist blk_BL_hospitals/domains urllist blk_BL_hospitals/urls log block.log } # dest blk_BL_imagehosting { domainlist blk_BL_imagehosting/domains urllist blk_BL_imagehosting/urls log block.log } # dest blk_BL_isp { domainlist blk_BL_isp/domains urllist blk_BL_isp/urls log block.log } # dest blk_BL_jobsearch { domainlist blk_BL_jobsearch/domains urllist blk_BL_jobsearch/urls log block.log } # dest blk_BL_library { domainlist blk_BL_library/domains urllist blk_BL_library/urls log block.log } # dest blk_BL_military { domainlist blk_BL_military/domains urllist blk_BL_military/urls log block.log } # dest blk_BL_models { domainlist blk_BL_models/domains urllist blk_BL_models/urls log block.log } # dest blk_BL_movies { domainlist blk_BL_movies/domains urllist blk_BL_movies/urls log block.log } # dest blk_BL_music { domainlist blk_BL_music/domains urllist blk_BL_music/urls log block.log } # dest blk_BL_news { domainlist blk_BL_news/domains urllist blk_BL_news/urls log block.log } # dest blk_BL_podcasts { domainlist blk_BL_podcasts/domains urllist blk_BL_podcasts/urls log block.log } # dest blk_BL_politics { domainlist blk_BL_politics/domains urllist blk_BL_politics/urls log block.log } # dest blk_BL_porn { domainlist blk_BL_porn/domains urllist blk_BL_porn/urls log block.log } # dest blk_BL_radiotv { domainlist blk_BL_radiotv/domains urllist blk_BL_radiotv/urls log block.log } # dest blk_BL_recreation_humor { domainlist blk_BL_recreation_humor/domains urllist blk_BL_recreation_humor/urls log block.log } # dest blk_BL_recreation_martialarts { domainlist blk_BL_recreation_martialarts/domains urllist blk_BL_recreation_martialarts/urls log block.log } # dest blk_BL_recreation_restaurants { domainlist blk_BL_recreation_restaurants/domains urllist blk_BL_recreation_restaurants/urls log block.log } # dest blk_BL_recreation_sports { domainlist blk_BL_recreation_sports/domains urllist blk_BL_recreation_sports/urls log block.log } # dest blk_BL_recreation_travel { domainlist blk_BL_recreation_travel/domains urllist blk_BL_recreation_travel/urls log block.log } # dest blk_BL_recreation_wellness { domainlist blk_BL_recreation_wellness/domains urllist blk_BL_recreation_wellness/urls log block.log } # dest blk_BL_redirector { domainlist blk_BL_redirector/domains urllist blk_BL_redirector/urls log block.log } # dest blk_BL_religion { domainlist blk_BL_religion/domains urllist blk_BL_religion/urls log block.log } # dest blk_BL_remotecontrol { domainlist blk_BL_remotecontrol/domains urllist blk_BL_remotecontrol/urls log block.log } # dest blk_BL_ringtones { domainlist blk_BL_ringtones/domains urllist blk_BL_ringtones/urls log block.log } # dest blk_BL_science_astronomy { domainlist blk_BL_science_astronomy/domains urllist blk_BL_science_astronomy/urls log block.log } # dest blk_BL_science_chemistry { domainlist blk_BL_science_chemistry/domains urllist blk_BL_science_chemistry/urls log block.log } # dest blk_BL_searchengines { domainlist blk_BL_searchengines/domains urllist blk_BL_searchengines/urls log block.log } # dest blk_BL_sex_education { domainlist blk_BL_sex_education/domains urllist blk_BL_sex_education/urls log block.log } # dest blk_BL_sex_lingerie { domainlist blk_BL_sex_lingerie/domains urllist blk_BL_sex_lingerie/urls log block.log } # dest blk_BL_shopping { domainlist blk_BL_shopping/domains urllist blk_BL_shopping/urls log block.log } # dest blk_BL_socialnet { domainlist blk_BL_socialnet/domains urllist blk_BL_socialnet/urls log block.log } # dest blk_BL_spyware { domainlist blk_BL_spyware/domains urllist blk_BL_spyware/urls log block.log } # dest blk_BL_tracker { domainlist blk_BL_tracker/domains urllist blk_BL_tracker/urls log block.log } # dest blk_BL_updatesites { domainlist blk_BL_updatesites/domains urllist blk_BL_updatesites/urls log block.log } # dest blk_BL_urlshortener { domainlist blk_BL_urlshortener/domains urllist blk_BL_urlshortener/urls log block.log } # dest blk_BL_violence { domainlist blk_BL_violence/domains urllist blk_BL_violence/urls log block.log } # dest blk_BL_warez { domainlist blk_BL_warez/domains urllist blk_BL_warez/urls log block.log } # dest blk_BL_weapons { domainlist blk_BL_weapons/domains urllist blk_BL_weapons/urls log block.log } # dest blk_BL_webmail { domainlist blk_BL_webmail/domains urllist blk_BL_webmail/urls log block.log } # dest blk_BL_webphone { domainlist blk_BL_webphone/domains urllist blk_BL_webphone/urls log block.log } # dest blk_BL_webradio { domainlist blk_BL_webradio/domains urllist blk_BL_webradio/urls log block.log } # dest blk_BL_webtv { domainlist blk_BL_webtv/domains urllist blk_BL_webtv/urls log block.log } # dest Facebook { domainlist Facebook/domains redirect http://135.20.1.100:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u log block.log } # rew safesearch { s@(google..*/search?.*q=.*)@&safe=active@i s@(google..*/images.*q=.*)@&safe=active@i s@(google..*/groups.*q=.*)@&safe=active@i s@(google..*/news.*q=.*)@&safe=active@i s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i s@(search.live..*/.*q=.*)@&adlt=strict@i s@(search.msn..*/.*q=.*)@&adlt=strict@i s@(.bing..*/.*q=.*)@&adlt=strict@i log block.log } # acl { # Porno_facebook { pass !Facebook !blk_BL_porn all redirect http://135.20.1.100:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u rewrite safesearch log block.log } # default { pass all redirect http://135.20.1.100:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u } }
alguma outra sugestão????
att,
-
agora aparece um erro no log do squid:
08.05.2017 16:55:19 ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1