Squidguard is not working.
-
Hi everyone!
I'm having trouble getting squidGuard to work on pfSense 2.4.4 (p1, p2 and p3).
Squid is working perfectly, but when I integrate it with squidGuard it doesn't block anything. It is authenticating against AD normally.
In Common ACL I blocked everything, as a test; afterwards I'll create the rules to allow some sites. I think it should block access to any site regardless of who authenticated.
I've already reinstalled pfSense several times.
Here are the squid and squidGuard configurations.
squid.conf
# Do not edit manually !

http_port 10.0.8.3:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=30MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language pt-br
icon_directory /usr/local/etc/squid/icons
visible_hostname Intranet
cache_mgr ti@dominio.local
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 15
sslproxy_capath /usr/local/share/certs/
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS

logfile_rotate 90
debug_options rotate=90
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.0.8.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 5000 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#Remote proxies

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth

# Block access to blacklist domains
http_access deny blacklist
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=dominio,DC=local -R -D CN=Administrador,CN=Users,DC=dominio,DC=local -w 123456 -f "sAMAccountName=%s" -u uid -P 10.0.8.3:389
auth_param basic children 10
auth_param basic realm Entre com suas credênciais
auth_param basic credentialsttl 480 minutes
acl password proxy_auth REQUIRED

# Custom options after auth

ssl_bump peek step1
ssl_bump bump all
http_access allow password localnet
# Default block all to be sure
http_access deny allsrc
squidGuard.conf
# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=Administrador,cn=Users,dc=dominio,dc=local
ldapbindpass 123456
ldapprotover 3

#
dest Bloqueio {
    domainlist Bloqueio/domains
    redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
}

#
rew safesearch {
    s@(google\..*/search?.*q=.*)@\1\&safe=active@i
    s@(google\..*/images.*q=.*)@\1\&safe=active@i
    s@(google\..*/groups.*q=.*)@\1\&safe=active@i
    s@(google\..*/news.*q=.*)@\1\&safe=active@i
    s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
    s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
    s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
    log block.log
}

#
acl {
    #
    default {
        pass !all
        redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
-
The problem is with LDAP, because I configured the transparent proxy and squidGuard respected the rules.
-
Solved.
In my case it was the password I set in squidGuard's LDAP settings. It can't have special characters... I was testing with Administrador. I created a user and set the password 123456, which didn't work either (I think because it's too easy); I changed it to an alphanumeric one and it worked...
But I slipped up, a white-belt rookie mistake, lol; if I had gone to the log from the start I would have found the problem right away....
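
Added example (not part of the thread or of the pfSense package): a POSIX sh pre-flight check for the fix described above. It flags an ldapbindpass containing characters other than letters and digits, and counts log lines suggesting squidGuard could not load its configuration; the two log phrases and the sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense squidGuard package.

# Flag an ldapbindpass that contains anything but ASCII letters and digits.
# The password itself is never printed. Returns 1 when a line is flagged.
check_bindpass() {  # $1 = path to squidGuard.conf
    awk '$1 == "ldapbindpass" {
             sub(/^[ \t]*ldapbindpass[ \t]+/, "")
             if ($0 ~ /[^A-Za-z0-9]/) {
                 print "line " NR ": ldapbindpass contains non-alphanumeric characters"
                 bad = 1
             }
         }
         END { exit bad + 0 }' "$1"
}

# Count log lines suggesting squidGuard failed to load its configuration.
# ASSUMPTION: the two phrases below; adjust them to the wording in your log.
count_config_errors() {  # $1 = path to the squidGuard log
    grep -ciE 'emergency mode|syntax error' "$1"
}

# Constructed sample input so the script runs on any machine.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ldapbinddn cn=svc,dc=dominio,dc=local\nldapbindpass p@ss#1\n' > "$tmp/bad.conf"
    printf 'ldapbinddn cn=svc,dc=dominio,dc=local\nldapbindpass Abc12345\n' > "$tmp/ok.conf"
    printf '%s\n' '2019-01-01 10:00:00 [100] syntax error in configfile line 9' \
                  '2019-01-01 10:00:00 [100] going into emergency mode' > "$tmp/sg.log"
    check_bindpass "$tmp/bad.conf" || echo "bad.conf: change the bind password"
    check_bindpass "$tmp/ok.conf" && echo "ok.conf: bind password is clean"
    echo "config errors in log: $(count_config_errors "$tmp/sg.log")"
    rm -rf "$tmp"
}

demo
```

On the firewall, point check_bindpass at /usr/local/etc/squidGuard/squidGuard.conf and count_config_errors at the log file under /var/squidGuard/log (the file name squidGuard.log is assumed here).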