Netgate Discussion Forum
    Squidguard is not working.

    Portuguese
    William Martins

      Hi everyone!

      I'm having trouble getting squidGuard to work on pfSense 2.4.4 (p1, p2 and p3).

      Squid is working perfectly, but when I integrate it with squidGuard it doesn't block anything. It authenticates against AD normally.

      In Common ACL I blocked everything, to test, and later I will create rules to allow some sites. I think it should block access to any site regardless of who authenticated.

      I've already reinstalled pfSense several times.

      Here are the squid and squidGuard configurations.

      squid.conf

      # Do not edit manually !
      
      http_port 10.0.8.3:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=30MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      
      icp_port 0
      digest_generation off
      dns_v4_first on
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language pt-br
      icon_directory /usr/local/etc/squid/icons
      visible_hostname Intranet
      cache_mgr ti@dominio.local
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger
      sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
      sslcrtd_children 15
      sslproxy_capath /usr/local/share/certs/
      sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
      
      logfile_rotate 90
      debug_options rotate=90
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src  10.0.8.0/24
      forwarded_for on
      httpd_suppress_version_string on
      uri_whitespace strip
      
      acl dynamic urlpath_regex cgi-bin \?
      cache deny dynamic
      
      cache_mem 64 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB
      cache_dir ufs /var/squid/cache 5000 16 256
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all
      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320
      
      
      #Remote proxies
      
      
      # Setup some default acls
      # ACLs all, manager, localhost, and to_localhost are predefined.
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
      acl sslports port 443 563  
      
      acl purge method PURGE
      acl connect method CONNECT
      
      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      
      # SslBump Peek and Splice
      # http://wiki.squid-cache.org/Features/SslPeekAndSplice
      # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
      # Match against the current step during ssl_bump evaluation [fast]
      # Never matches and should not be used outside the ssl_bump context.
      #
      # At each SslBump step, Squid evaluates ssl_bump directives to find
      # the next bumping action (e.g., peek or splice). Valid SslBump step
      # values and the corresponding ssl_bump evaluation moments are:
      #   SslBump1: After getting TCP-level and HTTP CONNECT info.
      #   SslBump2: After getting TLS Client Hello info.
      #   SslBump3: After getting TLS Server Hello info.
      # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
      # they can be used there for custom configuration.
      acl step1 at_step SslBump1
      acl step2 at_step SslBump2
      acl step3 at_step SslBump3
      acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      http_access allow localhost
      
      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc
      
      # Reverse Proxy settings
      
      
      # Package Integration
      url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
      
      # Custom options before auth
      
      
      # Block access to blacklist domains
      http_access deny blacklist
      auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=dominio,DC=local -R -D CN=Administrador,CN=Users,DC=dominio,DC=local -w 123456 -f "sAMAccountName=%s" -u uid -P 10.0.8.3:389
      auth_param basic children 10
      auth_param basic realm Entre com suas credênciais
      auth_param basic credentialsttl 480 minutes
      acl password proxy_auth REQUIRED
      # Custom options after auth
      
      
      ssl_bump peek step1
      ssl_bump bump all
      http_access allow password localnet
      # Default block all to be sure
      http_access deny allsrc
      
      
      

      squidGuard.conf

      # ============================================================
      # SquidGuard configuration file
      # This file generated automaticly with SquidGuard configurator
      # (C)2006 Serg Dvoriancev
      # email: dv_serg@mail.ru
      # ============================================================
      
      logdir /var/squidGuard/log
      dbhome /var/db/squidGuard
      ldapbinddn cn=Administrador,cn=Users,dc=dominio,dc=local
      ldapbindpass 123456
      ldapprotover 3
      
      # 
      dest Bloqueio {
      	domainlist Bloqueio/domains
      	redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      }
      
      # 
      rew safesearch {
      	s@(google\..*/search?.*q=.*)@\1\&safe=active@i
      	s@(google\..*/images.*q=.*)@\1\&safe=active@i
      	s@(google\..*/groups.*q=.*)@\1\&safe=active@i
      	s@(google\..*/news.*q=.*)@\1\&safe=active@i
      	s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
      	s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
      	s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
      	s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
      	s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
      	log block.log
      }
      
      # 
      acl  {
      	# 
      	default  {
      		pass !all
      		redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      	}
      }
      
      William Martins

        The problem is with LDAP, because I configured a transparent proxy and squidGuard honored the rules.

        William Martins

          Solved.

          In my case it was the password I set in squidGuard's LDAP settings. It can't have special characters... I was testing with Administrador. I created a user and set the password 123456, which didn't work either (I think because it's too easy); I changed it to an alphanumeric one and it worked...

          But I slipped up, a white-belt mistake lol; if I had gone to the log from the start I would have found the problem quickly....

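As an added example (not from the thread or the pfSense package), a Python check for the two things this thread turned on: whether the squidGuard helpers started cleanly or fell into emergency mode, in which they pass every request through, and whether the ldapbindpass in squidGuard.conf contains characters the config parser may reject. The log line wording and the set of risky characters are assumptions; the sample log is constructed.

```python
import re

# Constructed sample of squidGuard's own log (logdir /var/squidGuard/log in the
# thread); the "ready for requests" and "going into emergency mode" wording follows
# squidGuard's log messages as I know them (assumption: check your version's log).
SAMPLE_LOG = """\
2019-03-01 10:00:01 [4711] init domainlist /var/db/squidGuard/Bloqueio/domains
2019-03-01 10:00:01 [4711] squidGuard ready for requests (1551434401.103)
2019-03-01 10:00:02 [4712] init domainlist /var/db/squidGuard/Bloqueio/domains
2019-03-01 10:00:02 [4712] ldap bind failed (constructed error line)
2019-03-01 10:00:02 [4712] going into emergency mode
"""

LINE_RE = re.compile(r"^\S+ \S+ \[(\d+)\] (.*)$")

def helper_states(log_text):
    """Map each squidGuard helper pid to its last state ('ready' or 'emergency').

    A helper in emergency mode passes every request through unchanged, which
    looks like "squidGuard blocks nothing" even when the ACLs are correct.
    """
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if "ready for requests" in msg:
            states[pid] = "ready"
        elif "emergency mode" in msg:
            states[pid] = "emergency"
    return states

def emergency_pids(log_text):
    """Pids of helpers that fell back to emergency (pass-all) mode."""
    return sorted(p for p, s in helper_states(log_text).items() if s == "emergency")

# Characters the thread suggests squidGuard will not accept in ldapbindpass
# (whitespace, quotes, comment and brace characters); this set is an assumption.
RISKY = set(" \t#\"'\\{}")

def risky_bindpass_chars(conf_text):
    """Risky characters found in the ldapbindpass value, or None if not set."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "ldapbindpass":
            return sorted(set(parts[1]) & RISKY)
    return None
```

Run it against the real squidGuard.log and squidGuard.conf before touching ACLs: a helper in emergency mode explains "blocks nothing" on its own.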
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.