Squidguard não está funcionando.



  • Olá pessoal!

    Estou com problema para fazer o squidGuard funcionar no PFSense 2.4.4 (p1, p2 e p3).

    O squid está funcionando perfeitamente, porém quando eu integro com o squidGuard ele não bloqueia nada. Está autenticando no AD normalmente.

    Em Common ACL eu bloqueei tudo, para testar; depois crio as regras para liberar alguns sites. Acho que deveria bloquear o acesso a qualquer site, independentemente de quem autenticou.

    Já reinstalei várias vezes o PFsense.

    Seguem as configurações do squid e do squidGuard.

    squid.conf

    # Do not edit manually !
    # Generated squid.conf for an explicit (non-transparent) proxy on 10.0.8.3:3128
    # with TLS interception, LDAP-backed Basic authentication and squidGuard as
    # URL rewriter. Rule order matters: http_access lines are evaluated top-down
    # and the first match wins.
    
    # Listener with ssl-bump: host certificates are generated on the fly and
    # signed with cert=/usr/local/etc/squid/serverkey.pem, so every client must
    # trust that CA. No key= is given, so the same file presumably also holds the
    # CA private key - restrict its permissions (verify on the box).
    # Cipher list: the EECDH+aRSA+RC4 entry is cancelled by the later !RC4.
    # options= disables SSLv2, SSLv3 and TLSv1 only; TLS 1.1 is still accepted.
    http_port 10.0.8.3:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=30MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    
    icp_port 0
    digest_generation off
    dns_v4_first on
    pid_filename /var/run/squid/squid.pid
    # Squid runs as the unprivileged squid:proxy account.
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language pt-br
    icon_directory /usr/local/etc/squid/icons
    visible_hostname Intranet
    cache_mgr ti@dominio.local
    # With ssl-bump active, access.log can contain full HTTPS URLs; treat the
    # log directory as sensitive.
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    # Helper that mints the per-host certificates; /var/squid/lib/ssl_db is its
    # on-disk certificate store.
    sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    sslcrtd_children 15
    # Outbound (Squid -> origin server) TLS settings; same protocol and cipher
    # policy as the listener above.
    sslproxy_capath /usr/local/share/certs/
    sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
    
    logfile_rotate 90
    debug_options rotate=90
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  10.0.8.0/24
    # forwarded_for on adds the client's address to X-Forwarded-For, so internal
    # 10.0.8.0/24 addresses are disclosed to origin servers.
    forwarded_for on
    httpd_suppress_version_string on
    uri_whitespace strip
    
    # Never cache dynamic content (cgi-bin paths or URLs with a query string).
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    
    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    cache_dir ufs /var/squid/cache 5000 16 256
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    
    
    #Remote proxies
    
    
    # Setup some default acls
    # ACLs all, manager, localhost, and to_localhost are predefined.
    acl allsrc src all
    # safeports includes the whole 1025-65535 range, so "deny !safeports" below
    # only blocks low ports that are not listed here.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
    # CONNECT tunnels are limited to these two ports (see "deny CONNECT !sslports").
    acl sslports port 443 563  
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    
    # SslBump Peek and Splice
    # http://wiki.squid-cache.org/Features/SslPeekAndSplice
    # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
    # Match against the current step during ssl_bump evaluation [fast]
    # Never matches and should not be used outside the ssl_bump context.
    #
    # At each SslBump step, Squid evaluates ssl_bump directives to find
    # the next bumping action (e.g., peek or splice). Valid SslBump step
    # values and the corresponding ssl_bump evaluation moments are:
    #   SslBump1: After getting TCP-level and HTTP CONNECT info.
    #   SslBump2: After getting TLS Client Hello info.
    #   SslBump3: After getting TLS Server Hello info.
    # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
    # they can be used there for custom configuration.
    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    # Destination-domain regex blacklist loaded from a file (case-insensitive).
    acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
    # Cache manager and PURGE are reachable from localhost only.
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    # 0 KB means no limit on request body size.
    request_body_max_size 0 KB
    # One class-2 delay pool with -1/-1 buckets, i.e. no bandwidth limit applied.
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    
    
    # Package Integration
    # NOTE(review): in this paste three directives are joined by ';' on a single
    # line. squid.conf takes one directive per line; if the file on disk really
    # looks like this, squidGuard would be started with a mangled -c argument and
    # the bypass/children settings would not apply - confirm against the file.
    # url_rewrite_bypass off means requests are not passed around the rewriter
    # when its helpers are busy.
    url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;url_rewrite_bypass off;url_rewrite_children 16 startup=8 idle=4 concurrency=0
    
    # Custom options before auth
    
    
    # Block access to blacklist domains
    # Evaluated before authentication, so blacklisted domains are refused
    # without prompting for credentials.
    http_access deny blacklist
    # LDAP Basic-auth helper. Security-relevant points visible on this line:
    #  - it binds as the domain Administrator (-D); a dedicated read-only
    #    service account is the least-privilege choice for directory lookups;
    #  - the bind password is passed with -w, so it sits in clear text in this
    #    file and on the helper's command line; basic_ldap_auth can read it
    #    from a file instead (-W);
    #  - the password shown here was posted publicly and should be considered
    #    compromised;
    #  - the server is addressed on port 389 with no TLS flag, so the bind
    #    password and every user's password cross the network unencrypted;
    #  - Basic auth itself sends user credentials to 10.0.8.3:3128 only
    #    base64-encoded.
    # NOTE(review): the LDAP server address equals the proxy's own listen
    # address (10.0.8.3) - confirm this is really the domain controller.
    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b DC=dominio,DC=local -R -D CN=Administrador,CN=Users,DC=dominio,DC=local -w 123456 -f "sAMAccountName=%s" -u uid -P 10.0.8.3:389
    auth_param basic children 10
    auth_param basic realm Entre com suas credênciais
    # Validated credentials are cached for 8 hours; a disabled or changed AD
    # account may keep working at the proxy for up to that long.
    auth_param basic credentialsttl 480 minutes
    acl password proxy_auth REQUIRED
    # Custom options after auth
    
    
    # Peek at step 1, then bump everything: all TLS connections are decrypted
    # and re-encrypted by the proxy; there is no splice exception for sites
    # that should not be intercepted.
    ssl_bump peek step1
    ssl_bump bump all
    # Only authenticated users coming from 10.0.8.0/24 are allowed.
    http_access allow password localnet
    # Default block all to be sure
    http_access deny allsrc
    
    
    

    squidGuard.conf

    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    # Summary of what is visible below: one destination list (Bloqueio), one
    # rewrite group (safesearch) and a default ACL that denies everything.
    
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    # LDAP bind settings. The bind DN is the domain Administrator and the
    # password is stored in clear text; a low-privilege read-only account is
    # the safer choice, and the value shown here should be treated as
    # compromised since it was posted publicly.
    # The thread author later reports that the bind password chosen here was
    # the cause of the failure (special characters / this value did not work).
    # NOTE(review): no src block with an LDAP user search appears in this
    # paste, so nothing visible here actually uses these bind settings.
    ldapbinddn cn=Administrador,cn=Users,dc=dominio,dc=local
    ldapbindpass 123456
    ldapprotover 3
    
    # Destination category "Bloqueio": domains listed in Bloqueio/domains
    # (relative to dbhome), redirected to the local error page on match.
    dest Bloqueio {
    	domainlist Bloqueio/domains
    	redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
    
    # Rewrite group that appends safe-search parameters to search-engine URLs.
    # NOTE(review): it is defined but not referenced by the acl block below, so
    # it looks unused in this configuration.
    # In "search?" and "yandsearch?" the unescaped '?' makes the preceding 'h'
    # optional rather than matching a literal question mark.
    rew safesearch {
    	s@(google\..*/search?.*q=.*)@\1\&safe=active@i
    	s@(google\..*/images.*q=.*)@\1\&safe=active@i
    	s@(google\..*/groups.*q=.*)@\1\&safe=active@i
    	s@(google\..*/news.*q=.*)@\1\&safe=active@i
    	s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    	s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
    	s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
    	s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    	s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
    	log block.log
    }
    
    # Access rules: only the default rule exists.
    acl  {
    	# Deny-all test policy described in the post: nothing is passed and
    	# every request is redirected to the error page.
    	default  {
    		pass !all
    		redirect http://127.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    	}
    }
    


  • O problema está no LDAP, porque configurei o proxy transparente e o squidGuard respeitou as regras.



  • Resolvido.

    No meu caso era a senha que setei no LDAP do squidGuard. Não pode ter caracteres especiais... Estava testando com Administrador. Criei um usuário e coloquei a senha 123456, também não serviu (acho que porque é muito fácil); mudei para uma alfanumérica e funfou...

    Mas dei mole, coisa de quem é faixa branca ainda kkk, se tivesse ido desde o início no log acharia o problema rapidinho....

