    SquidGuard does not block HTTPS downloads

    • catatau77

      Good afternoon, everyone.
      I use pfSense in non-transparent mode + Squid + SquidGuard, and so far it works perfectly, blocking HTTPS sites based on the SquidGuard blacklist.
      I created a category in SquidGuard to block downloads of certain file types, and it works perfectly when the URL is HTTP, but when it is HTTPS it does not block.

      Category Bloqueio Extensao
      Expressions: (./..(zip|rar|tar|gz|cab|msi|exe|asf|wm|wma|wmv|midi|mov|vob|cab|mkv|3gp|mp3|mp4|avi|mpg|mpeg|mpv|vpu|rmvb))

      Ex.: The URL on the workstation is https://dominio.com/arquivo.exe

      Squid log:
      172.24.0.200 TCP_MISS/200 583502 CONNECT dominio.com:443 - DIRECT/72.21.215.100 -

      How do I get Squid + SquidGuard to block downloads???

      Thanks

      • marcelloc

        Put it in Squid, if the ACL that allows SSL CONNECT comes before the calls to squidGuard.

        Elite training: http://sys-squad.com

        Help a community developer! ;D

        • catatau77

          Marcelloc, please take a look and see if it is correct.

          # Do not edit manually !

          http_port 172.24.0.254:3128
          icp_port 0

          pid_filename /var/run/squid.pid
          cache_effective_user proxy
          cache_effective_group proxy
          error_directory /usr/local/etc/squid/errors/Portuguese
          icon_directory /usr/local/etc/squid/icons
          visible_hostname localhost
          cache_mgr admin@localhost
          access_log /var/squid/log/access.log
          cache_log /var/squid/log/cache.log
          cache_store_log none
          logfile_rotate 30
          shutdown_lifetime 3 seconds

          # Allow local network(s) on interface(s)

          acl localnet src  172.24.0.0/255.255.255.0
          httpd_suppress_version_string on
          uri_whitespace strip

          cache_mem 1024 MB
          maximum_object_size_in_memory 32 KB
          memory_replacement_policy heap GDSF
          cache_replacement_policy heap LFUDA
          cache_dir ufs /var/squid/cache 3000 16 256
          minimum_object_size 0 KB
          maximum_object_size 4 KB
          offline_mode off
          cache_swap_low 90
          cache_swap_high 95

          # No redirector configured

          # Setup some default acls

          acl all src 0.0.0.0/0.0.0.0
          acl localhost src 127.0.0.1/255.255.255.255
          acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 1025-65535
          acl sslports port 443 563 8080
          acl manager proto cache_object
          acl purge method PURGE
          acl connect method CONNECT
          acl dynamic urlpath_regex cgi-bin ?
          acl allowed_subnets src 172.24.0.0/24 172.24.1.0/24 172.24.2.0/24 172.24.3.1/32 172.24.3.2/32 172.24.3.3/32 172.24.4.2/32
          acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
          cache deny dynamic
          http_access allow manager localhost

          # Allow external cache managers

          acl ext_manager_1 src 127.0.0.1
          http_access allow manager ext_manager_1
          acl ext_manager_2 src 172.24.0.254
          http_access allow manager ext_manager_2
          acl ext_manager_3 src  
          http_access allow manager ext_manager_3

          http_access deny manager
          http_access allow purge localhost
          http_access deny purge
          http_access deny !safeports
          http_access deny CONNECT !sslports

          # Always allow localhost connections

          http_access allow localhost

          request_body_max_size 0 KB
          reply_body_max_size 0 deny all
          delay_pools 1
          delay_class 1 2
          delay_parameters 1 -1/-1 -1/-1
          delay_initial_bucket_level 100
          delay_access 1 allow all

          # Custom options

          redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
          redirector_bypass on
          redirect_children 3

          # Block access to blacklist domains

          http_access deny blacklist

          # Setup allowed acls

          # Allow local network(s) on interface(s)

          http_access allow allowed_subnets
          http_access allow localnet

          # Default block all to be sure

          http_access deny all

          • catatau77

            Does anyone have any idea why squid + squidguard works correctly, blocking downloads by extension when the link is HTTP, and does not block when it is HTTPS? The proxy is not transparent; it is set in the browser.
            Thanks.
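
Added example, not part of any post in this thread: a short Python check that takes access-log lines in the layout quoted above and tests the request string the proxy actually holds against an extension expression. For a CONNECT request without TLS interception that string is only `host:port`, so a path-based expression has nothing to match. The regex syntax and the plain-HTTP log line are assumptions constructed for comparison; the extension names and the CONNECT line come from the thread.

```python
import re

# Assumed form of an extension-blocking expression. The extension names are a
# subset of those in the post; the surrounding regex syntax is an assumption.
EXT_RE = re.compile(r".*/.*\.(zip|rar|tar|gz|cab|msi|exe|mp3|mp4|avi)$", re.I)

# Line 1 is constructed (plain-HTTP request for the same file).
# Line 2 is the access-log line quoted in the thread.
SAMPLE_LOG = """\
172.24.0.200 TCP_MISS/200 583502 GET http://dominio.com/arquivo.exe - DIRECT/72.21.215.100 application/octet-stream
172.24.0.200 TCP_MISS/200 583502 CONNECT dominio.com:443 - DIRECT/72.21.215.100 -
"""


def parse_line(line):
    """Split one log line in the eight-field layout shown in the thread."""
    client, status, size, method, url, user, hierarchy, mime = line.split()
    return {"client": client, "method": method, "url": url}


def path_visible(entry):
    """A CONNECT tunnel exposes only host:port to the proxy; the URL path
    travels inside the encrypted session and never reaches the URL filter."""
    return entry["method"].upper() != "CONNECT"


def audit(log_text):
    """Return (method, request string, path visible?, expression matches?)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        rows.append((
            entry["method"],
            entry["url"],
            path_visible(entry),
            bool(EXT_RE.match(entry["url"])),
        ))
    return rows


if __name__ == "__main__":
    for method, url, visible, blocked in audit(SAMPLE_LOG):
        print(f"{method:8} {url:35} path_visible={visible} matches={blocked}")
```

Running it over a real access log shows which requests a path-based category can ever apply to: every CONNECT row reports `path_visible=False`.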
