    pfSense 2.1.3 (i386) + squid + SquidGuard + AD (Blocking does not work) [RESOLVED]

    dbcg:

      Hi everyone!

      I set up an integration between pfSense and Active Directory following this material:
      http://www.dev2infra.com/pfsense-squid-squidguard-autenticacao-transparente/

      The integration appears to be working fine.
      When I run "wbinfo -u" and "wbinfo -g", I can see the AD users and groups.

      The problem is that SquidGuard blocking simply does not work.
      Even if I try to block through the "Common ACL" and the "Groups ACL", setting "deny" on all the "Target Categories", access works normally.

      Note: the proxy is configured in the browser.

      Environment details:
      pfSense: 2.1.3-RELEASE (i386)
      IP: 192.168.1.254

      Packages:
      Sarg: 2.3.6_2 pkg v.0.6.3
      squid: 2.7.9 pkg v.4.3.4
      squidGuard-devel: 1.5_1beta pkg v.1.5.6

      AD: Server 2012
      IP: 192.168.1.1

      Proxy Config:

      # Do not edit manually !

      http_port 192.168.1.254:3128
      icp_port 0

      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_directory /usr/pbi/squid-i386/etc/squid/errors/Portuguese
      icon_directory /usr/pbi/squid-i386/etc/squid/icons
      visible_hostname PROXYSERVER
      cache_mgr contato@dominio.com.br
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      logfile_rotate 0
      shutdown_lifetime 3 seconds

      # Allow local network(s) on interface(s)

      acl localnet src  192.168.1.0/255.255.255.0
      uri_whitespace strip

      cache_mem 8 MB
      maximum_object_size_in_memory 32 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir ufs /var/squid/cache 100 16 256
      minimum_object_size 0 KB
      maximum_object_size 10 KB
      offline_mode off

      # No redirector configured

      # Setup some default acls

      acl all src 0.0.0.0/0.0.0.0
      acl localhost src 127.0.0.1/255.255.255.255
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 802
      acl sslports port 443 563 
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT
      acl dynamic urlpath_regex cgi-bin \?
      acl allowed_subnets src 192.168.1.0/24
      cache deny dynamic
      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections

      http_access allow localhost

      request_body_max_size 0 KB
      reply_body_max_size 0 deny all
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow all

      # Custom options

      url_rewrite_program /usr/pbi/squidguard-devel-i386/bin/squidGuard -c /usr/pbi/squidguard-devel-i386/etc/squidGuard/squidGuard.conf
      url_rewrite_bypass off
      url_rewrite_children 16 startup=8 idle=4 concurrency=0
      auth_param ntlm program /usr/local/bin/ntlm_auth --domain=MEUDOMINIO --helper-protocol=squid-2.5-ntlmssp
      auth_param ntlm children 20
      auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
      auth_param basic children 5
      auth_param basic realm Please enter your credentials to access the proxy
      auth_param basic credentialsttl 60 minutes
      acl password proxy_auth REQUIRED
      http_access allow password localnet
      http_access allow password allowed_subnets

      # Default block all to be sure

      http_access deny all

      Filter Config:

      # ============================================================
      #
      # SquidGuard configuration file
      #
      # This file generated automaticly with SquidGuard configurator
      #
      # (C)2006 Serg Dvoriancev
      #
      # email: dv_serg@mail.ru
      #
      # ============================================================

      logdir /var/squidGuard/log
      dbhome /var/db/squidGuard
      ldapbinddn cn=Administrator,cn=Users,dc=MEUDOMINIO,dc=intranet
      ldapbindpass minhasenha
      ldapprotover 3
      stripntdomain true

      # Blocked sites

      src Diretoria {
      ldapusersearch 'ldap://192.168.1.1/DC=MEUDOMINIO,DC=intranet?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Diretoria%2cOU=EMPRESA%2cDC=MEUDOMINIO%2cDC=intranet))'
      log block.log
      }

      # SitesBloqueados

      dest Bloqueados {
      domainlist Bloqueados/domains
      redirect http://192.168.1.254:80/sgerror.php?url=403%20PAGINA%20BLOQUEADA&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      log block.log
      }

      rew safesearch {
      s@(google\..*/search?.*q=.*)@\1&safe=active@i
      s@(google\..*/images.*q=.*)@\1&safe=active@i
      s@(google\..*/groups.*q=.*)@\1&safe=active@i
      s@(google\..*/news.*q=.*)@\1&safe=active@i
      s@(yandex\..*/yandsearch?.*text=.*)@\1&fyandex=1@i
      s@(search\.yahoo\..*/search.*p=.*)@\1&vm=r&v=1@i
      s@(search\.live\..*/.*q=.*)@\1&adlt=strict@i
      s@(search\.msn\..*/.*q=.*)@\1&adlt=strict@i
      s@(^.*bing\..*/.*q=.*)@\1&adlt=strict@i
      log block.log
      }

      acl {

      # Blocked sites

      Diretoria  {
      pass !Bloqueados none
      log block.log
      }

      default  {
      pass !Bloqueados none
      redirect http://192.168.1.254:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
      log block.log
      }
      }

      Does anyone have any ideas? I spent a lot of time reviewing the settings and I cannot find the error.

      dbcg:

        The problem has been solved!

        What caused the failure is that my password contains a special character, in this case an exclamation mark (!), and that was causing a syntax error in SquidGuard.conf.

        While on the topic, does anyone know if there is some way to enter this character differently?

        Thanks!

        isaiasbertin:
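        As an added example, not code from this thread or from the pfSense packages, here is a small Python lint that catches the two file-level problems visible above before squidGuard or squid loads the generated files: an ldapbindpass value containing characters the squidGuard parser treats as syntax, and a non-ASCII dash where the ntlm_auth option should read "--". It also warns when the bind DN is the domain Administrator account, since a dedicated read-only bind account is the least-privilege choice. Assumptions: only "!" is confirmed by this thread to break squidGuard.conf, the other flagged characters are assumed risky, and the sample configuration lines are constructed.

```python
import re

# Constructed sample lines modelled on the thread: a bind password containing
# the '!' that broke the poster's squidGuard.conf, and the ntlm_auth option
# with an en dash (U+2013) instead of "--", as it appears in the quoted squid.conf.
SAMPLE_SQUIDGUARD_CONF = """\
logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=Administrator,cn=Users,dc=MEUDOMINIO,dc=intranet
ldapbindpass minha!senha
ldapprotover 3
"""
SAMPLE_SQUID_CUSTOM = (
    "auth_param ntlm program /usr/local/bin/ntlm_auth "
    "\u2013domain=MEUDOMINIO --helper-protocol=squid-2.5-ntlmssp\n"
)

# '!' is confirmed by the thread to cause a squidGuard.conf syntax error; the
# other characters are an assumption (they carry meaning in squidGuard syntax).
RISKY_PASSWORD_CHARS = set("!#{}\"' \t")


def lint_squidguard(conf: str) -> list[str]:
    """Return findings for the LDAP bind settings of a squidGuard.conf."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        key, _, value = raw.strip().partition(" ")
        if key == "ldapbindpass":
            bad = sorted(set(value) & RISKY_PASSWORD_CHARS)
            if bad:
                findings.append(f"line {lineno}: ldapbindpass contains {bad}, "
                                "which squidGuard reads as syntax")
        elif key == "ldapbinddn" and re.search(r"cn=administrator\b", value, re.I):
            findings.append(f"line {lineno}: bind DN is the domain Administrator; "
                            "a dedicated read-only bind account is least privilege")
    return findings


def lint_squid_custom(conf: str) -> list[str]:
    """Flag non-ASCII characters in squid custom options (typically an en dash typed for '--')."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        for ch in sorted(set(re.findall(r"[^\x00-\x7f]", raw))):
            findings.append(f"line {lineno}: non-ASCII U+{ord(ch):04X} in option; "
                            "the helper will not parse it as '--'")
    return findings


if __name__ == "__main__":
    for finding in lint_squidguard(SAMPLE_SQUIDGUARD_CONF) + lint_squid_custom(SAMPLE_SQUID_CUSTOM):
        print(finding)
```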

          Dear colleague, are you using NTLM or LDAP for your SquidGuard blocks?

          dbcg:

            @isaiasbertin:

            Dear colleague, are you using NTLM or LDAP for your SquidGuard blocks?

            In Proxy filter / General settings I am using the LDAP options, and in Proxy server / Auth Settings I am using Authentication Method: Winbind NTLM.

            For more details just visit this page: http://www.dev2infra.com/pfsense-squid-squidguard-autenticacao-transparente/