Pessoal:
Estou com o seguinte cenário:
virtual box com o ubuntu server 12.04 instalado e com a placa de rede em modo brigde
configurado o firewall e instalado o squid3(pro meu azar). até então não tinha instalado ele, mas somente com uma placa de rede em funcionamento o squid teria que funcionar normalmente como a versão anterior, mas não funcionou...
fiz os seguintes procedimentos:
criei o meu firewall:
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#PROXY TRANSPARENTE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
baixei o squid:
apt-get install squid
porém veio o squid3, aí comecei a configurar normalmente com as políticas que eu sempre fiz uso e no squid.conf o diretório squid, modifiquei para o squid3. criei o diretório de cache do squid e apliquei o chmod 777. iniciei o squid e deu o primeiro problema:
root@squid:~# squid3 -k reconfigure
2012/07/26 01:16:21| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2012/07/26 01:16:21| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2012/07/26 01:16:21| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2012/07/26 01:16:21| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2012/07/26 01:16:21| WARNING: You should probably remove '::/0' from the ACL named 'all'
2012/07/26 01:16:21| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/07/26 01:16:21| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/07/26 01:16:21| WARNING: For now we will assume you meant to write /32
comentei a acl '0.0.0.0/0.0.0.0' e o problema sumiu:
squid.conf
# Regras do SQUID
# Dados do Squid
http_port 3128 transparent
visible_hostname Proxy.SQUID
# Configuração do cache
cache_mem 128 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid 2048 16 256
# Mensagens de erro do Squid em Português
error_directory /usr/share/squid/errors/Portuguese
# Localizacao do arquivo de log do Squid
cache_access_log /var/log/squid/access.log
# Atualizacao do Cache
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280
# IP's da rede local liberando todo o nivel de acesso
acl ip_liberado src "/etc/squid/ip_liberado"
http_access allow ip_liberado
# Sites Liberados
acl liberado url_regex -i "/etc/squid/sites_permitidos"
http_access allow liberado
#Palavras Liberadas
#acl liberados url_regex -i "/etc/squid/palavras_liberadas"
#http_access allow liberados
# Regras de bloqueio de site (por palavras)
acl palavra url_regex -i "/etc/squid/palavras_negadas"
http_access deny palavra
# Regras de bloqueio de site (por url)
acl site url_regex -i "/etc/squid/sites_negados"
http_access deny site
# IP's da rede local bloqueados
#acl ip_negado url_regex -i "/etc/squid/ip_negado"
#http_access deny ip_negado
#Bloqueando msn e webmessenger
#acl msn url_regex -i gateway.dll
#http_access deny msn
####BLOQUEIO PARA MSN############
#Regras para tratamento do MSN
acl msnmessenger url_regex -i gateway/gateway.dll? login.live.com
acl MSN rep_mime_type -i ^application/x-msn-messenger$
#Usuarios com acesso ao MSN
acl commsn src "/etc/squid/commsn"
http_access allow commsn MSN
http_access allow commsn msnmessenger
acl webmsn url_regex "/etc/squid/webmsn"
http_access allow commsn webmsn
http_access deny MSN
http_access deny msnmessenger
http_access deny webmsn
#acl bqmsn dstdomain passport.com
#http_access deny bqmsn
#Yahoo Messenger service
#acl Yahoo-Mess src "/etc/squid/yahoo"
#http_access deny Yahoo-Mess
#Limite de download
#acl down_ilimitado url_regex -i "/etc/squid/ilimitados"
#reply_body_max_size 20971520 deny all !down_ilimitado
#Liberacao gtalk
#acl ip_gtalk_google url_regex -i "/etc/squid/ip_gtalk_liberado"
#http_access allow ip_gtalk_google
#Bloqueio de google talk
#acl blocktlk url_regex -i chatenabled.gmail.com
#http_access deny blocktlk
#Bloqueio por download de arquivo
#acl download url_regex -i "/etc/squid/download"
#http_access deny download
#Autenticação
#auth_param basic realm Proxy Servidor
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#acl autenticados proxy_auth REQUIRED
#http_access allow autenticados
#auth_param basic children 5
#auth_param basic realm Digite a sua senha
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
# Media Streams
## Flash Video Format
#acl media rep_mime_type video/flv video/x-flv
#acl mediapr urlpath_regex \.flv(\?.*)?$
#http_access deny mediapr
#http_reply_access deny media
## MediaPlayer MMS Protocol
#acl mms rep_mime_type mms
#acl mmspr url_regex dvrplayer mediastream ^mms://
#http_access deny mmspr
#http_reply_access deny mms
## Active Stream Format (Windows Media Player)
#acl wmp rep_mime_type x-ms-asf
#acl wmppr urlpath_regex \.(afx|asf)(\?.*)?$
#http_access deny wmppr
#http_reply_access deny wmp
################## ACL for Radio / Video Stream ###########################
#acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
#acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
#acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
#acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
#acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
#acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
#acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
#acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
################## ACL for Radio / Video Stream ###########################
#Edit File in squid.conf above line in http_access Zone.
#################### Rules to block Radio / Video Stream #################
#http_access deny StreamingRequest1 all
#http_access deny StreamingRequest2 all
#http_access deny StreamingRequest3 all
#http_access deny StreamingRequest4 all
#http_reply_access deny StreamingReply1 all
#http_reply_access deny StreamingReply2 all
#http_reply_access deny StreamingReply3 all
#http_reply_access deny StreamingReply4 all
#################### Rules to block Radio / Video Stream #################
#[edit2] se vc quer ser o tecnico/suporte mais odiado use isso ( se bem que essas coisas sao pra evitar o uso da banda mas vc sera odiado por causa disso)
## Stop multimedia downloads ##
#acl useragent browser -i ^.*NSPlayer.*
#acl useragent browser -i ^.*player.*
#acl useragent browser -i ^.*Windows-Media-Player.*
#acl useragentq rep_mime_type ^.*video.*
#acl useragentq rep_mime_type ^.*audio.*
#http_access deny useragent
#http_access deny useragentq
# Regras de bloqueio (o IP x somente tem acesso aos sites y)
#acl site_restrito dstdomain "/etc/squid/site_restrito"
#acl ip_restrito src "/etc/squid/ip_restrito"
#http_access deny ip_restrito !site_restrito
# Regras de bloqueio (os IPs x não tem acesso aos sites por palavras y)
#acl palavras1 url_regex -i "/etc/squid/palavras_negadas1"
#acl ips_restritos src "/etc/squid/ips_restritos"
#http_access deny palavras1 ips_restritos
#Regras de gerais
#acl all src 0.0.0.0/0.0.0.0
http_access allow all
always_direct allow all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 #https, news
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistred ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 901 #swat
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Libera para a rede local
acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal
# Bloqueia o resto
#http_access deny all
# Paginas de Informacoes
#deny_info down.htm download
daí apareceu mais um problema:
apliquei o comando reconfigure e o resultado foi esse:
root@squid:~# squid3 -k reconfigure
2012/07/26 01:17:28| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/07/26 01:17:28| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/07/26 01:17:28| WARNING: For now we will assume you meant to write /32
alguém ppode me dizer onde errei no procedimento? e que erros são esses?
Obrigado pela ajuda.
bfbicalho
Veterano
Registrado
1.1K Mensagens
53 Curtidas