saludos lista
hace unos dias instale mi servidor proxy squid 2.7 en debian 7 y
integrado a active directory es decir la autentificacion es por los
usuarios de active directory 2008 pero tengo unos problemas los usuarios
con navegacion limitada a .cu le pide autorizacion a cada 2 seg y no
deja navegar y a los de navegacion total no pide autentificacion... aca
les dejo la configuracion que tengo
# ------------- Puerto de conexion
http_port 10.16.1.1:3128
httpd_accel_host virtual
httpd_accel_port 3128
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#NTLM Autentificacion
#========================
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param negotiate keep_alive on
#===================================================
#BASIC Autentificacion
#===========================
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Servidor de Navegacion GEIA
auth_param basic credentialsttl 30 minute
auth_param basic casesensitive off
#Plazo para que las IP sean recordadas
#====================================
authenticate_ip_ttl 1 hours
#==========================
#Autorizando AD
#===============
external_acl_type adgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
#=================================#==========================================
# DISK CACHE OPTIONS
#
-----------------------------------------------------------------------------
# TAG: cache_dir
cache_dir aufs /var/spool/squid 1024 16 256
# TAG: cache mem
cache_mem 256 MB
cache_mrg adrian.marti...@geia.telemar.cu
# Object Options
maximum_object_size 400 MB
# LOGFILE OPTIONS
#
-----------------------------------------------------------------------------
# TAG: access_log
access_log /var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
# TAG: cache_log
cache_log /var/log/squid/cache.log
debug_options ALL,1 33,2
# TAG: cache_store_log
cache_store_log /var/log/squid/store.log
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#
-----------------------------------------------------------------------------
# TAG: cache_peer
cache_peer 192.168.100.4 parent 3128 0 no-query default
# TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
# TAG: cache
acl QUERY urlpath_regex cgi-bin \?
# TAG: client_netmask
client_netmask 255.255.252.0
# OPTIONS FOR FTP GATEWAYING
#
-----------------------------------------------------------------------------
# TAG: ftp_user
ftp_user sq...@geia.cu
# TAG: ftp_list_width
ftp_list_width 32
# TAG: ftp_passive
ftp_passive on
# TAG: ftp_sanitycheck
ftp_sanitycheck on
# OPTIONS FOR TUNING THE CACHE
#
-----------------------------------------------------------------------------
# TAG: refresh_pattern
refresh_pattern ^ftp: 1440 200% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .gif 4320 200% 10080 override-expire
override-lastmod ignore-no-cache ignore-private
refresh_pattern .jpg 4320 200% 10080 override-expire
override-lastmod ignore-no-cache ignore-private
refresh_pattern .png 4320 200% 10080 override-expire
override-lastmod ignore-no-cache ignore-private
refresh_pattern .swf 4320 200% 10080 override-expire
override-lastmod ignore-no-cache ignore-private
refresh_pattern ^http: 2880 200% 10080 override-expire
override-lastmod
refresh_pattern ^https: 2880 200% 10080 override-expire
override-lastmod
logfile_rotate 3
max_filedescriptors 65536
max_open_disk_fds 65536
relaxed_header_parser on
reload_into_ims on
quick_abort_min 0 KB
quick_abort_max 0 KB
client_lifetime 15 minutes
read_timeout 5 minutes
request_timeout 30 minutes
#extension_methods NICK
ie_refresh on
ignore_expect_100 on
vary_ignore_expire on
#Acls por Defecto
#==================
acl auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/255.255.255.255
acl apache rep_header Server ^Apache
acl SSL_ports port 443 563 80 22
acl Safe_ports port 80 21 22 443 563 873 2082 2083 3000
acl all src all
acl purge method PURGE
acl CONNECT method CONNECT
#Limitando Navegacion a IP
#==========================
acl maxuser max_user_ip -s 1
######access group_ldap#######
acl total external adgroup total
acl nacional external adgroup nacional
acl surftime time SMTWHFA 00:00-23:59
#acls GEIA
#=================
acl redlocal src 10.16.0.0/22
acl geia dstdomain .geia.cu
acl webserver src 10.16.0.0/22
####acl jabber#########
acl jabber dstdomain jabber.geia.cu
#######access to domain#######
acl cuba dstdomain .cu
acl sitios url_regex "/etc/squid/nacional"
acl porno url_regex "/etc/squid/prohibidos"
acl social url_regex "/etc/squid/red_social"
acl ip dstdomain 0.0.0.0/24
####Delay pool#### agregadas por mi
#++++++++++++++++++++++++++++++++++++++++++++++++++
delay_pools 1
delay_class 1 1
delay_parameters 1 25120/21004
acl magic_word url_regex \.mp3 .vqf .tar.gz .gz .rpm .avi .mpeg .ram
.rm .iso .raw .wav .mp4 .flv .mov$
delay_access 1 allow magic_word
#delay_pools 1
#delay_class 1 2
#delay_parameters 1 100960/840960 80480/60480
#acl publicidad url_regex http://*
#delay_access 1 allow publicidad
# Restringe la cantidad de conexiones (Limita -> IDA, DAP, downthemall, etc)
acl descargas urlpath_regex -i \.avi$ \.mp4$ \.mp3$ \.mpg$ \.mpeg$
\.mov$ \.ram$ \.vob$
acl maxcon maxconn 1
http_access deny descargas maxcon
#+++++++++++++++++++++++++++++++++++++++++++++++++++++
# TAG: http_access
#always_direct allow chat
always_direct allow geia
always_direct allow jabber
always_direct deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager webserver
http_access allow purge localhost
http_access allow localhost
http_access allow geia
#http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#
#+++++++++++ HTTP_ACCESS ++++++++++++++++++++++++++++++++++++++++++
######control de acceso a sitios######
http_access allow total auth !porno
http_access allow nacional auth cuba
http_access allow localhost
http_access deny social
http_access deny porno
http_access deny !total
http_access deny !nacional
http_access deny ip
http_access deny !redlocal
http_access deny maxuser
http_access deny to_localhost
http_access deny all
#broken_vary_encoding allow apache
icp_access deny all
miss_access allow all
# ERROR PAGE OPTIONS
#
-----------------------------------------------------------------------------
# TAG: error_directory
error_directory /usr/share/squid/errors/Spanish/
# OPTIONS INFLUENCING REQUEST FORWARDING
#
-----------------------------------------------------------------------------
# TAG: nonhierarchical_direct
nonhierarchical_direct off
# DNS OPTIONS
#
-----------------------------------------------------------------------------
# TAG: dns_nameservers
dns_nameservers 192.168.100.2
# MISCELLANEOUS
#
-----------------------------------------------------------------------------
forwarded_for off
half_closed_clients off
icon_directory /usr/share/squid/icons
# TAG: coredump_dir
#coredump_dir c:/squid/var/cache
cache deny QUERY
hostname_aliases proxy.geia.cu
#icp_port 0
agradecido de ante mano
--
Este mensaje ha sido analizado por MailScanner
en busca de virus y otros contenidos peligrosos,
y se considera que está limpio.
______________________________________________________________________
Lista de correos del Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l
