Post the Squid log so we can see it. []'s Rocha
The record shows that Deuzenildo F. Nascimento passed through here and left the following written below:

> Good afternoon, esteemed list,
>
> I'm trying to get Squid running properly on Fedora 10, but a few things
> are wrong and I can't find where the error is; here is what I did.
>
> I installed Squid and set a few rules. It works, it proxies, and the
> machines on the network work fine, but when I reboot the server the proxy
> stops, even though it is in the system startup. I have to log in at the
> terminal as root, run service squid restart and also restart the
> firewall, and then it works.
>
> I also want better control over the ACLs, e.g.: the machine whose IP
> ends in 3 should access only one site and nothing else, while the rest
> of the network can access whatever they want. Here is the configuration
> file:
>
> # The port on which squid will listen for requests
> http_port IP_Servidor:Porta
> # If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
> # and should go to target web-server.
> hierarchy_stoplist cgi-bin ?
> # If url contains 'cgi-bin' or '?', then it must not be cached
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> # Absolute path to squid access log.
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> # Access control list to control every IP address
> acl all src 0.0.0.0/0.0.0.0
> # Access control list for source machine in LAN
> acl lan_src src 192.168.0.0/16
> # Access control list for destination machine in LAN
> acl lan_dst dst 192.168.0.0/16
> # Access control list to manage squid cache
> acl manager proto cache_object
> # Access control list to define IP address allowed for source localhost
> acl localhost src 127.0.0.1/255.255.255.255
> # Access control list to define IP addresses allowed for localhost as destination
> acl to_localhost dst 127.0.0.0/8
> # Access control list to define Safe ports that should be allowed by default
> acl SSL_ports port 443 563 1863 5190 5222 5050 6667
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> # Allow cache management only from localhost
> http_access allow manager localhost
> # Deny cache management from remote hosts
> http_access deny manager
> # Deny http access via all the ports which are not listed as safe
> http_access deny !Safe_ports
> # Deny all connections via all ports which are not listed as safe
> http_access deny CONNECT !SSL_ports
> # Allow http access from localhost
> http_access allow localhost
> # Allow http access from machines on LAN
> http_access allow lan_src
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> # Deny caching for everyone so that there is no caching at all
> cache deny all
> coredump_dir /var/spool/squid
> # Never allow direct connection to machines on the internet
> prefer_direct off
> never_direct allow all
> # Allow direct connection if the destination machine is on LAN
> always_direct allow lan_dst
> # Delete this line if you don't have /etc/hosts file
> hosts_file /etc/hosts
> # Allow AIM connections
>
> # Allow connections to MSN
> # Delete the following 6 lines if you don't want people to connect to Google Talk
> acl MSN_ports port 1863 443 1503
> acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0
> acl MSN_methods method CONNECT
> http_access allow MSN_methods MSN_ports MSN_hosts
>
> # IPs of the employees who have full access
> acl ip_liberados src "/etc/squid/ip_liberados.txt"
> # File with the IPs of the restricted employees
> acl ip_restrito src "/etc/squid/ip_restrito.txt"
> # list of sites for ip_restrito
> acl ip_restrito_sites dstdomain "/etc/squid/ip_restrito_sites.txt"
> # File with the IPs of the employees who access banks
> acl bancos src "/etc/squid/ip_bancos.txt"
> # banks allowed for bancos.txt
> acl BANCOS_SITES dstdomain "/etc/squid/ip_bancos_sites.txt"
> # Default configuration:
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> # acl for sites fetched directly, bypassing the cache
> acl NOCACHE url_regex "/etc/squid/direto.txt" \?
> no_cache deny NOCACHE
> # acl to block words in addresses and allow exceptions
> acl negapalavra url_regex "/etc/squid/negapalavra.txt"
> acl liberapalavra url_regex "/etc/squid/liberapalavra.txt"
> http_access allow liberapalavra all
> http_access deny negapalavra all
> # To enable the ACL that allows the internal IP 192.168.1.3
> #http_access allow ipinterno all
> http_access allow ip_liberados
> http_access allow ip_restrito ip_restrito_sites
> http_access allow bancos BANCOS_SITES
> http_access deny all
>
> With these rules, after restarting Squid and the firewall as root, every
> machine on the network can access everything.
>
> If anyone has already had this problem, I'd appreciate any comments.
>
> Thanks..
>

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
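An added example, not from the thread and not the poster's configuration: a small Python model of how Squid walks http_access lines, replaying the posted order and a reordered one against constructed requests. Squid takes the first http_access line whose every ACL term matches, so in the posted file `http_access allow lan_src` followed by `http_access deny all` decides for every 192.168.x.x client before the ip_restrito, negapalavra and liberapalavra lines are ever consulted, which is exactly the symptom described (every machine gets everything). The IP lists, the single allowed site (.intranet.example) and the word lists are assumptions standing in for the /etc/squid/*.txt files, whose contents are not in the thread; the manager, Safe_ports and CONNECT lines are left out because they never fire for a plain GET to port 80.

```python
"""Replay of Squid's first-match http_access evaluation.

Added example, not code from the original thread. The ACL contents below
are assumptions standing in for the poster's /etc/squid/*.txt files.
"""
import ipaddress
import re

# ACL table: name -> (type, values). Only the types needed for plain GETs
# are modelled; manager / Safe_ports / CONNECT lines never fire for a
# port-80 GET, so they are left out of the rule lists below.
ACLS = {
    "all":               ("src", ["0.0.0.0/0.0.0.0"]),
    "localhost":         ("src", ["127.0.0.1/255.255.255.255"]),
    "lan_src":           ("src", ["192.168.0.0/16"]),
    "ip_restrito":       ("src", ["192.168.1.3/32"]),           # "the host ending in 3"
    "ip_restrito_sites": ("dstdomain", [".intranet.example"]),  # assumed single site
    "liberapalavra":     ("url_regex", [r"webmail"]),           # assumed exception word
    "negapalavra":       ("url_regex", [r"games"]),             # assumed blocked word
}


def acl_matches(name, req):
    """Does the named ACL match this request? (src / dstdomain / url_regex)"""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # Squid: a leading dot matches the domain and every subdomain,
        # a bare name matches only that exact host.
        return any(
            (host == v[1:] or host.endswith(v)) if v.startswith(".") else host == v
            for v in (x.lower() for x in values)
        )
    if kind == "url_regex":
        return any(re.search(p, req["url"]) for p in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, req):
    """Return (index, action) of the first rule whose terms all match.

    A term prefixed with '!' is negated. When no rule matches, Squid applies
    the opposite of the last rule's action; that case is reported as index -1.
    """
    for idx, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return idx, action
    return -1, ("deny" if rules[-1][0] == "allow" else "allow")


# The poster's http_access order (port/manager rules omitted, see above).
# The ip_liberados and bancos lines are dropped from the model: below
# 'allow lan_src' + 'deny all' they are unreachable anyway.
POSTED = [
    ("allow", ["localhost"]),
    ("allow", ["lan_src"]),           # every 192.168.x.x host is accepted here ...
    ("deny",  ["all"]),               # ... and nothing below this line is reachable
    ("allow", ["liberapalavra", "all"]),
    ("deny",  ["negapalavra", "all"]),
    ("allow", ["ip_restrito", "ip_restrito_sites"]),
    ("deny",  ["all"]),
]

# One ordering that implements the stated goal: the host ending in 3 gets one
# site and nothing else, word filtering applies to everybody, the rest of the
# LAN is unrestricted. Most specific decisions first, 'allow lan_src' last.
REORDERED = [
    ("allow", ["localhost"]),
    ("allow", ["ip_restrito", "ip_restrito_sites"]),
    ("deny",  ["ip_restrito"]),
    ("allow", ["liberapalavra"]),
    ("deny",  ["negapalavra"]),
    ("allow", ["lan_src"]),
    ("deny",  ["all"]),
]


def request(src, host, path="/"):
    """Build a constructed request (not taken from the thread)."""
    return {"src": src, "host": host, "url": f"http://{host}{path}"}


REQUESTS = {
    "restricted_host_allowed_site": request("192.168.1.3", "www.intranet.example"),
    "restricted_host_other_site":   request("192.168.1.3", "www.other.example"),
    "other_lan_host":               request("192.168.1.50", "www.other.example"),
    "blocked_word":                 request("192.168.1.50", "www.other.example", "/games/"),
    "blocked_word_exception":       request("192.168.1.50", "www.other.example", "/games/webmail"),
    "outside_lan":                  request("10.0.0.7", "www.other.example"),
}


def evaluate(rules, requests=REQUESTS):
    """Map each request name to the action Squid would take."""
    return {name: http_access(rules, req)[1] for name, req in requests.items()}


def deciding_rules(rules, requests=REQUESTS):
    """Map each request name to the index of the rule that decided it."""
    return {name: http_access(rules, req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        print(f"--- {label} order ---")
        for name, req in REQUESTS.items():
            idx, action = http_access(rules, req)
            print(f"{name:30} -> {action:5} (rule {idx})")
```

Run directly, it prints which rule decided each request under each ordering: with the posted order only rules 1 and 2 ever fire. The reordered list is one way to meet the stated goal, not the only one; any real rewrite of squid.conf should be checked with `squid -k parse` before reloading. It says nothing about the separate start-on-boot problem, which the logs Rocha asked for would have to answer.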
