Squid3: configurazione di squid.conf
Il primo anello della catena è squid3 che provvede all’autenticazione degli utenti, al servizio di caching vero e proprio, alla gestione delle ACL e delle eccezioni.
Di seguito il file squid.conf
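# ---------------------------------------------------------------------------
# Authentication helpers
# NTLM single sign-on against the Windows domain, with a Basic fallback for
# clients that cannot negotiate NTLM. The helper option must be written with
# two ASCII hyphens ("--helper-protocol"); a typographic dash is not parsed.
# ---------------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

# ---------------------------------------------------------------------------
# Source / protocol ACLs
# ---------------------------------------------------------------------------
acl my_lan src 192.168.2.0/24
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl manager proto cache_object
acl CONNECT method CONNECT

# ---------------------------------------------------------------------------
# Port safety
# ---------------------------------------------------------------------------
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# Manager and port restrictions are evaluated BEFORE any allow rule, so the
# pre-authentication exceptions further down cannot reach unsafe ports or
# tunnel CONNECT to anything other than the SSL port.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# ---------------------------------------------------------------------------
# Block lists — denies are placed before every allow so an allowed
# destination cannot bypass them.
# ---------------------------------------------------------------------------
acl gator browser Gator/5.0
acl blacklist url_regex "/jumper/etc/blacklist.txt"
acl malware_block_list url_regex -i "/jumper/etc/malware_block_list.txt"
acl reqmsn req_mime_type -i ^application/x-msn-messenger
acl repmsn rep_mime_type -i ^application/x-msn-messenger
http_access deny blacklist
http_access deny malware_block_list
# The block page is fetched from an external host; the browser may send the
# blocked URL to that host in the Referer header. Hosting the page locally
# avoids that disclosure.
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access deny gator
http_access deny reqmsn
http_reply_access deny repmsn

# ---------------------------------------------------------------------------
# Pre-authentication exceptions for update services that cannot present
# NTLM/Basic credentials. Every exception is limited to the LAN or to
# localhost, matching the windowsupdate rules, so these destinations do not
# turn the proxy into an open relay.
# ---------------------------------------------------------------------------
### windows update before authentication
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT my_lan
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate my_lan
http_access allow windowsupdate localhost
### avast update before authentication
acl avast dstdomain .avast.com
http_access allow avast my_lan
http_access allow avast localhost
### last-resort exception for adobe
acl adobe dstdomain .adobe.com
http_access allow adobe my_lan
http_access allow adobe localhost
### acl for autocad exchange 2012
acl autodesk dstdomain .autodesk.com
http_access allow autodesk my_lan
http_access allow autodesk localhost
acl ya dstdomain .yahoo.com
http_access allow ya my_lan
http_access allow ya localhost

# ---------------------------------------------------------------------------
# Authenticated access
# ---------------------------------------------------------------------------
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
acl password proxy_auth REQUIRED
## test ACLs for the school-access case: defined here but not referenced by
## any access rule yet.
acl fileupload req_mime_type -i ^multipart/form-data$
acl javascript rep_mime_type -i ^application/x-javascript$
http_access allow localhost
http_access allow password
http_access deny all
icp_access deny all
htcp_access deny all
htcp_clr_access deny all

# ---------------------------------------------------------------------------
# Listener and upstream chain
# ---------------------------------------------------------------------------
http_port 192.168.2.241:3128
# Authenticated requests are handed to the next hop on 127.0.0.1:8080;
# login=*:nopassword forwards the authenticated user name (never the
# password) to that parent. Only requests matching "password" use the peer,
# the pre-authentication exceptions above go direct.
cache_peer 127.0.0.1 parent 8080 0 proxy-only no-query login=*:nopassword
cache_peer_access 127.0.0.1 allow password
hierarchy_stoplist cgi-bin ?

# ---------------------------------------------------------------------------
# Cache sizing
# ---------------------------------------------------------------------------
cache_mem 2000 MB
maximum_object_size_in_memory 350 KB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir aufs /cache 22000 16 256
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 4096 KB

# ---------------------------------------------------------------------------
# Logging — all three log paths are absolute (the original had two of them
# relative to the working directory, which is not /jumper).
# ---------------------------------------------------------------------------
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /jumper/var/log/squid3/access.log squid
cache_log /jumper/var/log/squid3/cache.log
cache_store_log /jumper/var/log/squid3/store.log
logfile_rotate 0
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid3/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid3.pid
debug_options ALL,1
log_fqdn on
buffered_logs on

# ---------------------------------------------------------------------------
# FTP
# ---------------------------------------------------------------------------
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd

# ---------------------------------------------------------------------------
# Freshness and transfer tuning
# ---------------------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
read_ahead_gap 16 KB
positive_dns_ttl 6 hours
negative_dns_ttl 1 minutes
range_offset_limit 0 KB
minimum_expiry_time 60 seconds
store_avg_object_size 13 KB
store_objects_per_bucket 20
request_header_max_size 20 KB
reply_header_max_size 20 KB
# 0 KB means no limit on request bodies.
request_body_max_size 0 KB
ie_refresh on
relaxed_header_parser on

# ---------------------------------------------------------------------------
# Timeouts
# ---------------------------------------------------------------------------
forward_timeout 4 minutes
connect_timeout 1 minute
request_timeout 5 minutes
persistent_request_timeout 2 minutes
client_lifetime 600 minutes
half_closed_clients on
pconn_timeout 1 minute
ident_timeout 10 seconds
shutdown_lifetime 30 seconds

# ---------------------------------------------------------------------------
# Identity and housekeeping
# ---------------------------------------------------------------------------
cache_mgr webmaster
mail_from squid@proxy
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
# Do not advertise the Squid version in headers and error pages.
httpd_suppress_version_string on
visible_hostname proxy
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error off
# No snmp_access rule is defined here; with Squid's default (deny all) the
# SNMP port answers no queries until one is added — verify on the host.
snmp_port 3401
icp_port 3130
icon_directory /usr/share/squid3/icons
global_internal_static on
error_directory /usr/share/squid3/errors/Italian
email_err_data on
acl FTP proto FTP
always_direct allow FTP
check_hostnames on
allow_underscore on
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes
dns_defnames off
hosts_file /etc/hosts
ignore_unknown_nameservers on
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
memory_pools on
memory_pools_limit 5 MB
# Client addresses are sent upstream in X-Forwarded-For.
forwarded_for on
client_db on
coredump_dir /var/spool/squid3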
Questa configurazione permette ai client di autenticarsi via NTLM, cioè senza inserire user e password, sfruttando il login al dominio.