Il primo anello della catena \u00e8 squid3 che provvede all’autenticazione degli utenti, al servizio di caching vero e proprio, alla gestione delle ACL e delle eccezioni.<\/p>\n
Di seguito il file squid.conf<\/p>\n
auth_param ntlm program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
\nauth_param ntlm children 25
\nauth_param ntlm keep_alive on
\nauth_param basic program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-basic
\nauth_param basic children 5
\nauth_param basic realm Squid proxy-caching web server
\nauth_param basic credentialsttl 4 hours
\nauth_param basic casesensitive off
\nauthenticate_cache_garbage_interval 1 hour
\nauthenticate_ttl 1 hour
\nacl my_lan src 192.168.2.0\/24
\nacl localhost src 127.0.0.1\/32
\n### windows update prima di autenticazione
\nacl windowsupdate dstdomain windowsupdate.microsoft.com
\nacl windowsupdate dstdomain .update.microsoft.com
\nacl windowsupdate dstdomain download.windowsupdate.com
\nacl windowsupdate dstdomain redir.metaservices.microsoft.com
\nacl windowsupdate dstdomain images.metaservices.microsoft.com
\nacl windowsupdate dstdomain c.microsoft.com
\nacl windowsupdate dstdomain www.download.windowsupdate.com
\nacl windowsupdate dstdomain wustat.windows.com
\nacl windowsupdate dstdomain crl.microsoft.com
\nacl windowsupdate dstdomain sls.microsoft.com
\nacl windowsupdate dstdomain productactivation.one.microsoft.com
\nacl windowsupdate dstdomain ntservicepack.microsoft.com
\nacl CONNECT method CONNECT
\nacl wuCONNECT dstdomain www.update.microsoft.com
\nacl wuCONNECT dstdomain sls.microsoft.com
\nhttp_access allow CONNECT wuCONNECT my_lan
\nhttp_access allow CONNECT wuCONNECT localhost
\nhttp_access allow windowsupdate my_lan
\nhttp_access allow windowsupdate localhost
\n### avast update prima di autenticazione
\nacl avast dstdomain .avast.com
\nhttp_access allow avast
\n### disperato tentativo per adobe
\nacl adobe dstdomain .adobe.com
\nhttp_access allow adobe
\n### acl per autocad exchange 2012
\nacl autodesk dstdomain .autodesk.com
\nhttp_access allow autodesk
\nacl ya dstdomain .yahoo.com
\nhttp_access allow ya
\n#acl macaddress arp 09:00:2b:23:45:67
\n#acl myexample dst_as 1241
\nacl password proxy_auth REQUIRED
\n##\u00e0 test per mario brignoli accesso liceo
\nacl fileupload req_mime_type -i ^multipart\/form-data$
\nacl javascript rep_mime_type -i ^application\/x-javascript$
\nacl manager proto cache_object
\nacl to_localhost dst 127.0.0.0\/8
\n#
\nacl SSL_ports port 443
\nacl Safe_ports port 80\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # http
\nacl Safe_ports port 21\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # ftp
\nacl Safe_ports port 443\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # https
\nacl Safe_ports port 70\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # gopher
\nacl Safe_ports port 210\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # wais
\nacl Safe_ports port 1025-65535\u00a0 # unregistered ports
\nacl Safe_ports port 280\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # http-mgmt
\nacl Safe_ports port 488\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # gss-http
\nacl Safe_ports port 591\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # filemaker
\nacl Safe_ports port 777\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # multiling http
\nacl CONNECT method CONNECT
\n# Only allow cachemgr access from localhost
\nhttp_access allow manager localhost
\nhttp_access deny manager
\n# Deny requests to unknown ports
\nhttp_access deny !Safe_ports
\n# Deny CONNECT to other than SSL ports
\nhttp_access deny CONNECT !SSL_ports
\n#
\nacl gator browser Gator\/5.0
\nacl blacklist url_regex “\/jumper\/etc\/blacklist.txt”
\nacl malware_block_list url_regex -i “\/jumper\/etc\/malware_block_list.txt”
\nacl reqmsn req_mime_type -i ^application\/x-msn-messenger
\nacl repmsn rep_mime_type -i ^application\/x-msn-messenger
\nhttp_access deny blacklist
\nhttp_access deny malware_block_list
\ndeny_info http:\/\/malware.hiperlinks.com.br\/denied.shtml malware_block_list
\nhttp_access deny gator
\nhttp_access deny reqmsn
\nhttp_reply_access deny repmsn
\nhttp_access allow localhost
\nhttp_access allow password
\nhttp_access deny all
\nicp_access deny all
\nhtcp_access deny all
\nhtcp_clr_access deny all
\nhttp_port 192.168.2.241:3128
\ncache_peer 127.0.0.1 parent 8080 0 proxy-only no-query login=*:nopassword
\ncache_peer_access 127.0.0.1 allow password
\nhierarchy_stoplist cgi-bin ?
\ncache_mem 2000 MB
\nmaximum_object_size_in_memory 350 KB
\nmemory_replacement_policy lru
\ncache_replacement_policy lru
\ncache_dir aufs \/cache 22000 16 256
\nmax_open_disk_fds 0
\nminimum_object_size 0 KB
\nmaximum_object_size 4096 KB
\nlogformat combined %>a %ui %un [%tl] “%rm %ru HTTP\/%rv” %>Hs %<st “%{Referer}>h” “%{User-Agent}>h” %Ss:%Sh
\naccess_log jumper\/var\/log\/squid3\/access.log squid
\ncache_log \/jumper\/var\/log\/squid3\/cache.log
\ncache_store_log jumper\/var\/log\/squid3\/store.log
\nlogfile_rotate 0
\nemulate_httpd_log off
\nlog_ip_on_direct on
\nmime_table \/usr\/share\/squid3\/mime.conf
\nlog_mime_hdrs off
\npid_filename \/var\/run\/squid3.pid
\ndebug_options ALL,1
\nlog_fqdn on
\nbuffered_logs on
\nftp_user Squid@
\nftp_list_width 32
\nftp_passive on
\nftp_sanitycheck on
\nftp_telnet_protocol on
\ndiskd_program \/usr\/lib\/squid3\/diskd
\nunlinkd_program \/usr\/lib\/squid3\/unlinkd
\nrefresh_pattern ^ftp:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1440\u00a0\u00a0\u00a0 20%\u00a0\u00a0\u00a0\u00a0 10080
\nrefresh_pattern ^gopher:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1440\u00a0\u00a0\u00a0 0%\u00a0\u00a0\u00a0\u00a0\u00a0 1440
\nrefresh_pattern (cgi-bin|\\?)\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0%\u00a0\u00a0\u00a0\u00a0\u00a0 0
\nrefresh_pattern .\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 20%\u00a0\u00a0\u00a0\u00a0 4320
\nquick_abort_min 16 KB
\nquick_abort_max 16 KB
\nquick_abort_pct 95
\nread_ahead_gap 16 KB
\npositive_dns_ttl 6 hours
\nnegative_dns_ttl 1 minutes
\nrange_offset_limit 0 KB
\nminimum_expiry_time 60 seconds
\nstore_avg_object_size 13 KB
\nstore_objects_per_bucket 20
\nrequest_header_max_size 20 KB
\nreply_header_max_size 20 KB
\nrequest_body_max_size 0 KB
\nie_refresh on
\nrelaxed_header_parser on
\nforward_timeout 4 minutes
\nconnect_timeout 1 minute
\nrequest_timeout 5 minutes
\npersistent_request_timeout 2 minutes
\nclient_lifetime 600 minutes
\nhalf_closed_clients on
\npconn_timeout 1 minute
\nident_timeout 10 seconds
\nshutdown_lifetime 30 seconds
\ncache_mgr webmaster
\nmail_from squid@proxy
\nmail_program mail
\ncache_effective_user proxy
\ncache_effective_group proxy
\nhttpd_suppress_version_string on
\nvisible_hostname proxy
\nclient_persistent_connections on
\nserver_persistent_connections on
\npersistent_connection_after_error off
\nsnmp_port 3401
\nicp_port 3130
\nicon_directory \/usr\/share\/squid3\/icons
\nglobal_internal_static on
\nerror_directory \/usr\/share\/squid3\/errors\/Italian
\nemail_err_data on
\nacl FTP proto FTP
\nalways_direct allow FTP
\ncheck_hostnames on
\nallow_underscore on
\ndns_retransmit_interval 5 seconds
\ndns_timeout 2 minutes
\ndns_defnames off
\nhosts_file \/etc\/hosts
\nignore_unknown_nameservers on
\nipcache_size 1024
\nipcache_low 90
\nipcache_high 95
\nfqdncache_size 1024
\nmemory_pools on
\nmemory_pools_limit 5 MB
\nforwarded_for on
\nclient_db on
\ncoredump_dir \/var\/spool\/squid3<\/p>\n
Questa configurazione permette ai client di autenticarsi via NTLM cio\u00e8 non inserendo user e password ma sfruttando la login al dominio.<\/p>\n","protected":false},"excerpt":{"rendered":"
Il primo anello della catena \u00e8 squid3 che provvede all’autenticazione degli utenti, al servizio di caching vero e proprio, alla gestione delle ACL e delle eccezioni. Di seguito il file squid.conf auth_param ntlm program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 25 auth_param ntlm keep_alive on auth_param basic program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,13,6],"tags":[17,44,43,42],"class_list":["post-892","post","type-post","status-publish","format-standard","hentry","category-linux","category-proxy","category-work","tag-cache","tag-ntlm","tag-proxy-2","tag-squid3"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=892"}],"version-history":[{"count":2,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/892\/revisions"}],"predecessor-version":[{"id":896,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/892\/revisions\/896"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=892"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}