


  1. #1

    Access control bypassed

    Good morning, friends!

    I have Squid running on a web server, working as a transparent proxy and blocking some sites by keyword. So far so good: the sites that contain a given word are being blocked perfectly, but a while ago we discovered a flaw. If you add the parameter ?=meudominio, the site becomes accessible, without images but with all the links there. For example: if I type www.orkut.com it is blocked, and if I type www.orkut.com/?=meudominio it gets past the block.

    Do I have to set some option in squid.conf? Please, I no longer know what to implement to fix this flaw.

    Thanks in advance for your attention!! And may the force be with you.

  2. #2


    Quote: originally posted by neotecsjc (post #1 above)


    Man, try adding more ACLs or regular expressions, or else use DansGuardian; I think SquidGuard does that too!

  3. #3


    Paste the rules you are using there...

  4. #4


    Here are my rules

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    #acl allowedhosts proxy_auth REQUIRED
    acl allowedhosts src "/usr/local/squid/etc/rede192"
    acl to_localhost dst 127.0.0.0/8
    #acl hora1 time 8:00-9:00
    #acl hora2 time 12:00-14:00
    #acl hora3 time 16:30-21:00
    #acl livres src "/usr/local/squid/etc/ips-livres.cf"
    #acl financas src "/usr/local/squid/etc/ips-financas.cf"
    acl SSL_ports port 443 563 4404 4405 7443
    acl Safe_ports port 8900
    acl Safe_ports port 80
    acl Safe_ports port 8080
    acl Safe_ports port 81
    acl Safe_ports port 21
    acl Safe_ports port 443 563
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT

    #
    # access restrictions
    #
    acl PornoURLs url_regex "/usr/local/squid/etc/porno.acl"

    # MSN block
    acl MSN url_regex "/usr/local/squid/etc/msn.acl"

    # permitted sites (allow-list)
    acl permitidos url_regex "/usr/local/squid/etc/permitidos.acl"

    # for use of Caixa's Conectividade Social - denis - 05/01/06
    acl cscaixa url_regex "/usr/local/squid/etc/cscaixa"
    acl Safe_ports port 8888
    # urlpath_regex matches only the path part of the URL, not the host;
    # this ACL is not referenced by any http_access line below
    acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    no_cache deny cscaixa
    always_direct allow cscaixa

    # allowing MSN for some users
    #acl permitidosMSN proxy_auth "/usr/local/squid/etc/permitidosmsn"

    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #

    # http_access lines are evaluated first-match, top to bottom, and every ACL
    # on a line must match. If no line matches, Squid applies the opposite of
    # the last line's action.
    http_access allow allowedhosts permitidos
    http_access deny allowedhosts PornoURLs

    http_reply_access allow all

    icp_access allow all

    miss_access allow all

    cache_mgr webmaster

    #Default:
    cache_effective_user nobody

    visible_hostname funcate.fastec.com.br


    # HTTPD-ACCELERATOR OPTIONS
    # -----------------------------------------------------------------------------

    # TAG: httpd_accel_host
    # TAG: httpd_accel_port
    #
    httpd_accel_host virtual
    #Default:
    httpd_accel_port 80

    # TAG: httpd_accel_single_host on|off
    #
    #Default:
    # httpd_accel_single_host off

    # TAG: httpd_accel_with_proxy on|off
    #
    #Default:
    httpd_accel_with_proxy on

    # TAG: httpd_accel_uses_host_header on|off
    #
    #Default:
    httpd_accel_uses_host_header on

    # TAG: httpd_accel_no_pmtu_disc on|off
    #
    #Default:
    # httpd_accel_no_pmtu_disc off


    # MISCELLANEOUS
    # -----------------------------------------------------------------------------

    # TAG: dns_testnames
    #
    #Default:
    # dns_testnames netscape.com internic.net nlanr.net microsoft.com

    # TAG: logfile_rotate
    #
    #Default:
    logfile_rotate 10

    # TAG: append_domain
    #
    #Example:
    # append_domain .yourdomain.com
    #
    #Default:
    append_domain .fastec.com.br

    # TAG: tcp_recv_bufsize (bytes)
    #
    #Default:
    # tcp_recv_bufsize 0 bytes

    # TAG: err_html_text
    #
    #Default:
    # none

    # TAG: deny_info
    #
    #Default:
    # none

    # TAG: memory_pools on|off
    #
    #Default:
    # memory_pools on

    # TAG: memory_pools_limit (bytes)
    #
    #Default:
    # memory_pools_limit 5 MB

    # TAG: forwarded_for on|off
    #
    #Default:
    # forwarded_for on

    # TAG: log_icp_queries on|off
    #
    #Default:
    # log_icp_queries on

    # TAG: icp_hit_stale on|off
    #
    #Default:
    # icp_hit_stale off

    # TAG: minimum_direct_hops
    #
    #Default:
    # minimum_direct_hops 4

    # TAG: minimum_direct_rtt
    #
    #Default:
    # minimum_direct_rtt 400

    # TAG: cachemgr_passwd
    #
    #Example:
    # cachemgr_passwd secret shutdown
    # cachemgr_passwd lesssssssecret info stats/objects
    cachemgr_passwd qwepoi all
    #
    #Default:
    # none

    # TAG: store_avg_object_size (kbytes)
    #
    #Default:
    # store_avg_object_size 13 KB

    # TAG: store_objects_per_bucket
    #
    #Default:
    # store_objects_per_bucket 20

    # TAG: client_db on|off
    #
    #Default:
    # client_db on

    # TAG: netdb_low
    # TAG: netdb_high
    #
    #Default:
    # netdb_low 900
    # netdb_high 1000

    # TAG: netdb_ping_period
    #
    #Default:
    # netdb_ping_period 5 minutes

    # TAG: query_icmp on|off
    #
    #Default:
    # query_icmp off

    # TAG: test_reachability on|off
    #
    #Default:
    # test_reachability off

    # TAG: buffered_logs on|off
    #
    #Default:
    # buffered_logs off

    # TAG: reload_into_ims on|off
    #
    #Default:
    # reload_into_ims off

    # TAG: always_direct
    #
    #Default:
    # none

    # TAG: never_direct
    #
    #Default:
    # none

    # TAG: header_access
    #
    #Default:
    # none

    # TAG: header_replace
    #
    #Default:
    # none

    # TAG: icon_directory
    #
    #Default:
    # icon_directory /usr/local//share/icons

    # TAG: short_icon_urls
    #
    #Default:
    # short_icon_urls off

    # TAG: error_directory
    #
    #Default:
    error_directory /usr/local/squid/share/errors/Portuguese
    #error_directory /usr/local/share/errors/Portuguese

    # TAG: maximum_single_addr_tries
    #
    #Default:
    # maximum_single_addr_tries 1

    # TAG: retry_on_error
    #
    #Default:
    # retry_on_error off

    # TAG: snmp_port
    # Note: This option is only available if Squid is rebuilt with the
    #
    #Default:
    # snmp_port 3401

    # TAG: snmp_access
    #
    #Example:
    # snmp_access allow snmppublic localhost
    # snmp_access deny all
    #
    #Default:
    # snmp_access deny all

    # TAG: snmp_incoming_address
    #
    #Default:
    # snmp_incoming_address 0.0.0.0
    # snmp_outgoing_address 255.255.255.255

    # TAG: as_whois_server
    #
    #Default:
    # as_whois_server whois.ra.net

    # TAG: wccp_router
    #
    #Default:
    # wccp_router 0.0.0.0

    # TAG: wccp_version
    #
    #Default:
    # wccp_version 4

    # TAG: wccp_incoming_address
    # TAG: wccp_outgoing_address
    #
    #Default:
    # wccp_incoming_address 0.0.0.0
    # wccp_outgoing_address 255.255.255.255


    # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
    # -----------------------------------------------------------------------------

    # TAG: delay_pools
    #
    #Default:
    # delay_pools 0

    # TAG: delay_class
    #
    #Example:
    # delay_pools 2 # 2 delay pools
    # delay_class 1 2 # pool 1 is a class 2 pool
    # delay_class 2 3 # pool 2 is a class 3 pool
    #
    #Default:
    # none

    # TAG: delay_access
    #
    #Example:
    # delay_access 1 allow some_big_clients
    # delay_access 1 deny all
    # delay_access 2 allow lotsa_little_clients
    # delay_access 2 deny all
    #
    #Default:
    # none

    # TAG: delay_parameters
    #
    #delay_parameters 2 32000/32000 8000/8000 600/8000
    #
    #Default:
    # none

    # TAG: delay_initial_bucket_level (percent, 0-100)
    #
    #Default:
    # delay_initial_bucket_level 50

    # TAG: incoming_icp_average
    # TAG: incoming_http_average
    # TAG: incoming_dns_average
    # TAG: min_icp_poll_cnt
    # TAG: min_dns_poll_cnt
    # TAG: min_http_poll_cnt
    #
    #Default:
    # incoming_icp_average 6
    # incoming_http_average 4
    # incoming_dns_average 4
    # min_icp_poll_cnt 8
    # min_dns_poll_cnt 8
    # min_http_poll_cnt 8

    # TAG: max_open_disk_fds
    #
    #Default:
    # max_open_disk_fds 0

    # TAG: offline_mode
    #
    #Default:
    # offline_mode off

    # TAG: uri_whitespace
    #
    #Default:
    uri_whitespace strip

    # TAG: broken_posts
    #
    #Example:
    # acl buggy_server url_regex ^http://....
    # broken_posts allow buggy_server
    #
    #Default:
    # none

    # TAG: mcast_miss_addr
    #
    #Default:
    # mcast_miss_addr 255.255.255.255

    # TAG: mcast_miss_ttl
    #
    #Default:
    # mcast_miss_ttl 16

    # TAG: mcast_miss_port
    #
    #Default:
    # mcast_miss_port 3135

    # TAG: mcast_miss_encode_key
    #
    #Default:
    # mcast_miss_encode_key XXXXXXXXXXXXXXXX

    # TAG: nonhierarchical_direct
    #
    #Default:
    # nonhierarchical_direct on

    # TAG: prefer_direct
    #
    #Default:
    # prefer_direct off


    # deny_info takes <error page> <acl>; the error-page name on this line was
    # garbled when the post was captured and is shown as it appeared
    deny_info YouSendIt - Send large files - transfer delivery - FTP Replacement permitidos
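The symptom in post #1 follows from the order of the two http_access lines in post #4 together with how url_regex works. A url_regex ACL is searched, unanchored, against the whole URL including the query string, so if permitidos.acl lists the poster's own domain as a bare pattern, any URL that carries that string anywhere (www.orkut.com/?=meudominio) matches the allow line, and that line runs before the deny line. The same two lines show a second problem: there is no explicit final rule, so a request that matches neither line gets the opposite of the last line's action, which here is allow, meaning clients outside rede192 are not restricted at all. The model below is an added example written for this edit, not Squid code and not something from the thread; it reimplements just enough of Squid's first-match http_access semantics to reproduce both problems and to show a hardened rule set that keys the allow-list on the destination host (dstdomain) and ends with an explicit deny. The contents of permitidos.acl, porno.acl and rede192 are not in the post, so the keyword lists, the 192.168.0.0/24 network and the domain meudominio.com.br are assumptions.

```python
"""Model of Squid http_access evaluation (added illustration, not Squid itself).

Shows why http://www.orkut.com/?=meudominio passes the rules from post #4 and
how reordering plus a dstdomain ACL closes the hole.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# ---- constructed stand-ins for files the post references but does not show --
REDE192 = ipaddress.ip_network("192.168.0.0/24")   # assumed contents of "rede192"
PERMITIDOS_ACL = [r"meudominio"]                    # assumed: own domain, unanchored
PORNO_ACL = [r"orkut", r"sexo"]                     # assumed keyword block list
MY_DOMAIN = ".meudominio.com.br"                    # assumed dstdomain form


def acl_src(network):
    """Squid 'src' ACL: match on the client address."""
    return lambda req: ipaddress.ip_address(req["src"]) in network


def acl_url_regex(patterns):
    """Squid 'url_regex': unanchored search over the whole URL, query included."""
    compiled = [re.compile(p) for p in patterns]
    return lambda req: any(c.search(req["url"]) for c in compiled)


def acl_dstdomain(domains):
    """Squid 'dstdomain': matches only the host part of the URL.
    A leading dot matches the domain itself and every subdomain."""
    def match(req):
        host = (urlsplit(req["url"]).hostname or "").lower()
        for d in (x.lower() for x in domains):
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return match


def http_access(rules, src, url):
    """First-match evaluation of http_access lines. Every ACL on a line must
    match (logical AND). If no line matches, Squid applies the opposite of
    the last line's action, which is the easy-to-miss default exploited here."""
    req = {"src": src, "url": url}
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


allowedhosts = acl_src(REDE192)
permitidos = acl_url_regex(PERMITIDOS_ACL)
porno = acl_url_regex(PORNO_ACL)
permitidos_dom = acl_dstdomain([MY_DOMAIN])
everyone = lambda req: True                         # acl all src 0.0.0.0/0

# The two http_access lines from post #4, in the order given there.
ORIGINAL = [
    ("allow", [allowedhosts, permitidos]),
    ("deny",  [allowedhosts, porno]),
]

# Hardened: allow-list keyed on destination host, keyword deny, explicit allow
# for the LAN, explicit final deny for everyone else.
HARDENED = [
    ("allow", [allowedhosts, permitidos_dom]),
    ("deny",  [allowedhosts, porno]),
    ("allow", [allowedhosts]),
    ("deny",  [everyone]),
]

LAN, OUTSIDER = "192.168.0.10", "10.0.0.5"            # constructed client addresses

if __name__ == "__main__":
    cases = [
        (LAN, "http://www.orkut.com/"),
        (LAN, "http://www.orkut.com/?=meudominio"),
        (LAN, "http://www.meudominio.com.br/?=orkut"),
        (OUTSIDER, "http://www.orkut.com/"),
    ]
    for name, rules in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name)
        for src, url in cases:
            print(f"  {src:13} {url:40} -> {http_access(rules, src, url)}")
```

In squid.conf terms the hardened set is: acl permitidos dstdomain .meudominio.com.br, then http_access allow allowedhosts permitidos, http_access deny allowedhosts PornoURLs, http_access allow allowedhosts, http_access deny all (after the manager, Safe_ports and CONNECT lines already present). dstdomain is preferable to an anchored url_regex because it looks only at the host, so a blocked keyword appearing in the path or query of the poster's own site no longer blocks it, and the poster's domain appearing in a query string no longer unblocks someone else's. Run squid -k parse after editing to catch syntax errors before squid -k reconfigure, and confirm from a LAN client that the ?=meudominio request now shows up as TCP_DENIED in access.log.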