


  1. #1

    Block msn/skype/outlook with authenticated squid

    I have authenticated Squid.

    Users can only browse if they enter the proxy settings.

    If they set the proxy, they can't get into MSN, but they can download e-mail in Outlook and log into Skype, and it doesn't ask for authentication.


    If they don't set the proxy in the browser:

    They can't browse anything, but they can log into MSN/Skype and download/send e-mail with Outlook.

    What can I do to block this? I have an ACL called no_auth (it doesn't ask for authentication to access the sites listed in it); if I don't put the MSN URLs in it, users can't connect to MSN even if the user's own ACL contains the MSN URLs. But that ACL only has the MSN URLs, so they shouldn't be able to connect to Skype or download e-mail without being asked for authentication, right?

    My squid.conf is below.


    root@cache:/home/novaf# cat /etc/squid/squid.conf
    #SERVER NAME#########################################################
    visible_hostname DebianLinux
    ######################################################################
    #IP+PORT USED #######################################################
    http_port 10.0.1.254:3128
    ######################################################################
    icp_port 0
    ######################################################################
    #CACHE USED (HALF OF RAM)#############################################
    cache_mem 512 MB
    ######################################################################
    #Cache Swap###########################################################
    cache_swap_low 80
    cache_swap_high 90
    ######################################################################
    #OBJECT_SIZE##########################################################
    maximum_object_size 200 MB
    minimum_object_size 0 KB
    #maximum size of objects kept in memory.
    maximum_object_size_in_memory 30 KB
    ######################################################################
    #MULTIPLE CACHE DIRECTORIES###########################################
    cache_dir aufs /var/cachesquid1 5000 16 256

    # Works around a problem with persistent connections that occurs with certain
    # servers and causes delays in our cache.
    detect_broken_pconn on

    # Gives a performance gain by using pipelined connections (parallel
    # requests)
    #pipeline_prefetch on

    #DNS squid cache
    dns_nameservers 10.0.1.254

    #####################################################################
    #LOGS################################################################
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none
    #####################################################################
    #AUTHENTICATION RULE
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 3
    authenticate_ttl 10 minutes
    authenticate_ip_ttl 0
    ####################################################################
    request_body_max_size 0 MB
    ####################################################################

    #ACLs#########################################################
    #SITES THAT DO NOT REQUIRE PASSWORD AUTHENTICATION
    acl NO_AUTH url_regex -i '/etc/squid/no_auth_url'
    http_access allow NO_AUTH
    #################################################
    #SITES BLOCKED FOR EVERY USER
    acl BLOCK url_regex -i '/etc/squid/bloqueados'
    http_access deny BLOCK
    #################################################
    #MSN ONLY FOR USERS IN THIS ACL##################
    acl bloqueiamsn url_regex -i "/etc/squid/bloqueiamsn"
    acl g_liberado proxy_auth itamar carlos.eduardo fernandocomercial alisson neide ademario marinalva fernando rmartins vicente handerson
    http_access deny bloqueiamsn !g_liberado
    #################################################
    ##### BLOCK DOWNLOAD OF THE EXTENSIONS BELOW#####
    acl extensoes url_regex -i \.bat \.scr \.mp3 \.vbs \.wmv \.wma \.mp4
    http_access deny extensoes

    #acl downloads urlpath_regex "/etc/squid/downloads.txt"
    #http_access deny downloads
    #testing the option below
    #acl downloads req_mime_type application/octet-stream application/zip audio/mpeg audio/wav video/mpeg video/avi video/quicktime video/x-msvideo video/x-ms-wmv/
    #http_access deny downloads
    #################################################
    #GENERAL RULES###################################
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 4243 563
    acl Safe_ports port 80 21 443 563 70 210 1025-65535
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost

    #FTP
    ftp_passive on
    ftp_sanitycheck on

    #These 'refresh_pattern' lines make squid keep an object in cache as long
    #as possible, increasing cache HIT and byte HIT

    refresh_pattern -i \.jpg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.gif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.png$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.jpeg$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.bmp$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tif$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.tiff$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.swf$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.exe$ 0 50% 21600 reload-into-ims
    refresh_pattern -i \.php$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.html$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.htm$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtml$ 0 20% 1440 reload-into-ims
    refresh_pattern -i \.shtm$ 0 20% 1440 reload-into-ims
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320

    #ZPH cache FULL
    zph_local 0x60
    zph_mode tos
    zph_option 136
    zph_parent 0
    zph_sibling 0

    #SITES THAT ARE NOT CACHED#######################
    acl NO_CACHE url_regex -i '/etc/squid/no_cache_url'
    no_cache deny NO_CACHE
    #################################################
    #PER-USER AUTHENTICATION#########################

    #Fernando
    acl u_fernandocomercial proxy_auth fernandocomercial
    #Marcelo
    acl u_marcelo proxy_auth marcelo
    #Mariana
    acl u_mariana proxy_auth mariana
    #Angel
    acl u_angel proxy_auth angel

    and so on...

    #AUTHENTICATION ACLS (WHAT CAN AND CANNOT BE ACCESSED)############
    #USER: Daniel
    acl u_daniel_url_allow url_regex -i "/etc/squid/u_daniel_allow"
    http_access allow u_daniel u_daniel_url_allow
    acl u_daniel_url_deny url_regex -i "/etc/squid/u_daniel_deny"
    http_access deny u_daniel u_daniel_url_deny
    #AUTHENTICATION ACLS (WHAT CAN AND CANNOT BE ACCESSED)############

    #USER: Mariana
    acl u_mariana_url_allow url_regex -i "/etc/squid/u_mariana_allow"
    http_access allow u_mariana u_mariana_url_allow
    acl u_mariana_url_deny url_regex -i "/etc/squid/u_mariana_deny"
    http_access deny u_mariana u_mariana_url_deny

    #USER: Junior
    acl u_junior_url_allow url_regex -i "/etc/squid/u_junior_allow"
    http_access allow u_junior u_junior_url_allow
    acl u_junior_url_deny url_regex -i "/etc/squid/u_junior_deny"
    http_access deny u_junior u_junior_url_deny

    and so on...

    ####################################################################
    #ALLOW AUTHENTICATED USERS###########################################
    acl autenticados proxy_auth REQUIRED
    http_access allow autenticados
    #####################################################################
    miss_access allow all
    cache_mgr root
    memory_pools on
    #####################################################################
    #BLOCK EVERYTHING####################################################
    http_access deny all
    ####################################################################


    So each user has their own allow and deny ACLs... I block everything and only allow what I want.

    How do I solve this Skype/MSN/Outlook problem?
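Squid walks the http_access lines top to bottom and the first line whose ACLs all match decides the request, which is why the position of `http_access allow NO_AUTH` matters so much in the config above. The simulator below is an added example, not part of this post or of Squid itself; it reproduces that first-match walk over a simplified copy of the posted rule order, with constructed regexes standing in for the contents of /etc/squid/no_auth_url and /etc/squid/bloqueados, and shows that a URL matched by NO_AUTH is allowed before BLOCK or authentication is ever consulted.

```python
import re

# Constructed sample ACLs (name -> (type, values)) standing in for the files
# referenced by the squid.conf above; the regex patterns are assumptions.
ACLS = {
    "NO_AUTH": ("url_regex", [r"gateway\.messenger\.hotmail\.com"]),
    "BLOCK": ("url_regex", [r"messenger", r"orkut\.com"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [443, 4243, 563]),
    "autenticados": ("proxy_auth", ["REQUIRED"]),
    "all": ("src", ["0.0.0.0/0"]),
}
# http_access lines in the order the posted config applies them (simplified).
HTTP_ACCESS = [
    ("allow", ["NO_AUTH"]),
    ("deny", ["BLOCK"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["autenticados"]),
    ("deny", ["all"]),
]
# One matcher per ACL type; a request is a dict with method, url, port, user.
MATCHERS = {
    "url_regex": lambda v, r: any(re.search(p, r["url"], re.I) for p in v),
    "method": lambda v, r: r["method"] in v,
    "port": lambda v, r: r["port"] in v,
    "proxy_auth": lambda v, r: r.get("user") is not None,  # REQUIRED = any user
    "src": lambda v, r: True,                              # 'all'
}
def evaluate(req):
    """First-match walk over http_access: 'allow', 'deny' or 'auth_required'."""
    for action, terms in HTTP_ACCESS:
        for term in terms:
            kind, values = ACLS[term.lstrip("!")]
            # No credentials at a proxy_auth ACL: Squid sends a 407 challenge here.
            if kind == "proxy_auth" and req.get("user") is None:
                return "auth_required"
            if MATCHERS[kind](values, req) == term.startswith("!"):
                break                 # this term failed: move to the next line
        else:
            return action             # every term matched: first match wins
    return "deny"                     # not reached here: 'deny all' always matches
# Constructed requests. The MSN gateway URL is allowed by NO_AUTH before BLOCK
# (which also matches it) or authentication is ever consulted.
SAMPLE = [
    {"method": "GET", "url": "http://gateway.messenger.hotmail.com/", "port": 80},
    {"method": "CONNECT", "url": "1.2.3.4:443", "port": 443},
    {"method": "GET", "url": "http://www.debian.org/", "port": 80, "user": "itamar"},
]
for r in SAMPLE:
    print(f"{r['method']:8} {r['url']:40} -> {evaluate(r)}")
```

Swapping the first two http_access lines in HTTP_ACCESS turns the first result into "deny", which is the same experiment to run on the real config with `squid -k parse` and the access.log.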

  2. #2

    Re: Block msn/skype/outlook with authenticated squid

    First, you have to redirect port 443 to the proxy; that alone will already block MSN and Skype.

    Second, you can't filter Outlook through the proxy, because it uses specific ports for e-mail, unless you are reading your e-mail through webmail.

  3. #3

    Re: Block msn/skype/outlook with authenticated squid

    Blocking Skype:

    In squid:

    #Block Skype
    # CONNECT requests straight to a bare IP address on port 80 or 443
    acl skype_80 url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:80
    acl skype_443 url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
    # User-Agent header beginning with "skype"
    acl skype_ua browser ^skype


    http_access deny skype_80
    http_access deny skype_443
    http_access deny skype_ua

    MSN and OTHERS:

    acl bloqueados url_regex "/usr/local/squid/etc/bloqueados"

    create the bloqueados file and add words such as: msn, livemessenger, etc....

    http_access deny bloqueados

    Blocking E-MAIL

    In the firewall:

    #Block e-mail ports for the whole network
    #-------------------------------------
    iptables -A FORWARD -p tcp -m multiport --dport 25,110,465,995,587 -j DROP

    Other than that, I think that should do it; implement it and post the result (the rules may vary a bit depending on your architecture).

    Regards,

    Ronan