Boa Noite!
Tenho um servidor Squid, DCHP, DNS ... funciona ok, mas se coloco o endereço do servidor no navegador ( para forçar os https passar pelo squid, para validar todos os bloqueios) todos os sites começam a dar erro "ERRO - A URL requisitada não pôde ser recuperada - Acesso Negado".
Segue abaixo meus arquivos.
/var/www/html/wpad.dat
function FindProxyForUrl ( url, host)
if ( IsPlainHostName(host))
return "DIRECT";
else
return "PROXY 192.168.200.254:3128";
/etc/squid/squid.conf
# Porta no qual o proxy sera conectado
http_port 3128 transparent
#Nome do Servidor
visible_hostname Proxy
# Politica de acesso de ip's na rede
acl all src 0.0.0.0/0.0.0.0
acl redelocal src 192.168.200.0/24#-192.168.200.253
acl localhost src 127.0.0.1/255.255.255.255
# Permissao total a diretores
#acl diretores src 192.168.200.11 192.168.200.10
#http_access allow diretores
# Nao sei o que e
acl manager proto cache_object
acl purge method PURGE
acl CONNECT method CONNECT
# Politica de acesso de portas
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535 2631
# Quantidade de memoria para ser usada no cache da memoria
cache_mem 1000 mb
# Tamanho maximo do arquivo para ficar no cache de memoria
maximum_object_size_in_memory 128 KB
# Tamanho maximo e minimo do arquivo a ficar no cache do HD
maximum_object_size 512 MB
minimum_object_size 1 KB
# Quando atingir a percentagem maxima, desta os
# arquivos antigos ate percentagem minima
cache_swap_high 95
cache_swap_low 50
# Localizacao da pasta de cache do HD
# Tamanho total a utilizar, qtd de pasta e subpasta
cache_dir ufs /var/spool/squid/ 9000 16 256
# Localizao do arquivo de log de acesso do proxy
cache_access_log /var/log/squid/access.log
# Libera url's listadas no arquivo
acl sitesliberados url_regex -i "/etc/squid/sites/liberados"
http_access allow redelocal sitesliberados
# Bloqueio de sites pornos
acl porno url_regex -i "/etc/squid/sites/porno"
http_access deny redelocal porno
# Bloqueio de redes socias
acl redessociais url_regex -i "/etc/squid/sites/redessociais"
acl horario_almoco time 12:00-14:00
http_access allow redessociais horario_almoco
http_access deny redelocal redessociais
# Bloqueio de proxys
acl proxys url_regex -i "/etc/squid/sites/proxys"
http_access deny proxys
# Bloqueia url's listadas no arquivo
#acl sitesbloqueados url_regex -i "/etc/squid3/sites/bloqueados"
#http_access deny redelocal sitesbloqueados
#permitindo e negando acesso atraves das acl's
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redelocal
http_access allow localhost
http_access deny all
/etc/init.d/firewall
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5 # Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
############################
# Definicoes das Variaveis #
############################
internet="enp2s0"
rede="enp3s0"
UP_PORTS="1024:65535"
D_PORTS=":1024"
#Servidores NTP
NTP1="200.20.186.75"
NTP2="200.20.186.94"
#route add default gw 192.168.3.1 $internet
export internet rede UP_PORTS D_PORTS NTP1 NTP2
#####################################
##### Definicao de Policiamento #####
#####################################
# Tabela filter
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Tabela nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
##### Protecao contra IP Spoofing #####
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done
##### Ativacao do redirecionamento de pacotes (requerido para NAT) #####
echo "1" >/proc/sys/net/ipv4/ip_forward
###############################################################
# Redirecionando Porta 80 para SQUID
iptables -t nat -A PREROUTING -p tcp -i $rede --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1024:65535 -j ACCEPT
# Sites liberados
iptables -t nat -A PREROUTING -d pje.trtes.jus.br -j RETURN
iptables -t nat -A PREROUTING -d www.trtes.jus.br -j RETURN
# Masquerade
iptables -t nat -A POSTROUTING -o $internet -j MASQUERADE
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto enp2s0
iface enp2s0 inet dhcp
# The second network interface
auto enp3s0
iface enp3s0 inet static
address 192.168.200.254
netmask 255.255.255.0
ddns-update-style none;
# option definitions common to all supported networks...
#option wpad code 252 = text;
#option wpad "http://192.168.200.254/wpad.dat\n";
log-facility local7;
# A slightly different configuration for an internal subnet.
subnet 192.168.200.0 netmask 255.255.255.0 {
range 192.168.200.170 192.168.200.198;
option domain-name-servers 8.8.8.8, 208.67.222.222;
option domain-name "homecare.com.br";
option routers 192.168.200.254;
option broadcast-address 255.255.255.255;
default-lease-time 600;
max-lease-time 7200;
}