Squid bloqueando usuário com privilégio de acesso a qualquer site.

RG · 26 de Janeiro de 2011, 10:52

Bom dia Amigos,

Estou com o seguinte problema e gostaria da ajuda:

Em uma única estação Win7, para todo e qualquer usuário no grupo de acesso full (Acesso a sites bloqueados inclusive) o Squid está bloqueando o acesso aos sites que constam no arquivo de sites bloqueados. Se estes mesmos usuários usarem outra estação com seus usuários, funciona normamente. Resumindo, nesta estação ele bloqueia sites bloqueados mesmo para quem tem permissão a eles.
Utilizo Squid 2.6 com autenticação no AD.

A mensagem que aparece é :

ERRO
A URL solicitada não pode ser recuperada

Na tentativa de recuperar a URL: http://www.youtube.com/
O seguinte erro foi encontrado:
Proibido o Acesso.
O controle de acessos impediu sua requisição. Caso você não concorde com isso,
por favor, contate seu provedor de serviços, ou o administrador de sistemas.

Generated Tue, 25 Jan 2011 16:31:54 GMT by teste (squid/2.6.STABLE18)
----------------------------------------------------------------------------------------------
Qualquer informação, dica, é bem vinda.

zekkerj · 26 de Janeiro de 2011, 10:58

Mostre seu squid.conf.

RG · 26 de Janeiro de 2011, 11:14

Segue meu Squid.conf
Obrigado
----------------------------------------------------------------------------------------------------------------

# aggregate the "delay parameters" for the aggregate bucket
# (class 1, 2, 3).
#
# individual the "delay parameters" for the individual
# buckets (class 2, 3).
#
# network the "delay parameters" for the network buckets
# (class 3).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64kbps
# (plus overheads), with no overall limit, the line is:
#
#delay_parameters 1 -1/-1 8000/8000
#
# Note that the figure -1 is used to represent "unlimited".
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256kbps (strict limit)
# with each 8-bit network permitted 64kbps (strict limit) and each
# individual host permitted 4800bps with a bucket maximum size of 64kb
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
# There must be one delay_parameters line for each delay pool.
#
#Default:
# none

# TAG: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
#
#Default:
# delay_initial_bucket_level 50

# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------

# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
#
# Also see "pconn_timeout" in the TIMEOUTS section

# TAG: client_persistent_connections
# TAG: server_persistent_connections
# Persistent connection support for clients and servers. By
# default, Squid uses persistent connections (when allowed)
# with its clients and servers. You can use these options to
# disable persistent connections with clients and/or servers.
#
#Default:
# client_persistent_connections on
# server_persistent_connections on

# TAG: persistent_connection_after_error
# With this directive the use of persistent connections after
# HTTP errors can be disabled. Useful if you have clients
# who fail to handle errors on persistent connections proper.
#
#Default:
# persistent_connection_after_error off

# TAG: detect_broken_pconn
# Some servers have been found to incorrectly signal the use
# of HTTP/1.0 persistent connections even on replies not
# compatible, causing significant delays. This server problem
# has mostly been seen on redirects.
#
# By enabling this directive Squid attempts to detect such
# broken replies and automatically assume the reply is finished
# after 10 seconds timeout.
#
#Default:
# detect_broken_pconn off

# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------

# SNMP OPTIONS
# -----------------------------------------------------------------------------

# ICP OPTIONS
# -----------------------------------------------------------------------------

# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------

# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------

# TAG: error_directory
# If you wish to create your own versions of the default
# (English) error files, either to customize them to suit your
# language or company copy the template English files to another
# directory and point this tag at them.
#
# The squid developers are interested in making squid available in
# a wide variety of languages. If you are making translations for a
# langauge that Squid does not currently provide please consider
# contributing your translation back to the project.
#
#Default:
# error_directory /usr/share/squid/errors/English
error_directory /usr/share/squid/errors/Portuguese

# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------

# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------

# DNS OPTIONS
# -----------------------------------------------------------------------------

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none

hosts_file /etc/hosts

# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned there are now Internet names with no dots in
# them using only top-domain names, so setting this may
# cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#
#Default:
# none

# MISCELLANEOUS
# -----------------------------------------------------------------------------

# TAG: uri_whitespace
# What to do with requests that have whitespace characters in the
# URI. Options:
#
# strip: The whitespace characters are stripped out of the URL.
# This is the behavior recommended by RFC2396.
# deny: The request is denied. The user receives an "Invalid
# Request" message.
# allow: The request is allowed and the URI is not changed. The
# whitespace characters remain in the URI. Note the
# whitespace is passed to redirector processes if they
# are in use.
# encode: The request is allowed and the whitespace characters are
# encoded according to RFC1738. This could be considered
# a violation of the HTTP/1.1
# RFC because proxies are not allowed to rewrite URI's.
# chop: The request is allowed and the URI is chopped at the
# first whitespace. This might also be considered a
# violation.
#
#Default:
# uri_whitespace strip
uri_whitespace encode

# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# TAG: chroot
# Use this to have Squid do a chroot() while initializing. This
# also causes Squid to fully drop root privileges after
# initializing. This means, for example, if you use a HTTP
# port less than 1024 and try to reconfigure, you will may get an
# error saying that Squid can not open the port.
#
#Default:
# none

teste@teste:/etc/squid$ vi squid.conf
teste@teste:/etc/squid$ sudo vi squid.conf
# WELCOME TO SQUID 2.6.STABLE18
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
#auth_param ntlm max_challenge_lifetime 180 minutes

zekkerj · 26 de Janeiro de 2011, 11:28

tá incompleto... e vou te pedir também pra tirar os comentários antes de postar, senão fica phdz de encontrar as configurações.

RG · 26 de Janeiro de 2011, 13:46

Obrigado pelo retorno. O arquivo é bem extenso mesmo. Não tinha notado que estava incompleto. Segue o arquivo completo e sem comentários. Apenas o que é efetivamente usado:

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/lib/squid/ldap_auth -b "ou=users,ou=testeserver,dc=teste,dc=testeserver,dc=srv,dc=br" -f "sAMAccountName=%s" -D "guardiao@teste.testeserver.srv.br" -w spassword -H ldap://192.168.0.254:389 -v3
auth_param basic children 15
auth_param basic realm Autenticacao no Servidor Proxy
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive off

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443      # https
acl SSL_ports port 563      # snews
acl SSL_ports port 873      # rsync
acl SSL_ports port 8080      # Tomcat/JBoss
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 631      # cups
acl Safe_ports port 873      # rsync
acl Safe_ports port 901      # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl ldapauth proxy_auth REQUIRED
acl our_networks src 192.168.0.0/24

acl blacklist.palavra url_regex -i "/etc/squid/politica/bloqueado.palavra"
acl whitelist-palava url_regex -i "/etc/squid/politica/liberado.palavra"
acl blacklist.dominio dstdomain -i "/etc/squid/politica/bloqueado.dominio"
acl withelist-dominio dstdomain -i "/etc/squid/politica/liberado.dominio"
acl usuarios-privilegiados proxy_auth "/etc/squid/politica/usuarios.privilegiados"
acl relat_sucursais url_regex -i sucursais.testeserver.srv.br/relatorios/webservice.asmx sucursais.testeserver.srv.br/relatorios/importadorhtml/service.asmx
acl rg_msg_msn1 url_regex -i "/etc/squid/politica/rg_msg_msn1"
acl impressora dst 192.168.0.181/32

acl liberado.semauth dstdomain -i "/etc/squid/politica/liberado.semauth"
acl PC-023 src 192.168.0.96
acl PC-048 src 192.168.0.40
acl PC-044 src 192.168.0.18

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow liberado.semauth

http_access allow PC-023
http_access allow PC-048
http_access allow PC-044
http_access allow relat_sucursais
http_access allow rg_msg_msn1
http_access allow impressora
http_access allow usuarios-privilegiados

http_access deny blacklist.palavra
http_access deny blacklist.dominio
http_access allow whitelist-palava
http_access allow withelist-dominio

http_access allow ldapauth

http_access allow our_networks
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
#

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

http_port 3128

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------

cache_mem 512 MB

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------

access_log /var/log/squid/access.log squid
cache_store_log none

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
uch responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

visible_hostname teste

error_directory /usr/share/squid/errors/Portuguese

hosts_file /etc/hosts
uri_whitespace encode
coredump_dir /var/spool/squid

zekkerj · 26 de Janeiro de 2011, 14:09

Qual é a versao do Win7 em uso na máquina problemática? Home, Professional, etc?

Há outras máquinas com a mesma versão do SO em uso?

O navegador, na máquina problemática, chega a abrir o prompt da senha pro Squid?

RG · 26 de Janeiro de 2011, 14:25

A versão do SO é o Windows 7 Professional.
Agora tenho uma informação adicional: O problema ocorre somente em Win7. Consegui novas estações para teste e nas estações com XP o problema não ocorre, somente no Win7.
O Squid não solicita usuário e senha. Funciona normalmente, mas quando o site é bloqueado para todos, exceto o usuário que tem permissão, o erro ocorre. Resumindo, em Win7, mesmo o usuário tendo acesso, aparece mensagem de erro que a página tem seu acesso proibido.

RG · 27 de Janeiro de 2011, 14:52

Amigos, alguém tem alguma idéia? Toda dica e informação é bem-vinda.

zekkerj · 27 de Janeiro de 2011, 15:09

Tente ver na documentação sobre a autenticação se é necessário/possível especificar que seja usado o protocolo NTLMv2 (usado no Windows 7), em vez de NTLM (usado no XP).

RG · 28 de Janeiro de 2011, 15:31

Obrigado pelo retorno. Bem, no Win7 Pro eu testei todos os modos de autenticação possíveis e nenhum funcionou. Vou olhar agora um pouco mais o Squid. Se tiveres qualquer sugestão, é bem vinda.

RG · 31 de Março de 2011, 15:59

Amigos, gostaria de compartilhar uma dúvida :
Descobri que posso ter uma falha nas minhas ACLs. A ACL que trata dos usuários com privilégios para acessar qualquer site é a última a ser carregada. Primeiro carrego os sites proibidos e outros.
Para colocar esta regra como primeira apenas altero a ordem das regras e reinicio o Squid?
Já testei todas as autenticações possíveis.

Qualquer ajuda é bem vinda.

zekkerj · 31 de Março de 2011, 16:10

RG, a ordem das diretivas "acl" não importa, o que importa é a ordem das diretivas "http_access".