Ya logré realizar la denegación de páginas con el squid oficial, para alrededor de 50 subredes, lo cual me funciona de lujo.
Pero, estoy implementando que en una subred (192.192.100.0/27) los usuarios no puedan entrar a determinados sitios (yahoo, hotmail, hi5, myspace, etc), y que también no puedan realizar descargas de determinados archivos (doc, ppt, xls, etc).
Estuvo intentando con multiples configuraciones y nada de nada, les posteo mi squid conf:
- Código: Selecionar todos
http_port 8080 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 384 MB
maximum_object_size 64000 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
cache_dir diskd /partition/squid/cache 4700 16 256 Q1=72 Q2=64
access_log /partition/squid/logs/access.log
cache_log /partition/squid/logs/cache.log
cache_store_log none
cache_effective_user nobody
cache_effective_group nogroup
pid_filename /var/run/squid.pid
half_closed_clients off
server_persistent_connections off
client_persistent_connections off
memory_pools on
buffered_logs on
pipeline_prefetch on
dns_retransmit_interval 15 seconds
#cache_swap_low 70
#cache_swap_high 90
#########refresh_pattern -i ^http://.*\.(css|htm|html|ico|js|jsp|xml)$ 1440 80% 999999
#########refresh_pattern -i ^http://.*\.(bmp|gif|jpeg|jpg|png)$ 1440 80% 999999 ignore-reload
#########refresh_pattern -i ^http://.*\.(ace|adt|arj|asf|avi|bin|bz2|bzip|cab|dat|dll|doc|dot|exe|fla|flv|gz|iso|lha|log|lzh|mdb|mid|mov|mp3|mpeg|mpg|msi|mso|ogg|pps|ppt|rar|rm|rtf|shs|src|sys|swf|tgz|tif|ttf|wav|wma|wri|wmv|vpu|vpaa|vqf|vob|zip)$ 43200 100% 999999 ignore-reload
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 8180
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901
acl manager proto cache_object
acl PURGE method PURGE
acl CONNECT method CONNECT
http_access allow PURGE localhost
http_access allow manager localhost
http_access deny PURGE
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl internal_net src "/usr/local/squid/etc/ipaccess.yes"
### Zero Penalty Hits ###
server_persistent_connections off
zph_mode tos
zph_local 0x30
#ACL para evitar hace cache sobre estas paginas web
acl XXYY dstdomain www.trinchera.com.ni
no_cache deny XXYY
acl AABB dstdomain www.canal2tv.com
no_cache deny AABB
acl radio dstdomain .scfire-chi0l-2.stream.aol.com
no_cache deny radio
acl XXZZ dstdomain www.malwarepatrol.net/cgi/submit?action=list_squid
no_cache deny XXZZ
#DENEGACION DE DESCARGAS DE ARCHIVOS
acl virus urlpath_regex -i "/usr/local/squid/etc/extensiones_negadas.txt"
http_access deny virus
#POPUPS
acl popup url_regex -i "/usr/local/squid/etc/popups.txt"
acl excento url_regex -i "/usr/local/squid/etc/sitios_permitidos.txt"
http_access deny popup !excento
deny_info http://192.168.168.253:600 popup
deny_info http://192.168.168.253:600 excento
### Creo las ACL para Negar y Permitir ###
acl bloquea url_regex -i "/usr/local/squid/etc/sitios_prohibidos.txt
acl inocentes url_regex -i "/usr/local/squid/etc/sitios_permitidos.txt"
acl malware_block_list url_regex -i "/usr/local/squid/etc/malware_block_list.txt"
acl spyware url_regex -i "/usr/local/squid/etc/malware1.txt"
acl virusinfected url_regex -i "/usr/local/squid/etc/virusinfected.txt"
acl hacking url_regex -i "/usr/local/squid/etc/hacking.txt"
acl spybot url_regex -i "/usr/local/squid/etc/spybot.txt"
#### ACL PARA IP PUBLICA #### ####ESTA ES EL CODIGO QUE NO ME FUNCIONA
acl red_publica src 192.192.100.0/27
acl bloqueo_de_webs urlpath_regex -i "/usr/local/squid/etc/zbloqueo_publico"
http_access deny bloqueo_de_webs red_publica
### Aplico las ACL recien creadas ###
http_access deny bloquea !inocentes
deny_info http://192.168.168.253:900 bloquea
deny_info http://192.168.168.253:900 inocentes
http_access deny malware_block_list !inocentes
deny_info http://192.168.168.253:900 malware_block_list
deny_info http://192.168.168.253:900 inocentes
http_access deny spyware !inocentes
deny_info http://192.168.168.253:900 spyware
deny_info http://192.168.168.253:900 inocentes
http_access deny virusinfected !inocentes
deny_info http://192.168.168.253:900 virusinfected
deny_info http://192.168.168.253:900 inocentes
http_access deny hacking !inocentes
deny_info http://192.168.168.253:900 hacking
deny_info http://192.168.168.253:900 inocentes
http_access deny spybot !inocentes
deny_info http://192.168.168.253:900 spybot
deny_info http://192.168.168.253:900 inocentes
#Access deny to Squid ident. header
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Proxy-Connection deny all
header_access Accept-Encoding deny all
http_access allow internal_net
http_access deny all
#http_reply_access allow all
#icp_access allow all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname brazilfw
coredump_dir /partition/squid/cache
error_directory /usr/local/squid/share/errors/Spanish
################ P E R S O N A L I Z A C I O N D E S Q U I D ################################
## FLAGS desesperadas para aumentar o uso do cache ###
refresh_pattern -i \.doubleclick\.net 1440 40% 20160
refresh_pattern -i \.benchmark\.kelkoo\.net: 1440 40% 20160
refresh_pattern -i \.googleadservices\.com 1440 40% 20160
refresh_pattern \.google\.ni\/search$ 30 40% 20160
refresh_pattern -i \.do? 3000 80% 432000 override-expire
refresh_pattern -i \.do$ 3000 80% 432000 override-expire
refresh_pattern -i \.do 3000 80% 432000
refresh_pattern -i \.jsp? 3000 80% 432000 override-expire
refresh_pattern -i \.jsp$ 3000 80% 432000 override-expire
refresh_pattern -i \.jsp 3000 80% 432000 override-expire
## TENTATIVA DESESPERADA PARA SALVAR AS ATUALIZAÇÔES DO WINDOWS XP E NOD32 ##
#refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
#refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
#refresh_pattern eset.com/.*\.(rar|nup|ver) 4320 100% 43200 reload-into-ims
#Microsoft Windows update/Downloads
#refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 150% 43200 reload-into-ims
#refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern windowsupdate 1080 150% 10080 override-lastmod
#refresh_pattern msn\.com 4320 150% 10080 override-lastmod
#refresh_pattern ^http://.*\.doubleclick\.net 10080 300% 40320
#refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
#################################
### A C L D E W I N D O W S U P D A T E C A V E R N I C O L A
refresh_pattern .windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
#################################
# Java
refresh_pattern \.class$ 2880 60% 28800
# Imagenes
refresh_pattern \.gif$ 4320 80% 43200
refresh_pattern \.jpg$ 4320 80% 43200
refresh_pattern \.jpeg$ 4320 80% 43200
refresh_pattern \.png$ 4320 80% 43200
refresh_pattern \.bmp$ 4320 80% 43200
refresh_pattern \.tif$ 4320 80% 43200
refresh_pattern \.tiff$ 4320 80% 43200
refresh_pattern \.xbm$ 4320 80% 43200
# Animaciones
refresh_pattern \.mov$ 2880 80% 28800
refresh_pattern \.avi$ 2880 80% 28800
refresh_pattern \.mpg$ 2880 80% 28800
#refresh_pattern \.swf$ 2880 80% 28800
#refresh_pattern \.flv$ 2880 80% 28800
refresh_pattern \.flash$ 2880 80% 28800
# Audio
refresh_pattern \.wav$ 2880 80% 28800
refresh_pattern \.au$ 2880 80% 28800
refresh_pattern \.mid$ 2880 80% 28800
refresh_pattern \.mp3$ 2880 80% 28800
refresh_pattern \.rm$ 2880 80% 28800
# Archivos comprimidos
refresh_pattern \.zip$ 2880 50% 28800
refresh_pattern \.cab$ 2880 50% 28800
refresh_pattern \.gz$ 2880 50% 28800
refresh_pattern \.arj$ 2880 50% 28800
refresh_pattern \.lha$ 2880 50% 28800
refresh_pattern \.lzh$ 2880 50% 28800
refresh_pattern \.rar$ 2880 50% 28800
refresh_pattern \.tgz$ 2880 50% 28800
refresh_pattern \.tar$ 2880 50% 28800
refresh_pattern \.Z$ 2880 50% 28800
refresh_pattern \.iso$ 2880 50% 28800
refresh_pattern \.exe$ 2880 50% 28800
refresh_pattern \.deb$ 2880 50% 28800
refresh_pattern \.rpm$ 2880 50% 28800
refresh_pattern \.dev$ 2880 50% 28800
# Documentos
refresh_pattern \.pdf$ 2880 60% 28800
refresh_pattern \.rtf$ 2880 60% 28800
refresh_pattern \.doc$ 2880 60% 28800
refresh_pattern \.wp$ 2880 60% 28800
refresh_pattern \.wp5$ 2880 60% 28800
refresh_pattern \.ps$ 2880 60% 28800
refresh_pattern \.prn$ 2880 60% 28800
#AGREGADOS POR MI
#HTTP
#refresh_pattern \.js$ 2880 80% 28800
#refresh_pattern \.htm$ 2880 40% 4320
#refresh_pattern \.txt$ 2880 40% 28800
#refresh_pattern ^http: 2880 40% 4320
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp|.*php|.*js) 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
#fqdncache_size 1500
logfile_rotate 0
half_closed_clients off
#collapsed_forwarding on
offline_mode on #realizar caché de lo que pase por el proxy
La parte que dice: "Este es el código que no me funciona", es donde quiero bloquear determinados sitios.
Gracias
Saludos