Step Security – Squid Completo

Publicado: Março 21, 2008 | Autor: rafaelveragini | Filed under: Security | Deixe um comentário »

.. SQUID PROXY ..  

Falando em proxy não podemos deixar de falar do proxy mais rápido e o mais modular do mundo da informática o SQUID!!! Demonstro abaixo um modelo criado pela minha pessoa espero que ajude a todos! 

Importante! 

Este .conf esta com regras (ACLs) para bloquear MSN, Goolge Talk e sites de PPPPPP!!!!!! Endereços padrões que não são permitidos na maioria das empresas. 

Obs. melhores documentos do SQUID (man squid) e (http://www.squid-cache.org/)  

# Arquivo de configuração /etc/squid/squid.conf 

# daemon

# Service start                     /etc/init.d/squid start

# Service stop                     /etc/init.d/squid stop

# Service reload                  /etc/init.d/squid reload 

# utilize tail –f /var/log/squid/access.log     # você poderá monitorar ou até mesmo utilizar para analisar um endereço específico.

SQUID.CONF

# Proxy
#       Owner: Rafael Duarte
############################
#Create date: 01/02/2007
http_port 192.168.0.2:8088
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#Manager cache proxy
cache_mem 64 MB
cache_dir diskd /var/spool/squid 512 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

#ACL — Acesso exclusivo rede 192.168.0.0/24
acl LanEMP src 192.168.0.0/255.255.255.0

#ACL — EMP…

#Ips com acesso ao MSN Messenger
acl MsnAllow src 192.168.0.28/255.255.255.255 
acl MsnAllow src 192.168.0.111/255.255.255.255
acl MsnAllow src 192.168.0.14/255.255.255.255
acl MsnAllow src 192.168.0.12/255.255.255.255

acl sites dstdomain .talkx.l.google.com .talk.google.com .cervejazul.com.br

.inutilidades.hex.com.br .video.google.com .meebo.com .inutilidades.com.br

.meebo.com.br .portaldovt.com.br .imaginarlo.com .ninjaproxy.com

.playboy.com.br .sexy.com .video.msn.com .video.globo.com .orkut.com

acl extensoes urlpath_regex .wma$ .asf$ .mov$ .mpg$ .mpeg$ .avi$

.mp3$ .wav$ .mid$ .pps$ .bat$ .scr$ .exe$

acl palavras url_regex -i talkx talk koolim mathtunnel safehazard meebo google-talk googletalk thecrims radiotuner iloveim msnanywhere proxify mastaline screensaver linkblog messbrasil ilovemessenger canalmsn meiobit mmclient centova tutorials1 contabilsantaizabel msnpiki msnfanatic youtube messengerfx sexo putaria filetransferenabled

acl MsnDominiosIP dst 216.32.66.235/255.255.255.255 72.21.057.0/255.255.255.0 207.46.110.0/255.255.255.0 62.116.121.0/255.255.255.0 64.12.163.0/255.255.255.0 205.188.179.0/255.255.255.0 205.188.213.0/255.255.255.0 62.116.83.62/255.255.255.255 69.36.226.0/255.255.255.0 216.129.112.0/255.255.255.0 216.129.113.0/255.255.255.0 65.216.115.0/255.255.255.0 85.184.4.0/255.255.255.0 193.238.160.0/255.255.255.0 72.36.146.0/255.255.255.0 209.34.241.0/255.255.255.0 64.92.172.108/255.255.255.255

acl MsnDominios dstdomain .imessenger.com .messenger.msn.com .messenger.hotmail.com

.realtunnel.com .webmessenger.msn.com .webmessenger.com.br .e-messenger.com.br

.e-messenger.net .msnmessenger.com .webmessenger.com .emessenger.com

.iloveim.com .iloveim.com.br .ilovemessenger.com .akamai.net .akamaitech.net

.hopster.com .meebo.com .meebo.com.br .wm.jabbernet.dk .imessenger.com.br

.webmessenger.blitzaffe.com .leamonde.net .msngamecenter.com .msn2go.com

.msnger.com .messenger.yahoo.com .cresce.net .messengerfx.com

#ACL — Deny all other access
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#Recommend minimum configuration
acl SSL_ports port 443 563            # https, snews
acl SSL_ports port 873                  # rsync
acl Safe_ports port 80                   # http
acl Safe_ports port 21                   # ftp
acl Safe_ports port 443 563           # https, snews
acl Safe_ports port 70                   # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535     # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl Safe_ports port 631                 # cups
acl Safe_ports port 873                 # rsync
acl Safe_ports port 901                 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
#Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
#Deny requests to unknown ports
http_access deny !Safe_ports
#Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#Police — EMP –
http_access deny palavras
http_access deny sites
http_access deny extensoes
http_access allow MsnAllow
http_access deny MsnDominiosIP
http_access deny MsnDominios

#Police — Acesso exclusivo local 127.0.0.1/255.255.255.255
http_access allow localhost
#Police — Acesso exclusivo rede LanEMP 192.168.0.0/24
http_access allow LanEMP

#Deny All other access
http_access deny all

#Limpeza automática do cache
reference_age 1 week

#Definição para que não seja feito cachê de páginas seguras SSL
no_cache deny SSL_ports

---