Configurando servidor proxy transparent com Squid

Hoje explicarei como configurar o Squid para servir como proxy transparente no gateway da rede, fazendo cache e restringindo o acesso a alguns sites.

Instalação
Baixando o source do squid 3.1.16
$wget "http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.16.tar.gz"
Extraindo o source do download acima
$tar -xzvf squid-3.1.16.tar.gz
$cd squid-3.1.16
$./configure --prefix=/usr/local/squid \
--enable-err-Portuguese=lang \
--mandir=/usr/share/man \
--enable-auth="basic,digest,ntlm" \
--enable-removal-policies="lru,heap" \
--enable-digest-auth-helpers="password" \
--enable-basic-auth-helpers="getpwnam,YP,NCSA,MSNT" \
--enable-external-acl-helpers="ip_user,unix_group,wbinfo_group" \
--enable-ntlm-auth-helpers="fakeauth,no_check" \
--enable-removal-policies \
--enable-linux-netfilter \
--enable-ident-lookups \
--enable-useragent-log \
--enable-cache-digests \
--enable-delay-pools \
--enable-referer-log \
--enable-underscores \
--enable-async-io \
--enable-truncate \
--enable-arp-acl \
--with-pthreads \
--enable-icmp \
--enable-htcp \
--enable-carp \
--enable-poll \
--enable-snmp \
--enable-wccp \
--enable-ssl

$make
#make install

Configuração
Como o local de instalação foi definido como /usr/local/squid no ./configure, faça um backup do squid.conf original antes de escrever o novo:
#mv /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.bkp
squid.conf

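# Intercept ("transparent") HTTP on port 3128; the iptables rule at the end of
# the page REDIRECTs port 80 traffic from the LAN interface here.
http_port 3128 transparent
visible_hostname mundodacomputacao.com.br

cache_mem 64 MB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
# NOTE(review): this is the *access* log, yet it is named cache.log, the same
# file name Squid uses by default for its own cache_log (daemon messages); the
# sample output at the end of the page shows both kinds of line interleaved in
# one file. A distinct name such as access.log keeps request records apart
# from daemon diagnostics.
cache_access_log /usr/local/squid/var/logs/cache.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

acl manager proto cache_object
acl localhost src 127.0.0.1
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 #https,snews
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 901 #swat
acl Safe_ports port 1025-65535 #high ports
acl purge method PURGE
acl CONNECT method CONNECT
acl SSL_ports port 443 563

##ACLS
# Each line of the three list files is read as a case-insensitive regular
# expression, not a literal string: "facebook.com" also matches "facebookXcom",
# and a short word such as "ms" or "tor" in the word list matches any URL that
# merely contains it (".../forms", ".../history"). Anchor or lengthen entries
# that must not over-match.
acl sitesbloqueados url_regex -i "/usr/local/squid/dominiosbloqueados"
acl palavrasproibidas url_regex -i "/usr/local/squid/palavrasproibidas"
acl sitespermitidos url_regex -i "/usr/local/squid/dominiospermitidos"
acl redelocal src 192.168.1.0/24
# ACL to block Skype: matches a request-URI that is a bare dotted-quad IPv4
# address followed by ":", "/" or end of string (used below only for CONNECT,
# whose request-URI is host:port).
# Fix: the last-octet group was missing the "|" between 25[0-5] and
# [3-9][0-9]{0,1}, so addresses whose last octet was 3-9, 30-99 or 250-255
# were never matched; it now mirrors the group used for the first three octets.
acl acl_url_im_skype url_regex ^((0|1[0-9]{0,2}|2[0-9]{0,1}|2[0-4][0-9]|25[0-5]|[3-9][0-9]{0,1})\.){3}(0|1[0-9]{0,2}|2[0-9]{0,1}|2[0-4][0-9]|25[0-5]|[3-9][0-9]{0,1})(:|/|$\?)

# NOTE(review): all ACLs named on one http_access line are ANDed. A request
# cannot come from 127.0.0.1 and from 192.168.1.0/24 at the same time, so this
# allow never matches and the following line denies every cache-manager
# request, including from localhost. If that is not intended, use
# "http_access allow manager localhost" (or localnet, but not both on one line).
http_access allow manager localhost localnet
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

##Access control
# Rules are evaluated top-down and the first match wins: the deny lists come
# first, so sitespermitidos cannot re-allow a domain or word that is blocked
# above; it only grants those URLs to sources that are not localhost/redelocal.
http_access deny sitesbloqueados
http_access deny palavrasproibidas
http_access deny CONNECT acl_url_im_skype
http_access allow sitespermitidos
http_access allow localhost
http_access allow redelocal
http_access deny all
error_directory /usr/local/squid/share/errors/pt-br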

#touch /usr/local/squid/dominiosbloqueados
#touch /usr/local/squid/palavrasproibidas
#touch /usr/local/squid/dominiospermitidos
#cp /usr/local/squid/sbin/squid /usr/sbin
#mkdir /usr/local/squid/var/cache
#mkdir /usr/local/squid/var/logs
#chmod 0777 /usr/local/squid/var/cache
#chmod 0777 /usr/local/squid/var/logs

/usr/local/squid/dominiosbloqueados

orkut.com
http://www.orkut.com
facebook.com
http://www.facebook.com
twitter.com
http://www.twitter.com
http://www.ebuddy.com
http://www.meebo.com
http://www.4shared.com
4shared.com
http://www.esnips.com
esnips.com
http://www.adrive.com
adrive.com
http://www.megaupload.com
megaupload.com
http://www.redtube.com
redtube.com
http://www.youtube.com
youtube.com
http://www.torproject.org
torproject.org
http://www.ninjacloak.com
ninjacloak.com
speedyhide.info/index.php
speedyhide.info
http://www.dropbox.com

/usr/local/squid/palavrasproibidas

orkut
facebook
twitter
youtube
sexo
bondage
tor
torproject
vidalia
gatewall.dll
ms
messenger
webmessengers
webmessenger
ebuddy
meebo
iloveim
skype
porno
sexy
safadinha
speedyhide
ninjacloak
dropbox

Check-list do Squid
#squid -z

Iniciando o serviço
Copie este script, retirado do Slackware Linux, para iniciar/parar o Squid; ele também funciona no Debian, bastando mover o script para /etc/init.d/.
rc.squid.conf

#!/bin/sh
# Start/stop/restart/reload the Squid Internet Object Cache (squid)
# To make Squid start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.squid
# Written for Slackware Linux by Erik Jan Tromp
# Modified by David Somero
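# Paths used by every action below: the config file squid reads and the
# binary installed to /usr/sbin earlier in the guide.
SQUIDCFG=/usr/local/squid/etc/squid.conf
SQUIDCMD=/usr/sbin/squid
# Refuse to run without a readable config and an executable squid binary.
# Expansions are quoted so a path containing spaces cannot split the test,
# and diagnostics go to stderr so they are not mistaken for normal output.
if [ ! -r "$SQUIDCFG" ]; then
  echo "Please set the correct path to $SQUIDCFG" >&2
  exit 1
fi
if [ ! -x "$SQUIDCMD" ]; then
  echo "$SQUIDCMD not found" >&2
  exit 1
fi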
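#######################################
# Start squid, creating the cache directory hierarchy first if needed.
# Globals:   SQUIDCFG (read), SQUIDCMD (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of "$SQUIDCMD -F"
#######################################
squid_start() {
  # Every cache_dir line in the config names a directory in its 3rd field;
  # fall back to the compiled-in default when none is configured.
  ALL_DIRS=$(awk '/^cache_dir/ {print $3}' "$SQUIDCFG")
  [ -z "$ALL_DIRS" ] && ALL_DIRS=/var/cache/squid
  # Word-splitting of $ALL_DIRS is intentional: one path per line.
  # "squid -z" initialises all cache dirs at once, so one missing "00"
  # subdirectory is enough to run it and we can stop scanning.
  for CACHE_DIR in $ALL_DIRS ; do
    if [ ! -d "$CACHE_DIR/00" ] ; then
      echo "Creating swap directories: $SQUIDCMD -z"
      "$SQUIDCMD" -z 2> /dev/null
      break
    fi
  done
  echo "Starting Squid: $SQUIDCMD -F"
  "$SQUIDCMD" -F
}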
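#######################################
# Stop squid gracefully: request shutdown, poll "-k check" once per second
# and force an interrupt once shutdown_lifetime seconds (default 30) pass.
# Globals:   SQUIDCFG (read), SQUIDCMD (read)
# Arguments: none
# Outputs:   countdown progress on stdout
# Returns:   0
#######################################
squid_stop() {
  COUNTDOWN=$(awk '/^shutdown_lifetime/ {print $2}' "$SQUIDCFG")
  [ -z "$COUNTDOWN" ] && COUNTDOWN=30
  printf '%s' "Shutting down Squid in $COUNTDOWN seconds: "
  "$SQUIDCMD" -k shutdown 2> /dev/null
  while "$SQUIDCMD" -k check 2> /dev/null ; do
    sleep 1
    printf '.'
    # $(( )) is POSIX; the previous $[ ] form is a bash-only extension that
    # fails under dash (Debian's /bin/sh) despite the #!/bin/sh shebang.
    COUNTDOWN=$(( COUNTDOWN - 1 ))
    if [ "$COUNTDOWN" -le 0 ] ; then
      "$SQUIDCMD" -k interrupt 2> /dev/null
      sleep 1
      break
    fi
  done
  echo
}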
#######################################
# Restart squid: full stop, a one-second pause so the old process can
# release its listening port and cache locks, then a fresh start.
# Globals:   none directly (squid_stop/squid_start read SQUIDCFG, SQUIDCMD)
# Arguments: none
# Returns:   exit status of squid_start
#######################################
squid_restart() {
  squid_stop
  # Give the old process a moment to exit completely before relaunching.
  sleep 1
  squid_start
}
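#######################################
# Ask the running squid to re-read squid.conf without restarting.
# Globals:   SQUIDCMD (read)
# Arguments: none
# Outputs:   nothing (squid's own diagnostics are discarded)
# Returns:   exit status of "$SQUIDCMD -k reconfigure"
#######################################
squid_reload() {
  # Quoted so a binary path containing spaces is passed as one word.
  "$SQUIDCMD" -k reconfigure 2> /dev/null
}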
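# Dispatch on the requested action (start|stop|restart|reload).
case "$1" in
  'start')
    squid_start
    ;;
  'stop')
    squid_stop
    ;;
  'restart')
    squid_restart
    ;;
  'reload')
    squid_reload
    ;;
  *)
    # Unknown or missing action: usage goes to stderr and the script exits
    # non-zero so init, cron or a shell caller can detect the mistake.
    echo "usage: $0 start|stop|restart|reload" >&2
    exit 1
    ;;
esac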

No Slackware:
#chmod +x /etc/rc.d/rc.squid
#/etc/rc.d/rc.squid start
No Debian:
#chmod +x /etc/init.d/rc.squid
#/etc/init.d/rc.squid start

Para que o proxy seja transparente, adicione esta regra ao seu script de firewall:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

A interface eth1 é a placa da rede local, pela qual o proxy recebe as requisições dos outros micros da rede, e 3128 é a porta usada pelo Squid.
PS: neste caso, eth0 = rede externa (internet) e eth1 = rede interna (intranet).
Verifique o log de acessos do Squid:

# tail -f /usr/local/squid/var/logs/cache.log
1321733892.697 88 192.168.1.100 TCP_MISS/200 1067 GET http://s.glbimg.com/es/ge/media/globoesporte2010/img/icone_regulamento.png - DIRECT/186.192.82.11 image/png
2011/11/19 18:24:50| Squid is already running! Process ID 586
1321734296.188 33 192.168.1.100 TCP_DENIED/403 6472 GET http://www.youtube.com/ - NONE/- text/html
1321734299.694 3485 192.168.1.100 TCP_REFRESH_UNMODIFIED/304 454 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/209.169.10.131 -
1321734407.090 19 192.168.1.100 TCP_DENIED/403 4230 GET http://www.twitter.com/ - NONE/- text/html
1321734407.282 23 192.168.1.100 TCP_DENIED/403 4231 GET http://www.twitter.com/favicon.ico - NONE/- text/html
1321734410.259 6 192.168.1.100 TCP_DENIED/403 4263 GET http://www.twitter.com/favicon.ico - NONE/- text/html
1321734414.542 10 192.168.1.100 TCP_DENIED/403 4087 GET http://www.orkut.com/ - NONE/- text/html
1321734419.972 11 192.168.1.100 TCP_DENIED/403 3951 GET http://www.facebook.com/ - NONE/- text/html
2011/11/19 18:51:18| NETDB state saved; 0 entries, 1 msec

Feito!
