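# TAG: http_port (listening ports for the proxy)
#
# NOTE(review): this header announces the listening-port section, but no http_port
# directive is present in this part of the file. Confirm it is set elsewhere and,
# if the host has a non-internal interface, that it is bound to the internal
# address only: the whitelist allow rules further down are reachable with neither
# authentication nor a source-address check.
#
# TAG: Configuration for authentication types
#
# Authenticated proxy using LDAP
#
# Basic auth: the browser sends the user's password to the proxy base64-encoded,
# and squid_ldap_auth then binds to 192.168.0.251:389 with it. Neither hop is
# encrypted as configured here. If the directory supports StartTLS, add -Z to
# both helper command lines (requires -v 3 and a CA trusted by the OpenLDAP
# client config) so at least the proxy->LDAP hop is protected.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=localdomain" -h 192.168.0.251 -p 389 -v 3 -f "uid=%s"
# Number of helper processes; raise if cache.log reports the helper queue overloading.
auth_param basic children 5
auth_param basic realm Autenticacao de USUARIOS para acesso a INTERNET
# How long a verified username/password pair is cached before the helper is asked
# again. This is also the window during which a password revoked in LDAP keeps
# working at the proxy.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
# --<> External helper for per-group access control <>--
# Checks whether the authenticated user (%LOGIN, substituted as %v) is a memberUid
# of the group named by the acl line (%a).
# This directive must be one logical line. The original file split "-p 389 -v 3"
# onto a line of its own with no continuation marker, so squid.conf did not pass
# those options to the helper (the stray line is ignored or rejected instead).
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -b dc=localdomain -f (&(cn=%a)(memberUid=%v)) -h 192.168.0.251 -p 389 -v 3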
# TAG: acl
#
# ACL definitions consumed by the http_access rules below.
#
# --<> Default ACLs <>--
acl manager proto cache_object
#
# Ports a CONNECT tunnel may target (enforced by "http_access deny CONNECT !SSL_ports").
acl SSL_ports port 443
# Destination ports any request may use (enforced by "http_access deny !Safe_ports").
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# The stock squid.conf opens the whole 1025-65535 range here; this file narrows it
# to 8080 (plus the single ports added in the custom section), which is the tighter choice.
acl Safe_ports port 8080 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# --<> Start of custom ACLs <>--
# ****************************
# --<> Port ACLs <>--
acl Safe_ports port 8880 # Astransp
# --<> Special-case ACLs <>--
#
# NOTE(review): every site ACL below is a url_regex applied to the full request
# URL. Unless each pattern in the list files is anchored to the host part, a
# pattern like "facebook.com" also matches any URL that merely contains that
# string in its path or query (e.g. http://other.host/?q=facebook.com). For
# host-based allow/deny decisions dstdomain is the safer ACL type; the list
# files are not visible here, so confirm how the patterns are written.
# The Facebook/Orkut/Twitter/Youtube ACLs are only referenced by http_access
# lines that are currently commented out, and MySpace/MyspaceAllow by none.
# MSN
acl Safe_ports port 1863
acl MSN_noauth url_regex -i "/srv/squid/listas/msn_noauth"
acl MSN_url url_regex -i "/srv/squid/listas/msn"
acl MSN_sites url_regex -i "/srv/squid/listas/sitesmsn"
acl MSN_allow src "/srv/squid/msn_src"
# FACEBOOK
acl Facebook url_regex -i "/srv/squid/listas/facebook"
acl FacebookAllow src "/srv/squid/facebook_src"
# ORKUT
acl Orkut url_regex -i "/srv/squid/listas/orkut"
acl OrkutAllow src "/srv/squid/orkut_src"
# TWITTER
acl Twitter url_regex -i "/srv/squid/listas/twitter"
acl TwitterAllow src "/srv/squid/twitter_src"
# YOUTUBE
acl Youtube url_regex -i "/srv/squid/listas/youtube"
acl YoutubeAllow src "/srv/squid/youtube_src"
# MYSPACE
acl MySpace url_regex -i "/srv/squid/listas/myspace"
acl MyspaceAllow src "/srv/squid/myspace_src"
# --<> L D A P - groups <>--
#
# Each ACL asks the ldap_group helper whether the logged-in user is a member of
# the named LDAP group. Evaluating any of them forces authentication (%LOGIN).
#
# NOTE: NetFull --<> Full internet access
# NetFullProtect --<> Full access, only high-risk sites restricted
#   (documented here but no ACL of that name is defined or used in this file)
# NetOn --<> Access permitted, only some sites restricted
# NetOff --<> No internet access
# NetBlock --<> Access blocked, only selected sites allowed
# G_ORKUT_YOUTUBE_TWITTER_FACEBOOK --<> Allows access to Orkut, Youtube, Twitter and Facebook
acl NetFull external ldap_group NetFull
acl NetOn external ldap_group NetOn
acl NetOff external ldap_group NetOff
acl NetBlock external ldap_group NetBlock
# LDAP group name (G_MSN) differs from the ACL name on purpose; keep them in sync.
acl NetMSN external ldap_group G_MSN
acl NetOrkutYoutubeTwitterFacebook external ldap_group G_ORKUT_YOUTUBE_TWITTER_FACEBOOK
# --<> S O U R C E - decisions by client address <>--
#
# These match on the client IP alone (src), so they grant or deny access without
# any user login. Keep the list files restricted to hosts whose address cannot be
# spoofed or reassigned to untrusted users.
#
# NOTE: ProxyFull --<> Full internet access
# ProxyOn --<> Internet access with some restrictions
# ProxyOff --<> Internet access blocked, except sites allowed to everyone
# ProxyBlock --<> Access only to explicitly allowed sites
acl ProxyFull src "/srv/squid/proxyfull"
acl ProxyOn src "/srv/squid/proxyon"
acl ProxyOff src "/srv/squid/proxyoff"
acl ProxyBlock src "/srv/squid/proxyblock"
# --<> L I S T S <>--
#
# All lists below are url_regex files matched case-insensitively against the full
# URL; see the caveat on anchoring in the special-case ACL section above. The
# two *AllList pairs are consulted before authentication in http_access, so their
# contents are effectively reachable by anyone who can connect to the proxy.
#
# NOTE: NWWhiteAllList --<> Sites allowed for all users, maintained through NWSYSTEM
# NWBlockAllList --<> Sites blocked for all users, maintained through NWSYSTEM
acl NWWhiteAllList url_regex -i "/srv/squid/listas/NWWhiteAllList"
acl NWBlockAllList url_regex -i "/srv/squid/listas/NWBlockAllList"
# WhiteAllList --<> Sites allowed for all users
# BlockAllList --<> Sites blocked for all users
acl WhiteAllList url_regex -i "/srv/squid/listas/WhiteAllList"
acl BlockAllList url_regex -i "/srv/squid/listas/BlockAllList"
# WhiteList --<> Allowed sites (false-positive overrides for BlackList)
# BlackList --<> Blocked sites
# WhiteListNetBlock --<> Allowed sites for NetBlock users
acl WhiteList url_regex -i "/srv/squid/listas/WhiteList"
acl BlackList url_regex -i "/srv/squid/listas/BlackList"
# File name (WhiteNetBlock) intentionally differs from the ACL name; verify the
# path exists, since a missing list file stops Squid from starting.
acl WhiteListNetBlock url_regex -i "/srv/squid/listas/WhiteNetBlock"
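# TAG: http_access
#
# Rules are evaluated top-down; the first line whose ACLs all match decides.
# Default system rules
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Do not let clients reach services bound to the proxy host's loopback through
# the proxy (standard Squid hardening; this file previously had no such rule).
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
http_access deny to_localhost
http_access allow localhost
# Rules defined by the network administrator
# --> ALLOW: MSN (currently disabled)
#http_access allow MSN_noauth
#http_access allow MSN_url NetMSN
#http_access allow MSN_url MSN_allow
#http_access allow MSN_sites NetMSN
#http_access allow MSN_sites MSN_allow
#http_access deny MSN_url
#http_access deny MSN_sites
# --> ALLOW: ORKUT YOUTUBE TWITTER (Alipio e Flavia) (currently disabled)
#http_access allow Facebook FacebookAllow
#http_access allow Facebook NetOrkutYoutubeTwitterFacebook
#http_access allow Orkut OrkutAllow
#http_access allow Orkut NetOrkutYoutubeTwitterFacebook
#http_access allow Twitter TwitterAllow
#http_access allow Twitter NetOrkutYoutubeTwitterFacebook
#http_access allow Youtube YoutubeAllow
#http_access allow Youtube NetOrkutYoutubeTwitterFacebook
# --> ALLOW: sites permitted for the whole company
# These two lines precede every login-requiring ACL and have no src condition, so
# a listed URL is reachable by any client that can connect to the proxy without
# authenticating. They also win over the company-wide block lists below.
http_access allow WhiteAllList
http_access allow NWWhiteAllList
# --> BLOCK: sites blocked for the whole company
http_access deny BlockAllList
http_access deny NWBlockAllList
# --> BLOCK: machines and users
# NetOff is the first rule that needs the user's login (%LOGIN), so a client
# without credentials is challenged here; ProxyOff denies by source address.
http_access deny NetOff
http_access deny ProxyOff
# --> ALLOW: full access
http_access allow NetFull
http_access allow ProxyFull
# WhiteList is checked before BlackList so it can override false positives.
http_access allow WhiteList
http_access deny BlackList
http_access allow NetOn
http_access allow ProxyOn
# Anything that gets this far and is not on the NetBlock whitelist is denied, so
# the two allows below only ever see whitelisted URLs.
http_access deny !WhiteListNetBlock
http_access allow NetBlock
http_access allow ProxyBlock
# --> Link balancing (ACLs ips_link1/ips_link2 are not defined in this file)
#http_access allow ips_link1
#http_access allow ips_link2
# And finally deny all other access to this proxy
http_access deny all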
#Allow ICP queries from local networks only
#icp_access allow localnet
icp_access deny all
# Miscellaneous
hierarchy_stoplist cgi-bin ?
# In-memory cache size; the on-disk cache below is only twice this, and the
# largest cacheable object (maximum_object_size) is 4 MB.
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
cache_dir ufs /var/spool/squid3 2048 128 1024
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_swap_high 95
# access.log records the client IP and, once authenticated, the LDAP username;
# protect the file accordingly.
access_log /var/log/squid3/access.log squid
# NOTE(review): emulate_httpd_log is deprecated in newer Squid 3 releases in favour
# of logformat/access_log; confirm it is still honoured by the installed version.
emulate_httpd_log on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# NOTE(review): the ICP listener is opened here while icp_access above denies
# every query. If no cache peers are configured, "icp_port 0" closes the UDP
# port instead of exposing a service nobody may use.
icp_port 3130
coredump_dir /var/spool/squid3
# Original comment claimed this fixes a TCP_IMS_HIT/304 problem. ignore_expect_100
# actually controls how Squid handles the "Expect: 100-continue" request header
# (ignoring it instead of replying 417), which is unrelated to If-Modified-Since /
# 304 handling. Verify the reason this was enabled before relying on it.
ignore_expect_100 on