ACL problem
Hi, I find the project interesting and wanted to give it some space on sistemistiindip.
I have set up squidtl as a redirector for a Squid instance that authenticates users and/or groups. That part works very well, but the part that blocks sites and lists, redirecting to the deny.php page, does not work; or rather, the request is logged and mapped as blocked in the rules and in the site list, yet Squid still authorizes access to the blocked site/domain.
My suspicion is that Squid is missing some directive. Can you help me?
I attach my Squid configuration:
http_port 8080
url_rewrite_program /usr/local/
## PAM AUTH (passwd and shadow)
auth_param basic program /usr/lib/
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
### allow PAM-authenticated users
acl password proxy_auth REQUIRED
http_access allow password
# And finally deny all other access to this proxy
http_access deny all
Regards,
Paolo
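Added example, not SquidTL's code and not part of this thread. The configuration above delegates every block decision to the url_rewrite_program: once a user has authenticated, "http_access allow password" lets the request through, so Squid only refuses a site if the helper rewrites the URL. With the helper protocol used by Squid 2.7/3.1, Squid sends one line per request ("URL client_ip/fqdn user method ...") and reads one reply line: an empty line (or the same URL) leaves the request untouched, while a URL prefixed with "302:" makes Squid answer the client with a redirect instead of fetching the original. A helper that logs a block but still writes an empty line therefore blocks nothing. The minimal helper below shows the reply a blocking decision must produce; the blocklist, the deny page URL and the "--concurrent" flag are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (added example, not SquidTL's code).

Request line from Squid:  URL client_ip/fqdn user method [kv-pairs]
Reply line to Squid:      ""            -> leave the URL unchanged
                          "302:<url>"   -> redirect the client (legacy format)
"""
import sys
from urllib.parse import urlsplit, quote

# Constructed blocklist and deny page: assumptions for this example only.
BLOCKED_DOMAINS = {"facebook.com", "example.net"}
DENY_PAGE = "http://proxy.example.local/deny.php"


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def parse_request(line, concurrent=False):
    """Split one Squid helper request line into its fields.

    With url_rewrite_concurrency > 0 Squid prefixes each line with a
    channel id that must be echoed back at the start of the reply.
    """
    parts = line.strip().split()
    channel = None
    if concurrent:
        channel, parts = parts[0], parts[1:]
    if len(parts) < 4:
        raise ValueError("malformed helper request: %r" % line)
    url, src, user, method = parts[:4]
    client_ip = src.split("/", 1)[0]          # "ip/fqdn" -> ip
    return {"channel": channel, "url": url, "client_ip": client_ip,
            "user": user, "method": method}


def decide(req, blocked=BLOCKED_DOMAINS, deny_page=DENY_PAGE):
    """Return the reply body: '' to pass the request, '302:<url>' to block."""
    host = urlsplit(req["url"]).hostname or ""
    if host_is_blocked(host, blocked):
        # Carry the original URL so deny.php can show what was blocked.
        return "302:%s?url=%s" % (deny_page, quote(req["url"], safe=""))
    return ""


def handle_line(line, concurrent=False):
    """Map one stdin line to the exact reply line Squid expects."""
    req = parse_request(line, concurrent)
    reply = decide(req)
    if req["channel"] is not None:
        reply = ("%s %s" % (req["channel"], reply)).rstrip()
    return reply


def main():
    # Squid reads replies line by line; the flush is essential, otherwise
    # Squid waits for a reply that sits in the helper's output buffer.
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        try:
            reply = handle_line(line, concurrent)
        except ValueError:
            reply = ""      # malformed input: pass through, never hang
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it without Squid, pipe a request line into the script: `echo "http://www.facebook.com/ 192.168.200.152/- paolo GET" | python3 helper.py` prints the "302:" redirect, while a request for an unlisted host prints an empty line. Squid 3.4 and later expect the newer reply format ("OK status=302 url=..."), so the prefix has to be adapted there; the logic of the decision is the same.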
Question information
- Language: Italian
- Status: Answered
- For: SquidTL
- Assignee: No assignee

#1
Hi Paolo,
the URL rewriter should block the connection, regardless of Squid's ACLs, if it detects that it is not authorized. Can you attach a few lines of the SquidTL log from the parts relating to the BLOCK?
Thanks, Michele
#2
Yes, of course... I set up a simple ACL, and I also tried a regexp to block a simple site, for example facebook.com.
asterisk:/var/log# tail -f squid/squidtl.
[2197] 2011-01-17 10:10:13 DEBUG - IN: http://
[2197] 2011-01-17 10:10:13 DEBUG - SquidInfo - P:http D:www.facebook.com U: O:http://
[2197] 2011-01-17 10:10:13 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:10:13 DEBUG - MySQL: INSERT INTO DB_Access (Src,Domain,
[2197] 2011-01-17 10:10:13 NOTICE - ALLOWED: www.facebook.com (DEFAULT)
In fact the default policy (ALLOWED) is applied to the site, and not the rule that is correctly enabled.
Extended log
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: SELECT ipRange,ID FROM DB_Context;
[2197] 2011-01-17 10:13:51 DEBUG - doRegExp: 192.168.200.152/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:51 DEBUG - doRegExp: 192.168.200.9/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:51 DEBUG - doRegExp: 192.168.200.0/24 192.168.200.152 = 0
[2197] 2011-01-17 10:13:51 NOTICE - getUserContext(
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: SELECT IdentifiedBy,
[2197] 2011-01-17 10:13:51 DEBUG - doRegExp: paolo paolo = 1
[2197] 2011-01-17 10:13:51 NOTICE - getRealIdent(
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: INSERT INTO DB_Access (Src,Domain,
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: SELECT GroupID FROM UserGroup WHERE UserID='paolo';
[2197] 2011-01-17 10:13:51 DEBUG - MySQL: SELECT t1.ID,t1.
[2197] 2011-01-17 10:13:51 NOTICE - ALLOWED: www.facebook.com (DEFAULT)
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ipRange,ID FROM DB_Context;
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.152/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.9/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.0/24 192.168.200.152 = 0
[2197] 2011-01-17 10:13:52 NOTICE - getUserContext(
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT IdentifiedBy,
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: paolo paolo = 1
[2197] 2011-01-17 10:13:52 NOTICE - getRealIdent(
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: INSERT INTO DB_Access (Src,Domain,
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT GroupID FROM UserGroup WHERE UserID='paolo';
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT t1.ID,t1.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2199] 2011-01-17 10:13:52 DEBUG - IN: http://
[2199] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2199] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2198] 2011-01-17 10:13:52 DEBUG - IN: http://
[2198] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2198] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2200] 2011-01-17 10:13:52 DEBUG - IN: http://
[2200] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ipRange,ID FROM DB_Context;
[2200] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.152/32 192.168.200.152 = 0
[2200] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.9/32 192.168.200.152 = 0
[2200] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.0/24 192.168.200.152 = 0
[2200] 2011-01-17 10:13:52 NOTICE - getUserContext(
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT IdentifiedBy,
[2200] 2011-01-17 10:13:52 DEBUG - doRegExp: paolo paolo = 1
[2200] 2011-01-17 10:13:52 NOTICE - getRealIdent(
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: INSERT INTO DB_Access (Src,Domain,
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT GroupID FROM UserGroup WHERE UserID='paolo';
[2200] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT t1.ID,t1.
[2200] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (DEFAULT)
[2199] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2199] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2198] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2198] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
[2198] 2011-01-17 10:13:52 DEBUG - IN: http://
[2198] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2198] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
[2198] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2198] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:b.static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: b.static.
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
[2197] 2011-01-17 10:13:52 DEBUG - IN: http://
[2197] 2011-01-17 10:13:52 DEBUG - SquidInfo - P:http D:static.
[2197] 2011-01-17 10:13:52 DEBUG - MySQL: SELECT ID FROM DB_Access WHERE (Src="192.
[2197] 2011-01-17 10:13:52 DEBUG - ALLOWED: static.ak.fbcdn.net related request of ID 1066
[2197] 2011-01-17 10:13:52 NOTICE - ALLOWED: static.ak.fbcdn.net (EXPLICIT)
#3
First of all, I suggest using the domain "*.facebook.com" for the rule, so as to cover everything. Then there seems to be a problem in the definition of the contexts:
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.152/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.9/32 192.168.200.152 = 0
[2197] 2011-01-17 10:13:52 DEBUG - doRegExp: 192.168.200.0/24 192.168.200.152 = 0
I suggest entering the IPs without the "/netmask": try setting just 192.168.200.152
Let me know, Michele
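Added example, not SquidTL's code and not part of this thread. The three "doRegExp" lines quoted above show the context's ipRange being tested as a regular expression against the client address: "192.168.200.0/24" as a regex requires the literal text "0/24", which never occurs in "192.168.200.152", so every context returns 0 and the user falls back to the DEFAULT policy. Dropping the mask makes the bare address match, but a regex match is also over-broad, since "." matches any character and a search matches substrings ("192.168.200.15" matches "192.168.200.152"). The block below contrasts that regex test with a CIDR-aware one, and shows a wildcard-domain check in which "*.facebook.com" does not cover the apex "facebook.com". The context table, the regex semantics mirrored from the log line, and the shell-style wildcard semantics are assumptions made for this example.

```python
"""Context and domain matching for a Squid redirector (added example).

Contrasts the regex-based IP test the log suggests with a CIDR-aware one,
and shows what a wildcard domain rule does and does not cover.
"""
import re
import ipaddress
from fnmatch import fnmatchcase

# Constructed (ipRange, ID) contexts in the shape the log lines suggest.
CONTEXTS = [
    ("192.168.200.152/32", 1),
    ("192.168.200.9/32", 2),
    ("192.168.200.0/24", 3),
]


def regex_match(ip_range, client_ip):
    """The failing approach: the range string used as a regex (assumed to
    mirror doRegExp). Returns 1 on a match, 0 otherwise, like the log."""
    return 1 if re.search(ip_range, client_ip) else 0


def cidr_match(ip_range, client_ip):
    """CIDR-aware check; a bare address is treated as a single-host network."""
    net = ipaddress.ip_network(ip_range, strict=False)
    return ipaddress.ip_address(client_ip) in net


def matching_contexts(client_ip, contexts=CONTEXTS):
    """IDs of every context containing the client, most specific first."""
    hits = []
    for ip_range, ctx_id in contexts:
        if cidr_match(ip_range, client_ip):
            prefixlen = ipaddress.ip_network(ip_range, strict=False).prefixlen
            hits.append((prefixlen, ctx_id))
    return [ctx_id for _, ctx_id in sorted(hits, reverse=True)]


def domain_matches(pattern, host):
    """Shell-style wildcard match (assumed semantics for "*.facebook.com").

    Under these rules "*.facebook.com" matches "www.facebook.com" but not
    the apex "facebook.com"; a rule meant to cover the whole site needs both.
    """
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def host_in_rule(host, patterns):
    """True if any pattern of a rule covers the host."""
    return any(domain_matches(p, host) for p in patterns)
```

Run `matching_contexts("192.168.200.152")` to get `[1, 3]`: the host context and the /24 both contain the client, and the /32 is listed first so the more specific policy can win. A rule intended to block the whole site would carry both "facebook.com" and "*.facebook.com".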
#4
I tried... but even defining a single filter for a single user, the block is not applied; removing the mask changes nothing. To tell the truth, even identifying by IP rather than by user, the block is not applied... maybe something escapes me. Thanks anyway.
Regards,
Paolo