LINUX.ORG.RU
ФорумAdmin

Squid3+SquidGuard не даёт зайти на https

 , ,


0

1

Сломал всю голову! Прошу помощи. Ubuntu 15.04 Squid3, непрозрачный, авторизация через kerberos. Поставил SquidGuard. Проблема в том, что когда я включаю SquidGuard в конфиге Squid, пользователи перестают заходить на хттпс сайты. Комменчу строки с использованием SquidGuard, всё нормально. Access.log:

1437470381.748      0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.749      0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.808     42 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470381.819      0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.830     64 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470381.883     49 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470384.028      1 192.168.0.4 TCP_DENIED/407 3594 CONNECT store.office.com:443 - HIER_NONE/- text/html
1437470384.107     61 192.168.0.4 TCP_MISS/503 0 CONNECT store.office.com:443 Konus1 HIER_NONE/- -
1437470384.708      1 192.168.0.4 TCP_DENIED/407 3775 CONNECT jim28.mail.ru:443 - HIER_NONE/- text/html
1437470384.791     48 192.168.0.4 TCP_MISS/503 0 CONNECT jim28.mail.ru:443 sekr2 HIER_NONE/- -
1437470384.806      0 192.168.0.4 TCP_DENIED/407 3811 CONNECT stat.radar.imgsmail.ru:443 - HIER_NONE/- text/html
1437470384.869     42 192.168.0.4 TCP_MISS/503 0 CONNECT stat.radar.imgsmail.ru:443 sekr2 HIER_NONE/- -
1437470384.977      0 192.168.0.4 TCP_DENIED/407 3775 CONNECT jim28.mail.ru:443 - HIER_NONE/- text/html
1437470385.045     50 192.168.0.4 TCP_MISS/503 0 CONNECT jim28.mail.ru:443 sekr1 HIER_NONE/- -
1437470385.056      0 192.168.0.4 TCP_DENIED/407 3811 CONNECT stat.radar.imgsmail.ru:443 - HIER_NONE/- text/html
1437470385.129     52 192.168.0.4 TCP_MISS/503 0 CONNECT stat.radar.imgsmail.ru:443 sekr1 HIER_NONE/- -
В cache.log - логи удачных negotiate авторизаций
2015/07/21 12:21:43| negotiate_kerberos_auth: INFO: user Konus2 authenticated......

 # OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -i -r -s HTTP/ubuntusquid.net.loc@NET.LOC
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NET
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=net,dc=loc" -D squid@net.loc -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc2.net.loc
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
# ACCESS CONTROLS
# -----------------------------------------------------------------------------

acl localnet src 192.168.0.0/24 #  internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

### enforce authentication
http_access deny !auth
http_access allow auth

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

http_access allow localnet
http_access allow localhost
http_access deny all

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

http_port 3128

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#
hierarchy_stoplist cgi-bin ?
forward_max_tries 25
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
#
access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 30

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------

cache_log /var/log/squid3/cache.log

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
#
dns_v4_first on
cache_mgr heremustbeadmin@email.ru
httpd_suppress_version_string on
visible_hostname UBUNTUSQUID

# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320

#url_rewrite_bypass on
#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#url_rewrite_children 5
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time workhours {
        weekly mtwhf 08:00 - 19:30
}

#
# SOURCE ADDRESSES:
#

src admin {
        ip              192.168.0.81/24
        user            admin
}

src users {
        ip              192.168.0.4 - 192.168.0.250
}
dest socialnet {
        domainlist      BL/socialnet/domains
        urllist         BL/socialnet/urls
}

#
# ACL RULES:
#

acl {
        admin {
                pass     any
        }

        users {
                pass      !socialnet any
        }
        default {
                pass      none
                redirect http://192.168.0.1/deny.html
        }
}

А что с версией сквида и гуарда? Сталкивался с подобным на режике, одна из версий наглухо блочила весь https, решилось откатом на старую версию.

splinoz ()
Ответ на: комментарий от splinoz

В целом, не очень понятно, как может быть связан гуард с блокировкой https сайтов....

squid@ubuntusquid:~$ squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
squid@ubuntusquid:~$ squidGuard -v
SquidGuard: 1.5 Berkeley DB 5.3.28: (September  9, 2013)

cetriolino ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.