Squid 3.3.8 не пускает в интернет TCP_DENIED/407


Squid 3.3.8 не пускает в интернет TCP_DENIED/407

Сообщение Sergey Kha » 10 янв 2017 10:42

Доброго времени суток,

Не пускает пользователя в интернет; настроено как в мануале

Конфиг сквида


#	WELCOME TO SQUID 3.3.8
#	----------------------------
#	

# Negotiate Kerberos and NTLM authentication
# The wrapper hands each Negotiate token to either ntlm_auth or negotiate_kerberos_auth.
# -s names the proxy's service principal; it presumably has to match the host name
# clients use to reach this proxy (ubu.office.local) — confirm against the keytab.
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/ubu.office.local@OFFICE.LOCAL
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off

# Only NTLM authentication
# Fallback for clients that offer NTLM but not Negotiate.
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off

# Basic authentication via ldap for clients not authenticated via kerberos/ntlm
# The bind password is read from the -W file: that file should be readable only by the
# account squid runs as. Basic auth carries the user's password in cleartext from the
# client to the proxy, and nothing on this line requests TLS towards bdc.office.local —
# NOTE(review): confirm the LDAP bind and user lookups are on an encrypted channel.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f sAMAccountName=%s -h bdc.office.local
auth_param basic children 20
auth_param basic realm "SQUID Proxy Server Basic authentication!"
# Accepted basic credentials are re-validated against LDAP only every 2 hours.
auth_param basic credentialsttl 2 hours

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#
# LDAP authorization
# Group lookup helper: %LOGIN supplies the authenticated user name as %v, the group
# name from the acl line as %g. The memberOf matching rule 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) makes nested group membership count. Results are
# cached per user/group for ttl=3600 s, so a group change can take up to an hour to
# take effect. Two LDAP hosts are listed (bdc, vip); presumably the second is a fallback.
# Groups are resolved only under OU=Test — a group elsewhere in the domain will not match.
external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=Test,DC=office,DC=local))" -h bdc.office.local vip.office.local
#

# TAG: auth_param

# Matches only requests that carry valid proxy credentials; used below to force a 407 challenge.
acl auth proxy_auth REQUIRED
# One access level per group list file; each file holds the %g group name(s) for the helper above.
acl BlockedAccess	external memberof "/etc/squid3/conf_param_groups_blocked.txt"
acl RestrictedAccess	external memberof "/etc/squid3/conf_param_groups_restricted.txt"
acl StandardAccess	external memberof "/etc/squid3/conf_param_groups_standard.txt"
acl FullAccess		external memberof "/etc/squid3/conf_param_groups_full_auth.txt"
acl AnonymousAccess	external memberof "/etc/squid3/conf_param_groups_full_anon.txt"


# Destination domain lists consulted by the http_access rules below.
acl allowedsites        dstdomain "/etc/squid3/conf_param_sites_allowed.txt"
acl blockedsites        dstdomain "/etc/squid3/conf_param_sites_blocked.txt"
acl prioritysites       dstdomain "/etc/squid3/conf_param_sites_priority.txt"
#
#acl LocalWUServers    src       "/etc/squid3/conf_param_computers_wsus.txt"
#acl GlobalWUSites     dstdomain "/etc/squid3/conf_param_sites_wsus.txt"

# none

# The only client network the allow rules below accept; everything else ends at "deny all".
acl localnet src 192.168.2.0/24	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#---------------------------------------------------------------------------------
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Allow cachemgr access from localhost and localnet
# These rules sit before "deny !auth", so any host on 192.168.2.0/24 reaches the
# cache manager without proxy authentication; cachemgr_passwd (bottom of file) is
# the only gate. Restrict to localhost unless remote management is really needed.
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager

# Allow direct access to Windows Update
#http_access allow GlobalWUSites LocalWUServers

# Allow unrestricted access to prioritysites
# Also before "deny !auth": these requests are served without credentials, so the
# access log shows no user name (%un) for them.
http_access allow prioritysites localnet

# Enforce authentication, order of rules is important for authorization levels
# A request without credentials is denied here with a 407 challenge — that is the
# TCP_DENIED/407 line seen in access.log. One 407 per new connection is normal;
# a continuous stream of 407s for the same client means the Negotiate/NTLM
# handshake never completes (helper failure, wrong SPN, or something blocking
# the client<->proxy traffic), so look at cache.log and the helper diagnostics.
http_access deny !auth

# Prevent access to basic auth prompt for BlockedAccess users
# The trailing "all" always matches, so it changes nothing here.
http_access deny BlockedAccess all
# Every authenticated, non-blocked user may reach the allowedsites list.
http_access allow allowedsites localnet
http_access deny RestrictedAccess all
# "auth" is redundant on the next three rules: "deny !auth" above already dropped
# unauthenticated requests. Anonymous and Full users are allowed everything,
# including blockedsites, because their allow rules come before the blockedsites deny.
http_access allow AnonymousAccess auth localnet
http_access allow FullAccess auth localnet
# Only affects users not matched above, i.e. effectively StandardAccess.
http_access deny blockedsites
http_access allow StandardAccess auth localnet

# And finally deny all other access to this proxy
http_access deny all
#

#----------------------------------------------------------------------------------

# Squid normally listens to port 3128
# No address is given, so the proxy listens on every interface of the host.
http_port 3128

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
#
cache_mem 2048 MB
maximum_object_size_in_memory 2048 KB
memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
# ---------------------------------------------------------------------------
#
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 7000 16 256
maximum_object_size 32768 KB
#
# -----------------------------------------------------------------------------
# Custom log line: local timestamp, client FQDN (%>A) and IP (%>a), URL, user name
# (%un), hierarchy code/peer, MIME type. NOTE(review): %>A presumably requires a
# reverse DNS lookup per request — confirm this does not slow logging; and this
# reuses the built-in format name "squid" — confirm in cache.log that the
# redefinition is accepted rather than ignored.
logformat squid %{%Y.%m.%d/%H:%M:%S}tl %>A %>a %ru %un %Sh/%<A %mt

#
# don't log AnonymousAccess
# The ACL on access_log is evaluated at log time as a non-blocking check; an
# external_acl result that is not already cached may not resolve there, which is
# consistent with the author's report (below) that nothing is logged with this
# line in place — confirm. Note that this also removes the audit trail for that
# whole group of users.
access_log daemon:/var/log/squid3/access.log squid !AnonymousAccess
#access_log /var/log/squid3/access.log squid

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
#
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
#
cache_mgr admin@polispektr.uz
# Hides the Squid version from error pages and response headers.
httpd_suppress_version_string on
visible_hostname UBU

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
#
error_directory /usr/share/squid3/errors/ru
error_default_language ru

# DNS OPTIONS
# -----------------------------------------------------------------------------
#
dns_v4_first on

# MISCELLANEOUS
# -----------------------------------------------------------------------------
#
# Strips X-Forwarded-For entirely, so client addresses are not leaked upstream.
forwarded_for delete
# One shared password grants every cache manager action ("all"); it is stored in
# cleartext here, so squid.conf must not be readable by unprivileged users, and
# the manager allow rules above decide who can even try it.
cachemgr_passwd StrOnG_PaZsZw0rD all
#
#
Машина ubu в домене; sudo wbinfo -t проходит, wbinfo -u и wbinfo -g выдают пользователей и группы домена
sudo squid3 -k reconfigure отрабатывает нормально, ошибок конфига не найдено


в access.log сыпет
1484044361.775 0 192.168.2.106 TCP_DENIED/407 4176 GET http://ya.ru/ - HIER_NONE/- text/html

в какую сторону копать?
Последний раз редактировалось Sergey Kha 10 янв 2017 11:01, всего редактировалось 1 раз.


Re: Squid не пускает в интернет

Сообщение Sergey Kha » 10 янв 2017 10:51

если прописано

access_log daemon:/var/log/squid3/access.log squid !AnonymousAccess

то в access.log ничего не записывается

использую
/usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=office,dc=local" -D proxik@office.local -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=proxik)(memberOf:1.2.840.113556.1.4.1941:=cn=Internet-All-Users,OU=test,DC=office,DC=local))" -h bdc.office.local vip.office.local

получаю при вводе логина

proxik
ERR


Re: Squid не пускает в интернет

Сообщение Sergey Kha » 10 янв 2017 14:05

Разобрался: мешал Kaspersky Endpoint Security на хост-машине — он не пропускал входящие запросы на виртуалку с тестовой ОС.

