Restricting URLs with SQUID

Marsh posted on 27-05-2005 at 11:27:38

Is there anyone who would be able to help me? I found this, but I can't really make sense of it...

My aim is to set up a proxy with Squid in order to restrict the URLs that can be browsed on the internet.

Here is what I found:
 
# WELCOME TO SQUID 2
# ------------------
 
#  TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache.  In other words, use this
# to not query neighbor caches for certain objects.  You may
# list this option multiple times.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
 
#  TAG: no_cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
 
 
 
#  TAG: auth_param
# This is used to pass parameters to the various authentication
# schemes.
# format: auth_param scheme parameter [setting]
#  
# auth_param basic program /usr/local/bin/ncsa_auth /usr/local/etc/passwd  
# would tell the basic authentication scheme it's program parameter.
#
# The order that authentication prompts are presented to the client_agent
# is dependent on the order the scheme first appears in config file.
# IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure schemes
# are presented. For now use the order in the file below. If other browsers
# have difficulties (don't recognise the schemes offered even if you are using
# basic) then either put basic first, or disable the other schemes (by commenting
# out their program entry).
#
# Once an authentication scheme is fully configured, it can only be shutdown
# by shutting squid down and restarting. Changes can be made on the fly and
# activated with a reconfigure. I.E. You can change to a different helper,
# but not unconfigure the helper completely.
#
# === Parameters for the basic scheme follow. ===
#  
# "program" cmdline
# Specify the command for the external authenticator.  Such a
# program reads a line containing "username password" and replies
# "OK" or "ERR" in an endless loop.  If you use an authenticator,
# make sure you have 1 acl of type proxy_auth.  By default, the
# basic authentication scheme is not used unless a program is specified.
#
# If you want to use the traditional proxy authentication,
# jump over to the ../auth_modules/NCSA directory and
# type:
#  % make
#  % make install
#
# Then, set this line to something like
#
# auth_param basic program /usr/local/bin/ncsa_auth /usr/local/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of usercode/password verifications, slowing
# it down. When password verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param basic children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the basic proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how
# often the helper program is called for that user. Set this
# low to force revalidation with short lived passwords.  Note
# that setting this high does not impact your susceptibility
# to replay attacks unless you are using an one-time password
# system (such as SecureID).  If you are using such a system,
# you will be vulnerable to replay attacks unless you also
# use the max_user_ip ACL in an http_access rule.
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator.  Such
# a program reads a line containing "username":"realm" and
# replies with the appropriate H(A1) value base64 encoded.
# See rfc 2616 for the definition of H(A1).  If you use an
# authenticator, make sure you have 1 acl of type proxy_auth.
# By default, authentication is not used.
#
# If you want to build an authenticator,
# jump over to the ../digest_auth_modules directory and choose the
# authenticator to use. In its directory type
#         % make
#         % make install
#
# Then, set this line to something like
#
# auth_param digest program /usr/local/bin/digest_auth_pw /usr/local/etc/digpass
#
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the digest proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval that nonces that have been issued
# to client_agent's are checked for validity.
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be
# valid for.
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be
# used.
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behaviour
# for nonce counts, or just incrementing (off - for use when
# useragents generate nonce counts that occasionally miss 1
# (ie, 1,2,4,6)). Default off.
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in
# certain mainstream browser versions. Default on to check the
# nonce count to protect from authentication replay attacks.
#
# "post_workaround" on|off
# This is a workaround to certain buggy browsers who sends
# an incorrect request digest in POST requests when reusing
# the same nonce as acquired earlier on a GET request.
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external ntlm authenticator.
# Such a program reads a line containing the uuencoded NEGOTIATE
# and replies with the ntlm CHALLENGE, then waits for the
# response and answers with "OK" or "ERR" in an endless loop.
# If you use an ntlm authenticator, make sure you have 1 acl
# of type proxy_auth.  By default, the ntlm authenticator_program
# is not used.
#
# auth_param ntlm program /usr/local/bin/ntlm_auth
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param ntlm children 5
#
# "max_challenge_reuses" number
# The maximum number of times a challenge given by a ntlm
# authentication helper can be reused. Increasing this number
# increases your exposure to replay attacks on your network.
# 0 means use the challenge only once.  (disable challenge
# caching) See max_ntlm_challenge_lifetime for more information.
# auth_param ntlm max_challenge_reuses 0
#
# "max_challenge_lifetime" timespan
# The maximum time period that a ntlm challenge is reused
# over.  The actual period will be the minimum of this time
# AND the number of reused challenges.
# auth_param ntlm max_challenge_lifetime 2 minutes
#
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic program <uncomment and complete this line>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
 
 
 
#  TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE.  To make
# them case-insensitive, use the -i option.
#
# 'Min' is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0, any higher values may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# 'Percent' is a percentage of the objects age (time since last
# modification age) an object without explicit expiry time
# will be considered fresh.
#
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
#   override-lastmod
#   reload-into-ims
#   ignore-reload
#
#  override-expire enforces min age even if the server
#  sent a Expires: header. Doing this VIOLATES the HTTP
#  standard.  Enabling this feature could make you liable
#  for problems which it causes.
#
#  override-lastmod enforces min age even on objects
#  that was modified recently.
#
#  reload-into-ims changes client no-cache or ``reload''
#  to If-Modified-Since requests. Doing this VIOLATES the
#  HTTP standard. Enabling this feature could make you
#  liable for problems which it causes.
#
#  ignore-reload ignores a client no-cache or ``reload''
#  header. Doing this VIOLATES the HTTP standard. Enabling
#  this feature could make you liable for problems which
#  it causes.
#  
# Basically a cached object is:
#
#  FRESH if expires < now, else STALE
#  STALE if age > max
#  FRESH if lm-factor < percent, else STALE
#  FRESH if age < min
#  else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used.  If none of the entries
# match, then the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#Suggested default:
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320
 
#  TAG: quick_abort_min (KB)
#  TAG: quick_abort_max (KB)
#  TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
# which are almost completed (less than 16 KB remaining). This
# may be undesirable on slow (e.g. SLIP) links and/or very busy
# caches.  Impatient users may tie up file descriptors and
# bandwidth by repeatedly requesting and immediately aborting
# downloads.
#
# When the user aborts a request, Squid will check the
# quick_abort values to the amount of data transfered until
# then.
#
# If the transfer has less than 'quick_abort_min' KB remaining,
# it will finish the retrieval.
#
# If the transfer has more than 'quick_abort_max' KB remaining,
# it will abort the retrieval.
#
# If more than 'quick_abort_pct' of the transfer has completed,
# it will finish the retrieval.
#
# If you do not want any retrieval to continue after the client
# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
# to '0 KB'.
#
# If you want retrievals to always continue if they are being
# cached then set 'quick_abort_min' to '-1 KB'.
#
#Default:
# quick_abort_min 16 KB
quick_abort_max 1000 KB
quick_abort_pct 1
 
 
 
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
 
##WOOT##
acl if   src   194.235.52.0/255.255.255.0
acl micrUsers  src   192.168.1.0/255.255.255.0
acl iMacAdd  src    192.168.2.0/255.255.255.0
acl iMacSites  dstdomain "/usr/local/etc/squid/allowed.domains"
acl iMacURL  url_regex "/usr/local/etc/squid/allowed.url"
acl iMacRSites  dstdomain  "/usr/local/etc/squid/restricted.domains"
acl FTP   method  FTP
acl ftpURL  url_regex -i ^ftp*
 
#  TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list.  If the last line was
# deny, then the default is allow.  Conversely, if the last line
# is allow, the default will be deny.  For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
 
##WOOT##
 
http_access allow if
http_access allow micrUsers
http_access allow iMacAdd iMacSites
http_access allow iMacAdd iMacURL
http_access deny iMacAdd iMacRSites
http_access deny FTP iMacAdd
http_access deny ftpURL
 
 
# And finally deny all other access to this proxy
http_access deny all
 
#  TAG: http_reply_access
#        Allow replies to client requests. This is complementary to http_access.
#
#        http_reply_access allow|deny [!] aclname ...
#
#        NOTE: if there are no access lines present, the default is to allow
# all replies
#
#        If none of the access lines cause a match, then the opposite of the
#        last line will apply. Thus it is good practice to end the rules
#        with an "allow all" or "deny all" entry.
#
#Default:
# http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all
 
#  TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access  allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
icp_access deny all
 
 
#  TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent.  For example:
#
#  acl localclients src 172.16.0.0/16
#  miss_access allow localclients
#  miss_access deny  !localclients
#
# This means that only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
miss_access allow all
 
 
 
 
#  TAG: cache_effective_user
#  TAG: cache_effective_group
#
# If you start Squid as root, it will change its effective/real
# UID/GID to the UID/GID specified below.  The default is to
# change to UID to nobody.  If you define cache_effective_user,
# but not cache_effective_group, Squid sets the GID the
# effective user's default group ID (taken from the password
# file).
#
# If Squid is not started as root, the cache_effective_user
# value is ignored and the GID value is unchanged by default.
# However, you can make Squid change its GID to another group
# that the process owner is a member of.  Note that if Squid
# is not started as root then you cannot set http_port to a
# value lower than 1024.
#
#Default:
cache_effective_user nobody
cache_effective_group nogroup
 
 
 
#  TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'. Note however that your
# proxy users may have trouble to reach the accelerated domains
# unless their browsers are configured not to use this proxy for
# those domains (for example via the no_proxy browser configuration
# setting)
#
#Default:
httpd_accel_with_proxy on
 
 
 
 
 
#
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/cache
 
 
 
 
visible_hostname www.asd.asd


Marsh posted on 27-05-2005 at 14:15:39

Reading the SQUID docs helps, you know?

2 solutions:

1. Make a url_regex ACL for each URL you want to block:
http://squid.visolve.com/squid/squ [...] ls.htm#acl

Quote:

acl AIMEPASMS url_regex ^http://*microsoft.com

then you say that you do not allow this ACL:

Quote:

http_access deny AIMEPASMS

2. Put all the URLs you do not like in a file, and make an ACL for that file:

Quote:

acl MABLACKLISTE url_regex "blacklist.txt"

then you deny this ACL:

Quote:

http_access deny MABLACKLISTE

Note: put the blacklist.txt file in /etc/squid/


Message edited by Dark_Schneider on 27-05-2005 at 14:17:49

---------------
Mandriva: because we are worth it! http://linux-wizard.net/index.php
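The first-match http_access logic that both of these solutions depend on, as an added example that is not code from the thread or from Squid itself: a small Python model of src, dstdomain and url_regex ACLs with constructed stand-ins for allowed.domains, restricted.domains and blacklist.txt, showing that the order of allow and deny lines decides what happens to a host that appears in both the allowed and the restricted list.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed contents standing in for the list files named in the thread.
ALLOWED_DOMAINS = ["intranet.local", ".example.com"]   # allowed.domains
RESTRICTED_DOMAINS = ["games.example.com"]             # restricted.domains
BLACKLIST_REGEX = [r"^http://.*microsoft\.com"]        # blacklist.txt

# ACL definitions: name -> (type, patterns), mirroring "acl NAME TYPE ..." lines.
ACLS = {
    "iMacAdd": ("src", ["192.168.2.0/24"]),
    "iMacSites": ("dstdomain", ALLOWED_DOMAINS),
    "iMacRSites": ("dstdomain", RESTRICTED_DOMAINS),
    "MABLACKLISTE": ("url_regex", BLACKLIST_REGEX),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, src_ip, url):
    kind, patterns = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(p) for p in patterns)
    host = urlparse(url).hostname or ""
    if kind == "dstdomain":
        # A leading dot matches the domain and its subdomains; otherwise only
        # the exact host name matches.
        return any(host == p or (p.startswith(".") and
                                 (host == p[1:] or host.endswith(p)))
                   for p in patterns)
    if kind == "url_regex":
        return any(re.search(p, url) for p in patterns)
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(rules, src_ip, url):
    """First matching line wins; every ACL on the line must match, '!' negates.
    If no line matches, the result is the opposite of the last line's action."""
    for action, acl_names in rules:
        if all(acl_matches(n.lstrip("!"), src_ip, url) != n.startswith("!")
               for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Ordering from the original poster's config: allow lines before the deny line.
ORIGINAL_ORDER = [
    ("deny", ["MABLACKLISTE"]),
    ("allow", ["iMacAdd", "iMacSites"]),
    ("deny", ["iMacAdd", "iMacRSites"]),
    ("deny", ["all"]),
]
# Same rules with the restricted-domain deny evaluated before the allow.
DENY_FIRST = [
    ("deny", ["MABLACKLISTE"]),
    ("deny", ["iMacAdd", "iMacRSites"]),
    ("allow", ["iMacAdd", "iMacSites"]),
    ("deny", ["all"]),
]
```

With ORIGINAL_ORDER a client in 192.168.2.0/24 reaches games.example.com because .example.com is matched by the allow line first; with DENY_FIRST the same request is refused.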

Marsh posted on 27-05-2005 at 14:20:26

Looking at your config file, you seem to put the files in /usr/local/etc/squid/

