repon
Цитата: а как у вас в кальмара трафик попадает? Если transparent, то Вы должны его туда redirect'ить. Или в браузерах жёстко прописан адрес прокси, тогда зачем transparent? Если всё же трафик туда заворачивается с обычных портов firewall'ом, то с SSL вообще такое не прокатит. Правила у Вас, конечно, ужасно написаны. Вместо того что бы в каждом правиле указывать, что пользователь должен быть авторизован, проще в начале запретить не авторизованных одни раз и всё — http_access deny !password |
под редиректором я подразумевал - режика 1)в браузерах прописаны прокси, удалил transparent. 2) Добавлено: если добавлю правило http_access deny !password то эти удалять Код:
# Earlier rule set: every allow line repeats the `password` ACL
# (proxy_auth REQUIRED). Squid ANDs the ACLs on one http_access line and
# stops at the first line that matches, so rule order is significant here.
http_access deny to_localhost
http_access allow password CONNECT SquidProxyUsers SSL_ports
http_access allow password CONNECT SquidProxyICQUsers icq_servers SSL_ports
http_access allow password CONNECT DomainUsers tlt_ip SSL_ports
http_access allow password CONNECT DomainUsers local_ip SSL_ports
http_access deny all CONNECT
# everything is denied except these ports
http_access deny !Safe_ports
http_access allow password DomainUsers tlt_ip
http_access allow password DomainUsers local_ip
http_access allow password SquidProxyUsers
http_access deny all
| или из них удалить "password " ? Добавлено: Код:
# squid 2.7
# Full configuration of an authenticating forward proxy on Windows
# (c:/squid paths, mswin_* helpers): NTLM and Basic authentication,
# group membership checked through an external ACL helper, and CONNECT
# restricted to the ports listed in SSL_ports.
http_port 192.168.2.5:8888
icp_port 0
htcp_port 0
dns_nameservers 217.23.80.2 217.23.80.4
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: no_cache
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
# NOTE(review): urlpath_regex is matched against the URL path, not the host
# name. If the intent is the host login.icq.com, a dstdomain or url_regex ACL
# would be needed - confirm.
acl icq urlpath_regex login.icq.com
no_cache deny QUERY
no_cache deny icq
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 128 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
cache_replacement_policy lru
memory_replacement_policy lru
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
cache_dir ufs c:/squid/var/cache 4096 16 256
access_log c:/squid/var/logs/access.log
# NOTE(review): cache.log is where Squid reports startup and helper errors.
# With it set to none, authentication-helper failures are harder to
# investigate - confirm this is intended.
cache_log none
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
mime_table c:/squid/etc/mime.conf
log_mime_hdrs off
pid_filename c:/squid/var/logs/squid.pid
debug_options ALL,1
log_fqdn off
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
unlinkd_program c:/squid/libexec/unlinkd.exe
authenticate_cache_garbage_interval 30 minutes
authenticate_ttl 30 minutes
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.7-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
# NOTE(review): Basic is offered alongside NTLM. Basic credentials travel
# base64-encoded (not encrypted) between browser and proxy, and this helper
# presumably checks them against the Windows domain (-O kimsar - confirm).
# Any client that falls back to Basic therefore sends its domain password
# over the LAN in recoverable form.
auth_param basic program c:/squid/libexec/mswin_auth.exe -O kimsar
auth_param basic children 5
auth_param basic realm Autosphere Squid proxy-server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
# External ACL helper; %LOGIN passes the authenticated user name to it, so
# every ACL built on NT_global_group requires a logged-in user.
external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
request_header_max_size 20 KB
request_body_max_size 0 KB
# TAG: refresh_pattern
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 1 minute
positive_dns_ttl 6 hours
negative_dns_ttl 5 minutes
range_offset_limit 0 KB
# TIMEOUTS
# -----------------------------------------------------------------------------
connect_timeout 2 minutes
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 8 hours
half_closed_clients off
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# NOTE(review): CONNECT tunnels are opaque to the proxy. 5190 and 15100 are
# allowed here in addition to 443/563, and each extra port widens what
# authenticated users can tunnel to - keep the list as short as possible.
acl SSL_ports port 443 563 5190 15100
# NOTE(review): Safe_ports gates plain (non-CONNECT) requests. The list below
# includes mail ports 25 and 110, and letting the proxy issue requests to SMTP
# servers is a known route for mail-relay abuse - confirm they are needed.
# 3389 and 8332 are also covered by the 1025-65535 range further down.
acl Safe_ports port 8332 # bitcoin
acl Safe_ports port 80 # http
acl Safe_ports port 110 21 25 3389 # smtp, remote desktop
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): icq_proto is defined but not referenced by any http_access
# line in this configuration.
acl icq_proto proto HTTPS
acl DomainUsers external NT_global_group "c:/squid/etc/Domain_Users.list" # list of "Domain Users" groups
# NOTE(review): SquidProxyUsers and SquidProxyICQUsers both test membership
# of the same group, squid_proxy. The "ICQ only" ACL therefore matches exactly
# the same users as the full-access one, and the ICQ CONNECT rule below is
# already covered by the SquidProxyUsers CONNECT rule before it. A separate
# group would be needed for a real ICQ-only restriction.
acl SquidProxyUsers external NT_global_group squid_proxy # squid_proxy domain group with access
acl SquidProxyICQUsers external NT_global_group squid_proxy # domain group with access to ICQ only
acl tlt_ip dst "c:/squid/etc/tlt_ip.list"
acl local_ip dst "c:/squid/etc/local_ip.list"
acl icq_servers dst "c:/squid/etc/icq_servers.list"
acl password proxy_auth REQUIRED
# TAG: http_access
# Allowing or Denying access based on defined access lists
# Rules are evaluated top to bottom and the first matching line decides.
# A request without valid credentials is answered with 407 at the first line,
# so every later rule is reached only by authenticated users and no longer
# needs the `password` ACL repeated. A client that never answers the 407
# challenge does not get past this line.
http_access deny !password
http_access deny to_localhost
# CONNECT is allowed only to SSL_ports, per group/destination; any other
# CONNECT is refused by `deny all CONNECT`.
http_access allow CONNECT SquidProxyUsers SSL_ports
http_access allow CONNECT SquidProxyICQUsers icq_servers SSL_ports
http_access allow CONNECT DomainUsers tlt_ip SSL_ports
http_access allow CONNECT DomainUsers local_ip SSL_ports
http_access deny all CONNECT
http_access deny !Safe_ports
http_access allow DomainUsers tlt_ip
http_access allow DomainUsers local_ip
http_access allow SquidProxyUsers
# Default deny: anything not explicitly allowed above is refused.
http_access deny all
# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
http_reply_access allow all
icp_access deny all
miss_access allow all
# ADMINISTRATIVE PARAMETERS
# ----------------------------------------------------------------------------
cache_mgr repon06@ya.ru
cache_effective_user nobody
cache_effective_group none
visible_hostname Autosphere Proxy Server
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
announce_period 0
# MISCELLANEOUS
# -----------------------------------------------------------------------------
memory_pools off
# NOTE(review): with forwarded_for on, Squid adds the client's address in an
# X-Forwarded-For header on outgoing requests, which discloses internal
# client addresses to origin servers. Set it to off if that is not wanted.
forwarded_for on
log_icp_queries off
# NOTE(review): the cache manager password is stored in clear text and is
# published with this listing. If it is the live value, treat it as disclosed
# and change it, and keep squid.conf readable only by the service account.
cachemgr_passwd lesssssssecret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
store_avg_object_size 9 KB
client_db on
reload_into_ims off
icon_directory c:/squid/share/icons
short_icon_urls off
error_directory c:/squid/share/errors/Russian-1251
maximum_single_addr_tries 1
snmp_port 0
offline_mode off
uri_whitespace strip
strip_query_terms on
coredump_dir c:/squid/var/cache
redirector_bypass off
ignore_unknown_nameservers on
client_persistent_connections on
server_persistent_connections on
balance_on_multiple_ip on
request_entities off
high_response_time_warning 0
high_page_fault_warning 0
high_memory_warning 0
| переписал....
проблема с xiva-daria.mail.yandex.net:443 осталась ((( Код: 1348044937.126 156 192.168.2.21 TCP_MISS/200 569 POST http://www.google-analytics.com/p/__utm.gif kimsar\bdm DIRECT/74.125.143.102 image/gif 1348044942.314 0 192.168.2.21 TCP_DENIED/407 1770 CONNECT xiva-daria.mail.yandex.net:443 - NONE/- text/html 1348044942.360 31 192.168.2.21 TCP_DENIED/407 1933 CONNECT xiva-daria.mail.yandex.net:443 - NONE/- text/html 1348044942.407 31 192.168.2.21 TCP_DENIED/407 1770 CONNECT xiva-daria.mail.yandex.net:443 - NONE/- text/html 1348044946.439 117880 192.168.2.21 TCP_MISS/200 68552 CONNECT webattach.mail.yandex.net:443 kimsar\bdm DIRECT/213.180.193.64 - |
|