On 30/05/12, Daniel <danielog2...@gmail.com> wrote:
> So the order of the lines does matter? Is it like iptables? Thank you very much,
> Regards
Hi, for Squid the file itself tells you where to put the rules. For example, I always put my ACLs at the end of all the ACLs (that are already there) and the http_access lines where it says INSERT YOUR RULES HERE; I put them right below that and I never had problems :), I hope I never do...
>
> Daniel Ortiz Gutierrez
>
> On 30/05/2012, at 14:49, Ernesto Pérez Estévez <cen...@ecualinux.com>
> wrote:
>
>> On 05/30/2012 02:15 PM, Daniel wrote:
>>> Like this? I already corrected it but it still lets everything through.
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>> http_access deny google
>>>>> http_access deny youtube
>>>>> http_access deny youtube_2
>>>>> visible_hostname proxy.lsvp
>>
>> ok, if that is the order, then it is not right, because you are putting the
>> allow localnet ahead of the denies, and they will always go through the allow
>> then
>> regards
>> epe
>>
>>>
>>> Daniel Ortiz Gutierrez
>>>
>>> On 30/05/2012, at 13:03, Ernesto Pérez Estévez<cen...@ecualinux.com>
>>> wrote:
>>>
>>>> On 05/30/2012 12:55 PM, Daniel wrote:
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>> http_access deny google
>>>>> http_access deny youtube
>>>>> http_access deny youtube_2
>>>>> visible_hostname proxy.lsvp
>>>>>
>>>>> Sorry, I did not post the complete configuration file.
>>>> now I have doubts about the position of the http_access (because you use http_port
>>>> here, a parameter I do not understand)
>>>>
>>>>>
>>>>> Daniel Ortiz Gutierrez
>>>>>
>>>>> On 30/05/2012, at 12:33, Ernesto Pérez Estévez<cen...@ecualinux.com>
>>>>> wrote:
>>>>>
>>>>>> On 05/30/2012 12:09 PM, Daniel wrote:
>>>>>>> Greetings
>>>>>>>
>>>>>>> I installed Squid 3.1 on a minimal CentOS 6.2, with a "yum install
>>>>>>> squid";
>>>>>>> this is the configuration file:
>>>>>>>
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>>
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>>
>>>>>> maybe I read too quickly, but I see the ACL defined but not the http_access
>>>>>> to deny or allow whatever matches that acl
>>>>>>
>>>>>>>
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>>>>
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>>
>>>>>>> the problem is that it does not honor any ACL, it lets everything through. I have
>>>>>>> tried with other addresses to see if it is an https problem,
>>>>>>> but even when I put
>>>>>>>
>>>>>>> acl all src all
>>>>>>> http_access all deny
>>>>>>>
>>>>>>> it still lets me browse without problems. My iptables rules are:
>>>>>>>
>>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>>>>>>>
>>>>>>> port 443 is open because I am not dealing with https
>>>>>>> for the moment.
>>>>>>>
>>>>>>> Regards, and I hope someone can help me.
>>>>>>> _______________________________________________
>>>>>>> CentOS-es mailing list
>>>>>>> CentOS-es@centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos-es
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message has been scanned for viruses and
>>>>>> dangerous content by MailScanner, and is
>>>>>> believed to be clean.
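
Added example, not part of any message in this thread: a small model of how Squid walks `http_access` lines (first matching rule decides; if none matches, the result is the opposite of the last rule), run over the rule order posted above and over a reordered version. The functions `parse_rules` and `decide`, the sample client addresses, the trailing `deny all`, and matching `youtube` against the destination host are assumptions of this example; the `manager` rules are left out for brevity.

```python
import ipaddress

LOCALNET = ipaddress.ip_network("10.1.0.0/17")

# Constructed stand-ins for the thread's ACLs. Assumption: "youtube" is matched
# against the destination host (Squid's dstdomain type); src/srcdomain, as in
# the posted config, test the client side of the connection instead.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r["client"]).is_loopback,
    "localnet": lambda r: ipaddress.ip_address(r["client"]) in LOCALNET,
    "youtube": lambda r: ("." + r["host"]).endswith(".youtube.com"),
}

def parse_rules(conf):
    """Return [(action, [acl, ...])] for each http_access line, in file order."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def decide(conf, req):
    """First rule whose ACLs all match wins; otherwise invert the last action."""
    rules = parse_rules(conf)
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action, " ".join(names)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"

# Order as posted in the thread: the allow lines come before the deny.
POSTED = """
http_access allow localnet
http_access allow localhost
http_access deny youtube
"""
# Reordered: specific deny first, explicit catch-all deny last.
REORDERED = """
http_access deny youtube
http_access allow localnet
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("reordered", REORDERED)):
        for client, host in (("10.1.50.10", "www.youtube.com"), ("192.0.2.7", "example.org")):
            print(label, client, host, decide(conf, {"client": client, "host": host}))
```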