Hi everyone, I'm running tests with HTTPS blocking in Squid. I confess I'm finding the documentation very confusing, and there is also a lot of controversy. My biggest problem today is Facebook. I have HTTP blocking rules (LDAP groups) and would like to be able to filter HTTPS as well.
Does anyone use Squid with HTTPS blocking? Could you give me some instructions? I have already compiled Squid with --enable-ssl and added this content to squid.conf:

https_port 3126 protocol=http cert=/etc/squid/ssl2/server_cert.pem key=/etc/squid/ssl2/server_key.pem
.
.
acl SSL method CONNECT
never_direct allow SSL
.

Squid startup log, and an attempt to access an HTTPS site:

2012/05/31 10:54:04| Starting Squid Cache version 2.7.STABLE9 for i386-debian-linux-gnu...
2012/05/31 10:54:04| Process ID 3337
2012/05/31 10:54:04| With 32768 file descriptors available
2012/05/31 10:54:04| Using epoll for the IO loop
2012/05/31 10:54:04| Performing DNS Tests...
2012/05/31 10:54:04| Successful DNS name lookup tests...
2012/05/31 10:54:04| DNS Socket created at 0.0.0.0, port 60995, FD 6
2012/05/31 10:54:04| Adding nameserver 127.0.0.1 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.2 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.22 from squid.conf
2012/05/31 10:54:04| helperOpenServers: Starting 10 'ldap_auth' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| User-Agent logging is disabled.
2012/05/31 10:54:04| Referer logging is disabled.
2012/05/31 10:54:04| logfileOpen: opening log /var/log/squid/ppol-test-access.log
2012/05/31 10:54:04| Unlinkd pipe opened on FD 71
2012/05/31 10:54:04| Swap maxSize 2048000 + 512000 KB, estimated 196923 objects
2012/05/31 10:54:04| Target number of buckets: 9846
2012/05/31 10:54:04| Using 16384 Store buckets
2012/05/31 10:54:04| Max Mem size: 512000 KB
2012/05/31 10:54:04| Max Swap size: 2048000 KB
2012/05/31 10:54:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/05/31 10:54:04| Store logging disabled
2012/05/31 10:54:04| Rebuilding storage in /var/spool/squid/ppol-test (DIRTY)
2012/05/31 10:54:04| Using Least Load store dir selection
2012/05/31 10:54:04| Set Current Directory to /var/cache/squid
2012/05/31 10:54:04| Loaded Icons.
2012/05/31 10:54:04| Accepting proxy HTTP connections at 0.0.0.0, port 3125, FD 73.
2012/05/31 10:54:04| Accepting HTTPS connections at 0.0.0.0, port 3126, FD 74.
2012/05/31 10:54:04| Accepting ICP messages at 0.0.0.0, port 3130, FD 75.
2012/05/31 10:54:04| HTCP Disabled.
2012/05/31 10:54:04| WCCP Disabled.
2012/05/31 10:54:04| Ready to serve requests.
2012/05/31 10:54:04| Done reading /var/spool/squid/ppol-test swaplog (40 entries)
2012/05/31 10:54:04| Finished rebuilding storage from disk.
2012/05/31 10:54:04| 40 Entries scanned
2012/05/31 10:54:04| 0 Invalid entries.
2012/05/31 10:54:04| 0 With invalid flags.
2012/05/31 10:54:04| 40 Objects loaded.
2012/05/31 10:54:04| 0 Objects expired.
2012/05/31 10:54:04| 0 Objects cancelled.
2012/05/31 10:54:04| 0 Duplicate URLs purged.
2012/05/31 10:54:04| 0 Swapfile clashes avoided.
2012/05/31 10:54:04| Took 0.3 seconds ( 154.6 objects/sec).
2012/05/31 10:54:04| Beginning Validation Procedure
2012/05/31 10:54:04| Completed Validation Procedure
2012/05/31 10:54:04| Validated 40 Entries
2012/05/31 10:54:04| store_swap_size = 796k
2012/05/31 10:54:05| storeLateRelease: released 0 objects
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found

The certificate was self-generated ( openssl req -new -x509 -nodes -keyout server_key.pem -out server_cert.pem ); I don't have an official certificate authority.
I don't know whether this is the cause of the error, or something else. Is there any way you could help me? Thank you. Does anyone have a similar scenario?

Alisson Ceolin

--
GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br
Before asking: http://www.istf.com.br/perguntas/
To leave the list, send an e-mail to: [email protected]
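A triage sketch for the cache.log excerpt in the message above, added here as an example; it is not part of the original post and not Squid code. It pulls out each clientNegotiateSSL failure and decodes the OpenSSL error string; the function names `triage` and `summarize` are hypothetical, and tying a failure to the nearest preceding aclMatchIp line is a heuristic that assumes the debug output is not interleaved with other clients.

```python
import re
from collections import Counter
# Constructed sample: a few lines taken from the cache.log excerpt in the post.
SAMPLE_LOG = """\
2012/05/31 10:54:04| Accepting HTTPS connections at 0.0.0.0, port 3126, FD 74.
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
"""
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
ACL_IP = re.compile(r"aclMatchIp: '([0-9.]+)' found")
TLS_ERR = re.compile(
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (\d+): "
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?) \(")
# OpenSSL reason strings reported when the peer spoke plaintext HTTP to a TLS port.
PLAINTEXT_REASONS = {
    "https proxy request": "client sent a plaintext CONNECT to a TLS listener",
    "http request": "client sent a plaintext HTTP request to a TLS listener",
}

def triage(log_text):
    """Return one dict per TLS handshake failure found in cache.log text."""
    findings, last_ip = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped cache.log entry
        ts, msg = m.groups()
        ip = ACL_IP.search(msg)
        if ip:
            last_ip = ip.group(1)  # heuristic: ACL debug line precedes the error
            continue
        err = TLS_ERR.search(msg)
        if err:
            fd, code, _lib, func, reason = err.groups()
            findings.append({
                "time": ts, "fd": int(fd), "client": last_ip, "code": code.upper(),
                "function": func, "reason": reason,
                "hint": PLAINTEXT_REASONS.get(reason),  # None: not a plaintext-on-TLS case
            })
    return findings

def summarize(findings):
    """Count failures per (client, reason) so repeated errors collapse to one row."""
    return Counter((f["client"], f["reason"]) for f in findings)

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

A non-empty `hint` means the handshake never reached certificate exchange: the first bytes the listener received were an HTTP request line rather than a TLS ClientHello.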

