Hi all, here's my new situation (still on Squid 2.7). I want to send uservipstr and uservip by DIRECT. I want to send userti, userlimitado, user200mb and userinternet by PARENT.
i want to send by DIRECT all the NTLM users that don't belong to any list of above (ikr, my english sucks)
i want to block streaming (blockstr, blockstr2, audyvid, vidyaud) for all but uservipstr
if i remove the line "always_direct allow ntlm" DIRECT/PARENT rules works but doesn't streaming rules
if i let that line, streaming works but doesn't DIRECT/PARENT
here's my squid.conf. I'll put here all because can't find where's my error

########################
# squid.conf as posted, for Squid 2.7: NTLM authentication, group membership
# looked up through an external ACL helper, per-group access / size / routing
# rules, one parent proxy, and squidGuard as URL rewriter.
# NOTE(review): the archived message had the whole file collapsed onto a few
# lines; one directive per line is restored here. Places where the original
# line break cannot be recovered with certainty are marked below.
## Visible name of the proxy
visible_hostname prana
## NTLM
#
## Declared
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive off
## External NTLM (group) declaration for blocking file downloads,
## load balancing and downloaded-file sizes
#
## Declared
# NOTE(review): the space inside "/usr/lib/squid/ wbinfo_group.pl" looks like a
# mail line-wrap artifact; confirm the helper path in the live file.
# NOTE(review): ttl=3600 caches each helper answer for an hour, so a change in
# group membership (for example removing a user from a privileged list) only
# takes effect once the cached entry expires.
external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/ wbinfo_group.pl
## Access lists for ROEMMERS are declared here
#
## Declared
# NOTE(review): vidyaud and blockstr2 are rep_mime_type ACLs. Per the Squid
# documentation, rep_mime_type has no effect in http_access; it only works in
# rules that see the reply, such as http_reply_access. blockstr and audyvid are
# req_mime_type ACLs, which match the Content-Type of the client's request and
# not the type of the returned file.
acl porno url_regex -i "/etc/squid/listas/porno.lst"
acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
acl directo url_regex -i "/etc/squid/listas/direct.lst"
acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
acl useragent browser -i "/etc/squid/blockejec/browser.lst"
acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"
### Skype ACLs
acl skype external ntlm_group "/etc/squid/listas/skype.lst"
# NOTE(review): as shown, the dots and the square brackets in this pattern are
# unescaped, so "." matches any character and the IPv6 bracket part does not
# read as intended. Backslashes may have been lost in the mail archive; verify
# the pattern in the live file.
acl numeric_ips dstdom_regex ^(([0-9]+.[0-9]+.[0-9]+.[0-9]+)|([([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?])):443
acl skype_ua browser ^skype
acl validuseragent browser \S+
#
## Declared
acl all src all
acl CONNECT method CONNECT
## SQSTAT declaration
## SQSTAT ACLs
# Cache manager requests are allowed only from the single host 192.168.8.121
# and denied for everyone else.
acl manager proto cache_object
acl webserver src 192.168.8.121/255.255.255.255
http_access allow manager webserver
http_reply_access allow manager webserver
http_access deny manager
# Browsing rules
http_access deny porno all
http_reply_access deny porno all
# NOTE(review): the deny_info line for porno appears twice in the post.
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
# NOTE(review): http_access is evaluated top-down and the first matching line
# decides. The per-group "http_access allow <group>" lines in this section come
# before "http_access deny !Safe_ports", "http_access deny CONNECT !SSL_ports"
# and the numeric_ips / skype_ua / validuseragent denies further down, so for
# members of uservipstr, uservip, userti, user200mb and userinternet those
# restrictions are never reached. The stock squid.conf places the two port
# denies ahead of any allow.
acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
http_access deny blockejec uservipstr
http_access allow uservipstr
http_reply_access allow uservipstr
http_access deny blockstr !uservipstr all
http_reply_access deny blockstr !uservipstr all
http_access deny blockstr2 !uservipstr all
http_reply_access deny blockstr2 !uservipstr all
http_access deny audyvid !uservipstr all
http_access deny vidyaud !uservipstr all
http_reply_access deny audyvid !uservipstr all
http_reply_access deny vidyaud !uservipstr all
# NOTE(review): this 31-digit value is larger than a 64-bit integer can hold;
# how Squid parses it is not visible here. The commented-out block near the end
# of the file uses 0 for the same groups. Confirm the effective limit.
reply_body_max_size 9999999999999999999999999999999 deny uservipstr
acl uservip external ntlm_group "/etc/squid/listas/uservip.lst"
http_access deny blockejec uservip
http_access allow uservip
reply_body_max_size 9999999999999999999999999999999 deny uservip
http_reply_access allow uservip
always_direct allow uservip
acl userti external ntlm_group "/etc/squid/listas/userti.lst"
# This deny applies to every requester who is not in userti, not only to the
# groups handled below.
http_access deny blockejec !userti
http_access allow userti
http_reply_access allow userti
reply_body_max_size 9999999999999999999999999999999 deny userti
acl user200mb external ntlm_group "/etc/squid/listas/user200mb.lst"
http_access allow user200mb
http_reply_access allow user200mb
reply_body_max_size 500000000 deny user200mb
acl userinternet external ntlm_group "/etc/squid/listas/userinternet.lst"
http_access allow userinternet
http_reply_access allow userinternet
reply_body_max_size 45000000 deny userinternet
acl userlimitado external ntlm_group "/etc/squid/listas/userlimitado.lst"
http_access deny userlimitado !destinolimitado
http_reply_access deny userlimitado !destinolimitado
never_direct allow userlimitado
# NOTE(review): in the collapsed post "#deny" is directly followed by the
# deny_info directive; it is shown here as a separate comment line, but the
# original may have had the deny_info line commented out. Check the live file.
#deny
deny_info http://www.pranaglobal.com.ar/restringidos/roemmers destinolimitado
reply_body_max_size 45000000 deny userlimitado
## Extra access lists declared
## Done
## Common ACLs
acl localnet src 192.168.0.0/16
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
# NOTE(review): "78 69" is reproduced exactly as posted; it may be two ports or
# one number split by the mail formatting. Confirm against the live file.
acl Safe_ports port 78 69 #Spotify
## SRCs declared
#
## HTTP access and filtering by AD group are declared here
# Deny requests to unknown ports
#http_access allow Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
## HTTP access declared
#
## SSO starts here
acl ntlm proxy_auth REQUIRED
#http_access deny !ntlm
########################################## Uncomment if we go with a blacklist
http_access deny numeric_ips !skype
http_access deny skype_ua !skype
http_access deny !validuseragent !skype
##########################################
http_access allow permitidos ntlm
http_reply_access allow permitidos ntlm
http_access allow permitidos !userlimitado
http_reply_access allow permitidos !userlimitado
# Anything not allowed above is denied; replies for anyone reaching this
# point are capped at 500000 bytes.
http_access deny all
http_reply_access deny all
reply_body_max_size 500000 deny all
## Ends here
#
##Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
##
#
## Squid normally listens to port 3128
http_port 3128
## Squid port declared
#
## Log
access_log /var/log/squid/access.log squid
## Done
#
# Limiting downloads to 40 MB
#reply_body_max_size 0 allow userti
#reply_body_max_size 0 allow uservip
#reply_body_max_size 0 allow uservipstr
#reply_body_max_size 4000000 allow user200mb
#reply_body_max_size 4000 allow userinternet
#reply_body_max_size 4000 allow userlimitado
#reply_body_max_size 0 deny all
## Done
## PARENT PROXY!! If the parent proxy goes down,
## or when the firewall is replaced by an active-active pair,
## comment out these lines
cache_peer 192.168.26.15 parent 3128 0 no-digest proxy-only no-delay no-query
dead_peer_timeout 30 seconds
#
# Done
## In which cases is it DIRECT?
##
## Everyone else browses through the PARENT
# NOTE(review): always_direct and never_direct are two separate lists, each
# evaluated top-down with the first match deciding; the interleaving of the
# lines below does not change that. Within always_direct, "allow permitidos
# all" matches any request to a permitted domain and "allow ntlm" matches every
# authenticated user, including userti, userlimitado, user200mb and
# userinternet, because no "always_direct deny <group>" line precedes it.
# As far as the Squid documentation describes it, a request that matches an
# always_direct allow goes DIRECT without never_direct being consulted;
# confirm against the 2.7 documentation.
always_direct allow uservipstr
always_direct allow uservip
always_direct allow directo
always_direct allow blockejec
always_direct deny blockstr
always_direct allow permitidos all
never_direct allow blockstr
never_direct allow userti
always_direct allow ntlm
always_direct deny all
never_direct allow all
## Call to squidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 50
##############################

Thanks for your attention
-- Jonathan Filogna It Senior Tasso SRL 4702 1910