Squid3 proxy - HOWTO

############################
# 1. Instalacja
############################


## linux ##
# Debian/Ubuntu. The `squid3` package name and the /etc/squid3 paths used
# throughout this HOWTO are distribution- and release-specific — confirm the
# package name for your release before following the rest of the config.
apt-get update ; apt-get install squid3

## bsd ##
# The package name may differ between BSDs — verify with your system's package search.
pkg_add squid3

############################
# 2. Konfiguracja
############################


vi /etc/squid3/squid.conf

############################
# MAIN CONFIG
############################


## proxy port ##
# Plain forward-proxy port. Author's rationale (translated): do not use the
# transparent option, to avoid unwanted reverse-style connections on ports
# 80/443 — those ports are sensitive because of the forced "allow to any dst"
# rule that interception requires.
# NOTE(review): the firewall rules in section 4 nevertheless DNAT/redirect
# port-80 traffic to this port. Squid 3 accepts NAT-redirected (origin-form)
# requests only on a port flagged `intercept` (`transparent` in 3.0); on a plain
# port they fail with "Invalid URL" as far as I can tell. Either configure the
# clients to use the proxy explicitly (browser settings/WPAD) and drop the NAT
# rules, or add a separate intercept port — confirm which deployment is meant.
http_port 7955 # forward-proxy port only, no intercept/transparent flag

## do not cache, only filter ##
cache deny all

## dns config ##
# append the default domain to unqualified names; use the explicit resolvers
# below (OpenDNS) rather than the system resolv.conf
dns_defnames on
dns_nameservers 208.67.222.222 208.67.220.220
ignore_unknown_nameservers on

## log config ##
# custom field layout registered under the name "squid", i.e. the same name as
# the built-in format — run `squid -k parse` to confirm the redefinition is accepted
logformat squid %tl %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# full mask: client addresses are logged unmasked
client_netmask 255.255.255.255
access_log /mnt/hdd2/squid_log/access.log squid # logs are kept on a separate disk
# query strings are logged in full; they can carry session tokens or
# credentials, so keep the log directory readable by the proxy account only
strip_query_terms off
uri_whitespace strip

## cache mgr & lan config ##
# standard cache-manager URL patterns; the ACL ACCESS section below restricts
# the manager to localhost
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/

acl localhost src 127.0.0.1/32 ::1
# intended for a `http_access deny to_localhost` rule (protects services bound
# to the proxy host's loopback); not referenced by any http_access line below
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# NOTE(review): 172.168.20.0/24 is public address space, not RFC 1918 (which is
# 172.16.0.0/12); also, this ACL is not referenced by any http_access rule below
acl localnet src 172.168.20.0/24 # RFC 1918 possible internal network

## marking default ports ##
# SSL_ports/Safe_ports back the first two deny rules of the ACL ACCESS section
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

############################
# ACL rules
############################


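## users list config ##
# client source addresses (IP ranges) allowed to use the proxy; contents in section 3 (user.acl)
acl user src "/etc/squid3/user.acl"

## daytime config ##
# Monday-Friday, 06:30-18:00
acl daytime time MTWHF 06:30-18:00

## deny filetype ##
# Extension deny lists matched against the whole request URL. Changed to
# case-insensitive (-i): the patterns are anchored with `$` and were
# case-sensitive, so an upper-case extension (`.EXE`) was not caught. They still
# do not match when a query string follows the file name (`\.exe$` vs
# `file.exe?x=1`) — an inherent limit of extension filtering; the
# reply_body_max_size cap in the anonymity section is the complementary control.
acl global-filetype url_regex -i "/etc/squid3/global-filetype.acl"
acl user-filetype url_regex -i "/etc/squid3/user-filetype.acl"

## deny post blacklist ##
# keyword blacklist matched anywhere in the request URL (url_regex does not
# inspect POST bodies, despite the heading); case-insensitive for the same reason
acl abuse url_regex -i "/etc/squid3/abuse.acl"

## deny ads ##
acl url-ads url_regex "/etc/squid3/ads.acl"

## deny anonymous-proxy ##
# matched against the URL path only (urlpath_regex), not the host
acl anon-proxy urlpath_regex "/etc/squid3/anon-proxy.acl"

## white-list exception ##
acl white-list dstdomain "/etc/squid3/white-list.acl"

## custom ssl exception list ##
acl ssl_exc dstdomain "/etc/squid3/ssl.acl"

## global request white-list ##
acl req_exc dstdomain "/etc/squid3/req_exc.acl"

## custom reply_max_size exception list ##
# NOTE(review): keep any comments inside the ACL files on their own lines; I do
# not believe Squid strips a `# ...` comment that follows a value on the same
# line, so such a line would be read as one bogus entry.
acl rep_size dstdomain "/etc/squid3/rep_size.acl"

## custom redirecting exception list ##
acl rdr_host_exc dstdomain "/etc/squid3/rdr_host_exc.acl"
acl rdr_exc urlpath_regex "/etc/squid3/rdr_exc.acl"

## connection rate ##
# matches a client IP that already holds more than 200 connections
acl connrate maxconn 200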

############################
# ACL ACCESS rules
############################


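# Evaluated top-down, first match wins: port/CONNECT sanity checks, then the
# per-user deny lists, then the domain white-list, then the global denies, and
# finally the time-restricted allow for the user list.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports # block non-standard ports
http_access deny CONNECT !SSL_ports
# added: keep proxy users away from services bound to the proxy host's loopback
# (to_localhost is defined in MAIN CONFIG but was never used)
http_access deny to_localhost
http_access deny connrate user # deny a client IP holding more than 200 connections (maxconn)
http_access deny global-filetype user # block downloads by the extensions in global-filetype
http_access deny user-filetype user # block downloads by the extensions in user-filetype
http_access deny url-ads user # block ads
# Domain white-list: bypasses the anonymity/abuse/SSL rules below. No src ACL is
# attached, so any client that can reach the port gets these domains; only the
# firewall rules in section 4 limit who that is.
# fixed: the original line read `allow All white-list`; `All` is not an ACL
# defined in this config (Squid's built-in is lowercase `all`) and an unknown
# ACL name in http_access is a fatal config error. `allow all white-list` would
# be equivalent to the line below anyway.
http_access allow white-list
http_access allow rdr_host_exc rdr_exc # allow domains in rdr_host_exc to use the redirect patterns in rdr_exc
http_access deny anon-proxy # block URL-obfuscating anonymiser pages
http_access deny abuse # block the keyword blacklist
http_access deny SSL_ports !ssl_exc # block all SSL connections except the domains in ssl_exc
http_access allow localhost # allow the proxy for lo
http_access allow daytime user # allow the user list only on the days/hours of the daytime rule
http_access deny all # deny everything else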

############################
# give me some anonymity ;)
############################


## do not forward ##
# do not add X-Forwarded-For or Via, and ignore X-Forwarded-For sent by clients,
# so neither client addresses nor the proxy itself are revealed upstream
forwarded_for off
follow_x_forwarded_for deny all
via off

## deny multicast icp
# no ICP peering: close the ICP port and refuse all ICP queries
icp_port 0
icp_access deny all

## deny ident lookups
ident_lookup_access deny all

## deny other request_header ##
# Strip every request header except for domains in req_exc. Author's intent
# (translated): no cookies, hence no logging into private webmail such as
# poczta.o2.pl or poczta.wp.pl.
# NOTE(review): "All" also covers Host, Content-Length, Content-Type,
# Authorization and Accept-*; Squid's documented "paranoid" anonymiser allows
# those explicitly before a final `All deny`. Confirm that POSTs and
# authenticated sites outside req_exc still work with this single line.
request_header_access All deny !req_exc

## deny large request ##
# cap replies (i.e. downloads) at 1 MB except for domains in rep_size; the
# exemption is by destination domain, independent of the requesting client
reply_body_max_size 1 MB !rep_size # block replies larger than 1 MB, so files over 1 MB cannot be downloaded, except from the domains listed in rep_size

## hide proxy version ##
httpd_suppress_version_string on # do not reveal the Squid version

## operator info ##
# contact address Squid prints on its error pages; the value here looks
# forum-obfuscated — replace it with a real address
cache_mgr [email protected] # admin contact

### wiecej info na
http://www.squid-cache.org/ ###

############################
# 3. Zawartosc plikow acl
############################


user.acl
Kod:
172.168.20.100-172.168.20.200

global-filetype.acl:
Kod:
\.vbs$
\.vba$
\.scr$
\.pif$
\.bat$
\.cmd$
\.dll$
\.ocx$

user-filetype.acl:
Kod:
\.exe$
\.msi$
\.msu$
\.7zip$
\.rar$
\.com$
\.zip$
\.mp3$
\.mp4$
\.avi$
\.divx$
\.mts$
\.mkv$
\.flv$
\.torrent$
\.iso$
\.mds$
\.mpeg$
\.mpg$
\.tar$
\.bz2$
\.gzip$
\.gz$
\.wav$
\.qc$
\.zip.html$

abuse.acl:
Kod:
piratebay
serials.ws
crack
keygen
gamecopyworld
proxy
hack
haker
dwn.so
chomikuj.
warez
isohunt
torent
torrent
exploit
spoof
hotfile
rapidshare
megaupload
downloader
shell
mediafire.
zalukaj.tv
speedyshare.
sendspace.
slideshare.
imageshack.
uploading.
uploaduj.
flickr.com
multiupload.
peb.pl
p2p
porn
xxx
adults

ads.acl:

Kod:
/adv/.*\.gif$
^http://.*hit\.gemius\.pl/
^http://*\.adocean\.pl/
^http://ads\.
^http://ad\.
^http://ads02\.
^http://ads2\.
^http://pagead2\.
^http://reklamy\.
^http://adv\.
//homeads\.*
//.*doubleclick.net/.*
/[Aa]ds/.*\.gif$
/[Aa]d[Pp]ix/
/[Aa]d[Ss]erver
/[Aa][Dd]/.*\.[GgJj][IiPp][FfGg]$
/[Bb]annerads/
/adbanner.*\.[GgJj][IiPp][FfGg]$
/images/ad/
/a/b/*
/reklame/
/RealMedia/ads/.*
^http://www\.submit-it.*
^http://www\.eads.*
^http://adaver.*\.
^http://adforce\.
adbot\.com
/ads/.*\.gif.*
_ad\..*cgi
/Banners/
/SmartBanner/
/Ads/Media/Images/
^http://static\.wired\.com/advertising/
^http://*\.dejanews\.com/ads/
^http://adfu\.blockstackers\.com/
^http://ads2\.zdnet\.com/adverts
^http://www2\.burstnet\.com/gifs/
^http://www.\.valueclick\.com/cgi-bin/cycle
^http://www\.altavista\.com/av/gifs/ie_horiz\.gif
^http://pagead2\.googlesyndication\.com
//.*/Adverts/.*
//.*/adverts/.*
//.*/gifs/ads/.*
//.*/graphics/advert.*
//.*/home/ads/.*
//.*/image.ng.*
//.*/image/ads/.*
//.*/images/adds/.*
//.*/images/ads/.*
//.*/img/ads/.*
//.*/logoshowad.*
//.*/pictures/sponsor/.*
//.*/sponsors/images/.*
//.*ancestry.com/ads/.*
//.*apcmag.com/ads/.*
//.*cmpnet.com/ads/graphics/.*
//.*cnet.com/Banners/.*
//.*cnnfn.com/ads/.*
//.*dejanews.com/gtplacer.*
//.*desktoppublishing.com/ad/.*
//.*doubleclick.net/ad/.*
//.*doubleclick.net/viewad/.*
//.*eads.com/graphics/ads/.*
//.*excite.com/img/ads/.*
//.*focalink.com/SmartBanner/
//.*four11.com/g/ads/.*
//.*gamelan.com/Advertisements/images/.*
//.*i8.net/worldnet/ad.cgi.*
//.*imgis.com/?adserv.*
//.*imgis.com/images/.*
//.*infoseek.com/doc/sponsors/images/.*
//.*infoworld.com/ads/gif/.*
//.*intellicast.com/ads/.*
//.*looksmart.com/r?.*gif
//.*mcp.com/ad_banners/.*
//.*miningco.com/zadz/.*
//.*motherjones.com/global/ADVERTISEMENTS/.*
//.*movielink.com/media/imagelinks/MF.ad.*
//.*movielink.com/media/imagelinks/MF.sponsor.*
//.*mrshowbiz.com/ad/.*
//.*msn.com/ads/.*
//.*mudconnect.com/ads/
//.*mydesktop.com/img/ads/.*
//.*netscape.com.au/ads/images/.*
//.*netscape.com.au/inserts/images/.*
//.*netscape.com/ads/images/.*
//.*netscape.com/inserts/images/.*
//.*news.com/Banners/Images/.*
//.*riddler.com/Commonwealth/bin/statdeploy.*
//.*safe-audit.com/exposure.cfm.*
//.*shareware.com/Banners/Images/.*
//.*sjmercury.com/advert/logos/.*
//.*smh.com.au/adproof.*
//.*techweb.com/ads/.*
//.*tqn.com/zadz/.*
//.*tripod.com/ads/.*
//.*tucows.wire.net.au/images/adds/.*
//.*webreview.com/universal/graphics/ads/.*
//.*windows95.com/gifs/ads/.*
//.*winntmag.com/images/.*
//.*winntmag.com/titlebar/titlebar.stm
//.*wire.net.au/images/adverts/.*
//.*wired.com/advertising/.*
//.*wisewire.com/ClickAd.emc.*
//.*wisewire.com/SKB/.*
//.*worldvillage.com/adds/banners/
//.*yahoo.com/adv/.*
//.*zdnet.com/adverts/.*
//204.123.2.101/ads/.*
//images.yahoo.com/promotions/.*
//.*buysellads.*

anon-proxy.acl:
Kod:
^/browse\.php
\.php\?q=
\.php\?u=i8v
\.php\?i8v
\.php\?u=
\.php\?sp=
^/?url=
^/file\.php
^/download\.php

white-list.acl:
Kod:
my.comapny.com

ssl.acl:
Kod:
.mbank.pl
.bph.pl
.paypal.com
.bzwbk.pl
.apple.com
.google.com
.gstatic.com
.aliorbank.pl
.google-analytics.com
.paypal.pl
.paypalobjects.com
.centrum24.pl

req_exc.acl:
Kod:
.istock.com
.istockphoto.com
.istockimg.com
.www.istockphoto.com

rep_size.acl:
Kod:
# jezeli chcesz zezwolic na ogladanie filmow dluzszych niz ~20 sekund ;) (komentarz przeniesiony do osobnej linii - Squid moze nie ignorowac tekstu po `#` na koncu linii z wpisem i potraktowac go jako czesc domeny)
.youtube.com
.istockphoto.com
.istockimg.com
# repo obsd (komentarz w osobnej linii - Squid moze nie ignorowac tekstu po `#` na koncu linii z wpisem)
.ftp.icm.edu.pl

rdr_host_exc.acl
Kod:
#.facebook.com ## unhash jesli chcesz zezwolic na przekierowania linkow postowanych na fb - mozliwosc spear phishingu :):)

rdr_exc.acl
Kod:
\.php\?q=
\.php\?u=

### restartujemy proxy ###

/etc/init.d/squid3 restart
lub na bsd:
/etc/rc.d/squid3 restart

############################
# 4. Reguly firewall
############################


###################################
## Linux
###################################


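### local proxy ###
# Port-80 traffic entering on eth1 is DNATed to the proxy port; port-80 traffic
# entering on eth0 is redirected locally to the proxy port.
# NOTE(review): this is NAT interception, but `http_port 7955` in section 2
# carries no `intercept` flag (`transparent` in Squid 3.0), so as far as I can
# tell Squid will reject the redirected requests with "Invalid URL". Either
# configure clients explicitly (browser settings/WPAD) and drop the NAT rules,
# or add a dedicated intercept port in squid.conf.
# NOTE(review): only TCP/80 is redirected; HTTPS (443) from the client range
# bypasses the proxy and its ssl.acl policy unless the FORWARD chain blocks it.
# The FORWARD policy is not shown here — confirm it is default-deny or add a
# matching DROP for the client range.
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 172.168.20.1:7955
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7955
# fixed: the iprange match takes `--src-range`; a bare `src-range` is rejected by iptables
iptables -A INPUT -i eth0 -m iprange --src-range 172.168.20.100-172.168.20.200 -p tcp --dport 7955 -j ACCEPT

### remote proxy ###
# Client port-80 traffic entering on eth1 is DNATed to the proxy host
# 172.168.20.10; FORWARD admits only the client range to the proxy port
# (FORWARD sees the post-DNAT destination, hence --dport 7955).
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to-destination 172.168.20.10:7955
iptables -A FORWARD -i eth1 -m iprange --src-range 172.168.20.100-172.168.20.200 -d 172.168.20.10 -p tcp --dport 7955 -j ACCEPT
# Author's placeholder "{ proxy_rules 172.168.20.10 }": presumably the two rules
# below belong on the proxy host 172.168.20.10 itself.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7955
iptables -A INPUT -i eth0 -m iprange --src-range 172.168.20.100-172.168.20.200 -p tcp --dport 7955 -j ACCEPT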


###################################
## BSD
###################################


### local proxy ###
# Redirect the client range's port-80 traffic arriving on em1 to the proxy port
# on em0, and accept it there.
# NOTE(review): as with the Linux rules, this is NAT interception while
# `http_port 7955` in section 2 has no `intercept` flag; and only TCP/80 is
# redirected, so HTTPS from the client range bypasses the proxy and its ssl.acl
# policy unless another rule blocks it.
# NOTE(review): in pf.conf `rdr-to` is normally attached to inbound (`pass in`)
# rules — confirm that an `out` rule with `rdr-to` does what is intended here.
pass out on em1 inet proto tcp from {172.168.20.100 - 172.168.20.200} to any port 80 rdr-to em0 port 7955
pass in on em1 inet proto tcp from {172.168.20.100 - 172.168.20.200} to em0 port 7955

### remote proxy ###
# Same redirection, but to the proxy host 172.168.20.10.
pass out on em1 inet proto tcp from {172.168.20.100 - 172.168.20.200} to any port 80 rdr-to 172.168.20.10 port 7955
# Author's placeholder: presumably the two rules below belong on the proxy host 172.168.20.10.
{ proxy_rules 172.168.20.10 }
pass in on em0 inet proto tcp from {172.168.20.100 - 172.168.20.200} to em0 port 7955
pass out on em0 inet proto tcp from {172.168.20.100 - 172.168.20.200} to em0 port 7955
 