Você tem a autenticação ativada para o Squid e o DansGuardian? Porque parece que sim. Desative a autenticação no Squid e tente conectar-se novamente através do DansGuardian.
Eu apenas criei um novo servidor proxy e compilei as versões mais recentes do squid e do dansguardian. Usamos a autenticação básica para selecionar quais usuários são permitidos fora de nossa rede. Parece squid está funcionando muito bem e aceita meu nome de usuário e senha e me deixa sair.
Mas se eu me conectar ao dans guardian, ele solicitará o nome de usuário e a senha e, em seguida, exibirá uma mensagem informando que meu nome de usuário não tem permissão para acessar a Internet. É puxar meu nome de usuário para a mensagem de erro, então eu sei que sabe quem eu sou. A parte em que me confundo é que pensei que a parte era manuseada por lula e a lula estava funcionando perfeitamente.
Alguém pode, por favor, checar meus arquivos de configuração e dizer se estou perdendo alguma coisa ou se há alguma nova opção que devo definir para que isso funcione.
dansguardian.conf
# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
# 0 = just say 'Access Denied'
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored) - recommended
# reportinglevel = 3
# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, DansGuardian will display the HTML file instead of
# using the perl cgi script. This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
# languagedir = '/etc/dansguardian/languages'
# language to use from languagedir. language = 'ukenglish'
# Logging Settings
#
# 0 = none 1 = just denied 2 = all text based 3 = all requests loglevel
= 3
# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter. on | off logexceptionhits = on
# Log File Format
# 1 = DansGuardian format 2 = CSV-style format
# 3 = Squid Log File Format 4 = Tab delimited logfileformat = 1
# Log file location
#
# Defines the log directory and filename.
#loglocation = '/var/log/dansguardian/access.log'
# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP. Yes only one. filterip =
# the port that DansGuardian listens to. filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server) proxyip =
127.0.0.1
# the port DansGuardian connects to proxy on proxyport = 3128
# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
# Do NOT change from the default if you are not using the cgi.
# accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
# Non standard delimiter (only used with accessdeniedaddress)
# Default is enabled but to go back to the original standard mode dissable it. nonstandarddelimiter = on
# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image. This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default) usecustombannedimage = 1 custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users. The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group. To assign users to groups use the filtergroupslist option. All users default
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group. The more filter groups the more copies of the lists will be in RAM so
# use as few as possible. filtergroups = 1 filtergroupslist = '/etc/dansguardian/filtergroupslist'
# Authentication files location bannediplist = '/etc/dansguardian/bannediplist' exceptioniplist = '/etc/dansguardian/exceptioniplist' banneduserlist = '/etc/dansguardian/banneduserlist' exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off showweightedfound = on
# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
# weightedphrasemode = 2
# Positive result caching for text URLs
# Caches good pages so they don't need to be scanned again
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit urlcachenumber =
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins urlcacheage =
# Smart and Raw phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# CPU usage can be effectively halved by using setting 0 or 1
# 0 = raw only
# 1 = smart only
# 2 = both (default) phrasefiltermode = 2
# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases. However this can break Big5 and
# other 16-bit texts. If needed preserve the case. As of version
2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case preservecase = 0
# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable. However this can break Big5 and other 16-bit texts.
# 0 = disabled (default)
# 1 = enabled hexdecodecontent = 0
# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# 0 = off (default)
# 1 = on (Big5 compatible) forcequicksearch = 0
# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead. reverseaddresslookups = off
# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer. This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off. reverseclientiplookups = off
# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant. Fast computers do not need this option. on | off createlistcachefiles = on
# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0 maxuploadsize = -1
# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 for no limit maxcontentfiltersize =
# Username identification methods (used in logging)
# You can have as many methods as you want and not just one. The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
# transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
# protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
# * ident is for when the others don't work. It will contact the computer
# that the connection came from and try to connect to an identd server
# and query it for the user owner of the connection. usernameidmethodproxyauth = on usernameidmethodntlm = off # **NOT IMPLEMENTED** usernameidmethodident = off
# Preemptive banning - this means that if you have proxy auth enabled and a user accesses
# a site banned by URL for example they will be denied straight away without a request
# for their user and pass. This has the effect of requiring the user to visit a clean
# site first before it knows who they are and thus maybe an admin user.
# This is how DansGuardian has always worked but in some situations it is less than
# ideal. So you can optionally disable it. Default is on.
# As a side effect disabling this makes AD image replacement work better as the mime
# type is know. preemptivebanning = on
# Misc settings
# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
# header. This may help solve some problem sites that need to know the
# source ip. on | off forwardedfor = on
# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off usexforwardedfor = off
# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored. These are logged by syslog. It is safe to leave
# it on or off logconnectionhandlingerrors = on
# Fork pool options
# sets the maximum number of processes to sporn to handle the incomming
# connections. Max value usually 250 depending on OS.
# On large sites you might want to try 180. maxchildren = 180
# sets the minimum number of processes to sporn to handle the incomming connections.
# On large sites you might want to try 32. minchildren = 32
# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8. minsparechildren = 8
# sets the minimum number of processes to sporn when it runs out
# On large sites you might want to try 10. preforkchildren = 10
# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64. maxsparechildren = 64
# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000. maxagechildren = 5000
# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.
# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process. ipcfilename = '/tmp/.dguardianipc'
# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process. urlipcfilename = '/tmp/.dguardianurlipc'
# PID filename
#
# Defines process id directory and filename.
#pidfilename = '/var/run/dansguardian.pid'
# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off ( defaults to off ) nodaemon = off
# Disable logging process
# on|off ( defaults to off ) nologger = off
# Daemon runas user and group
# This is the user that DansGuardian runs as. Normally the user/group nobody.
# Uncomment to use. Defaults to the user set at compile time.
# daemonuser = 'nobody'
# daemongroup = 'nobody'
# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off ( defaults to off ) softrestart = off
maxcontentramcachescansize = 2000 maxcontentfilecachescansize = 20000 downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf' authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
Squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
access_log /squid/var/logs/access.log squid
hosts_file /etc/hosts
auth_param basic program /squid/libexec/ncsa_auth /squid/etc/userbasic.auth
auth_param basic children 5
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl NoAuthNec src <HIDDEN FOR SECURITY>
acl BrkRm src <HIDDEN FOR SECURITY>
acl Dials src <HIDDEN FOR SECURITY>
acl Comps src <HIDDEN FOR SECURITY>
acl whsws dstdom_regex -i .opensuse.org .novell.com .suse.com mirror.mcs.an1.gov mirrors.kernerl.org www.suse.de suse.mirrors.tds.net mirrros.usc.edu ftp.ale.org suse.cs.utah.edu mirrors.usc.edu mirror.usc.an1.gov linux.nssl.noaa.gov noaa.gov .kernel.org ftp.ale.org ftp.gwdg.de .medibuntu.org mirrors.xmission.com .canonical.com .ubuntu.
acl opensites dstdom_regex -i .mbsbooks.com .bowker.com .usps.com .usps.gov .ups.com .fedex.com go.microsoft.com .microsoft.com .apple.com toolbar.msn.com .contacts.msn.com update.services.openoffice.org fms2.pointroll.speedera.net services.wmdrm.windowsmedia.com windowsupdate.com .adobe.com .symantec.com .vitalbook.com vxn1.datawire.net vxn.datawire.net download.lavasoft.de .download.lavasoft.com .lavasoft.com updates.ls-servers.com .canadapost. .myyellow.com minirick symantecliveupdate.com wm.overdrive.com www.overdrive.com productactivation.one.microsoft.com www.update.microsoft.com testdrive.whoson.com www.columbia.k12.mo.us banners.wunderground.com .kofax.com .gotomeeting.com tools.google.com .dl.google.com .cache.googlevideo.com .gpdl.google.com .clients.google.com cache.pack.google.com kh.google.com maps.google.com auth.keyhole.com .contacts.msn.com .hrblock.com .taxcut.com .merchantadvantage.com .jtv.com .malwarebytes.org www.google-analytics.com dcs.support.xerox.com .dhl.com .webtrendslive.com javadl-esd.sun.com javadl-alt.sun.com .excelsior.edu .dhlglobalmail.com .nessus.org .foxitsoftware.com foxit.vo.llnwd.net installshield.com .mindjet.com .mediascouter.com media.us.elsevierhealth.com .xplana.com .govtrack.us sa.tulsacc.edu .omniture.com fpdownload.macromedia.com webservices.amazon.com
acl password proxy_auth REQUIRED
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 631 2001 2005 8731 9001 9080 10000
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port # https, snews 443 563
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port # unregistered ports 1936-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 10000
acl Safe_ports port 631
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl UTubeUsers proxy_auth "/squid/etc/utubeusers.list"
acl RestrictUTube dstdom_regex -i youtube.com
acl RestrictFacebook dstdom_regex -i facebook.com
acl FacebookUsers proxy_auth "/squid/etc/facebookusers.list"
acl BuemerKEC src 10.10.128.0/24
acl MBSsortnet src 10.10.128.0/26
acl MSNExplorer browser -i MSN
acl Printers src <HIDDEN FOR SECURITY>
acl SpecialFolks src <HIDDEN FOR SECURITY>
# streaming download
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
acl RestrictHulu dstdom_regex -i hulu.com
acl broken dstdomain cms.montgomerycollege.edu events.columbiamochamber.com members.columbiamochamber.com public.genexusserver.com
acl RestrictVimeo dstdom_regex -i vimeo.com
acl http_port port 80
#http_reply_access deny deny_rep_mime_flashvideo
#http_reply_access deny deny_rep_mime_shockwave
#streaming files
#http_access deny fails
#http_reply_access deny fails
#http_access deny fails2
#http_reply_access deny fails2
#http_access deny x-type
#http_reply_access deny x-type
#http_access deny x-type2
#http_reply_access deny x-type2
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
log_uses_indirect_client on
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow SpecialFolks
http_access deny CONNECT !SSL_ports
http_access allow whsws
http_access allow opensites
http_access deny BuemerKEC !MBSsortnet
http_access deny BrkRm RestrictUTube RestrictFacebook RestrictVimeo
http_access allow RestrictUTube UTubeUsers
http_access deny RestrictUTube
http_access allow RestrictFacebook FacebookUsers
http_access deny RestrictFacebook
http_access deny RestrictHulu
http_access allow NoAuthNec
http_access allow BrkRm
http_access allow FacebookUsers RestrictVimeo
http_access deny RestrictVimeo
http_access allow Comps
http_access allow Dials
http_access allow Printers
http_access allow password
http_access deny !Safe_ports
http_access deny SSL_ports !CONNECT
http_access allow http_port
http_access deny all
http_reply_access allow all
icp_access allow all
access_log /squid/var/logs/access.log squid
visible_hostname proxy.site.com
forwarded_for off
coredump_dir /squid/cache/
#header_access Accept-Encoding deny broken
#acl snmppublic snmp_community mysecretcommunity
#snmp_port 3401
#snmp_access allow snmppublic all
cache_mem 3 GB
#acl snmppublic snmp_community mbssquid
#snmp_port 3401
#snmp_access allow snmppublic all
Você tem a autenticação ativada para o Squid e o DansGuardian? Porque parece que sim. Desative a autenticação no Squid e tente conectar-se novamente através do DansGuardian.