Сломал всю голову! Прошу помощи. Ubuntu 15.04 Squid3, непрозрачный, авторизация через kerberos. Поставил SquidGuard. Проблема в том, что когда я включаю SquidGuard в конфиге Squid, пользователи перестают заходить на хттпс сайты. Комменчу строки с использованием SquidGuard, всё нормально. Access.log:
1437470381.748 0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.749 0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.808 42 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470381.819 0 192.168.0.4 TCP_DENIED/407 3779 CONNECT mail.yandex.ru:443 - HIER_NONE/- text/html
1437470381.830 64 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470381.883 49 192.168.0.4 TCP_MISS/503 0 CONNECT mail.yandex.ru:443 Konus2 HIER_NONE/- -
1437470384.028 1 192.168.0.4 TCP_DENIED/407 3594 CONNECT store.office.com:443 - HIER_NONE/- text/html
1437470384.107 61 192.168.0.4 TCP_MISS/503 0 CONNECT store.office.com:443 Konus1 HIER_NONE/- -
1437470384.708 1 192.168.0.4 TCP_DENIED/407 3775 CONNECT jim28.mail.ru:443 - HIER_NONE/- text/html
1437470384.791 48 192.168.0.4 TCP_MISS/503 0 CONNECT jim28.mail.ru:443 sekr2 HIER_NONE/- -
1437470384.806 0 192.168.0.4 TCP_DENIED/407 3811 CONNECT stat.radar.imgsmail.ru:443 - HIER_NONE/- text/html
1437470384.869 42 192.168.0.4 TCP_MISS/503 0 CONNECT stat.radar.imgsmail.ru:443 sekr2 HIER_NONE/- -
1437470384.977 0 192.168.0.4 TCP_DENIED/407 3775 CONNECT jim28.mail.ru:443 - HIER_NONE/- text/html
1437470385.045 50 192.168.0.4 TCP_MISS/503 0 CONNECT jim28.mail.ru:443 sekr1 HIER_NONE/- -
1437470385.056 0 192.168.0.4 TCP_DENIED/407 3811 CONNECT stat.radar.imgsmail.ru:443 - HIER_NONE/- text/html
1437470385.129 52 192.168.0.4 TCP_MISS/503 0 CONNECT stat.radar.imgsmail.ru:443 sekr1 HIER_NONE/- -
2015/07/21 12:21:43| negotiate_kerberos_auth: INFO: user Konus2 authenticated...... # OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -i -r -s HTTP/ubuntusquid.net.loc@NET.LOC
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NET
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=net,dc=loc" -D squid@net.loc -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc2.net.loc
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl localnet src 192.168.0.0/24 # internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
### enforce authentication
http_access deny !auth
http_access allow auth
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
http_access deny all
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
http_port 3128
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#
hierarchy_stoplist cgi-bin ?
forward_max_tries 25
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
#
access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 30
# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
cache_log /var/log/squid3/cache.log
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
#
dns_v4_first on
cache_mgr heremustbeadmin@email.ru
httpd_suppress_version_string on
visible_hostname UBUNTUSQUID
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
#url_rewrite_bypass on
#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#url_rewrite_children 5
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
time workhours {
weekly mtwhf 08:00 - 19:30
}
#
# SOURCE ADDRESSES:
#
src admin {
ip 192.168.0.81/24
user admin
}
src users {
ip 192.168.0.4 - 192.168.0.250
}
dest socialnet {
domainlist BL/socialnet/domains
urllist BL/socialnet/urls
}
#
# ACL RULES:
#
acl {
admin {
pass any
}
users {
pass !socialnet any
}
default {
pass none
redirect http://192.168.0.1/deny.html
}
}
