cws-khuntly · July 17, 2016 19:51
diff --git a/squid.conf b/squid.conf
 #
 # Recommended minimum configuration:
 #
 visible_hostname proxy.caspersbox.com

 ## add in basic authentication (pending ldap auth)
 auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=caspersbox,dc=com" -f "uid=%s" -D "uid=AppUser,ou=AppAdmins,organizationalUnitName=Service Accounts,organizationalUnitName=Users,organizationName=CWS US,dc=caspersbox,dc=com" -W /etc/squid/ldap_pass -h data.caspersbox.corp -p 10389
 auth_param basic children 50
 auth_param basic realm CWS Proxy Services
 auth_param basic credentialsttl 90 minutes

 acl manager proto cache_object
 acl localhost src 127.0.0.1/32 ::1
 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
 acl localnet src 192.168.10.0/24

 acl SSL_ports port 443
 acl Safe_ports port 80      # http
 acl Safe_ports port 21      # ftp
 acl Safe_ports port 443     # https
 acl Safe_ports port 70      # gopher
 acl Safe_ports port 210     # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280     # http-mgmt
 acl Safe_ports port 488     # gss-http
 acl Safe_ports port 591     # filemaker
 acl Safe_ports port 777     # multiling http
 acl CONNECT method CONNECT

 ## custom acl
 acl DENIED_SITES url_regex "/etc/squid/DENIED_SITES.acl"

 ## proxy auth
 acl ldap_users proxy_auth REQUIRED

 ## add in filter
 redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 redirect_children 8
 redirector_bypass on

 #
 # Recommended minimum Access Permission configuration:
 #

 ## require authentication
 http_access allow ldap_users

 #  Only allow cachemgr access from localhost
 http_access allow manager localhost
 http_access deny manager

 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports

 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports

 ## deny custom blocks
 http_access deny DENIED_SITES

 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
 http_access deny to_localhost

 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #

 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
 http_access allow localhost

 # And finally deny all other access to this proxy
 http_access deny all

 # Squid normally listens to port 3128
 http_port 192.168.10.8:3128

 # We recommend you to use at least the following line.
 hierarchy_stoplist cgi-bin ?

 # Uncomment and adjust the following to add a disk cache directory.
 cache_dir ufs /var/spool/squid 800 14 256
 cache_mem 32 MB
 cache_store_log none

 # Leave coredumps in the first cache dir
 coredump_dir /var/spool/squid

 half_closed_clients off
 maximum_object_size 1024 KB

 # Add any of your own refresh_pattern entries above these.
 refresh_pattern ^ftp:       1440    20% 10080
 refresh_pattern ^gopher:    1440    0%  1440
 refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
 refresh_pattern .       0   20% 4320
 cache_effective_user squid
 cache_effective_group squid

 cache deny SSL_ports CONNECT
diff --git a/squidGuard.conf b/squidGuard.conf
 #
 # CONFIG FILE FOR SQUIDGUARD
 #

 dbhome /var/squidGuard/db
 logdir /var/log/squidGuard

 #
 # TIME RULES:
 # abbrev for weekdays: 
 # s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

 time authtime {
    weekly s     08:00 - 19:00
    weekly a     08:00 - 19:00
    weekly mtwhf 15:00 - 19:00
 }

 #
 # REWRITE RULES:
 #

 rew dmz {
    s@://admin/@://admin.foo.bar.de/@i
    s@://foo.bar.de/@://www.foo.bar.de/@i
 }

 #
 # SOURCE ADDRESSES:
 #

 src admin {
    user khuntly chuntly
 }

 src cws {
    ip    192.168.10.0/24
 }

 #
 # DESTINATION CLASSES:
 #

 #dest bl_warez {
 #    domainlist        blacklists/warez/domains
 #    urllist           blacklists/warez/urls
 #    redirect          http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
 #}

 #dest bl_ads {
 #    domainlist        blacklists/ads/domains
 #    urllist           blacklists/ads/urls
 #    expressionlist    blacklists/ads/expressions
 #    redirect          http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
 #}

 #dest bl_drugs {
 #    domainlist        blacklists/drugs/domains
 #    urllist           blacklists/drugs/urls
 #    redirect          http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
 #}

 #dest bl_adult {
 #    domainlist        blacklists/adult/domains
 #    urllist           blacklists/adult/urls
 #    redirect          http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
 #}

 dest adult {
    domainlist        blacklists/porn/domains
    urllist           blacklists/porn/urls
    expressionlist    blacklists/porn/expressions
    redirect          http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
 }

 acl {
    admin {
        pass    any
    }

    cws within authtime {
        pass    !adult all
        redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
    }

    default {
        pass    none
        redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
    }
 }
	#
	# Recommended minimum configuration:
	#
	visible_hostname proxy.caspersbox.com

	## add in basic authentication (pending ldap auth)
	auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=caspersbox,dc=com" -f "uid=%s" -D "uid=AppUser,ou=AppAdmins,organizationalUnitName=Service Accounts,organizationalUnitName=Users,organizationName=CWS US,dc=caspersbox,dc=com" -W /etc/squid/ldap_pass -h data.caspersbox.corp -p 10389
	auth_param basic children 50
	auth_param basic realm CWS Proxy Services
	auth_param basic credentialsttl 90 minutes

	acl manager proto cache_object
	acl localhost src 127.0.0.1/32 ::1
	acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

	# Example rule allowing access from your local networks.
	# Adapt to list your (internal) IP networks from where browsing
	# should be allowed
	acl localnet src 192.168.10.0/24

	acl SSL_ports port 443
	acl Safe_ports port 80 # http
	acl Safe_ports port 21 # ftp
	acl Safe_ports port 443 # https
	acl Safe_ports port 70 # gopher
	acl Safe_ports port 210 # wais
	acl Safe_ports port 1025-65535 # unregistered ports
	acl Safe_ports port 280 # http-mgmt
	acl Safe_ports port 488 # gss-http
	acl Safe_ports port 591 # filemaker
	acl Safe_ports port 777 # multiling http
	acl CONNECT method CONNECT

	## custom acl
	acl DENIED_SITES url_regex "/etc/squid/DENIED_SITES.acl"

	## proxy auth
	acl ldap_users proxy_auth REQUIRED

	## add in filter
	redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
	redirect_children 8
	redirector_bypass on

	#
	# Recommended minimum Access Permission configuration:
	#

	## require authentication
	http_access allow ldap_users

	# Only allow cachemgr access from localhost
	http_access allow manager localhost
	http_access deny manager

	# Deny requests to certain unsafe ports
	http_access deny !Safe_ports

	# Deny CONNECT to other than secure SSL ports
	http_access deny CONNECT !SSL_ports

	## deny custom blocks
	http_access deny DENIED_SITES

	# We strongly recommend the following be uncommented to protect innocent
	# web applications running on the proxy server who think the only
	# one who can access services on "localhost" is a local user
	http_access deny to_localhost

	#
	# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
	#

	# Example rule allowing access from your local networks.
	# Adapt localnet in the ACL section to list your (internal) IP networks
	# from where browsing should be allowed
	http_access allow localnet
	http_access allow localhost

	# And finally deny all other access to this proxy
	http_access deny all

	# Squid normally listens to port 3128
	http_port 192.168.10.8:3128

	# We recommend you to use at least the following line.
	hierarchy_stoplist cgi-bin ?

	# Uncomment and adjust the following to add a disk cache directory.
	cache_dir ufs /var/spool/squid 800 14 256
	cache_mem 32 MB
	cache_store_log none

	# Leave coredumps in the first cache dir
	coredump_dir /var/spool/squid

	half_closed_clients off
	maximum_object_size 1024 KB

	# Add any of your own refresh_pattern entries above these.
	refresh_pattern ^ftp: 1440 20% 10080
	refresh_pattern ^gopher: 1440 0% 1440
	refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0
	refresh_pattern . 0 20% 4320
	cache_effective_user squid
	cache_effective_group squid

	cache deny SSL_ports CONNECT
	#
	# CONFIG FILE FOR SQUIDGUARD
	#

	dbhome /var/squidGuard/db
	logdir /var/log/squidGuard

	#
	# TIME RULES:
	# abbrev for weekdays:
	# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

	time authtime {
	weekly s 08:00 - 19:00
	weekly a 08:00 - 19:00
	weekly mtwhf 15:00 - 19:00
	}

	#
	# REWRITE RULES:
	#

	rew dmz {
	s@://admin/@://admin.foo.bar.de/@i
	s@://foo.bar.de/@://www.foo.bar.de/@i
	}

	#
	# SOURCE ADDRESSES:
	#

	src admin {
	user khuntly chuntly
	}

	src cws {
	ip 192.168.10.0/24
	}

	#
	# DESTINATION CLASSES:
	#

	#dest bl_warez {
	# domainlist blacklists/warez/domains
	# urllist blacklists/warez/urls
	# redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	#}

	#dest bl_ads {
	# domainlist blacklists/ads/domains
	# urllist blacklists/ads/urls
	# expressionlist blacklists/ads/expressions
	# redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	#}

	#dest bl_drugs {
	# domainlist blacklists/drugs/domains
	# urllist blacklists/drugs/urls
	# redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	#}

	#dest bl_adult {
	# domainlist blacklists/adult/domains
	# urllist blacklists/adult/urls
	# redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	#}

	dest adult {
	domainlist blacklists/porn/domains
	urllist blacklists/porn/urls
	expressionlist blacklists/porn/expressions
	redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	}

	acl {
	admin {
	pass any
	}

	cws within authtime {
	pass !adult all
	redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	}

	default {
	pass none
	redirect http://localhost/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
	}
	}