
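#######################################################
# Virgos TI - squid.conf
#######################################################
# Squid 2.x style configuration. Directives in the *_access lists are
# evaluated top-down; the first matching line decides.
error_directory /usr/share/squid/errors/Portuguese/
# Do not reveal the Squid version in HTTP headers or error pages
httpd_suppress_version_string on
dns_defnames on
## Transparent proxy
##
# Older httpd_accel_* form of interception, left commented out; the
# "transparent" option on http_port below is what is in effect.
#httpd_accel_host 80
#httpd_accel_host virtual
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
# Squid access log
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
visible_hostname firewall.alcoa
# Squid listening ports
# 2120: explicit (browser-configured) proxy port
http_port 2120
# 3128: intercepted HTTP. Intercepted clients cannot answer a proxy_auth
# challenge, so they depend on the no-authentication http_access rules.
http_port 3128 transparent
# The key path had been split across two lines in the copied file
# ("server.k" / "ey"); rejoined so the directive parses.
# NOTE(review): confirm /etc/chaves/server.key is readable only by the
# cache_effective_user below.
https_port 3130 transparent cert=/etc/chaves/server.crt key=/etc/chaves/server.key
cache_effective_user squid
cache_mgr administrador@alcoa.com.br
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
## Not cached: dynamic (cgi-bin / query) content and the listed domains
acl NOCACHE dstdomain "/etc/squid/nocache-dom"
no_cache deny QUERY
no_cache deny NOCACHE
##
# Freshness heuristics: min-age (minutes), percent of object age, max-age
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320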
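#
# Default ACLs (standard Squid rules)
#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Requests whose destination is the proxy host's own loopback range.
# Squid's stock configuration recommends denying this in http_access;
# the ACL is only useful if it is referenced there.
acl to_localhost dst 127.0.0.0/8
# Ports CONNECT (TLS tunnels) may target
acl SSL_ports port 443 563
# Destination ports plain requests may target; everything else is refused
acl Safe_ports port 80 8081 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 10000 # webmin
# 995 is POP3 over TLS and 587 is SMTP submission; the previous comment
# labelled them "imap" (IMAP would be 143 / 993)
acl Safe_ports port 995 587 # pop3s, submission
acl CONNECT method CONNECT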

##
# Authentication
##
# NTLM via Samba's ntlm_auth helper, listed first; basic follows as the
# fallback (Squid offers schemes to clients in configuration order)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
# Basic auth carries the password in clear text on every request, so it
# is only as safe as the network path between client and proxy
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
# How long a verified basic credential is cached before being re-checked
auth_param basic credentialsttl 5 hour
##
## Custom ACLs
##
# How long Squid remembers the IP a user authenticated from (left unset)
#authenticate_ip_ttl
# Would block one account being used from several desktops (left unset)
#acl FOO max_user_ip 2
# Network given open proxy access (applied in http_access below)
acl alcoa src 192.168.0.0/24
# Destinations reachable without authentication
acl intra-ip dst 200.9.84.0/24 200.136.235.0/24
# NOTE(review): without a leading dot, dstdomain matches only a host
# literally named "ufscar"; confirm whether a suffix such as ".ufscar.br"
# was intended
acl intra-dom dstdomain ufscar
acl intra-ports port 443 80 25 110 143
# Blocking of applications/extensions by MIME type; the request-side and
# reply-side ACLs read the same list
acl notworkrelated-mime_req req_mime_type "/etc/squid/mime_proibidos.txt"
acl notworkrelated-mime_rep rep_mime_type "/etc/squid/mime_proibidos.txt"
# Torrent
# rep_mime_type ACLs only take effect in reply-side lists such as
# http_reply_access; they have no effect in http_access
acl notworkrelated-mime rep_mime_type "/etc/squid/notworkrelated-mime"
## Basic rules: keywords and domains
# Forbidden domains, e.g. 4shared, megaupload
acl notworkrelated-dom dstdomain "/etc/squid/notworkrelated-dom"
# Forbidden URL expressions
acl notworkrelated-regex url_regex "/etc/squid/notworkrelated-regex"
# Allowed URL expressions
# NOTE(review): defined but not referenced by any access list on this page
acl workrelated-regex url_regex "/etc/squid/workrelated-regex"
# Allowed domains
acl workrelated-dom dstdomain "/etc/squid/workrelated-dom"
## Social-network domains
acl redessociais-dom dstdomain "/etc/squid/redessociais"
##
## Proxy / anonymizer domains
acl proxys-dom dstdomain "/etc/squid/proxys-dom"
##
##
## MSN rule (domains related to MSN)
acl msn_dom dstdomain "/etc/squid/msn-dom"
acl msn_regex url_regex "/etc/squid/msn-regex"
###
## Time-of-day rules (Monday to Friday)
acl manha time MTWHF 8:00-12:00
acl tarde time MTWHF 14:00-18:00
## IP rules
# Unrestricted IPs
acl ip_irrestrito src "/etc/squid/ip_irrestrito"
# Unrestricted users
# NOTE(review): unrestricted access is tied to the single account "teste";
# confirm this is not a leftover test account
acl auth_irrestrito proxy_auth teste
# Ordinary users: any account that authenticates successfully
acl auth_restrito proxy_auth REQUIRED

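##
## Applying the rules (first matching http_access line wins)
##
http_access allow manager localhost
http_access deny manager
# Unrestricted access. The IP list is checked first so those hosts are
# never asked for credentials; a second, identical "allow auth_irrestrito"
# that preceded the IP rule was removed as a duplicate.
http_access allow ip_irrestrito
http_access allow auth_irrestrito
# NOTE(review): in Squid, evaluating a proxy_auth ACL when the request
# carries no credentials normally ends the check with a 407 challenge, so
# clients without credentials may never reach the no-authentication rules
# below (localhost, intra-ip, intra-dom, alcoa); clients arriving through
# the transparent ports cannot answer that challenge. Confirm the order.
# Port blocking
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !Safe_ports
# Refuse requests aimed at the proxy host's own loopback. to_localhost was
# defined in the default ACLs but never applied; Squid's stock configuration
# recommends this rule.
http_access deny to_localhost
# Allow local access and local domains without authentication
http_access allow localhost
http_access allow intra-ip intra-ports
http_access allow intra-dom intra-ports
http_access allow workrelated-dom
# Block download and torrent sites (the torrent rep_mime_type rule moved to
# http_reply_access below, the only place a reply-side ACL takes effect)
http_access deny notworkrelated-dom
# Block by keyword
http_access deny notworkrelated-regex !workrelated-dom
# Block MSN during working hours
http_access deny msn_dom manha
http_access deny msn_dom tarde
http_access deny msn_regex manha
http_access deny msn_regex tarde
# Block social networks during working hours
http_access deny redessociais-dom manha
http_access deny redessociais-dom tarde
# Block proxy / anonymizer sites during working hours
http_access deny proxys-dom manha
http_access deny proxys-dom tarde

# Alcoa network access - subject to the time-based blocks above
http_access allow alcoa
http_access allow auth_restrito
# Deny everything else
http_access deny all
# MIME blocking (applications). Reply-side (rep_mime_type) ACLs only take
# effect in http_reply_access.
http_reply_access deny notworkrelated-mime_rep
http_reply_access deny notworkrelated-mime
http_reply_access deny notworkrelated-mime_req
http_reply_access allow all

# NOTE(review): ICP queries are accepted from any source. No cache_peer is
# visible on this page; if there are no peers, "icp_access deny all" is the
# safer setting.
icp_access allow all
coredump_dir /var/spool/squid
# debug - cache.log (section 33 = client-side at level 2)
debug_options ALL,1 33,2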
