diff --git a/sisr1/automatisation.sh b/sisr1/automatisation.sh
index 6670d0b..cc7b310 100644
--- a/sisr1/automatisation.sh
+++ b/sisr1/automatisation.sh
@@ -2,4 +2,4 @@ files="./etc/crontab
-0 2-3 * * * root scriptsauvegarde.sh
\ No newline at end of file
+0 2 * * * /root/scriptsauvegarde.sh
\ No newline at end of file
diff --git a/sisr1/tp05_squid/squid.conf b/sisr1/tp05_squid/squid.conf
index ea77dd5..899a1d6 100644
--- a/sisr1/tp05_squid/squid.conf
+++ b/sisr1/tp05_squid/squid.conf
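Review bot: The added entry `0 2 * * * /root/scriptsauvegarde.sh` drops the user field that the removed line carried (`root`). The hunk context `files="./etc/crontab` suggests the line is meant for the system crontab, whose format is five time fields, a user name, then the command; if that is the case, cron will read `/root/scriptsauvegarde.sh` as the user name and the backup will not run. Keep the absolute path and the user together: `0 2 * * * root /root/scriptsauvegarde.sh`. Because the job runs as root, the script should be owned by root and not writable by any other account.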
@@ -1353,178 +1353,12 @@ acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
-acl mots_cles_refuses url_regex -i twitch chatgpt
+# acl mots_cles_refuses url_regex -i twitch chatgpt
+acl mots_cles_refuses url_regex -i youtube discord twitch facebook instagram snapchat
+acl ip_restreintes src 172.16.0.5-172.16.0.99
-# TAG: proxy_protocol_access
-# Determine which client proxies can be trusted to provide correct
-# information regarding real client IP address using PROXY protocol.
-#
-# Requests may pass through a chain of several other proxies
-# before reaching us. The original source details may by sent in:
-# * HTTP message Forwarded header, or
-# * HTTP message X-Forwarded-For header, or
-# * PROXY protocol connection header.
-#
-# This directive is solely for validating new PROXY protocol
-# connections received from a port flagged with require-proxy-header.
-# It is checked only once after TCP connection setup.
-#
-# A deny match results in TCP connection closure.
-#
-# An allow match is required for Squid to permit the corresponding
-# TCP connection, before Squid even looks for HTTP request headers.
-# If there is an allow match, Squid starts using PROXY header information
-# to determine the source address of the connection for all future ACL
-# checks, logging, etc.
-#
-# SECURITY CONSIDERATIONS:
-#
-# Any host from which we accept client IP details can place
-# incorrect information in the relevant header, and Squid
-# will use the incorrect information as if it were the
-# source address of the request. This may enable remote
-# hosts to bypass any access control restrictions that are
-# based on the client's source addresses.
-#
-# This clause only supports fast acl types.
-# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#Default:
-# all TCP connections to ports with require-proxy-header will be denied
-
-# TAG: follow_x_forwarded_for
-# Determine which client proxies can be trusted to provide correct
-# information regarding real client IP address.
-#
-# Requests may pass through a chain of several other proxies
-# before reaching us. The original source details may by sent in:
-# * HTTP message Forwarded header, or
-# * HTTP message X-Forwarded-For header, or
-# * PROXY protocol connection header.
-#
-# PROXY protocol connections are controlled by the proxy_protocol_access
-# directive which is checked before this.
-#
-# If a request reaches us from a source that is allowed by this
-# directive, then we trust the information it provides regarding
-# the IP of the client it received from (if any).
-#
-# For the purpose of ACLs used in this directive the src ACL type always
-# matches the address we are testing and srcdomain matches its rDNS.
-#
-# On each HTTP request Squid checks for X-Forwarded-For header fields.
-# If found the header values are iterated in reverse order and an allow
-# match is required for Squid to continue on to the next value.
-# The verification ends when a value receives a deny match, cannot be
-# tested, or there are no more values to test.
-# NOTE: Squid does not yet follow the Forwarded HTTP header.
-#
-# The end result of this process is an IP address that we will
-# refer to as the indirect client address. This address may
-# be treated as the client address for access control, ICAP, delay
-# pools and logging, depending on the acl_uses_indirect_client,
-# icap_uses_indirect_client, delay_pool_uses_indirect_client,
-# log_uses_indirect_client and tproxy_uses_indirect_client options.
-#
-# This clause only supports fast acl types.
-# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#
-# SECURITY CONSIDERATIONS:
-#
-# Any host from which we accept client IP details can place
-# incorrect information in the relevant header, and Squid
-# will use the incorrect information as if it were the
-# source address of the request. This may enable remote
-# hosts to bypass any access control restrictions that are
-# based on the client's source addresses.
-#
-# For example:
-#
-# acl localhost src 127.0.0.1
-# acl my_other_proxy srcdomain .proxy.example.com
-# follow_x_forwarded_for allow localhost
-# follow_x_forwarded_for allow my_other_proxy
-#Default:
-# X-Forwarded-For header will be ignored.
-
-# TAG: acl_uses_indirect_client on|off
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) is used instead of the
-# direct client address in acl matching.
-#
-# NOTE: maxconn ACL considers direct TCP links and indirect
-# clients will always have zero. So no match.
-#Default:
-# acl_uses_indirect_client on
-
-# TAG: delay_pool_uses_indirect_client on|off
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) is used instead of the
-# direct client address in delay pools.
-#Default:
-# delay_pool_uses_indirect_client on
-
-# TAG: log_uses_indirect_client on|off
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) is used instead of the
-# direct client address in the access log.
-#Default:
-# log_uses_indirect_client on
-
-# TAG: tproxy_uses_indirect_client on|off
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) is used instead of the
-# direct client address when spoofing the outgoing client.
-#
-# This has no effect on requests arriving in non-tproxy
-# mode ports.
-#
-# SECURITY WARNING: Usage of this option is dangerous
-# and should not be used trivially. Correct configuration
-# of follow_x_forwarded_for with a limited set of trusted
-# sources is required to prevent abuse of your proxy.
-#Default:
-# tproxy_uses_indirect_client off
-
-# TAG: spoof_client_ip
-# Control client IP address spoofing of TPROXY traffic based on
-# defined access lists.
-#
-# spoof_client_ip allow|deny [!]aclname ...
-#
-# If there are no "spoof_client_ip" lines present, the default
-# is to "allow" spoofing of any suitable request.
-#
-# Note that the cache_peer "no-tproxy" option overrides this ACL.
-#
-# This clause supports fast acl types.
-# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#Default:
-# Allow spoofing on all TPROXY traffic.
-
-# TAG: http_access
-# Allowing or Denying access based on defined access lists
-#
-# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
-# http_access allow|deny [!]aclname ...
-#
-# NOTE on default values:
-#
-# If there are no "access" lines present, the default is to deny
-# the request.
-#
-# If none of the "access" lines cause a match, the default is the
-# opposite of the last line in the list. If the last line was
-# deny, the default is allow. Conversely, if the last line
-# is allow, the default will be deny. For these reasons, it is a
-# good idea to have an "deny all" entry at the end of your access
-# lists to avoid potential confusion.
-#
-# This clause supports both fast and slow acl types.
-# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#
-#Default:
-# Deny, unless rules exist in squid.conf.
-#
+http_access deny ip_restreintes mots_cles_refuses
+http_access allow localnet
 #
 # Recommended minimum Access Permission configuration:
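Review bot: `http_access allow localnet` is added above the "Recommended minimum Access Permission configuration" comment, and Squid stops at the first http_access rule that matches. If the stock rules that normally follow that comment (`http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports` and the manager rules) are still in place — they lie outside this hunk — they will never be evaluated for localnet clients, so the port restrictions no longer protect traffic from the local network. Move `http_access deny ip_restreintes mots_cles_refuses` and `http_access allow localnet` below that block, to the position of the rules that the later hunk comments out. Separately, `url_regex -i` matches the keywords anywhere in the URL, including paths and query strings, so it can block unrelated pages and miss service hosts whose names do not contain the word; a `dstdomain` ACL listing the sites' domains would be more precise.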
@@ -1552,9 +1386,9 @@ include /etc/squid/conf.d/*.conf
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
-http_access deny mots_cles_refuses
-http_access allow localnet
-http_access allow localhost
+# http_access deny mots_cles_refuses
+# http_access allow localnet
+# http_access allow localhost
 # And finally deny all other access to this proxy