SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG
Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos
[ Hits: 28.494 ]
Por: Carlos Rossini Alencar Liberal em 30/10/2018
Configurando o Squid
Primeiro, vamos fazer um backup do arquivo original:
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
Páginas do artigo
1. Introdução2. Configuração do Active Directory
3. Preparando o servidor Linux e iniciando a instalação de pacotes
4. Configurando o Kerberos
5. Configurando o Samba e ajustando o relógio com o servidor AD
6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
7. Criando arquivos auxiliares do Squid
8. Configurando o Squid
9. Explicando algumas configurações do Squid
10. Programando o SARG para gerar o relatório todos os dias às 23:45
11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada
Utilizando o script vpnautomatica
Como encontrar o NetID e o Broadcast de uma determinada rede
Análise de Desempenho: Web API
Instalação do OCS Inventory (última versão, 2.9.2 - 2022) no Debian 11
Testando velocidade entre equipamentos Ubiquiti
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h
Parabéns, bem detalhado!
Será de grande valia!
Parabéns, bem detalhado!
Será de grande valia!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
IA Turbina o Desktop Linux enquanto distros renovam forças
Como extrair chaves TOTP 2FA a partir de QRCODE (Google Authenticator)
Linux em 2025: Segurança prática para o usuário
Desktop Linux em alta: novos apps, distros e privacidade marcam o sábado
IA chega ao desktop e impulsiona produtividade no mundo Linux
Dicas
Atualizando o Fedora 42 para 43
Como saber se o seu e-mail já teve a senha vazada?
Como descobrir se a sua senha já foi vazada na internet?
Tópicos
Preciso recuperar videos *.mp4 corrompidos (2)
Secure boot, artigo interessante, nada técnico. (1)
\Boot sem espaço em disco (Fedora KDE Plasma 42) (6)
Top 10 do mês
-
Xerxes
1° lugar - 112.808 pts -
Fábio Berbert de Paula
2° lugar - 86.392 pts -
Alberto Federman Neto.
3° lugar - 26.453 pts -
Mauricio Ferrari
4° lugar - 24.397 pts -
edps
5° lugar - 23.786 pts -
Alessandro de Oliveira Faria (A.K.A. CABELO)
6° lugar - 23.222 pts -
Buckminster
7° lugar - 22.223 pts -
Daniel Lara Souza
8° lugar - 20.167 pts -
Andre (pinduvoz)
9° lugar - 19.283 pts -
Juliao Junior
10° lugar - 16.336 pts
Scripts
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
