SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG
Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos
[ Hits: 28.759 ]
Por: Carlos Rossini Alencar Liberal em 30/10/2018
Configurando o Squid
Primeiro, vamos fazer um backup do arquivo original:
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
Páginas do artigo
1. Introdução2. Configuração do Active Directory
3. Preparando o servidor Linux e iniciando a instalação de pacotes
4. Configurando o Kerberos
5. Configurando o Samba e ajustando o relógio com o servidor AD
6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
7. Criando arquivos auxiliares do Squid
8. Configurando o Squid
9. Explicando algumas configurações do Squid
10. Programando o SARG para gerar o relatório todos os dias às 23:45
11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada
VLAN Tagging nos sistemas GNU/Linux derivados do Red Hat
Asterisk - Configuração de Ramais SIP
Configurando Zabbix 3.4 no CentOS 7
FreeRadius 3 + iODBC + Base de Dados em MS SQL Server 2008 no Ubuntu Server - Guia definitivo
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h
Parabéns, bem detalhado!
Será de grande valia!
Parabéns, bem detalhado!
Será de grande valia!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
Cirurgia para acelerar o openSUSE em HD externo via USB
Void Server como Domain Control
Modo Simples de Baixar e Usar o bash-completion
Monitorando o Preço do Bitcoin ou sua Cripto Favorita em Tempo Real com um Widget Flutuante
Dicas
Como fazer a conversão binária e aplicar as restrições no Linux
Como quebrar a senha de um servidor Linux Debian
Como bloquear pendrive em uma rede Linux
Um autoinstall.yaml para Ubuntu com foco em quem vai fazer máquina virtual
Instalar GRUB sem archinstall no Arch Linux em UEFI Problemático
Tópicos
Fiz uma pergunta no fórum mas não consigo localizar [RESOLVIDO] (21)
Top 10 do mês
-
Xerxes
1° lugar - 149.895 pts -
Fábio Berbert de Paula
2° lugar - 68.864 pts -
Mauricio Ferrari
3° lugar - 21.736 pts -
Buckminster
4° lugar - 21.281 pts -
Alberto Federman Neto.
5° lugar - 20.571 pts -
edps
6° lugar - 19.573 pts -
Daniel Lara Souza
7° lugar - 18.949 pts -
Andre (pinduvoz)
8° lugar - 17.462 pts -
Alessandro de Oliveira Faria (A.K.A. CABELO)
9° lugar - 16.249 pts -
Diego Mendes Rodrigues
10° lugar - 14.487 pts
Scripts
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
