SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG
Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos
[ Hits: 26.565 ]
Por: Carlos Rossini Alencar Liberal em 30/10/2018
Configurando o Squid
Primeiro, vamos fazer um backup do arquivo original:
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
Páginas do artigo
1. Introdução2. Configuração do Active Directory
3. Preparando o servidor Linux e iniciando a instalação de pacotes
4. Configurando o Kerberos
5. Configurando o Samba e ajustando o relógio com o servidor AD
6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
7. Criando arquivos auxiliares do Squid
8. Configurando o Squid
9. Explicando algumas configurações do Squid
10. Programando o SARG para gerar o relatório todos os dias às 23:45
11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada
Autenticação Wireless WPA-WPA2 Pre-Shared-key
Criando e Consumindo Rede de Compartilhamento NFS
Instalando DNS Server (BIND) no CentOS 7
Zabbix Server 2.0 no Ubuntu Server 12.04 - Instalação e configuração
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h
Parabéns, bem detalhado!
Será de grande valia!
Parabéns, bem detalhado!
Será de grande valia!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Dicas
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
Tópicos
Não to conseguindo resolver este problemas ao instalar o playonelinux (1)
Excluir banco de dados no xampp (1)
Top 10 do mês
-
Xerxes
1° lugar - 65.670 pts -
Fábio Berbert de Paula
2° lugar - 51.062 pts -
Buckminster
3° lugar - 17.609 pts -
Mauricio Ferrari
4° lugar - 15.360 pts -
Alberto Federman Neto.
5° lugar - 14.010 pts -
Diego Mendes Rodrigues
6° lugar - 13.653 pts -
Daniel Lara Souza
7° lugar - 13.034 pts -
Andre (pinduvoz)
8° lugar - 10.407 pts -
edps
9° lugar - 10.586 pts -
Alessandro de Oliveira Faria (A.K.A. CABELO)
10° lugar - 10.480 pts
Scripts
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
