SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG
Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos
[ Hits: 27.283 ]
Por: Carlos Rossini Alencar Liberal em 30/10/2018
Configurando o Squid
Primeiro, vamos fazer um backup do arquivo original:
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
Páginas do artigo
1. Introdução2. Configuração do Active Directory
3. Preparando o servidor Linux e iniciando a instalação de pacotes
4. Configurando o Kerberos
5. Configurando o Samba e ajustando o relógio com o servidor AD
6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
7. Criando arquivos auxiliares do Squid
8. Configurando o Squid
9. Explicando algumas configurações do Squid
10. Programando o SARG para gerar o relatório todos os dias às 23:45
11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada
Debian 9: como instalar TL-WN823N v2 (TP-LINK)
Alterando o forward do SSH após conexão
Criando RADIUS no Windows Server 2012 para autenticar no Mikrotik
MikroTik RouterOS 5.20 para provedores - Tutorial completo
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h
Parabéns, bem detalhado!
Será de grande valia!
Parabéns, bem detalhado!
Será de grande valia!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
Programa IRPF - Guia de Instalação e Resolução de alguns Problemas
Criando uma Infraestrutura para uma micro Empresa
Criar entrada (menuentry) ISO no Grub
Como gerar qualquer emoji ou símbolo unicode a partir do seu teclado
Dicas
Instalando o Pi-Hole versão v5.18.4 depois do lançamento da versão v6.0
Instalar o VIM 9.1 no Debian 12
Como saber o range de um IP público?
Muitas dificuldades ao instalar distro Linux em Notebook Sony Vaio PCG-6131L (VPCEA24FM)
Tópicos
Liberação de alguns links no squid (12)
impressora de rede via dominio - gpo (2)
Top 10 do mês
-
Xerxes
1° lugar - 82.194 pts -
Fábio Berbert de Paula
2° lugar - 60.512 pts -
Buckminster
3° lugar - 23.754 pts -
Mauricio Ferrari
4° lugar - 19.931 pts -
Alberto Federman Neto.
5° lugar - 18.150 pts -
Daniel Lara Souza
6° lugar - 16.124 pts -
Diego Mendes Rodrigues
7° lugar - 15.775 pts -
edps
8° lugar - 15.802 pts -
Alessandro de Oliveira Faria (A.K.A. CABELO)
9° lugar - 15.286 pts -
Andre (pinduvoz)
10° lugar - 13.285 pts
Scripts
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
