SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG
Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos
[ Hits: 25.525 ]
Por: Carlos Rossini Alencar Liberal em 30/10/2018
Configurando o Squid
Primeiro, vamos fazer um backup do arquivo original:
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
# mv /etc/squid/squid.conf /etc/squid/squid.conf
Depois, vamos configurar o nosso Squid:
# nano /etc/squid/squid.conf
#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com
############################## INICIO #######################################
#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################
http_port 8888
visible_hostname PROXY
error_directory /usr/share/squid/errors/pt-BR
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
icp_port 0
htcp_port 0
snmp_port 0
#############################################################################
# hosts contornando o proxy
#############################################################################
acl direto src "/etc/squid/regras/ipslivres"
http_access allow direto
always_direct allow direto
#############################################################################
# sites que passam direto pelo proxy
#############################################################################
acl liberados dstdomain "/etc/squid/regras/liberados"
always_direct allow liberados
http_access allow liberados
#############################################################################
# cache e logs
#############################################################################
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8000 KB
minimum_object_size 1 KB
maximum_object_size_in_memory 4000 KB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/store.log
access_log /var/log/squid/access.log
strip_query_terms off
#############################################################################
# autenticacao
#############################################################################
# Texto da autenticacao no pop-up
auth_param basic realm .::. EMPRESA - Controle de acessos .::.
# Autenticacao com usuario ad do windows com pop up
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R
# Autenticacao por grupos do ad do windows
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389
auth_param basic credentialsttl 6 hours
acl autenticados proxy_auth REQUIRED
#############################################################################
# acl de portas
#############################################################################
# portas seguras
acl SSL_ports port 443 563
# demais serviços
acl Safe_ports port 53 # OneDrive DNS
acl Safe_ports port 80 # http
acl Safe_ports port 81 # iper
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 901 # swat
acl Safe_ports port 23000 # SERPRO
acl Safe_ports port 1025-65535 # portas altas
#############################################################################
# Controle de acessos
############################################################################
acl PURGE method PURGE
acl CONNECT method CONNECT
acl localhost src 10.10.10.1
acl redelocal src 10.10.10.0/24
http_access deny !redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl usuarios_master external ldap_group usuarios_master
acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
acl usuarios_youtube external ldap_group usuarios_youtube
acl usuarios_comuns external ldap_group usuarios_comuns
acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
acl download url_regex -i "/etc/squid/regras/bloqueios/download"
acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"
http_access allow usuarios_master
http_access deny webproxy
http_access deny pornografia
http_access deny streaming
http_access allow usuarios_redes_sociais
http_access deny redes_sociais
http_access allow usuarios_youtube
http_access deny youtube
http_access allow usuarios_comuns
http_access deny autenticados
http_access allow redelocal
http_access allow localhost
http_access deny all
#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# gerenciador do cache
cache_mgr empresa@email.com
http_reply_access allow all
icp_access allow all
coredump_dir /squid/var/cache/squid
Páginas do artigo
1. Introdução2. Configuração do Active Directory
3. Preparando o servidor Linux e iniciando a instalação de pacotes
4. Configurando o Kerberos
5. Configurando o Samba e ajustando o relógio com o servidor AD
6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
7. Criando arquivos auxiliares do Squid
8. Configurando o Squid
9. Explicando algumas configurações do Squid
10. Programando o SARG para gerar o relatório todos os dias às 23:45
11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada
Servidor DNS: Debian 9 Stretch
Configurando o Rclone no CentOS 7
PPoE Mikrotik - QoS Dinâmico e Individual
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h
Parabéns, bem detalhado!
Será de grande valia!
Parabéns, bem detalhado!
Será de grande valia!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
Melhorando o tempo de boot do Fedora e outras distribuições
Como instalar as extensões Dash To Dock e Hide Top Bar no Gnome 45/46
E a guerra contra bots continua
Tradução do artigo do filósofo Gottfried Wilhelm Leibniz sobre o sistema binário
Conheça o firewall OpenGFW, uma implementação do (Great Firewall of China).
Dicas
Instalando o FreeOffice no LMDE 6
Anki: Remover Tags de Estilo HTML de Todas as Cartas
Colocando uma opção de redimensionamento de imagem no menu de contexto do KDE
Tópicos
Top 10 do mês
-
Xerxes
1° lugar - 68.533 pts -
Fábio Berbert de Paula
2° lugar - 56.543 pts -
Clodoaldo Santos
3° lugar - 42.199 pts -
Buckminster
4° lugar - 22.439 pts -
Sidnei Serra
5° lugar - 21.718 pts -
Alberto Federman Neto.
6° lugar - 16.952 pts -
Daniel Lara Souza
7° lugar - 16.937 pts -
Mauricio Ferrari
8° lugar - 16.798 pts -
Diego Mendes Rodrigues
9° lugar - 15.594 pts -
edps
10° lugar - 13.861 pts
Scripts
[Shell Script] Script para desinstalar pacotes desnecessários no OpenSuse
[Shell Script] Script para criar certificados de forma automatizada no OpenVpn
[Shell Script] Conversor de vídeo com opção de legenda
[C/C++] BRT - Bulk Renaming Tool
[Shell Script] Criação de Usuarios , Grupo e instalação do servidor de arquivos samba
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
