Squid + Squidguard + AD

1. Squid + Squidguard + AD

Anderson Mekelburg
mekelburg

(usa RedHat)

Enviado em 17/11/2016 - 15:00h

Olá pessoal,

Estou tentando fazer uma configuração no squid da seguinte forma:

- Usuários que possuem acesso à Internet autenticam utilizando autenticação do Windows (auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp)
- Usuários do mesmo domínio que não possuem acesso à Internet devem receber o pedido de autenticação
- Usuários de outro domínio/workgroup devem sempre receber o pedido de autenticação

É possível realizar esta configuração?

As versões que estou utilizando:
Squid Cache: Version 3.5.19
SquidGuard: 1.4 Berkeley DB 4.7.25: (September 22, 2015)
CentOS release 6.7 (Final)

Meu squid.conf:

# Squid 3.5 configuration as posted (CentOS 6.7, squidGuard 1.4 as rewriter).
# Directives are unchanged; the comments are review notes.
#
# --- Cache and process settings ---
coredump_dir /squid/dumps
cache_dir diskd /cache 5000 14 256 Q1=64 Q2=72
maximum_object_size 10240 KB
mime_table /etc/squid/mime.conf
cache_mem 512 MB
visible_hostname squid
# Listens on 3128 on all interfaces; who may use it is decided solely by the
# http_access rules further down.
http_port 3128
# SNMP agent port; access to it is governed by snmp_access below.
snmp_port 3401
pid_filename /var/run/squid.pid

# squidGuard runs as a URL rewriter. NOTE(review): the rewriter is consulted
# only for requests that have already passed http_access, so it filters
# everything that is allowed, including requests that were never
# authenticated -- confirm against url_rewrite_access if that is not intended.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
url_rewrite_children 40

# NOTE(review): refresh_pattern is first-match. The catch-all "." on the first
# line matches every URL, so the ftp and gopher patterns below it are never
# reached; the usual order puts "." last.
refresh_pattern . 0 20% 4320
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440

# --- Authentication helpers (Samba ntlm_auth) ---
# NTLM (squid-2.5-ntlmssp protocol) is what Windows-integrated clients use.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60
auth_param ntlm keep_alive on

# Basic fallback for clients that do not speak NTLM. Basic sends the AD
# username and password base64-encoded (effectively cleartext) on every
# request, and the proxy port above is plain HTTP, so those credentials are
# readable on the client-to-proxy path.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Proxy - Identifique-se

# How long a username/IP pairing is remembered; this is the window used by
# the max_user_ip ACL (limitarlogin) defined later in the file.
authenticate_ip_ttl 30 minutes

#dns_nameservers 10.1.1.113
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes

# --- Network and logging ---
# Defined but not referenced by any access rule in the posted file.
acl network src 10.0.0.0/8
# Requests to these two update/telemetry hosts are kept out of access.log.
# NOTE(review): url_regex is unanchored, so each pattern also matches the
# string anywhere inside another URL (path or query), which would drop that
# unrelated request from the log as well; anchoring the host
# (e.g. ^https?://urs\.microsoft\.com/) limits the exclusion to these hosts.
acl no_log url_regex -i HTTP://osce80-en.url.trendmicro.com
acl no_log url_regex -i urs.microsoft.com
# NOTE(review): cache_access_log is the pre-3.x spelling; Squid 3.x calls this
# access_log (same arguments). If 3.5 reports the old name as obsolete in
# cache.log, access logging is not in effect as intended -- check with
# "squid -k parse".
cache_access_log /var/log/squid/access.log squid !no_log
cache_log /var/log/squid/cache.log
cache_store_log none
# NOTE(review): cache_swap_log is likewise a pre-3.x name (3.x: cache_swap_state);
# verify 3.5 honours it.
cache_swap_log /squid/cache/
# Left commented: Squid runs as whatever user the build/package sets
# (presumably "squid" on CentOS) -- verify with ps that it is not root.
#cache_effective_user squid
#cache_effective_group squid
max_filedesc 8192
half_closed_clients off
# Object replacement starts only when the cache_dir is 100% full (high mark)
# and continues down to 80%; a high mark of 100 leaves no headroom.
cache_swap_high 100
cache_swap_low 80

# --- ACL definitions ---
acl CONNECT method CONNECT
# NOTE(review): Squid 3.2+ predefines the "manager" ACL. Redefining it as
# "proto cache_object" may not cover the newer /squid-internal-mgr/ URL form;
# check cache.log for a warning at startup.
acl manager proto cache_object
# Matches any request whose credentials the helpers accept (no group check).
# It is the final allow in the access rules, which is what lets every valid
# domain account through regardless of group membership.
acl passwd proxy_auth REQUIRED
# Dynamic content excluded from caching (see "no_cache deny QUERY").
acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex bradesco
# Ports a CONNECT tunnel may be opened to. This is far wider than the stock
# list (443 only): it includes plain-HTTP and media ports such as 80, 8080,
# 7070, 554 and 1935. A CONNECT tunnel carries arbitrary TCP, so every port
# here is reachable end-to-end through the proxy for any allowed client.
# 8443 and 1935 are listed twice (harmless).
acl SSL_ports port 80 85 443 446 449 563 4431 4432 4437 444 9443 2401 2096 50001 16000 8444 554 5404 7070 8080 1935 200 407 8001 5938 8090 7778 2195 9031 1935 8082 8443 8586 643 8040 4443 8443 7000 7001 7002 7003 7004 7005 7006 7007 7008 7009 7010 1443 2083 9091 4172 8081 8181 9666 23461 3170 3501
acl port_ftp port 21
# One account seen from more than 2 client IPs within authenticate_ip_ttl;
# -s makes the limit strict (further IPs are denied until the TTL expires).
acl limitarlogin max_user_ip -s 2
# Group membership is expressed as proxy_auth username lists read from files
# under /etc/squid/groups. Several files are attached to the same ACL name
# (grupo_ad), so grupo_ad is the union of all of those groups.
# NOTE(review): these are static username lists, not live AD group lookups.
# Squid reads them at startup/reconfigure only, so a user removed from an AD
# group keeps access until the file is regenerated and Squid reconfigured --
# presumably an external job exports them; confirm how often.
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_ACESSO_COMPLETO"
acl youtube proxy_auth -i "/etc/squid/groups/_GG_PROXY_ACESSO_YOUTUBE"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_ACESSO_YOUTUBE"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_PRIVILEGIADO"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_EXECUTAVEIS_AUDIO"
acl grupo_ftp proxy_auth -i "/etc/squid/groups/_GG_PROXY_FTP"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_TERCEIROS_MICROINFORMATICA"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_GOOGLE_EARTH"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_ADDMAKLER"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_BLACKLIST_EXCESSAO"
acl grupo_acesso_simultaneo proxy_auth -i "/etc/squid/groups/_GG_PROXY_ACESSO_SIMULTANEO"
acl grupo_google proxy_auth -i "/etc/squid/groups/_GG_PROXY_GOOGLE_EARTH"
# URL lists maintained under the squidGuard tree but matched here by Squid.
# "whitelist" is significant: it is allowed before any authentication rule.
acl whitelist url_regex -i "/var/lib/squidguard/local/whitelist"
acl excessao_worldlingo url_regex -i "/var/lib/squidguard/local/excessao_worldlingo"
acl excessao_ip_443 url_regex -i "/var/lib/squidguard/local/excessao_ip_443"
acl greylist url_regex -i "/var/lib/squidguard/local/greylist_domains"
acl sites_tecnicos url_regex -i "/etc/squid/local/sites_tecnicos_microinfo"
# Reply Content-Type list (case-insensitive) used by the audio deny rule.
acl mimes_audio rep_mime_type -i "/etc/squid/local/mimes_proibidos"
acl acesso_full proxy_auth -i "/etc/squid/groups/_GG_PROXY_ACESSO_COMPLETO"
acl acesso_full proxy_auth -i "/etc/squid/groups/_GG_PROXY_PRIVILEGIADO"
acl audio_exe proxy_auth -i "/etc/squid/groups/_GG_PROXY_EXECUTAVEIS_AUDIO"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_IDIOMAS"
acl idiomas proxy_auth -i "/etc/squid/groups/_GG_PROXY_IDIOMAS"
acl antivirus proxy_auth -i "/etc/squid/groups/_GG_PROXY_ANTIVIRUS"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_SKYPE"
acl grupo_skype proxy_auth -i "/etc/squid/groups/_GG_PROXY_SKYPE"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_TEAM_VIEWER"
acl grupo_tviewer proxy_auth -i "/etc/squid/groups/_GG_PROXY_TEAM_VIEWER"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_FACEBOOK"
acl grupo_facebook proxy_auth -i "/etc/squid/groups/_GG_PROXY_FACEBOOK"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_YAMMER"
acl grupo_yammer proxy_auth -i "/etc/squid/groups/_GG_PROXY_YAMMER"
acl grupo_ad proxy_auth -i "/etc/squid/groups/_GG_PROXY_TELEGRAM"
acl grupo_telegram proxy_auth -i "/etc/squid/groups/_GG_PROXY_TELEGRAM"
# Reply Content-Types treated as executable/media downloads.
# NOTE(review): rep_mime_type is a regex match and these two lines omit -i,
# so the capitalised "Video/..." entries will not match a lowercase
# Content-Type header. "uploads" is byte-for-byte the same list as
# "downloads" and, being rep_mime_type, also matches replies despite its name.
acl downloads rep_mime_type application/x-mspublisher application/octet-stream application/exe application/x-exe application/dos-exe vms/exe application/x-winexe application/msdos-windows application/x-msdos-program audio/mpeg audio/wav Video/mpeg Video/avi Video/quicktime Video/x-msvideo Video/x-ms-wmv
acl uploads rep_mime_type application/x-mspublisher application/octet-stream application/exe application/x-exe application/dos-exe vms/exe application/x-winexe application/msdos-windows application/x-msdos-program audio/mpeg audio/wav Video/mpeg Video/avi Video/quicktime Video/x-msvideo Video/x-ms-wmv
acl gmail url_regex -i "/etc/squid/local/gmail"
acl facebook url_regex -i "/etc/squid/local/facebook"
acl telegram url_regex -i "/etc/squid/local/telegram"
acl telegram_mime rep_mime_type application/octet-stream
# Internal client networks (not referenced by the access rules as posted).
acl rede_jgs src 10.1.0.0/16
acl rede_filiais_br src 10.2.0.0/16
# Webex destinations.
acl webex dst 66.163.36.0/24
acl webex dst 64.68.121.0/24
# NOTE(review): live_meeting is defined as src (client address) but holds
# public ranges, not the internal 10/8 networks. "allow webex live_meeting"
# needs both to match, so it only fires for clients arriving from those
# public ranges -- this looks like it was meant to be dst; verify.
acl live_meeting src 209.1.15.0/24
acl live_meeting src 64.41.193.0/24
acl live_meeting src 216.34.51.0/24
acl live_meeting src 65.221.5.0/24
acl live_meeting src 204.176.46.0/24
acl live_meeting src 94.245.113.0/24
acl live_meeting src 204.79.179.0/24
acl live_meeting src 216.32.242.0/24
# Hosts exempt from authentication, identified by source IP only; anything
# that ends up using one of these addresses inherits the exemption.
acl no_auth src 10.211.5.251/32
acl no_auth src 10.211.5.252/32
acl no_auth src 10.212.1.35/32
acl no_auth src 10.211.5.253/32
#acl no_auth src 10.1.1.107/32
#acl no_auth src 10.1.11.0/24
# Network for which gmail URLs are denied.
acl no_gmail src 10.211.0.0/16
# CONNECT to a bare IPv4 address on port 443 (a CONNECT URL is host:port, so
# the ^ anchor works here) or a URL from the skype list.
acl skype_443 url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
acl skype_443 url_regex -i "/etc/squid/local/skype"
acl teamviewer url_regex -i "/etc/squid/local/teamviewer"
# NOTE(review): url_regex sees the whole URL, and for a GET that begins with
# "http://", so a pattern anchored with ^ on a digit should never match a
# request that has a path; the unescaped "." and the trailing "?" (which
# makes the "x" optional) are secondary. Presumably dead -- verify in
# access.log.
acl teamviewer url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/din.aspx?
# A single account pinned to the client IPs listed in the file.
acl usuario_instrutorctc proxy_auth -i instrutorctc
acl ips_instrutorctc src "/etc/squid/local/ips_instrutorctc"
acl redlist url_regex -i "/etc/squid/local/redlist"
# NOTE(review): "public" is the well-known default community, and snmp_access
# below grants it with no source restriction, so any host that can reach
# port 3401 can read the cache statistics. Use a non-default community and
# pair the grant with a src ACL (e.g. "snmp_access allow snmp localhost").
acl snmp snmp_community public
# Users whose replies are never cached.
acl no_cache_teste proxy_auth "/etc/squid/local/no_cache"

# --- Access rules: evaluated top to bottom, first matching line wins ---
# NOTE(review): no_cache is the pre-3.x name of the "cache" directive used on
# the next line; confirm 3.5 still accepts it ("squid -k parse").
no_cache deny QUERY
cache deny no_cache_teste
# CONNECT only to the (very wide) SSL_ports list. There is no Safe_ports rule
# anywhere in this file, so plain-HTTP requests to any port are never
# restricted by destination port.
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
# Trailing "all" is the Squid FAQ idiom for making sure a deny is not
# attributed to an auth ACL; harmless here since redlist is a url_regex.
http_access deny redlist all
http_access deny gmail no_gmail
# Whitelisted URLs are allowed before any proxy_auth rule, so anyone on the
# network reaches them without credentials; the reply rule also exempts them
# from the Content-Type filters below.
http_access allow whitelist
http_reply_access allow whitelist
# NOTE(review): when a deny line's last ACL is a proxy_auth ACL and the
# request carries no accepted credentials, Squid answers 407 (challenge)
# rather than 403, so these lines force a login for the matched URLs. That
# includes requests from the no_auth hosts, which hit these lines before
# their "allow no_auth" exemption further down -- verify that is intended.
http_access deny teamviewer !grupo_tviewer
http_reply_access deny teamviewer !grupo_tviewer
# octet-stream replies for the telegram group are explicitly allowed so the
# downloads rule below does not block them.
http_reply_access allow telegram_mime grupo_telegram
http_access allow telegram grupo_telegram
http_reply_access allow telegram grupo_telegram
# Requires dst webex AND src live_meeting (see the ACL note on live_meeting).
http_access allow webex live_meeting
# CONNECT to bare IP:443 is denied unless the user is in one of the listed
# groups or the destination is in the excessao_ip_443 list.
http_access deny skype_443 !grupo_skype !excessao_ip_443 !grupo_tviewer !antivirus
http_reply_access deny skype_443 !grupo_skype !excessao_ip_443 !grupo_tviewer !antivirus
# Reply-time Content-Type blocks; each group listed is exempt.
http_reply_access deny mimes_audio !greylist !acesso_full !audio_exe
http_reply_access deny downloads !acesso_full !audio_exe !greylist !sites_tecnicos !grupo_google !whitelist !idiomas !youtube
# NOTE(review): "uploads" is the same MIME list as "downloads" and this line
# exempts strictly more ACLs than the one above, so any reply it would deny
# was already denied by the previous line -- presumably a leftover.
http_reply_access deny uploads !acesso_full !audio_exe !greylist !sites_tecnicos !grupo_google !port_ftp !grupo_ftp !idiomas !youtube
# Despite the "excessao" name this is a deny of the listed URLs.
http_access deny excessao_worldlingo
http_access allow port_ftp grupo_ftp acesso_full
# Source-IP exemption from authentication.
http_access allow no_auth
http_access allow grupo_acesso_simultaneo
# Members seen from more than 2 IPs get ERR_MAX_USER_IP (deny_info below).
http_access deny grupo_ad limitarlogin
http_access allow grupo_ad
http_access deny usuario_instrutorctc !ips_instrutorctc
# NOTE(review): this line is why goal 2 of the post is not met. "passwd"
# matches any account the ntlm_auth helper validates, so every domain user
# who authenticates is allowed here even if present in no _GG_PROXY_* file.
# To make access group-based, drop this line: non-members then fall through
# to "deny all" (403). If they should be re-prompted instead, end with
# "http_access deny !grupo_ad" before "deny all" -- Squid re-challenges (407)
# when the denying line's last ACL is a proxy_auth ACL; verify on 3.5.
http_access allow passwd
http_access deny all
http_reply_access allow all
# Grants the "public" community from any source (see the snmp ACL note).
snmp_access allow snmp
# No icp_port appears in the posted file, so this is presumably inert.
icp_access allow all
# Removes X-Forwarded-For, so internal client addresses are not sent upstream.
forwarded_for delete
# Custom error pages; the named ACL must be the last one on the matching
# deny line for the page to be used.
deny_info ERR_MAX_USER_IP limitarlogin
deny_info ERR_ACCESS_GMAIL gmail no_gmail