squid ad | Kadmin

May 21

Squid, Kerberos и SquidGuard

By kadmin AD, CentOS, Kadmin, SQUID No Comments

После включения Centos в домен, (use_fully_qualified_names = True) или до… поставим Squid c авторизацией в AD и парсер блэклистов SquidGuard.

yum install squid squidGuard

1	yum install squid squidGuard

Запускаем Squid:

systemctl enable squid
systemctl start squid

1 2	systemctl enable squid systemctl start squid

Проверяем ходит ли браузер в Инет через прокси.
Смотрим в tail -f /var/log/squid/access.log

Для аутентификации пользователей через AD создадим пользователя proxy и кейтаб для него proxy.keytab на контроллере домена:

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

Копируем proxy.keytab на proxy.domian.ru, chown squid. proxy.keytab, и прописываем в /etc/sysconfig/squid

KRB5_KTNAME=/etc/proxy.keytab
export KRB5_KTNAME

1 2	KRB5_KTNAME=/etc/proxy.keytab export KRB5_KTNAME

Проверка:

kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

1	kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

Добавляем в /etc/squid/squid.conf

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU
auth_param negotiate children 300 startup=20 idle=10
auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny !localnet
http_access allow auth
http_access deny all

http_port 3128
coredump_dir /var/spool/squid

cache_mem 3000 MB
maximum_object_size_in_memory 4 MB
cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU

auth_param negotiate children 300 startup=20 idle=10

auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 443

acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access deny to_localhost

http_access deny !localnet

http_access allow auth

http_access deny all

http_port 3128

coredump_dir /var/spool/squid

cache_mem 3000 MB

maximum_object_size_in_memory 4 MB

cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Или просто после INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS в /etc/squid/squid.conf добавляем:

acl auth proxy_auth REQUIRED
http_access allow auth

1 2	acl auth proxy_auth REQUIRED http_access allow auth

Проверяем ходит ли браузер в Инет через прокси с аутентификацией.
Смотрим в tail -f /var/log/squid/cache.log

Редактируем /etc/squid/squidGuard.conf

dbhome /etc/squid/blacklists
logdir /var/log/squidGuard
src lan {
        ip              192.168.0.0/16
}
dest adv {
        domainlist      adv/domains
        urllist         adv/urls
}
dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
}
dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        #expressionlist porn/expressions
}
dest redirector {
        domainlist      redirector/domains
        urllist         redirector/urls
}
acl {
        default {
                pass none
                redirect http://kadmin.ru
        }
        lan {
                pass !adv !spyware !porn !redirector !shopping all
                redirect http://kadmin.ru
        }
}

dbhome /etc/squid/blacklists

logdir /var/log/squidGuard

src lan {

ip 192.168.0.0/16

}

dest adv {

domainlist adv/domains

urllist adv/urls

}

dest spyware {

domainlist spyware/domains

urllist spyware/urls

}

dest porn {

domainlist porn/domains

urllist porn/urls

#expressionlist porn/expressions

}

dest redirector {

domainlist redirector/domains

urllist redirector/urls

}

acl {

default {

pass none

redirect http://kadmin.ru

}

lan {

pass !adv !spyware !porn !redirector !shopping all

redirect http://kadmin.ru

}

В конец /etc/squid/squid.conf

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

1	url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

И вот такой скрипт для обновления списков SquidGuard ./listupdate:

cd /etc/squid
rm -rf shallalist.tar.gz
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar zxf shallalist.tar.gz
yes | cp -RT BL/ blacklists/
chown squid. -R /etc/squid/
squidGuard -C all
chown squid. -R /etc/squid/
service squid restart

cd /etc/squid

rm -rf shallalist.tar.gz

wget http://www.shallalist.de/Downloads/shallalist.tar.gz

tar zxf shallalist.tar.gz

yes | cp -RT BL/ blacklists/

chown squid. -R /etc/squid/

squidGuard -C all

chown squid. -R /etc/squid/

service squid restart

mkdir /etc/squid/BL
chmod +x /etc/squid/listupdate
и crontab -e обновляем каждый день:

30 0 * * * /etc/squid/listupdate

1	30 0 * * * /etc/squid/listupdate

Запускаем:

./listupdate

1	./listupdate

Или без обновления:

chown squid. -R /etc/squid/ &amp;&amp; squidGuard -C all &amp;&amp; chown squid. -R /etc/squid/ &amp;&amp; service squid restart

1	chown squid. -R /etc/squid/ && squidGuard -C all && chown squid. -R /etc/squid/ && service squid restart

Смотрим в tail -f /var/log/squidGuard/squidGuard.log

Синхронизация времени с контроллером

yum install ntp ntpdate
rm -rf /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime
service ntpd stop
ntpdate 192.168.123.222
ntpdate -bs 192.168.123.222
ntpdate 192.168.123.222
service ntpd star

yum install ntp ntpdate

rm -rf /etc/localtime

ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime

service ntpd stop

ntpdate 192.168.123.222

ntpdate -bs 192.168.123.222

ntpdate 192.168.123.222

service ntpd star

Вот и все, теперь хотелось бы добавить фильтрацию для отдельных пользователей но при добавлении

src googusers {
user admin badadmin
}

src googusers {

user admin badadmin

}

squidGuard из epel падает с сегфолтом:
https://bugzilla.redhat.com/show_bug.cgi?id=1253662