SQUID com autenticação e permissões por grupos do Active Directory e relatórios com SARG

Instalação e configuração do Squid e seus complementos para autenticação no Active Directory, utilizando a estrutura de grupos para conceder acesso a internet de acordo com perfis de usuários, além de geração de relatórios para monitoramento de acessos

[ Hits: 26.570 ]

Por: Carlos Rossini Alencar Liberal em 30/10/2018


Configurando o Squid



Primeiro, vamos fazer um backup do arquivo original:

# mv /etc/squid/squid.conf /etc/squid/squid.conf

Depois, vamos configurar o nosso Squid:

# nano /etc/squid/squid.conf

#
#
# squid.conf - Carlos Rossini - rossiniliberal@gmail.com

############################## INICIO #######################################

#############################################################################
# Porta; Hostname; Dir erros;
#############################################################################

    http_port 8888
    visible_hostname PROXY
    error_directory /usr/share/squid/errors/pt-BR

    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    icp_port 0
    htcp_port 0
    snmp_port 0

#############################################################################
# hosts contornando o proxy
#############################################################################

    acl direto src "/etc/squid/regras/ipslivres"
    http_access allow direto
    always_direct allow direto

#############################################################################
# sites que passam direto pelo proxy
#############################################################################

    acl liberados dstdomain "/etc/squid/regras/liberados"
    always_direct allow liberados
    http_access allow liberados

#############################################################################
# cache e logs
#############################################################################

    cache_mem 512 MB
    cache_swap_low 90
    cache_swap_high 95
    maximum_object_size 8000 KB
    minimum_object_size 1 KB
    maximum_object_size_in_memory 4000 KB
    cache_dir ufs /var/spool/squid 100 16 256    
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    cache_swap_log /var/log/squid/store.log
    access_log /var/log/squid/access.log
    strip_query_terms off

#############################################################################
# autenticacao
#############################################################################

# Texto da autenticacao no pop-up
    auth_param basic realm .::. EMPRESA - Controle de acessos .::.

# Autenticacao com usuario ad do windows com pop up
    auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local-w senha -f "sAMAccountName=%s" -u uid -P 10.10.10.2:389 -R

# Autenticacao por grupos do ad do windows
   external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b dc=empresa,dc=local -D cn=squid,cn=Users,dc=empresa,dc=local -w senha -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=empresa,dc=local))" -h 10.10.10.2:389

    auth_param basic credentialsttl 6 hours
    acl autenticados proxy_auth REQUIRED

#############################################################################
# acl de portas
#############################################################################

# portas seguras
    acl SSL_ports port 443 563

# demais serviços
    acl Safe_ports port 53 # OneDrive DNS
    acl Safe_ports port 80 # http
    acl Safe_ports port 81 # iper
    acl Safe_ports port 8080 # tomcat
    acl Safe_ports port 8443 # tomcat - ssl
    acl Safe_ports port 10000 # webmin
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 631 # cups
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 2631 # Conectividade Social
    acl Safe_ports port 901 # swat
    acl Safe_ports port 23000 # SERPRO
    acl Safe_ports port 1025-65535 # portas altas

#############################################################################
# Controle de acessos
############################################################################

    acl PURGE method PURGE
    acl CONNECT method CONNECT

    acl localhost src 10.10.10.1
    acl redelocal src 10.10.10.0/24

    http_access deny !redelocal

    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    acl usuarios_master external ldap_group usuarios_master
    acl usuarios_redes_sociais external ldap_group usuarios_redes_sociais
    acl usuarios_youtube external ldap_group usuarios_youtube
    acl usuarios_comuns external ldap_group usuarios_comuns
    acl webproxy url_regex -i "/etc/squid/regras/bloqueios/webproxy"
    acl pornografia url_regex -i "/etc/squid/regras/bloqueios/pornografia"
    acl streaming url_regex -i "/etc/squid/regras/bloqueios/streaming"
    acl download url_regex -i "/etc/squid/regras/bloqueios/download"
    acl redes_sociais url_regex -i "/etc/squid/regras/bloqueios/redes_sociais"
    acl youtube url_regex -i "/etc/squid/regras/bloqueios/youtube"

    http_access allow usuarios_master
    http_access deny webproxy
    http_access deny pornografia
    http_access deny streaming
    http_access allow usuarios_redes_sociais
    http_access deny redes_sociais
    http_access allow usuarios_youtube
    http_access deny youtube
    http_access allow usuarios_comuns
    http_access deny autenticados

    http_access allow redelocal
    http_access allow localhost

    http_access deny all

#############################################################################
# otimizacao de recursos e outras configuracoes
#############################################################################

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

# gerenciador do cache
    cache_mgr empresa@email.com

    http_reply_access allow all
    icp_access allow all
    coredump_dir /squid/var/cache/squid

Página anterior     Próxima página

Páginas do artigo
   1. Introdução
   2. Configuração do Active Directory
   3. Preparando o servidor Linux e iniciando a instalação de pacotes
   4. Configurando o Kerberos
   5. Configurando o Samba e ajustando o relógio com o servidor AD
   6. Testando a comunicação com o Servidor AD e colocando o servidor proxy no domínio
   7. Criando arquivos auxiliares do Squid
   8. Configurando o Squid
   9. Explicando algumas configurações do Squid
   10. Programando o SARG para gerar o relatório todos os dias às 23:45
   11. Observações, conclusão e referências
Outros artigos deste autor
Nenhum artigo encontrado.
Leitura recomendada

DHCP e VLANs no CentOS 6.5 - Instalação e configuração

Roubando bits (parte 2): como resolver questões rapidamente sem calculadora

Crimpagem de Conectores RJ-45

Redes de Computadores · IPtables · Endereços IPs - Explicações básicas

Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota

  
Comentários
[1] Comentário enviado por jeffersonmartins em 31/10/2018 - 11:38h

Parabéns, bem detalhado!
Será de grande valia!


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts