Squid + AD permição nos grupos

lluisfeliipe
(usa Ubuntu)

Enviado em 11/01/2012 - 15:09h

Estou com uma duvida no conf abaixo os grupos do Ad estão comunicando correramente com o squid, mas
gostaria de fazer da seguinte forma:

Grupo_restrito: acesse apenas alguns sites

Grupo_sem limite: acesse todos os sites

Grupo_ redesocial: não acesse nda referente a rede social.


http_port 3128
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
half_closed_clients off
no_cache deny QUERY
#cache_dir ufs /usr/local/squid/var/cache 6000 64 64
cache_dir ufs /usr/local/squid/var/cache2 1000 16 256
cache_mem 64 MB
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
ftp_user anonymous@anonymous
ftp_passive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
error_directory /usr/local/squid/share/errors/Portuguese
coredump_dir /usr/local/squid/var/logs/

# Acesso irrestrito a sites de bancos
acl sites_liberados dstdom_regex -i "/etc/squid/rules/sites_liberados"
http_access allow sites_liberados
always_direct allow sites_liberados
no_cache deny sites_liberados

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

#external_acl_type nt_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl manager proto cache_object
acl SSL_ports port 443 563 873
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl ip_lucilia_sousa src 172.16.61.114
http_access allow ip_lucilia_sousa

acl ip_jurandi_frutuoso src 172.17.61.118
http_access allow ip_jurandi_frutuoso

acl ip_ana_melo src 172.17.61.61
http_access allow ip_ana_melo all

acl ip_lourdes_almeida src 172.17.61.66
http_access allow ip_lourdes_almeida all

acl bancos dstdom_regex -i "/usr/local/squid/rules/sites_bancos"
http_access allow bancos

external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -R -b "dc=conass,dc=org" -D "cn=proxy_user,ou=Internet,dc=conass,dc=org" -w "goiaba22" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou="Internet",dc=conass,dc=org))" -h 172.16.61.1

##b
#acl users_msnskypegtalk external nt_group Proxy_ACL_LIBERA_Msn_Skype_Gtalk
acl users_msnskypegtalk external ldap_group Proxy_ACL_LIBERA_Msn_Skype_Gtalk
acl semlimite external ldap_group Proxy_ACL_SemLimite
acl todos_usuarios external ldap_group Proxy_ACL_Todos
acl governo external ldap_group Proxy_ACL_Governo

acl meebo dst 69.36.226.106/255.255.255.255
http_access deny meebo all
acl mangaloo dst 85.184.4.0/255.255.255.0
http_access deny mangaloo all
acl 4shared dst 72.36.151.218/255.255.255.255
http_access deny 4shared all
acl testedns dst 216.146.35.97/255.255.255.255
http_access deny testedns all

# Regras para o MSN
acl msn-type req_mime_type -i ^application/x-msn-messenger$
acl msn dstdomain loginnet.passport.com
acl msnmessenger url_regex -i gateway.dll
acl webmsn dstdomain webmessenger.msn.com
acl msn1 dst 216.32.66.236/255.255.255.255

http_access allow users_msnskypegtalk msn-type
http_access allow users_msnskypegtalk msn
http_access allow users_msnskypegtalk msnmessenger
http_access allow users_msnskypegtalk webmsn
http_access allow users_msnskypegtalk msn1

http_access deny msn-type
http_access deny msn
http_access deny msnmessenger
http_access deny webmsn
http_access deny msn1

# Regras para o SKYPE
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^
http_access allow CONNECT users_msnskypegtalk numeric_IPS Skype_UA

http_access deny numeric_IPs
http_access deny Skype_UA

acl AuthorizedUsers proxy_auth REQUIRED

# Regras de bloqueio de Sites
acl sites_suspeitos dstdom_regex -i "/usr/local/squid/rules/sites_suspeitos"
http_access deny sites_suspeitos

acl sites_suspeitos3 dstdom_regex -i "/usr/local/squid/rules/sites_suspeitos3"
http_access deny sites_suspeitos3

http_access allow semlimite

##b
acl sites_deny dstdom_regex -i "/usr/local/squid/rules/sites_deny"
http_access deny sites_deny

##b
# Bloqueio de alguns usuarios para acessar somente sites do governo e companhia aerea

acl sites_governo dstdom_regex -i "/usr/local/squid/rules/sites_governo"
http_access allow sites_governo

http_access deny governo

acl ip_gabriela src 172.17.61.106
http_access deny ip_gabriela all

# Quando separar os grupos, colocar deny
http_access allow todos_usuarios

http_access allow AuthorizedUsers
http_access deny all

http_reply_access allow all
icp_access allow all

phrich
(usa Slackware)

Enviado em 13/01/2012 - 00:45h

Cara eu já fiz isso com o ntlm_auth, que autentica no AD, com este tipo de autenticação que vc usa, eu não saberia lhe explicar...

Outra forma de fazer isso também é com autenticação ldap.

Se vc quiser mudar para alguma das duas, eu poderia lhe ajudar, talvez se vc não sacar muito de ldap, com o ntlm é muito tranquilo de fazer...