
CentOS 6.x 64 and Squid with authorization from Win2008AD

Installing Squid on CentOS 6.x 64 with authorization against Win2008AD: access distributed by groups, binding to MAC addresses, a filter for file extensions and a list of forbidden sites.

We will not describe installing Win2008AD; we assume the domain controller is already installed and configured. Our first task is to create a group structure into which users are distributed; each group will later receive its own rights.

Create a user squid; it will be responsible for reading the list of users, checking their passwords and their group membership. We delegate these rights to it.

Right-click the root of our domain and select Delegate Control. The wizard appears. Click Next, then Add. Enter our user squid, which will have read permissions in the domain. Click OK; the user is added. Click Next. Tick Read all user information and Read all inetOrgPerson information. Click Next, then Finish.

Create an organizational unit named proxy at the root of the domain. Right-click the root of our domain, select New, then Organizational Unit. Enter the name proxy and click OK. An Organizational Unit called proxy appears at the root of the domain.

In this unit we create the groups that will give users different access rights through Squid: admins-proxy and users-proxy.

Right-click the proxy unit, select New, then Group. Enter the group name admins-proxy and click OK. Repeat for the users-proxy group.

The first group will have full access; the second will be restricted. We add existing users to each group: let the user padmins be in admins-proxy, and the user pusers, created earlier, in users-proxy. Double-click the group name, select the Members tab, click Add, enter the required user and click OK. Repeat for the other users and groups.

Install the Squid package:

yum install squid

After a successful installation, enable squid to start at boot:

chkconfig squid on

We will use LDAP-based authorization in Squid. First we need to check the connection to the Win2008AD LDAP server using the helpers shipped with Squid.

We check the login padmins with the password VzRGI5xS of a user from the domain.

We run:

echo "padmins VzRGI5xS" | /usr/lib64/squid/squid_ldap_auth -R -D squid@developer.com -w 3zdjK2H9 -b "dc=developer,dc=com" -f "sAMAccountName=%s" -h 192.168.151.2

padmins              # domain user
VzRGI5xS             # password of the padmins user in the domain
squid@developer.com  # domain user with the right to read the list of users, check their passwords and read all data about them
3zdjK2H9             # password of the delegated squid user
dc=developer,dc=com  # search base: the domain developer.com
192.168.151.2        # IP address of the domain controller


If everything is done correctly, we get the answer OK. This means that our user padmins was found in the domain and matched with the password VzRGI5xS. If there is no match, we get an ERR Success response.

Now we check that the login padmins belongs to the admins-proxy group in the domain.

We run:

echo "padmins admins-proxy" | /usr/lib64/squid/squid_ldap_group -R -D squid@developer.com -w 3zdjK2H9 -b "dc=developer,dc=com" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=developer,dc=com))" -h 192.168.151.2

If everything is done correctly, we get the answer OK. This means that our user padmins was found in the admins-proxy group of our domain. If there is no match, we get an ERR Success response.

Let's move on to configuring Squid.

Create the /etc/squid/rules directory:

mkdir /etc/squid/rules

In the /etc/squid/rules directory, create the rule files:

touch block-extension.txt

touch inet-mac.txt

touch url-block.txt

Contents of the block-extension.txt file (file extension filter):

\.exe$
\.mp3$
\.mpg$
\.mp4$
\.mpeg$
\.flv$
\.avi$
\.wmv$
\.swf$
\.mov$
\.mkv$
\.wav$
\.rar$
\.msi$
\.zip$
\.tar$
\.iso$
\.nrg$


Contents of the inet-mac.txt file (list of allowed MAC addresses):

04:00:27:3a:45:13
10:6e:87:c4:8c
00:1f:d0:b5:c4:65


Contents of the url-block.txt file (URL filter):

odnoklassniki\.ru
vk\.com
facebook\.com

Open the /etc/squid/squid.conf config file for editing and bring it to the following form:

squid.conf
################################################################################

# Squid normally listens to port 3128
http_port 3128

visible_hostname router-int.developer.com

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

################################################################################
### Commands to connect to AD2008R2 ###
################################################################################
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -D squid@developer.com -w 3zdjK2H9 -b "dc=developer,dc=com" -f "sAMAccountName=%s" -h 192.168.151.2
auth_param basic children 5
auth_param basic realm Please insert your windows credentials to navigate
auth_param basic credentialsttl 1 hour
################################################################################

################################################################################
### Commands to query groups in AD2008R2 ###
################################################################################
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -D squid@developer.com -w 3zdjK2H9 -b "dc=developer,dc=com" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=developer,dc=com))" -h 192.168.151.2
################################################################################

################################################################################
### Access lists and blocks by groups from AD2008R2 ###
################################################################################

# (access list of users from the admins-proxy group located in AD2008R2)
acl admins-proxy external ldap_group admins-proxy

# (access list of users from the users-proxy group located in AD2008R2)
acl users-proxy external ldap_group users-proxy

# (list of user access by MAC address)
acl inet-mac arp "/etc/squid/rules/inet-mac.txt"

# (URL block list)
acl url-block url_regex "/etc/squid/rules/url-block.txt"

# (block list of file extensions)
acl block-extension url_regex -i "/etc/squid/rules/block-extension.txt"

# (blocking media streams)
acl media rep_mime_type -i ^audio/.*$
acl media rep_mime_type -i ^video/.*$
acl media rep_mime_type -i ^video/x-flv$
acl media rep_mime_type -i ^application/x-shockwave-flash$
acl media rep_mime_type -i ^application/octet-stream$

# (allow everything for the admins-proxy group, bound to a MAC address from the list)
http_access allow admins-proxy inet-mac

# (deny the users-proxy group the url-block list)
http_access deny users-proxy url-block

# (deny the users-proxy group the block-extension list)
http_access deny users-proxy block-extension

# (deny the users-proxy group the media list)
http_reply_access deny users-proxy media

# (allow the users-proxy group everything that's left)
http_access allow users-proxy

################################################################################

# And finally deny all other access to this proxy
http_access deny all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

################################################################################

The given config is 100% working.

Start Squid:

service squid start

How it works.

In the browser settings, enter the address of our proxy server and port 3128. When we open a web page, we are prompted for a login and password.

If our user padmins enters the correct password, squid lets the request through and applies the rules of that user's group. From the config it is clear that there are no restrictions for the admins-proxy group; there is only a binding to the MAC addresses from the list.

If our user pusers enters the correct password, squid likewise lets the request through and applies the rules of its group. From the config it can be seen that the users-proxy group is subject to the url-block (URL block list), block-extension (extension block list) and media (media stream block list) filters.
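To make the rule order above concrete, here is an added example (not from the original post) that replays Squid's first-match http_access evaluation over the post's five rules, with the rule files and the AD group answers replaced by constructed in-memory data; the MAC addresses, users and URLs are assumed sample values.

```python
import re

# Constructed sample data standing in for the rule files and AD groups of the post.
URL_BLOCK = [r"odnoklassniki\.ru", r"vk\.com", r"facebook\.com"]       # url-block.txt
BLOCK_EXT = [r"\.exe$", r"\.mp3$", r"\.zip$", r"\.iso$"]               # block-extension.txt (excerpt)
INET_MAC = {"04:00:27:3a:45:13", "00:1f:d0:b5:c4:65"}                  # inet-mac.txt
AD_GROUPS = {"padmins": {"admins-proxy"}, "pusers": {"users-proxy"}}   # what squid_ldap_group would answer

def acl_matches(name, req):
    """Evaluate one ACL from the post's squid.conf against a request dict."""
    if name == "all":
        return True
    if name in ("admins-proxy", "users-proxy"):        # acl ... external ldap_group
        return name in AD_GROUPS.get(req["user"], set())
    if name == "inet-mac":                              # acl inet-mac arp "..."
        return req["mac"].lower() in INET_MAC
    if name == "url-block":                             # url_regex (case-sensitive)
        return any(re.search(p, req["url"]) for p in URL_BLOCK)
    if name == "block-extension":                       # url_regex -i
        return any(re.search(p, req["url"], re.I) for p in BLOCK_EXT)
    raise ValueError(f"undefined acl: {name}")          # Squid also refuses an unknown ACL name

# The http_access lines from the post, in order: (action, ACLs that must all match).
HTTP_ACCESS = [
    ("allow", ["admins-proxy", "inet-mac"]),
    ("deny", ["users-proxy", "url-block"]),
    ("deny", ["users-proxy", "block-extension"]),
    ("allow", ["users-proxy"]),
    ("deny", ["all"]),
]

def http_access(user, mac, url):
    """First-match evaluation as Squid does it: the first line whose ACLs all match wins."""
    req = {"user": user, "mac": mac, "url": url}
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return action
    # Squid falls back to the opposite of the last line; unreachable with "deny all" last.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for user, mac, url in [
        ("padmins", "04:00:27:3a:45:13", "http://vk.com/"),              # admin from a listed MAC: allow
        ("padmins", "aa:bb:cc:dd:ee:ff", "http://example.com/"),         # admin from an unlisted MAC: deny all
        ("pusers", "aa:bb:cc:dd:ee:ff", "http://vk.com/"),               # url-block: deny
        ("pusers", "aa:bb:cc:dd:ee:ff", "http://example.com/Setup.EXE"), # block-extension -i: deny
        ("pusers", "aa:bb:cc:dd:ee:ff", "http://example.com/"),          # everything else: allow
    ]:
        print(f"{user:8} {mac} {url:32} -> {http_access(user, mac, url)}")
```

Note that an admin connecting from a MAC address not in inet-mac.txt falls through every rule down to deny all, and that Squid's arp ACL only sees the MAC of clients on the proxy's own Ethernet segment, so hosts behind a router show up with the router's MAC.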

And do not forget to open the port on the firewall if it is closed:

iptables -A INPUT -p tcp -m state -m tcp -s 192.168.0.0/16 --dport 3128 --state NEW -j ACCEPT

Source: https://habr.com/ru/post/197154/
