
Squid with HTTPS filtering without certificate spoofing, integration with Active Directory 2012R2 + WPAD

This manual was written out of a production need to monitor user traffic (http and https) and to distribute access through white and black lists. It is based on two articles: this and this one, which use the peek-n-splice technique. In those articles the host running squid is configured as a gateway; once the config is in place you get a full-fledged proxy server able to assign access rights to Active Directory groups. When the configuration was finished, the question of delivering the proxy settings to users came up. Since laptops are often taken home from the office, the whole idea stalled at that point. Handing out the proxy settings via DHCP was considered first, but it is not a good fit here, because the offices are on different subnets with different equipment; WPAD was the way out. In short, client machines running Windows look for a host named wpad.example.ru (up to third-level domains) and request a configuration file for network access from it. Based on this, you need to bring up a web server that simply serves the wpad.dat file. The web server can live on the proxy host (as was done here), with a cname wpad pointing at the proxy server in the DNS server. It is also better to use a proxy server that can collect and display statistics; there is plenty to choose from. For somewhat conservative reasons SARG was chosen: it is easy to set up and gives reasonably adequate statistics for an office of up to 100 employees.



1.1 Simplified WPAD Workflow


- A Windows client asks the DNS server for the host wpad.example.ru, and the DNS record for that name tells it where to go. The client then requests the configuration file from wpad.example.ru and, once it has received it, acts according to the instructions in it.

1.2 Pros and cons of this technology


Pros:

- there is no need to push the proxy address to every client through a GPO
- employee mobility (Internet access outside the office)
- to stop using it, a user only has to untick "Automatically detect settings" in the browser properties

Cons:

- "Automatically detect settings" can be turned off by any user, so it is better to leave it enabled and prevent changes via GPO

1.3 Squid peek-n-splice: how it works


An employee tries to reach an https site through the proxy. When the encrypted connection is set up, a "greeting" (the TLS ClientHello, which carries the requested server name) is transmitted in the clear; the proxy server intercepts it and, based on its configuration, squid either allows or drops the connection. In other words, the connection is intercepted only to look at the greeting, and is then either passed through or terminated.
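To make the "greeting" concrete, here is an added example (it is not from the article and not Squid code) in plain Node.js that does what the peek step does conceptually: it parses a TLS ClientHello, pulls the server name out of the SNI extension without decrypting anything, and then applies the same two decisions the squid.conf below ends up with, terminate or splice. The ClientHello bytes are constructed test data, and the block-list match is a simplified stand-in for Squid's ssl::server_name ACL.

```javascript
// Added example (not from the original article): what "ssl_bump peek" sees. The TLS
// ClientHello is sent in the clear, so a proxy can read the server_name (SNI)
// extension without decrypting anything, then terminate or splice the connection.
// Plain Node.js, no third-party modules. The ClientHello is constructed test data,
// not a capture, and the block-list matching is a simplification of ssl::server_name.

const HANDSHAKE_RECORD = 0x16;
const CLIENT_HELLO = 0x01;
const SNI_EXTENSION = 0x0000;

function u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }

// Build a minimal TLS 1.2 ClientHello record (constructed sample data).
// Pass null to produce a ClientHello without any extensions, i.e. no SNI.
function buildClientHello(hostname) {
  let extensions = Buffer.alloc(0);
  if (hostname !== null) {
    const name = Buffer.from(hostname, "ascii");
    // server_name list: list length, name_type 0 (host_name), name length, name
    const sni = Buffer.concat([u16(name.length + 3), Buffer.from([0x00]), u16(name.length), name]);
    extensions = Buffer.concat([u16(SNI_EXTENSION), u16(sni.length), sni]);
  }
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),            // client_version = TLS 1.2
    Buffer.alloc(32, 0x11),               // random (fixed filler in the sample)
    Buffer.from([0x00]),                  // session_id length = 0
    u16(2), Buffer.from([0xc0, 0x2f]),    // one cipher suite
    Buffer.from([0x01, 0x00]),            // one compression method (null)
    u16(extensions.length), extensions,
  ]);
  const handshake = Buffer.concat([
    Buffer.from([CLIENT_HELLO, (body.length >> 16) & 0xff, (body.length >> 8) & 0xff, body.length & 0xff]),
    body,
  ]);
  return Buffer.concat([Buffer.from([HANDSHAKE_RECORD, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Return the SNI host name from the first TLS record, or null when there is none
// (no extensions, no server_name extension, not a ClientHello, or malformed data).
function extractSni(record) {
  try {
    if (record.length < 5 || record[0] !== HANDSHAKE_RECORD) return null;
    const end = 5 + record.readUInt16BE(3);
    if (record.length < end) return null;           // wait for the whole record
    let p = 5;
    if (record[p] !== CLIENT_HELLO) return null;
    p += 4;                                         // handshake type + 3-byte length
    p += 2 + 32;                                    // client_version + random
    p += 1 + record[p];                             // session_id
    p += 2 + record.readUInt16BE(p);                // cipher_suites
    p += 1 + record[p];                             // compression_methods
    if (p + 2 > end) return null;                   // no extensions block at all
    const extEnd = p + 2 + record.readUInt16BE(p);
    p += 2;
    while (p + 4 <= extEnd) {
      const type = record.readUInt16BE(p);
      const len = record.readUInt16BE(p + 2);
      p += 4;
      if (type === SNI_EXTENSION) {
        let q = p + 2;                              // skip the server_name list length
        while (q + 3 <= p + len) {
          const nameLen = record.readUInt16BE(q + 1);
          if (record[q] === 0x00) return record.toString("ascii", q + 3, q + 3 + nameLen);
          q += 3 + nameLen;
        }
      }
      p += len;
    }
    return null;
  } catch (e) {
    return null;                                    // truncated or garbage record
  }
}

// Apply the article's two rules: "ssl_bump terminate blocked", then "ssl_bump splice all".
function decide(record, blockedDomains) {
  const sni = extractSni(record);
  const blocked = sni !== null &&
    blockedDomains.some((d) => sni === d || sni.endsWith("." + d));
  return { sni, action: blocked ? "terminate" : "splice" };
}

const BLOCKED = ["social.example.org"];             // stands in for blocked_https.txt
for (const h of ["mail.example.ru", "feed.social.example.org", null]) {
  console.log(h, "->", decide(buildClientHello(h), BLOCKED));
}
```

A ClientHello without an SNI extension (older clients, some non-browser software) yields null, which is why a name-based block list is a best-effort control only; a truncated or malformed record also yields null rather than a crash, which is the behaviour you want from anything that sits in the path of untrusted bytes.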

1.4 Pros and cons of Peek-n-splice


Pros:

- This is not a MITM attack, so there are no problems with bank-client applications
- Domain names of sites requested over https appear in the statistics

Cons:

- Unfortunately, it is impossible to see which particular web page was opened, as you could with a MITM setup
- This configuration only behaved well on CentOS (on Debian there were problems, and after a while a kernel panic occurred)

1.5 So, here is what we have


- Host with Active Directory 2012R2 (user authorization method: Kerberos), 10.0.0.9
- Host with CentOS 7 (x64), which is both the web server serving wpad.dat and the proxy server, 10.0.0.10
- Test host with Windows to check that it all works, 10.0.0.11

"Let's go!" (Gagarin Yu. A.)

2 Configuring the operating system and installing Squid


There is no point in describing the CentOS installation itself, so let's assume we have a freshly installed CentOS 7 x64. For Squid to handle http and https traffic equally well, the following is needed:

2.1 Squid should be built with these parameters


$ squid -v
Squid Cache: Version 3.5.16
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

Or you can download the archive with the collected squid and its dependencies.

2.2 Installing the necessary packages from the official repositories


Note that squid needs a few dependencies. Unfortunately, the official CentOS repositories are rather sparse, so some packages have to be fetched from unofficial ones. Install what is available from the official repository:

# yum install -y libtool-ltdl perl-DBI perl-Digest-MD5 cyrus-sasl-gssapi krb5-workstation 

2.3 Manual installation of Squid and additional packages


 # rpm -Uvh squid-3.5.8-4.el7.centos.x86_64.rpm libecap-1.0.0-3.el7.centos.x86_64.rpm squid-helpers-3.5.8-4.el7.centos.x86_64.rpm perl-Crypt-OpenSSL-X509-1.803-4.el7.x86_64.rpm 

If something goes wrong, the terminal output will say what is missing.

2.4 Setting permissions for the swap directory


 # chown squid:squid /var/spool/squid 

2.5 Configuration file /etc/squid/squid.conf


squid.conf
### negotiate kerberos
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/sq.example.ru@EXAMPLE.RU
auth_param negotiate children 60
auth_param negotiate keep_alive off

external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g Internet-medium@EXAMPLE.RU
external_acl_type inet_full ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g Internet-full@EXAMPLE.RU
external_acl_type inet_low ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g Internet-low@EXAMPLE.RU

acl localnet src 10.0.0.0/24
acl localnet src 192.168.0.0/24

acl my_full external inet_full
acl my_medium external inet_medium
acl my_low external inet_low
acl auth proxy_auth REQUIRED

# in addition to the default 443, the online business server needs the extra port 9443
acl SSL_ports port 443 9443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# In this configuration whitelist.txt is the list of allowed sites for the Internet-low@EXAMPLE.RU group (access only to the sites listed in whitelist.txt),
# and blocked_http.txt is the list of prohibited sites for the Internet-medium@EXAMPLE.RU group (access to all sites except those listed in blocked_http.txt)
acl white_list dstdomain "/etc/squid/whitelist.txt"
acl black_list dstdomain "/etc/squid/blocked_http.txt"
dns_nameservers 10.0.0.9

# access rules

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth

http_access deny my_medium black_list
http_access allow my_medium
http_access allow my_low white_list
http_access deny my_low all
http_access allow my_full
# Allow localhost
http_access allow localhost

# Forbid everything else
http_access deny all

# Non-transparent port through which client hosts talk to the proxy server

http_port 10.0.0.10:3130 options=NO_SSLv3:NO_SSLv2

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# This option is needed for peek-n-splice to work correctly. The blocked_https.txt file itself does not affect anything, but it must not be empty either. Magic.
#

acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1

# terminate the connection if the client goes to a forbidden resource
ssl_bump terminate blocked
ssl_bump splice all

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB

#httpd_suppress_version_string on
#visible_hostname PROXYSERVER

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4
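The access rules are the part of this config that is easiest to get wrong, because Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match. The following is an added example, not part of the article and not Squid code: a small Node.js model of that evaluation over the article's own rule list, with constructed group memberships and list contents standing in for the AD helper and the /etc/squid/*.txt files.

```javascript
// Added example (not from the original article): a model of how Squid walks the
// http_access lines above. Lines are tested top to bottom, every ACL on a line must
// match ("!" negates one), and the first matching line decides. Group membership and
// the two list files are constructed sample data standing in for the AD helper and
// /etc/squid/whitelist.txt and blocked_http.txt.

const WHITE_LIST = ["corp.example.ru", "bank.example.org"];   // whitelist.txt stand-in
const BLACK_LIST = ["social.example.org"];                     // blocked_http.txt stand-in
const GROUPS = {                                               // AD lookup stand-in
  alice: ["Internet-full"],
  bob: ["Internet-medium"],
  carol: ["Internet-low"],
  dave: ["Internet-medium", "Internet-low"],                   // member of two groups
};
const SAFE_PORTS = [80, 21, 443, 70, 210, 280, 488, 591, 777];
const SSL_PORTS = [443, 9443];

function domainIn(host, list) {
  return list.some((d) => host === d || host.endsWith("." + d));
}
function inGroup(req, group) {
  return (GROUPS[req.user] || []).includes(group);
}

// Each ACL name from the config mapped to a predicate over a request object.
const ACL = {
  Safe_ports: (r) => SAFE_PORTS.includes(r.port) || (r.port >= 1025 && r.port <= 65535),
  SSL_ports: (r) => SSL_PORTS.includes(r.port),
  CONNECT: (r) => r.method === "CONNECT",
  localhost: (r) => r.src === "127.0.0.1",
  manager: (r) => r.manager === true,
  auth: (r) => typeof r.user === "string" && r.user.length > 0,
  my_full: (r) => inGroup(r, "Internet-full"),
  my_medium: (r) => inGroup(r, "Internet-medium"),
  my_low: (r) => inGroup(r, "Internet-low"),
  white_list: (r) => domainIn(r.host, WHITE_LIST),
  black_list: (r) => domainIn(r.host, BLACK_LIST),
  all: () => true,
};

// The http_access lines from the article, in the same order.
const HTTP_ACCESS = [
  ["deny", "!Safe_ports"],
  ["deny", "CONNECT", "!SSL_ports"],
  ["allow", "localhost", "manager"],
  ["deny", "manager"],
  ["deny", "!auth"],
  ["deny", "my_medium", "black_list"],
  ["allow", "my_medium"],
  ["allow", "my_low", "white_list"],
  ["deny", "my_low", "all"],
  ["allow", "my_full"],
  ["allow", "localhost"],
  ["deny", "all"],
];

function aclMatches(name, req) {
  const negate = name.startsWith("!");
  const pred = ACL[negate ? name.slice(1) : name];
  if (pred === undefined) throw new Error("unknown acl " + name);
  return negate ? !pred(req) : pred(req);
}

// Returns the verdict and the line that produced it (handy when the order surprises you).
function evaluate(req) {
  for (const [verdict, ...acls] of HTTP_ACCESS) {
    if (acls.every((a) => aclMatches(a, req))) {
      return { verdict, line: "http_access " + [verdict, ...acls].join(" ") };
    }
  }
  // Squid falls back to the opposite of the last line; unreachable here because
  // "deny all" always matches.
  return { verdict: "allow", line: "(implicit)" };
}

function request(user, host, port, method = "GET", src = "10.0.0.11") {
  return { user, host, port, method, src, manager: false };
}

for (const r of [
  request("carol", "corp.example.ru", 80),
  request("carol", "news.example.org", 80),
  request("bob", "social.example.org", 443, "CONNECT"),
  request("dave", "news.example.org", 80),
]) {
  console.log(r.user, r.host, "->", evaluate(r));
}
```

Two things the model makes visible: in real Squid the `deny !auth` line is what triggers the 407 Negotiate challenge, and a user who belongs to both Internet-medium and Internet-low (dave in the sample) is handled entirely by the Internet-medium lines because they come first, so the white list never applies to them.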

2.6 The /etc/hosts file


First bring /etc/hosts to the following content:

 127.0.0.1 localhost 
 10.0.0.10 sq.example.ru sq 

2.7 Configuring selinux


The /etc/selinux/config file should contain the value:
 SELINUX=enforcing 

Install the package for working with selinux:
 # yum install policycoreutils-python 

Add the selinux rules.

Allow squid to make connections:
 # setsebool -P squid_connect_any on 

Allow kerberos:
 # setsebool -P allow_kerberos on 

Allow connections to squid on port 3130:
 # semanage port -a -t squid_port_t -p tcp 3130 

After changing the selinux parameters, reboot the system to apply them.
 # reboot 


2.8 Generating the cache (swap) directories


 # squid -z 

2.9 Enabling the squid daemon and checking the configuration file


 # systemctl enable squid 
 # squid -k parse 

There should be no warnings or errors. If there are any, check the settings.

2.10 Enabling traffic forwarding


 # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf 

Apply the setting on the fly:
 # sysctl -p 


3 Integration with Active Directory Domain Controller 2012R2


Integration with the domain controller is needed so that domain users can authenticate to the proxy server with the Kerberos protocol. The most reasonable choice is to leave only Kerberos, because this method is the safest and authorization happens automatically. Client machines outside the domain are not a problem either: the username and password can be entered manually in the authorization pop-up window. Checked, it works.

3.1 Configuration file /etc/krb5.conf


The configuration file /etc/krb5.conf must be brought to the following form:

krb5.conf
[libdefaults]
    default_realm = EXAMPLE.RU
    ticket_lifetime = 24h
    default_keytab_name = /etc/krb5.keytab

[realms]
    EXAMPLE.RU = {
        kdc = dc1.example.ru
        admin_server = dc1.example.ru
        default_domain = example.ru
    }

[domain_realm]
    .example.ru = EXAMPLE.RU
    example.ru = EXAMPLE.RU

3.2 Creating DNS Records


Everyone knows that Active Directory is closely tied to DNS; for authorization to work correctly you need to create a host record (A or AAAA) with the host name and its IP address (which gives the record sq.example.ru with the IP address 10.0.0.10).

3.3 Domain Integration Options


So, there are two options for integrating with the domain. The first uses Windows (ktpass), the second uses Linux (msktutil). The Windows option is good because you can disable password expiration for the squid user. The Linux option is good because you join the domain by creating a computer account.

3.3.1 Integration by Windows


Create a user in AD, for example squid.
Now generate krb5.keytab. At a command prompt on a domain controller, with administrative rights, run this command:

 C:\Windows\system32> ktpass -princ HTTP/sq.example.ru@EXAMPLE.RU -mapuser squid@EXAMPLE.RU -crypto rc4-hmac-nt -pass Pa$$wd12 -ptype KRB5_NT_PRINCIPAL -out C:\ 

Then move the resulting krb5.keytab file (WinSCP will do) to sq.example.ru, into the /etc directory.

3.3.2 Linux integration


msktutil is also included in the archive with squid and its dependencies; install it:

 # rpm -Uhv msktutil-0.5.1-2.el7.x86_64.rpm 


Now run the following command:

 # msktutil -c -b "CN=COMPUTERS" -s HTTP/sq.example.ru -k /etc/krb5.keytab --computer-name sq-k --upn HTTP/sq.example.ru --server dc1.example.ru --verbose --enctypes 28 

If it succeeds, the command produces a lot of output; I see no point in copying it here. There should be no errors or warnings. Note that --computer-name sq-k is not a typo: the computer account name must differ from the hostname.

Since the computer account password needs to be updated periodically, this can be done through cron:
 # crontab -e 

Add this task to it:
 00 3 * * * msktutil --auto-update --verbose --computer-name sq-k 


3.4 Recommended rights to the krb5.keytab file


After moving krb5.keytab, it is recommended to reduce the access rights on the file:

 # chown squid:squid /etc/krb5.keytab && chmod 644 /etc/krb5.keytab 

Note that 644 still leaves the keytab readable by every local account; since only the squid user needs it, 600 is the tighter choice.

3.5 AD Access Groups


In Active Directory, in the Users OU, create the three groups by which Internet access will be distributed: Internet-full, Internet-medium, Internet-low.

3.6 Authorization check


Check authorization against Active Directory with the /etc/krb5.keytab file:

 # kinit -V -k -t /etc/krb5.keytab HTTP/sq.example.ru@EXAMPLE.RU 

The output of the command should look something like this:

 Using default cache: /tmp/krb5cc_0 
 Using principal: HTTP/sq.example.ru@EXAMPLE.RU 
 Using keytab: /etc/krb5.keytab 
 Authenticated to Kerberos v5 

And klist should display the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/sq.example.ru@EXAMPLE.RU

Valid starting          Expires                 Service principal
10/09/2016 10:19:20 AM  10.10.2016 08:19:20     krbtgt/EXAMPLE.RU@EXAMPLE.RU
        renew until 10/10/2016 10:19:20 PM

The Squid configuration is almost complete; now reboot the host to apply the settings. After the reboot, for a test you can manually set the proxy in the browser settings to sq.example.ru, port 3130.

4 WPAD


4.1 Installing and configuring the apache2 web server


Installing a web server:

 # yum install -y httpd 

After installation we include in autoload:

 # systemctl enable httpd 

Run:

 # systemctl start httpd 

If you open the domain name sq.example.ru in a browser, the apache2 test page should appear.

Next, create the file /var/www/html/wpad.dat with the following content:

wpad.dat
function FindProxyForURL(url, host)
{
    // var ip_host = dnsResolve(host);
    // var localnet = "192.168.0.0";
    // var localhost = "127.0.0.0";
    // var localnet = "10.0.0.0";
    if (isInNet(host, "192.168.0.0", "255.255.255.0") ||
        isInNet(host, "10.0.0.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        shExpMatch(host, "*.example.ru"))
    { return "DIRECT"; }
    // dnsDomainIs() is a plain suffix test, so the pattern is ".inet-example.ru" (a literal "*" would never match)
    if (dnsDomainIs(host, ".inet-example.ru"))
    { return "DIRECT"; }
    return "PROXY sq.example.ru:3130";
}

4.2 Description of the wpad.dat file


By default, the file /var/www/html/wpad.dat is served to everyone without any additional apache2 settings, which is exactly what is needed for correct interaction with Windows client machines.

The lines

 if (isInNet(host, "192.168.0.0", "255.255.255.0") || isInNet(host, "10.0.0.0", "255.255.255.0") || 

indicate that requests to hosts on the 192.168.0.0/24, 10.0.0.0/24 and 127.0.0.0/8 subnets (the last one is needed for services to work correctly when accessing localhost) go directly, as does any connection to domain hosts under .example.ru.

The line

 if (dnsDomainIs(host, ".inet-example.ru")) { return "DIRECT"; } 

indicates that access to domain names under .inet-example.ru also goes directly.

If the requested resource does not match any of the conditions above, the following applies:

 return "PROXY sq.example.ru:3130"; 
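Because a mistake in wpad.dat silently sends every client DIRECT or through the wrong proxy, it pays to run the logic through a test harness before publishing it. The following is an added example, not part of the article: it supplies the PAC helper functions a browser provides (isInNet, shExpMatch, dnsDomainIs, dnsResolve) in plain Node.js, with a constructed DNS table in place of real lookups, and runs the article's FindProxyForURL against a few hosts. It also shows why dnsDomainIs needs ".inet-example.ru" rather than "*.inet-example.ru".

```javascript
// Added example (not from the original article): a tiny harness that supplies the PAC
// helper functions a browser provides (isInNet, shExpMatch, dnsDomainIs, dnsResolve) so
// the wpad.dat logic can be checked under Node.js before the file is published.
// The DNS table is constructed sample data; a browser would really resolve the names.

const FAKE_DNS = {
  "localhost": "127.0.0.1",
  "sq.example.ru": "10.0.0.10",
  "intranet.example.ru": "10.0.0.20",
  "habr.com": "203.0.113.10",      // constructed sample value, not a real lookup
};

function isPlainIp(s) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(s); }
function ip2int(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// PAC dnsResolve(): the IP for a name, or null if it cannot be resolved.
function dnsResolve(host) {
  if (isPlainIp(host)) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}
// PAC isInNet(): note that for a host *name* this costs a DNS lookup per request.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(pattern) & m) >>> 0);
}
// PAC shExpMatch(): shell-style glob where * and ? are wildcards.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
// PAC dnsDomainIs(): a plain suffix test, no wildcards.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// The wpad.dat logic from the article. The second test uses ".inet-example.ru":
// dnsDomainIs("x.inet-example.ru", "*.inet-example.ru") is false because the
// asterisk is compared literally, so that spelling would never send anything DIRECT.
function FindProxyForURL(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.255.0") ||
      isInNet(host, "10.0.0.0", "255.255.255.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      shExpMatch(host, "*.example.ru")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, ".inet-example.ru")) {
    return "DIRECT";
  }
  return "PROXY sq.example.ru:3130";
}

for (const h of ["10.0.0.9", "localhost", "intranet.example.ru", "portal.inet-example.ru", "habr.com"]) {
  console.log(h, "->", FindProxyForURL("http://" + h + "/", h));
}
```

Note that isInNet() on a host name makes the browser resolve that name for every request; that is standard PAC behaviour, and it is why intranet.example.ru in the sample is matched by address before shExpMatch ever runs.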

4.3 Create CNAME


On the Active Directory DNS server, create a cname wpad (FQDN wpad.example.ru) pointing to sq.example.ru.

To verify, open http://wpad/wpad.dat in a browser; the wpad.dat file should download automatically. In this way every host downloads the file and acts according to its content. It is recommended to log off and on again, or reboot, all Windows computers in the domain so that they fetch the file.

5 Statistics


5.1 Installing SARG from Source


If gcc has not been installed yet, now is the time:

 # yum install -y gcc gd gd-devel make wget 
 # wget http://liquidtelecom.dl.sourceforge.net/project/sarg/sarg/sarg-2.3.10/sarg-2.3.10.tar.gz 
 # tar -xvzf sarg-2.3.10.tar.gz 
 # cd sarg-2.3.10 
 # ./configure 
 # make 

In the file po/Makefile.in.in the gettext version is given as 0.18; to avoid an error during make install, change it to 0.19, then run:

 # make install 

5.2 Configuring SARG


It is better to keep the standard configuration file /usr/local/etc/sarg.conf:

 # mv /usr/local/etc/sarg.conf /usr/local/etc/sarg.conf.default 

Now create a sarg.conf file with the following content:

 access_log /var/log/squid/access.log 
 output_dir /var/www/html/squid-reports 
 date_format e 
 overwrite_report yes 
 language UTF-8 

5.3 Report generation schedule using cron


 # crontab -e 

Add a line:

 55 23 * * * /usr/local/bin/sarg -xd day-0 

This line means that a report for the current day is generated every day at 23:55.
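As an added example of what the scheduled SARG run is summarising (not part of the article and not SARG code), the following Node.js script parses a few constructed lines in Squid's default native access.log layout, totals requests and bytes per user, and counts policy blocks (TCP_DENIED/403) separately from the Kerberos challenge (TCP_DENIED/407), flagging accounts that keep running into the block lists.

```javascript
// Added example (not from the original article): a minimal version of what SARG does
// with /var/log/squid/access.log -- per-user request count, bytes and denied requests,
// plus a simple flag for accounts that hit the block lists repeatedly. The log lines
// are constructed samples in Squid's default "native" access.log layout:
//   time elapsed client result/status bytes method url user hierarchy/peer type

const SAMPLE_LOG = `
1478592001.123    245 10.0.0.11 TCP_MISS/200 15342 GET http://news.example.org/ alice@EXAMPLE.RU HIER_DIRECT/203.0.113.10 text/html
1478592002.456      0 10.0.0.12 TCP_DENIED/403 3912 GET http://social.example.org/ carol@EXAMPLE.RU HIER_NONE/- text/html
1478592003.789   1200 10.0.0.11 TCP_TUNNEL/200 88211 CONNECT mail.example.ru:443 bob@EXAMPLE.RU HIER_DIRECT/10.0.0.30 -
1478592004.000      0 10.0.0.12 TCP_DENIED/403 3912 GET http://video.example.org/ carol@EXAMPLE.RU HIER_NONE/- text/html
1478592005.500      0 10.0.0.12 TCP_DENIED/403 3912 GET http://games.example.org/ carol@EXAMPLE.RU HIER_NONE/- text/html
1478592006.250     12 10.0.0.13 TCP_DENIED/407 3500 GET http://news.example.org/ - HIER_NONE/- text/html
`;

// Parse one native-format line into an object, or return null for anything else.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [result, status] = f[3].split("/");
  return {
    time: new Date(Number(f[0]) * 1000),
    client: f[2],
    result,
    status: Number(status),
    bytes: Number(f[4]),
    method: f[5],
    url: f[6],
    user: f[7] === "-" ? null : f[7],
  };
}

// Per-user totals; a user is flagged once their policy denials reach denyThreshold.
function summarize(logText, denyThreshold = 3) {
  const users = {};
  for (const line of logText.split("\n")) {
    const rec = parseLine(line);
    if (rec === null) continue;
    const key = rec.user || "(unauthenticated)";
    const u = users[key] || (users[key] = { requests: 0, bytes: 0, denied: 0, flagged: false });
    u.requests += 1;
    u.bytes += rec.bytes;
    // 403 is a policy block (black list, or outside the white list);
    // 407 is only the Negotiate/Kerberos challenge, not a denial of a user.
    if (rec.result === "TCP_DENIED" && rec.status === 403) u.denied += 1;
    u.flagged = u.denied >= denyThreshold;
  }
  return users;
}

console.table(summarize(SAMPLE_LOG));
```

The same parser can be pointed at the real file; spliced https connections show up as CONNECT host:443 with TCP_TUNNEL, which is exactly the level of detail the article's "cons" section describes: the domain name, but not the page.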

5.4 Web server configuration


The previously installed web server can also be given the job of displaying the reports, asking for a login and password first. Create the file /etc/httpd/conf.d/sarg.conf with the following content:

sarg.conf
Alias /reports /var/www/html/squid-reports/

<Directory /var/www/html/squid-reports/>
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
    AddDefaultCharset UTF-8
</Directory>


5.5 Authorization on a site with statistics


Generate the login and password file for authorization:

 # htpasswd -c /etc/httpd/conf/.htpasswd administrator 

Restart apache2:

 # systemctl restart httpd 

When you open sq.example.ru/reports you will be prompted for a login and password. After successful authorization you can view the statistics.

6 Group Policy


Everything here is a matter of context and may depend on particular circumstances. For the task at hand, the reasonable decision was to prevent users from setting a proxy server themselves or from disabling "Automatically detect settings".

6.1 GPO Editing


To prohibit entering a proxy server or changing the automatic detection settings, you can use Group Policy. Create a group policy and link it to an OU, for example office.

Edit the Group Policy:

User Configuration → Policies → Administrative Templates → Windows Components → Internet Explorer

In this folder find the following settings and set them to "Enabled":

"Prevent changing proxy settings"
"Disable changing Automatic Configuration settings"

In conclusion, I can say that this configuration has been working successfully since spring 2016 and has proven itself well. I will be happy to answer any questions.

UPD #1: 12.11.16
1. Removed the extra lines for ports 3128 and 3129 from the squid config.
2. Enabled selinux and added the rules.
3. Removed certificate generation from the manual (it works without it).
4. Minor fixes.

UPD #2: 11/20/16
1. Removed extra lines from the krb5.conf config.
2. Added the method of integration with AD through msktutil.
3. Added forwarding.
4. Updated the archive with squid and dependencies.

Source: https://habr.com/ru/post/314918/

