Proxy Squid com SquidGuard + Controle de Banda e Autenticação NTLM no Samba 4 (CentOS 6.5 – 64 bits Minimal) – …::: ClusterWeb®

Configurações iniciais Instalando repositórios:# rpm -Uvh http://fedora.uib.no/epel/6/i386/epel-release-6-8.noarch.rpm # yum clean all # yum -y update Desativando o Firewall e o SELinux: # chkconfig iptables off # chkconfig ip6tables off # setenforce 0 # vi /etc/selinux/config _{selinux=disabled} Instalando dependências e pacotes necessários: # yum -y install flex bison squid squidGuard samba samba-client samba-common samba-winbind pam_krb5 bind-utils httpd Ajustando a inicialização dos programas: # chkconfig httpd on # chkconfig squid on # chkconfig smb on # chkconfig nmb on # chkconfig winbind on Ajustando resolução de nomes: Obs.: faça primeiro um backup do arquivo original: # cp -Rfa /etc/resolv.conf{,.bkp} # vi /etc/resolv.conf _{search dominio.local nameserver 192.168.100.11 # IP DO SERVIDOR AD OU SAMBA 4} Executando testes: # nslookup dominio.local _{Server: 192.168.100.11 Address: 192.168.100.11#53} Name: dominio.local Address: 192.168.100.11 Ajustando a hora: # yum -y install ntpdate # ntpdate -u ntp.usp.br # Se tiver NTP da rede local aponte para o IP/nome dele Configurando Kerberos Fazer backup do arquivo de configuração: # cp -Rfa /etc/krb5.conf{,.bkp} # rm -rf /etc/krb5.conf # vi /etc/krb5.conf [libdefaults] default_realm = dominio.local krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true[realms] dominio.local = { kdc = 192.168.100.11 admin_server = 192.168.100.11:749 default_server = 192.168.100.11 } [domain_realm] .dominio.local=dominio.local dominio.local=dominio.local [login] krb4_convert = true krb4_get_tickets = false [kdc] profile = /etc/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } [logging] default = file:/var/log/krb5libs.log kdc = file:/var/log/krb5kdc.log admin_server = file:/var/log/kadmind.log Para que não ocorra erros no Samba: # vi /etc/security/limits.conf Insira as informações abaixo no final do arquivo: root hard nofile 131072 root soft nofile 65536 mioutente hard nofile 32768 mioutente soft nofile 16384 Ajustando Samba Backup do arquivo de configuração: # cp -Rfa /etc/samba/smb.conf{,.bkp} # rm -rf /etc/samba/smb.conf # vi /etc/samba/smb.conf [global] workgroup = DOMINIO realm = DOMINIO.LOCAL netbios name = CentOS server string = Servidor Proxy CentOS security = ADS auth methods = winbind password server = 192.168.100.11 # IP DO SAMBA 4 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No printcap name = cups disable spoolss = Yes local master = No domain master = Yes idmap uid = 10000-30000 idmap gid = 10000-30000 winbind cache time = 15 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes Faça um backup do arquivo /etc/nsswitch.conf: # cp /etc/nsswitch.conf{,.bkp} Ajustar conforme arquivo abaixo: # vi /etc/nsswitch.conf […] passwd: files winbind shadow: files group: files winbind […] Ajustando privilégios: # gpasswd -a squid wbpriv Iniciando serviços: # /etc/init.d/nmb start # /etc/init.d/smb start # /etc/init.d/winbind start Ingressando o servidor no domínio: # net ads join dominio.local -U administrador _{Enter administrador’s password: [A SENHA DO ADMINISTRADOR DO SAMBA 4] Using short domain name — DOMINIO Joined ‘CENTOS’ to realm ‘DOMINIO.LOCAL’} Reinicie os serviços # /etc/init.d/smb restart # /etc/init.d/nmb restart # /etc/init.d/winbind restart Verifique a comunicação: # wbinfo -t _{checking the trust secret for domain DOMINIO via RPC calls succeeded} # wbinfo -u _{administrator johnny krbtgt guest} # wbinfo -g _{allowed rodc password replication group enterprise read-only domain controllers denied rodc password replication group read-only domain controllers group policy creator owners ras and ias servers domain controllers enterprise admins domain computers cert publishers dnsupdateproxy domain admins domain guests schema admins domain users dnsadmins internet-ti internet-comercial internet-diretoria}
Configurando o Squid Backup do arquivo de configuração:# cp -Rfa /etc/squid/squid.conf{,.bkp} # rm -rf /etc/squid/squid.conf # vi /etc/squid/squid.conf http_port 3128 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 64 KB cache_mem 60 MB pipeline_prefetch on fqdncache_size 1024refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_swap_low 90 cache_swap_high 95 access_log /var/log/squid/access.log squid cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log cache_dir ufs /var/spool/squid 100 16 256 logfile_rotate 10 hosts_file /etc/hosts acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl localhost src 127.0.0.1/32 http_access allow localhost http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl NOCACHE url_regex “/etc/squid/regras/nocache.lst” \? no_cache deny NOCACHE auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy server auth_param basic credentialsttl 2 hours acl autenticados proxy_auth REQUIRED redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf redirect_children 10 http_access allow autenticados http_access deny all http_reply_access allow all icp_access allow all miss_access allow all visible_hostname proxyauth.palacio.local error_directory /usr/share/squid/errors/pt-br cache_effective_user squid coredump_dir /var/spool/squid ######## CONTROLE DE BANDA ############ acl Acesso_Rapido url_regex -i \.(aspx?\|css\|jsp?\|[js]?html?\|rss\|php\|xml\|txt\|gif\|jpe?g\|png)$ acl Banda_Livre arp “/etc/squid/acls/Banda_Livre.lst” delay_pools 2 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 -1/-1 delay_access 1 allow Banda_Livre delay_class 2 2 delay_parameters 2 614400/614400 61920/619200 # Navegar a 60k delay_access 2 allow rede_local !Acesso_Rapido Criando a pasta de cache: # mkdir /etc/squid/cache # mkdir -p /etc/squid/cache/1 # chown squid:squid -R /etc/squid/cache/ # service squid start Inicialização automática do Squid: # chkconfig squid on
Configurando o SquidGuard # vi /etc/squid/squidGuard.conf # Diretorio das Listas de Bloqueiodbhome /var/squidGuard/db logdir /var/log/squidGuard # Autenticacao LDAP ldapbinddn cn=squid,ou=INTERNET,dc=palacio,dc=local ldapbindpass password ldapcachetime 60 # Grupos de Bloqueio src ACESSOLIVRE { ldapusersearch ldap://192.168.100.11:3268/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOLIVRE%2cou=INTERNET%2cdc=palacio%2cdc=local)) } src ACESSOREDESSOCIAIS { ldapusersearch ldap://192.168.100.11:3268/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOREDESSOCIAIS%2cou=INTERNET%2cdc=palacio%2cdc=local)) } src ACESSOVIDEOS { ldapusersearch ldap://192.168.100.11:3268/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOVIDEOS%2cou=INTERNET%2cdc=palacio%2cdc=local)) } ## Listas de Bloqueio ( Filtragem ) Usando duas listas Bigblaclist e Shallalist # Big Blacklist dest porn { domainlist blacklists/porn/domains urllist blacklists/porn/urls # expessionlist blacklists/porn/expressions } dest audio-video { domainlist blacklists/audio-video/domains urllist blacklists/audio-video/urls } # Shallalist dest porn2 { domainlist BL/porn/domains urllist BL/porn/urls } dest socialnet { domainlist BL/socialnet/domains urllist BL/socialnet/urls } # Controle de Acessos ( ACLs ) acl { ACESSOLIVRE { pass !porn !porn2 } ACESSOREDESSOCIAIS { pass socialnet !porn !porn2 !audio-video } ACESSOVIDEOS { pass audio-video !porn !porn2 !socialnet } default { pass !porn !porn2 !socialnet !audio-video redirect http://192.168.100.16/cgi-bin/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u } } Baixe as listas dentro do diretório /var/squidGuard/db, eu, particularmente, uso as duas listas abaixo: Shalla’s Blacklists :: http://www.shallalist.de/ URLBlacklist :: http://urlblacklist.com/?sec=download Descompacte: # tar -zxvf bigblacklist.tar.gz # tar -zxvf shallalist.tar.gz Criar os bancos: # squidGuard -b -u -C all Monitorar os logs do SquidGuard: # tail -f /var/log/squidGuard/squidGuard.log Após completar o processo (que, dependendo da quantidade de listas, pode demorar um pouco), vamos dar as permissões devidas: # chown -R squid:squid /var/squidGuard/db/* # find /var/squidGuard/db -type f \| xargs chmod 644 # find /var/squidGuard/db -type d \| xargs chmod 755 # squid -k reconfigure Criando uma whitelist autorizando o acesso aos sites manualmente: Adicione uma nova ACL: # vi /etc/squid/squidGuard.conf dest white { domainlist white/domains urllist white/urls }default { pass white !porn !porn2 !socialnet !audio-video redirect http://192.168.100.16/cgi-bin/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u } } A ACL white será lida primeiro e o acesso às páginas especificadas no arquivo será liberado. Criar a pasta e os arquivos: # mkdir /var/lib/squidguard/db/white # touch /var/lib/squidguard/db/white/domains # touch /var/lib/squidguard/db/white/urls Onde: Arquivo domains para domínios liberados por completo. Exemplo: “google.com.br”. Arquivo urls para páginas. Exemplo: “vivaolinux.com.br/contribuir/artigo/”, sempre um por linha. Obs.: em qualquer alteração feita nos arquivos dbs, se faz necessário atualizar a conversão das listas e reiniciar o Squid: # chown -R squid:squid /var/squidGuard/db/* # find /var/squidGuard/db -type f \| xargs chmod 644 # find /var/squidGuard/db -type d \| xargs chmod 755 # squidGuard -b -u -C all # squid -k reconfigure

Versão para Impressão

Configurando Kerberos

Ajustando Samba