{"id":797,"date":"2014-04-15T08:40:02","date_gmt":"2014-04-15T11:40:02","guid":{"rendered":"http:\/\/www.viazap.com.br\/?p=797"},"modified":"2014-04-15T08:40:31","modified_gmt":"2014-04-15T11:40:31","slug":"proxy-squid-com-squidguard-controle-de-banda-e-autenticacao-ntlm-no-samba-4-centos-6-5-64-bits-minimal","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=797","title":{"rendered":"Proxy Squid com SquidGuard + Controle de Banda e Autentica\u00e7\u00e3o NTLM no Samba 4 (CentOS 6.5 – 64 bits Minimal)"},"content":{"rendered":"\n\n\n\n\n
Configura\u00e7\u00f5es iniciais<\/b><\/p>\n
Instalando reposit\u00f3rios:# rpm -Uvh http:\/\/fedora.uib.no\/epel\/6\/i386\/epel-release-6-8.noarch.rpm
\n# yum clean all
\n# yum -y update<\/strong><\/p>\n

Desativando o Firewall e o SELinux:<\/p>\n

# chkconfig iptables off
\n# chkconfig ip6tables off
\n# setenforce 0<\/strong><\/p>\n

# vi \/etc\/selinux\/config
\n\u00a0selinux=disabled\u00a0<\/sub><\/p>\n

Instalando depend\u00eancias e pacotes necess\u00e1rios:<\/p>\n

# yum -y install flex bison squid squidGuard samba samba-client samba-common samba-winbind pam_krb5 bind-utils httpd<\/strong><\/p>\n

Ajustando a inicializa\u00e7\u00e3o dos programas:<\/p>\n

# chkconfig httpd on
\n# chkconfig squid on
\n# chkconfig smb on
\n# chkconfig nmb on
\n# chkconfig winbind on<\/strong><\/p>\n

Ajustando resolu\u00e7\u00e3o de nomes:<\/p>\n

Obs.: fa\u00e7a primeiro um backup do arquivo original:<\/p>\n

# cp -Rfa \/etc\/resolv.conf{,.bkp}<\/strong><\/p>\n

# vi \/etc\/resolv.conf
\n\u00a0search\u00a0dominio.local
\nnameserver\u00a0192.168.100.11\u00a0\u00a0#\u00a0IP\u00a0DO\u00a0SERVIDOR\u00a0AD\u00a0OU\u00a0SAMBA\u00a04\u00a0<\/sub><\/p>\n

Executando testes:<\/p>\n

# nslookup dominio.local<\/strong>
\n\u00a0Server:\u00a0192.168.100.11
\nAddress:\u00a0192.168.100.11#53<\/sub><\/p>\n

Name:\u00a0\u00a0\u00a0dominio.local
\nAddress:\u00a0192.168.100.11<\/p>\n

Ajustando a hora:<\/p>\n

# yum -y install ntpdate
\n# ntpdate -u ntp.usp.br<\/strong>\u00a0\u00a0\u00a0\u00a0# Se tiver NTP da rede local aponte para o IP\/nome dele<\/p>\n

Configurando Kerberos<\/h1>\n

Fazer backup do arquivo de configura\u00e7\u00e3o:<\/p>\n

# cp -Rfa \/etc\/krb5.conf{,.bkp}
\n# rm -rf \/etc\/krb5.conf
\n# vi \/etc\/krb5.conf<\/strong><\/p>\n

[libdefaults]
\ndefault_realm = dominio.local
\nkrb4_config = \/etc\/krb.conf
\nkrb4_realms = \/etc\/krb.realms
\nkdc_timesync = 1
\nccache_type = 4
\nforwardable = true
\nproxiable = true
\nv4_instance_resolve = false
\nv4_name_convert = {
\nhost = {
\nrcmd = host
\nftp = ftp
\n}
\nplain = {
\nsomething = something-else
\n}
\n}
\nfcc-mit-ticketflags = true[realms]
\ndominio.local = {
\nkdc = 192.168.100.11
\nadmin_server = 192.168.100.11:749
\ndefault_server = 192.168.100.11
\n}<\/p>\n

[domain_realm]
\n.dominio.local=dominio.local
\ndominio.local=dominio.local<\/p>\n

[login]
\nkrb4_convert = true
\nkrb4_get_tickets = false<\/p>\n

[kdc]
\nprofile = \/etc\/krb5kdc\/kdc.conf<\/p>\n

[appdefaults]
\npam = {
\ndebug = false
\nticket_lifetime = 36000
\nrenew_lifetime = 36000
\nforwardable = true
\nkrb4_convert = false
\n}<\/p>\n

[logging]
\ndefault = file:\/var\/log\/krb5libs.log
\nkdc = file:\/var\/log\/krb5kdc.log
\nadmin_server = file:\/var\/log\/kadmind.log<\/p>\n<\/div>\n

Para que n\u00e3o ocorra erros no Samba:<\/p>\n

# vi \/etc\/security\/limits.conf<\/strong><\/p>\n

Insira as informa\u00e7\u00f5es abaixo no final do arquivo:<\/p>\n

root hard nofile 131072
\nroot soft nofile 65536
\nmioutente hard nofile 32768
\nmioutente soft nofile 16384<\/div>\n

Ajustando Samba<\/h1>\n

Backup do arquivo de configura\u00e7\u00e3o:<\/p>\n

# cp -Rfa \/etc\/samba\/smb.conf{,.bkp}
\n# rm -rf \/etc\/samba\/smb.conf
\n# vi \/etc\/samba\/smb.conf<\/strong><\/p>\n

[global]
\nworkgroup = DOMINIO
\nrealm = DOMINIO.LOCAL
\nnetbios name = CentOS
\nserver string = Servidor Proxy CentOS
\nsecurity = ADS
\nauth methods = winbind
\npassword server = 192.168.100.11 # IP DO SAMBA 4
\nsocket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
\nload printers = No
\nprintcap name = cups
\ndisable spoolss = Yes
\nlocal master = No
\ndomain master = Yes
\nidmap uid = 10000-30000
\nidmap gid = 10000-30000
\nwinbind cache time = 15
\nwinbind enum users = Yes
\nwinbind enum groups = Yes
\nwinbind use default domain = Yes<\/div>\n

Fa\u00e7a um backup do arquivo\u00a0\/etc\/nsswitch.conf<\/span>:<\/p>\n

# cp \/etc\/nsswitch.conf{,.bkp}<\/strong><\/p>\n

Ajustar conforme arquivo abaixo:<\/p>\n

# vi \/etc\/nsswitch.conf<\/strong><\/p>\n

[…]
\npasswd: files winbind
\nshadow: files
\ngroup: files winbind
\n[…]<\/div>\n

Ajustando privil\u00e9gios:<\/p>\n

# gpasswd -a squid wbpriv<\/strong><\/p>\n

Iniciando servi\u00e7os:<\/p>\n

# \/etc\/init.d\/nmb start
\n# \/etc\/init.d\/smb start
\n# \/etc\/init.d\/winbind start<\/strong><\/p>\n

Ingressando o servidor no dom\u00ednio:<\/p>\n

# net ads join dominio.local -U administrador<\/strong>
\n\u00a0Enter\u00a0administrador’s\u00a0password:\u00a0[A\u00a0SENHA\u00a0DO\u00a0ADMINISTRADOR\u00a0DO\u00a0SAMBA\u00a04]
\nUsing\u00a0short\u00a0domain\u00a0name\u00a0—\u00a0DOMINIO
\nJoined\u00a0‘CENTOS’\u00a0to\u00a0realm\u00a0‘DOMINIO.LOCAL’\u00a0<\/sub><\/p>\n

Reinicie os servi\u00e7os<\/p>\n

# \/etc\/init.d\/smb restart
\n# \/etc\/init.d\/nmb restart
\n# \/etc\/init.d\/winbind restart<\/strong><\/p>\n

Verifique a comunica\u00e7\u00e3o:<\/p>\n

# wbinfo -t<\/strong>
\n\u00a0checking\u00a0the\u00a0trust\u00a0secret\u00a0for\u00a0domain\u00a0DOMINIO\u00a0via\u00a0RPC\u00a0calls\u00a0succeeded\u00a0<\/sub><\/p>\n

# wbinfo -u<\/strong>
\n\u00a0administrator
\njohnny
\nkrbtgt
\nguest\u00a0<\/sub><\/p>\n

# wbinfo -g<\/strong>
\n\u00a0allowed\u00a0rodc\u00a0password\u00a0replication\u00a0group
\nenterprise\u00a0read-only\u00a0domain\u00a0controllers
\ndenied\u00a0rodc\u00a0password\u00a0replication\u00a0group
\nread-only\u00a0domain\u00a0controllers
\ngroup\u00a0policy\u00a0creator\u00a0owners
\nras\u00a0and\u00a0ias\u00a0servers
\ndomain\u00a0controllers
\nenterprise\u00a0admins
\ndomain\u00a0computers
\ncert\u00a0publishers
\ndnsupdateproxy
\ndomain\u00a0admins
\ndomain\u00a0guests
\nschema\u00a0admins
\ndomain\u00a0users
\ndnsadmins
\ninternet-ti
\ninternet-comercial
\ninternet-diretoria\u00a0<\/sub><\/p>\n<\/div>\n<\/td>\n<\/tr>\n

Configurando o Squid<\/b><\/p>\n
Backup do arquivo de configura\u00e7\u00e3o:# cp -Rfa \/etc\/squid\/squid.conf{,.bkp}
\n# rm -rf \/etc\/squid\/squid.conf
\n# vi \/etc\/squid\/squid.conf<\/strong><\/p>\n
http_port 3128
\nmaximum_object_size 4096 KB
\nminimum_object_size 0 KB
\nmaximum_object_size_in_memory 64 KB
\ncache_mem 60 MB
\npipeline_prefetch on
\nfqdncache_size 1024refresh_pattern ^ftp:\u00a0\u00a0\u00a0\u00a0\u00a0 1440\u00a0\u00a020%\u00a0\u00a0 10080
\nrefresh_pattern ^gopher:\u00a0\u00a0\u00a0\u00a01440\u00a0\u00a00%\u00a0\u00a0\u00a01440
\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0\u00a0\u00a0 0%\u00a0\u00a0\u00a00
\nrefresh_pattern .\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0 20%\u00a0\u00a0 4320<\/p>\n

cache_swap_low 90
\ncache_swap_high 95<\/p>\n

access_log \/var\/log\/squid\/access.log squid
\ncache_log \/var\/log\/squid\/cache.log
\ncache_store_log \/var\/log\/squid\/store.log
\ncache_dir ufs \/var\/spool\/squid 100 16 256<\/p>\n

logfile_rotate 10
\nhosts_file \/etc\/hosts<\/p>\n

acl SSL_ports port 443
\nacl Safe_ports port 80\u00a0\u00a0\u00a0\u00a0\u00a0# http
\nacl Safe_ports port 21\u00a0\u00a0\u00a0\u00a0\u00a0# ftp
\nacl Safe_ports port 443\u00a0\u00a0\u00a0\u00a0\u00a0# https
\nacl Safe_ports port 70\u00a0\u00a0\u00a0\u00a0\u00a0# gopher
\nacl Safe_ports port 210\u00a0\u00a0\u00a0\u00a0\u00a0# wais
\nacl Safe_ports port 1025-65535\u00a0# unregistered ports
\nacl Safe_ports port 280\u00a0\u00a0\u00a0\u00a0\u00a0# http-mgmt
\nacl Safe_ports port 488\u00a0\u00a0\u00a0\u00a0\u00a0# gss-http
\nacl Safe_ports port 591\u00a0\u00a0\u00a0\u00a0\u00a0# filemaker
\nacl Safe_ports port 777\u00a0\u00a0\u00a0\u00a0\u00a0# multiling http
\nacl CONNECT method CONNECT<\/p>\n

acl localhost src 127.0.0.1\/32
\nhttp_access allow localhost<\/p>\n

http_access deny !Safe_ports<\/p>\n

http_access deny CONNECT !SSL_ports<\/p>\n

acl NOCACHE url_regex “\/etc\/squid\/regras\/nocache.lst” \\?
\nno_cache deny NOCACHE<\/p>\n

auth_param ntlm program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
\nauth_param ntlm children 30<\/p>\n

auth_param basic program \/usr\/bin\/ntlm_auth –helper-protocol=squid-2.5-basic
\nauth_param basic children 5
\nauth_param basic realm Squid proxy server
\nauth_param basic credentialsttl 2 hours<\/p>\n

acl autenticados proxy_auth REQUIRED<\/p>\n

redirect_program \/usr\/bin\/squidGuard -c \/etc\/squid\/squidGuard.conf
\nredirect_children 10<\/p>\n

http_access allow autenticados
\nhttp_access deny all
\nhttp_reply_access allow all
\nicp_access allow all
\nmiss_access allow all<\/p>\n

visible_hostname proxyauth.palacio.local
\nerror_directory \/usr\/share\/squid\/errors\/pt-br<\/p>\n

cache_effective_user squid
\ncoredump_dir \/var\/spool\/squid<\/p>\n

########\u00a0CONTROLE DE BANDA ############
\nacl Acesso_Rapido url_regex -i \\.(aspx?|css|jsp?|[js]?html?|rss|php|xml|txt|gif|jpe?g|png)$
\nacl Banda_Livre arp “\/etc\/squid\/acls\/Banda_Livre.lst”<\/p>\n

delay_pools 2
\ndelay_class 1 2
\ndelay_parameters 1 -1\/-1 -1\/-1 -1\/-1
\ndelay_access 1 allow Banda_Livre<\/p>\n

delay_class 2 2
\ndelay_parameters 2 614400\/614400\u00a061920\/619200\u00a0# Navegar a 60k
\ndelay_access 2 allow rede_local !Acesso_Rapido<\/p>\n<\/div>\n

Criando a pasta de cache:<\/p>\n

# mkdir \/etc\/squid\/cache
\n# mkdir -p \/etc\/squid\/cache\/1
\n# chown squid:squid -R \/etc\/squid\/cache\/
\n# service squid start<\/strong><\/p>\n

Inicializa\u00e7\u00e3o autom\u00e1tica do Squid:<\/p>\n

# chkconfig squid on<\/strong><\/p>\n<\/div>\n<\/td>\n<\/tr>\n

Configurando o SquidGuard<\/b><\/p>\n
# vi \/etc\/squid\/squidGuard.conf<\/strong><\/p>\n
# Diretorio das Listas de Bloqueiodbhome \/var\/squidGuard\/db
\nlogdir \/var\/log\/squidGuard<\/p>\n

# Autenticacao LDAP<\/p>\n

ldapbinddn\u00a0\u00a0 cn=squid,ou=INTERNET,dc=palacio,dc=local
\nldapbindpass\u00a0 password
\nldapcachetime\u00a060<\/p>\n

# Grupos de Bloqueio<\/p>\n

src ACESSOLIVRE {
\nldapusersearch ldap:\/\/192.168.100.11:3268\/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOLIVRE%2cou=INTERNET%2cdc=palacio%2cdc=local))
\n}<\/p>\n

src ACESSOREDESSOCIAIS {
\nldapusersearch ldap:\/\/192.168.100.11:3268\/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOREDESSOCIAIS%2cou=INTERNET%2cdc=palacio%2cdc=local))
\n}<\/p>\n

src ACESSOVIDEOS {
\nldapusersearch ldap:\/\/192.168.100.11:3268\/dc=palacio,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=ACESSOVIDEOS%2cou=INTERNET%2cdc=palacio%2cdc=local))
\n}<\/p>\n

## Listas de Bloqueio ( Filtragem ) Usando duas listas Bigblaclist e Shallalist<\/p>\n

# Big Blacklist<\/p>\n

dest porn {
\ndomainlist\u00a0\u00a0\u00a0blacklists\/porn\/domains
\nurllist\u00a0\u00a0\u00a0\u00a0 blacklists\/porn\/urls
\n#\u00a0\u00a0\u00a0 expessionlist\u00a0 blacklists\/porn\/expressions
\n}<\/p>\n

dest audio-video {
\ndomainlist\u00a0\u00a0\u00a0blacklists\/audio-video\/domains
\nurllist\u00a0\u00a0\u00a0\u00a0 blacklists\/audio-video\/urls
\n}<\/p>\n

# Shallalist<\/p>\n

dest porn2 {
\ndomainlist\u00a0\u00a0\u00a0BL\/porn\/domains
\nurllist\u00a0\u00a0\u00a0\u00a0 BL\/porn\/urls
\n}<\/p>\n

dest socialnet {
\ndomainlist\u00a0\u00a0\u00a0BL\/socialnet\/domains
\nurllist\u00a0\u00a0\u00a0\u00a0 BL\/socialnet\/urls
\n}<\/p>\n

# Controle de Acessos ( ACLs )<\/p>\n

acl\u00a0\u00a0 {<\/p>\n

ACESSOLIVRE\u00a0{
\npass !porn !porn2
\n}<\/p>\n

ACESSOREDESSOCIAIS\u00a0{
\npass socialnet !porn !porn2 !audio-video
\n}<\/p>\n

ACESSOVIDEOS {
\npass audio-video !porn !porn2 !socialnet
\n}<\/p>\n

default {
\npass !porn !porn2 !socialnet !audio-video
\nredirect http:\/\/192.168.100.16\/cgi-bin\/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
\n}
\n}<\/p>\n<\/div>\n

Baixe as listas dentro do diret\u00f3rio\u00a0\/var\/squidGuard\/db<\/span>, eu, particularmente, uso as duas listas abaixo:<\/p>\n