Andrey Borovkov's blog


Configuring Squid for authentication against AD, version 2.0

by Andrey Borovkov on 04.09.2013, no comments

How to authenticate Squid against AD with the help of Samba was covered in the previous article.
Now let's look at how to authenticate Squid against Microsoft Active Directory without Samba at all.
As a bonus, we will also learn how to scan the proxied content for viruses.


Squid + c-icap + LDAP auth

1) Install ClamAV

2) Install c-icap (built against the ClamAV library):
./configure --enable-static --with-clamav=/usr --prefix=/usr/local/services/c_icap
make && make install

3) c-icap.conf:
#----------------------------------------------------------------
# This file contains the default settings for c-icap

PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0

Port 1344
User squid
Group squid

TmpDir /tmp
MaxMemObject 131072

ServerLog /var/log/squid/c_icap-server.log
AccessLog /var/log/squid/c_icap-access.log
#DebugLevel 3

ModulesDir /usr/local/services/c_icap/lib/c_icap
Module logger sys_logger.so
Module perl_handler perl_handler.so

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

Logger file_logger

acl localsquid_respmod src 127.0.0.1 type respmod
acl localsquid src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
icap_access allow localsquid_respmod
icap_access allow localsquid
icap_access deny externalnet

ServicesDir /usr/local/services/c_icap/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so

ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple

srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M

# The Maximum object to be scanned.
srv_clamav.MaxObjectSize 50M
#The directory which clamav library will use as temporary.
srv_clamav.ClamAvTmpDir /tmp
# Sets the maximum number of files in an archive. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFilesInArchive 0
#Sets the maximal archived file size. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
#The maximal recursion level.Set it to 0 to disable it.
srv_clamav.ClamAvMaxRecLevel 5

# And here the viralator-like mode.
# where to save documents
srv_clamav.VirSaveDir /var/tmp
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
srv_clamav.VirHTTPServer "DUMMY"
# The refresh rate.
srv_clamav.VirUpdateTime 15
# For which filetypes the "viralator like mode" will be used.
srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE

#----------------------------------------------------------------
Start the daemon and check that it is listening on the ICAP port:
~/bin/c-icap
netstat -nlput | grep c-icap

tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN 16730/c-icap

4) Install Squid (with the LDAP helpers and the ICAP client enabled):
./configure --prefix=/usr/local/services/squid --enable-basic-auth-helpers="LDAP,NCSA" --enable-external-acl-helpers=ldap_group --enable-icap-client --with-icap=/usr/local/services/c_icap
make && make install

5) Test the helpers:
a) In AD, create a user (e.g. squid) that will be used to read directory information, and create a group whose members are allowed Internet access.
b) Check the user with a plain bind: ldapsearch -D "squid@pstlab.int" -x -W -b "dc=pstlab,dc=int" -h 192.168.0.4 -p 3268
c) Test the group helper (type a "user group" line on stdin; the helper answers OK or ERR):
cd ~squid/libexec
./squid_ldap_group -R \
  -b "ou=enterprise,dc=ptslab,dc=int" \
  -D "cn=squid,ou=users,ou=enterprise,dc=ptslab,dc=int" \
  -w "xxxxxxx" \
  -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=users,ou=enterprise,dc=ptslab,dc=int))" \
  -h 192.168.11.4 -p 3268
user_name group_name
OK
d) Test the user helper (type a "user password" line on stdin; the helper answers OK or ERR):
./squid_ldap_auth -R -D squid@ptslab.int -w xxxxxxxx -b "dc=ptslab,dc=int" -f "sAMAccountName=%s" 192.168.0.4 -p 3268
user_name password
OK

6) Configure Squid; the changes to squid.conf:
auth_param basic program /usr/local/services/squid/libexec/squid_ldap_auth -R -D squid@ptslab.int -w xxxxxx -b "dc=ptslab,dc=int" -f "sAMAccountName=%s" 192.168.0.4 -p 3268
auth_param basic children 5
auth_param basic realm PROXY AUTH
auth_param basic credentialsttl 2 hours

external_acl_type InetGroup %LOGIN /usr/local/services/squid/libexec/squid_ldap_group -R -b "ou=enterprise,dc=ptslab,dc=int" -D "cn=squid,ou=users,ou=enterprise,dc=ptslab,dc=int" -w "xxxxxx" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=users,ou=enterprise,dc=ptslab,dc=int))" -h 192.168.0.4 -p 3268

# One ACL type per acl line: source networks, the authentication requirement
# and the group membership check are separate ACLs combined on http_access.
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/24
acl AuthUsers proxy_auth REQUIRED
acl InetAccess external InetGroup inet_users

# Source network is tested first, so only local clients are challenged for credentials.
http_access allow localnet AuthUsers InetAccess
http_access allow localhost AuthUsers InetAccess
http_access deny all

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/srv_clamav
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/srv_clamav
icap_class class_req service_req
icap_class class_resp service_resp
icap_access class_req allow all
icap_access class_resp allow all
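
As an added example (not code from the original post), here is how an external ACL helper such as squid_ldap_group turns the "user group" line it receives (the test in step 5 and the external_acl_type line above) into the LDAP filter, and why the login must be escaped before it is interpolated. The filter template is the one from the configuration; the directory contents and user names are constructed test data.

```python
import sys

# Filter template from the squid.conf above; %v is the login Squid passes (%LOGIN),
# %a is the group name from the "acl InetAccess external InetGroup inet_users" line.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=cn=%a,ou=users,ou=enterprise,dc=ptslab,dc=int))")

# Constructed stand-in for the AD directory: sAMAccountName -> set of memberOf DNs.
DIRECTORY = {
    "alice": {"cn=inet_users,ou=users,ou=enterprise,dc=ptslab,dc=int"},
    "bob": set(),
}


def ldap_escape(value: str) -> str:
    """Escape an LDAP filter assertion value (RFC 4515, \\XX hex form).

    Without this, a login containing * ( ) or \\ would be parsed as filter
    syntax instead of being compared literally against sAMAccountName.
    """
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(user: str, group: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute %v and %a into the template the way the group helper does."""
    return template.replace("%v", ldap_escape(user)).replace("%a", ldap_escape(group))


def is_member(user: str, group: str) -> bool:
    """Evaluate the membership test against the constructed directory. A real
    helper sends build_filter(user, group) to the LDAP server and checks for a hit."""
    group_dn = f"cn={group},ou=users,ou=enterprise,dc=ptslab,dc=int"
    return group_dn in DIRECTORY.get(user, set())


def helper_reply(line: str) -> str:
    """One round of the external ACL helper protocol: 'user group' in, OK/ERR out."""
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"  # malformed request: fail closed, never grant access
    user, group = parts
    return "OK" if is_member(user, group) else "ERR"


if __name__ == "__main__":
    # Same loop as a real helper: Squid writes one request per line on stdin.
    for request in sys.stdin:
        print(helper_reply(request), flush=True)
```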

7) Start Squid and test the antivirus scanning with http://www.eicar.org/anti_virus_test_file.htm
