Bloquear Grupos do AD no Squid [RESOLVIDO] [Squid/Iptables]

1. Bloquear Grupos do AD no Squid [RESOLVIDO]

Enviado em 04/07/2012 - 11:02h

Ola,

Recentemente instalei o Squid3 numa maquina integrado com o AD do Windows 2008, tudo esta funcionando maravilhosamente, porem eu precisava fazer o bloqueio de sites, mas naum sei como fazer isto, pois eu queria fazer o bloqueio por Grupo do AD..

Eu sei colocar aregras de bloqueio simples, porem nao sei como bloquear os Grupo.

segue meu squid.conf

# Portas (padrão 3128)
#########################################
http_port 3128

# OTIMIZANDO CONEXÕES
#########################################
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Logs
########################################
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

# ============================================================================
# =================== Autenticação no Windows 2008 =========================
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED

# ACLs
#########################################

# acls de origem
# =======================================
acl localhost src 127.0.0.1/32
# rede dmz (rede servidores)
#acl dmz src 192.168.0.0/24
# rede administrativo (rede setor administrativo)
acl administrativo src 192.168.0.0/24
# rede acadêmica (rede setor acadêmico)
#acl academica src 172.16.0.0/24
### admins (IPs com acesso administrador do squid - não usam proxy para navegar)
#acl admins src 172.16.10.180/32

acl allDest dst all
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop3
acl Safe_ports port 587 # ssmtp
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Unimed
acl Safe_ports port 82 # Unimed
acl Safe_ports port 83 # Unimed
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
#acl Safe_ports port 901 # SWAT
acl Safe_ports port 4500 # Biblioteca USP dedalus
acl Safe_ports port 2083 # CPANEL
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 1494 # Sigov
acl Safe_ports port 8333 # WMWARE SERVER
acl manager proto cache_object
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

acl sites_deny dstdomain -i "/etc/squid3/acls/sites-proibidos"
acl sites_allow dstdomain -i "/etc/squid3/acls/sites-permitidos"
acl caixa dstdomain -i .caixa.gov.br
acl update dstdomain -i Windowsupdate.microsoft.com au.download.Windowsupdate.com
acl admin src "/etc/squid3/acls/admin"

http_access allow admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow update
http_access deny sites_deny !sites_allow
http_access allow all AuthorizedUsers

http_access allow caixa
always_direct allow caixa
http_reply_access allow all
http_access deny all

icp_access allow all
miss_access allow all
dns_nameservers 17.0.0.1

# SNMP
acl snmpro snmp_community local
snmp_access allow snmpro all
snmp_port 3401

# ============================================================================
# ======================= Configuracoes Diversas ============================
# Email do administrador
cache_mgr suporteti@santacasaolimpia.com.br
# Host visível
visible_hostname SQSERVER.SCM.OLIMPIA.COM.BR
# Linguagem dos erros
error_directory /usr/share/squid3/errors/Portuguese
# Evita que sejam feitos coredumps.
coredump_dir /var/spool/squid3
# Numero de arquivos de log rotacionados a guardar.
logfile_rotate 4

quando eu montei eu segui um tutorial do Vol
http://www.vivaolinux.com.br/artigo/Integrando-autenticacao-do-Squid-ao-Active-Directory

Alguem ae pode me ajudar????

2. Re: Bloquear Grupos do AD no Squid [RESOLVIDO]

Enviado em 04/07/2012 - 14:40h

Olá amigo, da uma olhada nesse tutorial, veja se ajuda em algo:

http://www.vivaolinux.com.br/dica/Autenticando-Squid-3-no-Active-Directory-do-Windows-Server-2008-64...

3. Re: Bloquear Grupos do AD no Squid [RESOLVIDO]

Enviado em 05/07/2012 - 01:24h

Desculpe amigo Lucas, mas nao consegui....

4. Re: Bloquear Grupos do AD no Squid [RESOLVIDO]

Enviado em 27/07/2012 - 16:13h

Pessoal, consegui, com ajuda de um Membro aqui do VoL ele bem dizer fez tudo para mim, vou postar o resultado para quem tiver interessado.

# Bem vindo ao Proxy Squid
##########################################

# Portas (padrão 3128)
#########################################
http_port 192.168.1.50:3128

# OTIMIZANDO CONEXÕES
#########################################
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Logs
########################################
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

acl redelocal src 192.168.1.0/32
acl localhost src 192.168.1.50/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443 563
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop3
acl Safe_ports port 587 # ssmtp
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Unimed
acl Safe_ports port 82 # Unimed
acl Safe_ports port 83 # Unimed
acl Safe_ports port 84 # Unimed
acl Safe_ports port 8080 # tomcat
acl Safe_ports port 8443 # tomcat - ssl
acl Safe_ports port 10000 # webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # msn
#acl Safe_ports port 901 # SWAT
acl Safe_ports port 4500 # Biblioteca USP dedalus
acl Safe_ports port 2083 # CPANEL
acl Safe_ports port 2631 # Conectividade Social
acl Safe_ports port 1494 # Sigov
acl Safe_ports port 8333 # WMWARE SERVER
acl manager proto cache_object
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

# ============================================================================
# =================== Autenticação no Windows 2008 =========================
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 12 hours
acl Autenticados proxy_auth REQUIRED

#################################################################################
Grupos do AD

external_acl_type nt_group %LOGIN /usr/lib/squid3/wbinfo_group.pl
acl ad_AcessoAdministrativo external nt_group AcessoAdministrativo
acl ad_AcessoAuditoria external nt_group AcessoAuditoria
acl ad_AcessoFarmarcia external nt_group AcessoFarmacia
acl ad_AcessoRecepcao external nt_group AcessoRecepcao
acl ad_AcessoBloqueado external nt_group AcessoBloqueado

acl sites_deny url_regex -i "/etc/squid3/acls/sites-proibidos"
acl sites_allow url_regex -i "/etc/squid3/acls/sites-permitidos"

#Definindo Controle de Acesso

http_access allow sites_allow
http_access deny sites_deny
http_access allow ad_AcessoAdministrativo
http_access allow ad_AcessoAuditoria
http_access allow ad_AcessoFarmarcia
http_access allow ad_AcessoRecepcao
http_access allow ad_AcessoBloqueado
http_access deny localhost
http_access allow autenticados redelocal
http_access allow all

icp_access allow all
miss_access allow all
dns_nameservers 17.0.0.1

# SNMP
acl snmpro snmp_community local
snmp_access allow snmpro all
snmp_port 3401

# ============================================================================
# ======================= Configuracoes Diversas ============================
# Email do administrador
cache_mgr suporteti@santacasaolimpia.com.br
# Host visível
visible_hostname SQSERVER.SCM.OLIMPIA.COM.BR
# Linguagem dos erros
error_directory /usr/share/squid3/errors/Portuguese
# Evita que sejam feitos coredumps.
coredump_dir /var/spool/squid3
# Numero de arquivos de log rotacionados a guardar.
logfile_rotate 4

Obrigado pessoal!

Bloquear Grupos do AD no Squid [RESOLVIDO]

Responder tópico