A free proxy server for an enterprise with domain authorization

pfSense + Squid with https filtering + Single Sign-On (SSO) with Active Directory group filtering

In brief

The company needs a proxy server that can filter access to sites (including https) by AD groups, so that users do not have to enter any extra passwords, and that can be managed through a web interface. A nice set of requirements, isn't it?

The correct answer would be to buy a solution such as Kerio Control or UserGate, but, as always, there is no money, yet there is a need.

This is where good old Squid comes to the rescue, but again: where do I get a web interface? SAMS2? Practically dead and not working. This is where pfSense comes to the rescue.

Description

This article describes how to set up a Squid proxy server.
Kerberos will be used for user authentication.
SquidGuard will be used for filtering by domain groups.

LightSquid, sqstat and the built-in pfSense monitoring will be used for monitoring.
It will also solve a common problem that comes with introducing single sign-on (SSO): applications that try to access the Internet under the computer account or under their own system account.

Preparing to install Squid

pfSense is taken as the base; installation instructions are available separately.

Inside it, we set up authentication on the firewall itself using domain accounts (instructions are available separately).

Very important!

Before you start installing Squid, you need to configure the DNS server in pfSense, create an A record and a PTR record for it on our DNS server, and configure NTP so that its time does not differ from the time on the domain controller.

Also, on your network, give the pfSense WAN interface access to the Internet and let users on the local network connect to the LAN interface, including ports 7445 and 3128 (8080 in our case).

All ready? Is the LDAP connection to the domain for authorization on pfSense established, and is the time synchronized? Great. Time to start the main process.

Installation and pre-configuration

Squid, SquidGuard and LightSquid are installed from the pfSense package manager in the "System / Package Manager" section.

After successful installation, go to "Services / Squid Proxy Server /" and first, in the Local Cache tab, configure caching. I set everything to 0, since I don't see much point in caching pages; browsers do a fine job of that themselves. After configuring, press the "Save" button at the bottom of the screen, which lets us move on to the basic proxy settings.

The main settings are as follows:

The default port is 3128, but I prefer to use 8080.

The options selected in the Proxy Interface tab determine which interfaces the proxy server listens on. Since this firewall is built so that it faces the Internet on the WAN interface, even though LAN and WAN may sit on the same local subnet, I recommend using LAN for the proxy.

Loopback is needed for sqstat to work.

Below you will find the settings for the Transparent proxy and the SSL Filter, but we don't need them: our proxy will not be transparent, and for https filtering we will not substitute the certificate (we have document workflow, bank clients, etc.); we will only look at the handshake.

At this stage we need to go to our domain controller and create an authentication account there (you can use the one configured for authentication on pfSense itself). Here is an important point: if you intend to use AES128 or AES256 encryption, check the corresponding boxes in the account settings.

If your domain is a complex forest with a heap of directories, or your domain is .local, it is POSSIBLE, but not certain, that you will have to use a simple password for this account. The bug is known, but it simply may not work with a complex password; you need to check in your specific case.

After that, we create the keytab file for kerberos: open a command prompt with administrator rights on the domain controller and enter:

# ktpass -princ HTTP/[email protected] -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here we specify the FQDN of our pfSense (be sure to respect the case), enter our domain account and its password in the mapuser parameter, choose the encryption method in crypto (I used rc4 for the job), and in the out field choose where the finished keytab file will be written.
After the keytab file is successfully created, we send it to our pfSense. I used Far for this, but you can do it all with commands and putty, or via the pfSense web interface in the "Diagnostics / Command Prompt" section.

Now we can edit/create /etc/krb5.conf

(screenshot: contents of /etc/krb5.conf)

where /etc/krb5.keytab is the keytab file we created.

Be sure to check that kerberos works using kinit; if it does not work, there is no point in reading further.

Configuring Squid authentication and the access list without authentication

After kerberos has been configured successfully, we bind it to our Squid.

To do this, go to Services / Squid Proxy Server and, in the general settings, scroll to the very bottom, where we find the "Advanced settings" button.

In the Custom Options (Before Auth) field, enter:

# Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
# Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
# Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth

where auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the kerberos authentication helper we need.

The -s key with the value GSS_C_NO_NAME declares that any account from the keytab file may be used.

The -k key with the value /usr/local/etc/squid/squid.keytab tells it to use this specific keytab file. In my case this is the same keytab file we created, which I copied to the /usr/local/etc/squid/ directory and renamed, because squid did not want to be friends with the original directory; apparently it did not have enough rights there.

The -t key with the value none disables cyclic requests to the domain controller, which significantly reduces the load if you have more than 50 users.
For the duration of testing you can also add the -d key, i.e. debugging; more log output will be shown.
auth_param negotiate children 1000 sets how many simultaneous authentication processes can be run.
auth_param negotiate keep_alive on does not allow the connection to be dropped while the authentication chain is being polled.
acl auth proxy_auth REQUIRED creates and requires an access control list that contains the users who have passed authentication.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells squid about the nonauth access list, which contains destination domains that everyone is always allowed to reach. We create the file ourselves and enter domains in it in the format

.whatsapp.com
.whatsapp.net

WhatsApp is not used as an example for nothing: it is very picky about proxies with authentication and simply will not work unless it is allowed before authentication.
http_access allow nonauth allows everyone access to this list.
http_access deny !auth denies unauthenticated users access to other sites.
http_access allow auth allows access to authenticated users.
That's it, squid itself is configured; now it's time to start filtering by groups.
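To see why the order of those three http_access lines and the leading dot in the nonauth entries matter, here is an added example (not code from the article or from Squid) that models Squid's first-match rule evaluation and its dstdomain matching semantics for the exact rule set above. The nonauth list content is a constructed stand-in for /etc/squid/nonauth.txt with the same two entries.

```python
"""Model of the article's three http_access rules and dstdomain matching.

Added example, not part of the article. It reproduces Squid's first-match
evaluation of

    http_access allow nonauth
    http_access deny !auth
    http_access allow auth

so that the pre-authentication bypass for the WhatsApp domains can be
checked without a running proxy.
"""

# Constructed stand-in for /etc/squid/nonauth.txt (same entries as the article).
NONAUTH_TXT = """\
.whatsapp.com
.whatsapp.net
"""


def load_dstdomain_list(text):
    """Parse a dstdomain list: one entry per line, '#' comments and blanks ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def dstdomain_matches(entry, host):
    """Squid dstdomain semantics.

    An entry with a leading dot (".whatsapp.com") matches the domain itself and
    every subdomain below it; an entry without a leading dot matches only that
    exact host. The dot boundary is what keeps "notwhatsapp.com" from matching.
    """
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def http_access(host, authenticated, nonauth_entries):
    """Evaluate the rule set for one request; returns 'allow' or 'deny'.

    Rules are tried in order and the first one whose ACLs match decides, as in
    Squid. A 'deny' reached through '!auth' is the case in which Squid answers
    407 Proxy Authentication Required and the client is asked for credentials.
    """
    nonauth = any(dstdomain_matches(e, host) for e in nonauth_entries)
    rules = [
        ("allow", nonauth),            # http_access allow nonauth
        ("deny", not authenticated),   # http_access deny !auth
        ("allow", authenticated),      # http_access allow auth
    ]
    for action, matched in rules:
        if matched:
            return action
    # Not reachable with this rule set (a request is either authenticated or
    # not), kept so the function is total if rules are edited.
    return "deny"


def evaluate(host, authenticated):
    """Convenience wrapper using the constructed nonauth list."""
    return http_access(host, authenticated, load_dstdomain_list(NONAUTH_TXT))


if __name__ == "__main__":
    for host, auth in [("web.whatsapp.com", False), ("notwhatsapp.com", False),
                       ("habr.com", False), ("habr.com", True)]:
        print(f"{host:20} authenticated={auth!s:5} -> {evaluate(host, auth)}")
```

The interesting case is "notwhatsapp.com": a naive suffix check would let it through before authentication, while the real dstdomain rule (and this model) does not, because the match is anchored at a label boundary.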

Configuring SquidGuard

Go to Services / SquidGuard Proxy Filter.

In LDAP Options we enter the details of our account used for kerberos authentication, but in the following format:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If there are spaces or non-Latin characters, this whole entry should be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Next, be sure to check the boxes shown in the screenshot:

(screenshot: LDAP Options checkboxes)

These strip the unnecessary DOMAIN.LOCAL from DOMAIN\pfsense, something the whole system is very sensitive to.

Now we go to Group Acl and bind our domain access groups. I use simple names like group_0, group_1 and so on up to 3, where 3 gets access only to the whitelist and 0 to everything possible.

Groups are connected as follows:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

Then we save our group and go to Times, where I created a single interval meaning "always active". Now go to Target Categories and create lists according to our needs. After the lists are created, return to our groups and, inside each group, use the buttons to choose who may go where and who may not.
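The ldapusersearch line is easy to get wrong by hand: the commas inside the memberOf DN must be written as %2c while the base DN in the URL path keeps its literal commas, and %s must stay as the user-name placeholder. The following is an added example (not code from the article, SquidGuard or pfSense) that builds the URL for any group from its parts and parses a pasted URL back, flagging unescaped commas. Server, port, base DN and the group OU are taken from the article's own line; the helper and function names are my own.

```python
"""Build and check SquidGuard ldapusersearch URLs for AD group ACLs.

Added example, not part of the article. SquidGuard reads the memberOf value as
part of an LDAP URL filter, so commas inside the group DN are written as %2c;
the base DN in the URL path keeps literal commas, and the literal %s is where
SquidGuard substitutes the user name.
"""
import re
from urllib.parse import unquote

# Values taken from the article's own ldapusersearch line.
SERVER = "dc.domain.local"
PORT = 3268                      # AD Global Catalog LDAP port, as in the article
BASE_DN = "DC=DOMAIN,DC=LOCAL"
GROUPS_OU = "OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"


def build_ldapusersearch(server, port, base_dn, group_dn, attr="sAMAccountName"):
    """Return the ldapusersearch URL restricting a group ACL to one AD group."""
    if "%s" in group_dn:
        raise ValueError("group DN must not contain the %s placeholder")
    escaped_group = group_dn.replace(",", "%2c")
    return (f"ldap://{server}:{port}/{base_dn}?{attr}?sub?"
            f"(&({attr}=%s)(memberOf={escaped_group}))")


def parse_ldapusersearch(url):
    """Split a URL into (server, port, base_dn, attr, scope, group_dn).

    Raises ValueError when the URL is malformed, has no memberOf clause, or
    still contains unescaped commas inside the memberOf DN.
    """
    m = re.fullmatch(r"ldap://([^/:]+):(\d+)/([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("malformed ldapusersearch URL")
    server, port, base_dn, attr, scope, filt = m.groups()
    g = re.search(r"\(memberOf=([^()]+)\)", filt)
    if not g:
        raise ValueError("filter has no memberOf clause")
    if "," in g.group(1):
        raise ValueError("commas inside the memberOf DN must be written as %2c")
    return server, int(port), base_dn, attr, scope, unquote(g.group(1))


def check_ldapusersearch(url):
    """True if the URL parses cleanly, False otherwise (for quick validation)."""
    try:
        parse_ldapusersearch(url)
        return True
    except ValueError:
        return False


def group_acl_urls(group_names, ou=GROUPS_OU):
    """URLs for several groups at once (the article uses group_0 .. group_3)."""
    return {name: build_ldapusersearch(SERVER, PORT, BASE_DN, f"CN={name},{ou}")
            for name in group_names}


if __name__ == "__main__":
    for name, url in group_acl_urls([f"group_{i}" for i in range(4)]).items():
        print(name)
        print("  ldapusersearch", url)
        print("  group DN:", parse_ldapusersearch(url)[5])
```

Each generated line goes into the corresponding Group Acl entry in pfSense; running a hand-edited line through check_ldapusersearch before pasting catches the unescaped-comma mistake, which otherwise shows up only as every user silently failing the group match.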

LightSquid and sqstat

If during setup we selected loopback in the squid settings and opened access to port 7445 in the firewall, both on our network and on pfSense itself, then under Squid Proxy Reports / Diagnostics we can easily open both sqstat and LightSquid. For the latter we need to come up with a username and password in the same place, and there is also an option to choose the theme.

Conclusion

pfSense is a very powerful tool that can do a lot: proxying traffic and controlling user access to the Internet are only a small part of its functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved us from buying a proxy.

I hope this article helps someone solve a problem that is relevant for medium and large enterprises.

source: www.habr.com
