Free proxy server for business with domain authentication

pfSense + Squid with HTTPS filtering + single sign-on (SSO) with filtering by Active Directory groups

A short background

The company needed a proxy server able to filter access to sites (including HTTPS) by AD groups, so that users would not have to enter yet another password, and manageable through a web interface. A reasonable request, isn't it?

The correct answer would be to buy a solution such as Kerio Control or UserGate, but as usual there is no money, while the need is real.

This is where good old Squid comes to the rescue, but again: where do I get a web interface? SAMS 2? Morally obsolete. This is where pfSense comes to the rescue.

Description

This article describes how to set up a Squid proxy server.
Kerberos will be used to authenticate users.
SquidGuard will be used to filter by domain groups.

LightSquid, sqstat and the built-in pfSense monitoring will be used for monitoring.
It will also solve a common problem that comes with introducing single sign-on (SSO): applications that go to the Internet under the computer's system account rather than under the user's account.

Preparing to install Squid

pfSense will be used as the base; see its installation instructions.

Within it we set up authentication on the firewall itself using a domain account. Instructions.

Very important!

Before you start installing Squid, you must configure the DNS server in pfSense, create A and PTR records for it on your DNS server, and set up NTP so that the time does not differ from the time on the domain controller (Kerberos rejects tickets when the clocks differ by more than the default 5 minutes).

And on your network, give the pfSense WAN interface access to the Internet, and let users on the local network connect to the LAN interface, including on ports 7445 and 3128 (8080 in my case).

Everything ready? Is the LDAP connection to the domain set up for pfSense authentication, and is the time synchronized? Great. It is time to start the main part.

Installation and pre-configuration

Squid, SquidGuard and LightSquid are installed through the pfSense package manager in the "System / Package Manager" section.

After the installation completes, go to "Services / Squid Proxy Server" and, first of all, configure caching in the Local Cache tab. I set everything to 0, because I see little point in caching sites; browsers handle that well enough on their own. After configuring, press the "Save" button at the bottom of the screen, and this lets us move on to the basic settings.

The main settings are as follows:

The default port is 3128, but I prefer to use 8080.

The options in the Proxy Interface tab determine which interfaces our proxy server will listen on. Since this firewall is built so that it looks to the Internet through the WAN interface, even though LAN and WAN may be in the same local subnet, I recommend using LAN for the proxy.

Loopback is needed for sqstat to work.

Below you will see the Transparent proxy settings and the SSL Filter, but we do not need them: our proxy will not be transparent, and for HTTPS filtering we will not substitute certificates (we have document management systems, bank clients and so on). We will only look at the handshake, that is, at the destination host in the CONNECT request.

At this stage we need to go to our domain controller and create an account there (you can use the one already configured for pfSense's own authentication). Here is a very important point: if you plan to use AES128 or AES256 encryption, tick the corresponding box in the account's properties.

If your domain is a complex forest with a large number of directories, or your domain is .local, then it is POSSIBLE, though not certain, that you will have to use a simple password for this account; the bug is known, but it may not work with a complex password, so check this in your particular case.


Then we create the keytab file for Kerberos: open a command prompt with administrator rights on the domain controller and enter:

ktpass -princ HTTP/pfsense.domain.local@DOMAIN.LOCAL -mapuser pfsense -pass 3EYldza1sR -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here we specify the FQDN of our pfSense in the principal, observing case (the realm after @ is upper-case); in mapuser the domain account, and in pass its password (note that ktpass sets this password on the account); in crypto the encryption type, one of DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-NT, AES256-SHA1, AES128-SHA1 or All (I use RC4 for compatibility, but AES256-SHA1 is the stronger choice and requires the AES box ticked on the account); and in out the path where the finished keytab file is written.
Once the keytab is created, we copy it to our pfSense. I use Far for this, but you can also do it from the command line with PuTTY, or through the pfSense web interface in the "Diagnostics / Command Line" section. The keytab holds the account's key, so transfer it over an encrypted channel (SCP/SFTP) and restrict its permissions.

Now we can edit or create /etc/krb5.conf (its contents were shown as a screenshot in the original article),


where /etc/krb5.keytab is the keytab file we created.
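An added example of what /etc/krb5.conf can look like for this setup; it is not the file from the original screenshot. The realm DOMAIN.LOCAL and the KDC dc.domain.local follow the placeholder names used elsewhere on this page, and the enctype lines are an assumption to adjust to whatever -crypto was used with ktpass:

```ini
# Added example of /etc/krb5.conf for the realm used in this article.
# DOMAIN.LOCAL and dc.domain.local are placeholders; replace with your own.
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_keytab_name = /etc/krb5.keytab
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true
    # rc4-hmac is only needed if the keytab was made with -crypto RC4-HMAC-NT;
    # drop it once the keytab and the account use AES.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
```

To check the keytab and this configuration together, list the principals and encryption types stored in the keytab with klist -kt /etc/krb5.keytab, then obtain a ticket from it with kinit -kt /etc/krb5.keytab HTTP/pfsense.domain.local@DOMAIN.LOCAL and confirm it with klist; a "Clock skew too great" or "Server not found in Kerberos database" error at this point points back to NTP or to the SPN case, respectively.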

Be sure to verify that Kerberos works using kinit and klist; if it does not work, there is no point in reading further.

Configuring Squid authentication and an access list without authentication

Once Kerberos is set up, we attach it to our Squid.

To do this, go to Services / Squid Proxy Server and in the General settings scroll to the very bottom, where we find the "Advanced settings" button.

In Custom Options (Before Auth), enter:

# Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
# Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
# Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth

where auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the Kerberos authentication helper we need.

The -s option with the value GSS_C_NO_NAME tells the helper to accept any service principal present in the keytab instead of one fixed name.

The -k option with the value /usr/local/etc/squid/squid.keytab tells the helper to use this specific keytab file. In my case this is the same keytab we created, copied into the /usr/local/etc/squid/ directory and renamed, because Squid refused to read it from a directory where it did not have sufficient permissions. The file must be readable by the user Squid runs as, and by nobody else.

The -t option with the value none disables the helper's Kerberos replay cache (-t selects the replay cache type). The replay cache is a local file the helper must lock and update for every authenticator it checks, so turning it off removes that overhead; with more than 50 users this noticeably reduces the load. Keep in mind that it also removes the protection the replay cache gives against a captured authenticator being replayed within its validity window.
While testing, you can add the -d option: it enables debugging, and a lot more will be written to the logs.
auth_param negotiate children 1000 sets how many authentication helper processes may run at once.
auth_param negotiate keep_alive on keeps the client connection open during the Negotiate exchange instead of dropping it after the 407 challenge.
acl auth proxy_auth REQUIRED defines an access list that matches users who have passed proxy authentication.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells Squid about the nonauth access list, which holds the destinations that everyone must be able to reach without authentication. We create the file ourselves and enter entries into it in the form:

.whatsapp.com
.whatsapp.net

WhatsApp was not chosen as the example by accident: it is very picky about proxies with authentication and will not work unless it is allowed before authentication.
http_access allow nonauth allows everyone access to this list.
http_access deny !auth denies unauthenticated users access to everything else.
http_access allow auth allows access to authenticated users.
That is it, Squid itself is configured; now it is time to start filtering by groups.
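The order of those three http_access lines is what makes the WhatsApp exception work. The following is an added example, not code from the original article or from Squid: a small Python simulation of how Squid walks the lines (first match wins) and of how a dstdomain entry with a leading dot matches. The sample nonauth list and the requests are constructed for the demonstration.

```python
"""Added example, not code from the article or from Squid: simulates Squid's
first-match evaluation of the three http_access lines and the dstdomain
leading-dot matching rule. Sample list and requests are constructed."""
from dataclasses import dataclass

CHALLENGE = "407 Proxy Authentication Required"


def load_dstdomain_list(text: str) -> list[str]:
    """Parse a dstdomain list file the way Squid reads it: one entry per line,
    blank lines and '#' comments ignored, entries lower-cased."""
    entries = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            entries.append(entry)
    return entries


def dstdomain_matches(entry: str, host: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'example.com' without the dot matches only that exact host."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


@dataclass
class Request:
    host: str             # destination host (for HTTPS, the CONNECT host)
    authenticated: bool   # True once the Negotiate/Kerberos exchange succeeded


# The http_access lines from this section, in order: (action, acl, negated).
RULES_FROM_ARTICLE = [
    ("allow", "nonauth", False),   # http_access allow nonauth
    ("deny",  "auth",    True),    # http_access deny !auth
    ("allow", "auth",    False),   # http_access allow auth
]

# The same lines with the first two swapped: a common mistake.
WRONG_ORDER = [RULES_FROM_ARTICLE[1], RULES_FROM_ARTICLE[0], RULES_FROM_ARTICLE[2]]


def evaluate(rules, req: Request, nonauth: list[str]) -> str:
    """Return 'allow', 'deny' or the 407 challenge for a request.

    Squid stops at the first http_access line whose ACL expression matches.
    A proxy_auth REQUIRED ACL cannot be decided without credentials, so when
    such a line is reached for an unauthenticated request Squid answers 407
    to start the Negotiate handshake, whether or not the ACL is negated.
    """
    for action, acl, negated in rules:
        if acl == "nonauth":
            matched = any(dstdomain_matches(e, req.host) for e in nonauth)
        elif acl == "auth":
            if not req.authenticated:
                return CHALLENGE
            matched = True
        else:
            raise ValueError(f"unknown acl {acl}")
        if matched != negated:      # the ACL (or its negation) matched this line
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample of /etc/squid/nonauth.txt, as listed in the article.
NONAUTH = load_dstdomain_list("""
# destinations reachable without proxy authentication
.whatsapp.com
.whatsapp.net
""")


def demo() -> dict[str, str]:
    """Outcomes for a few constructed requests under both rule orders."""
    cases = {
        "whatsapp, no creds, article order": (RULES_FROM_ARTICLE, Request("web.whatsapp.com", False)),
        "whatsapp, no creds, wrong order":   (WRONG_ORDER, Request("web.whatsapp.com", False)),
        "other site, no creds":              (RULES_FROM_ARTICLE, Request("example.org", False)),
        "other site, authenticated":         (RULES_FROM_ARTICLE, Request("example.org", True)),
    }
    return {name: evaluate(rules, req, NONAUTH) for name, (rules, req) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:40s} -> {result}")
```

With the lines in the article's order an unauthenticated WhatsApp client is allowed straight through; with deny !auth placed first the same client receives a 407 challenge it cannot answer, which is exactly the breakage the nonauth list exists to avoid.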

Configuring SquidGuard

Go to Services / SquidGuard Proxy Filter.

In LDAP Options we enter the details of the account used for Kerberos authentication, but in the following form:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If there are spaces or non-Latin characters, the whole entry must be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Next, be sure to tick the checkboxes that strip the NT domain prefix and the Kerberos realm suffix from the user name ("Strip NT domain name component" and "Strip Kerberos Realm component"), so that DOMAIN\user@DOMAIN.LOCAL becomes plain user; the whole system is very sensitive to this.

Now go to Groups ACL and bind our access lists to groups. I use simple names such as group_0, group_1 and so on up to 3, where 3 gets access only to the whitelist and 0 is allowed everything.

The groups are tied to AD as follows (port 3268 is the plaintext Global Catalog, so the bind password crosses the network in the clear; if your domain controllers and your squidGuard build support it, use ldaps:// on 3269 instead):

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))
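The commas inside the group DN are written as %2c because that DN sits inside the filter part of an LDAP URL, and the user name substituted for %s must be the bare sAMAccountName, which is why the two "strip" checkboxes above matter. The following is an added example, not pfSense or squidGuard code: it builds the ldapusersearch URL for each group from the placeholder host, base DN and OU names used on this page, and shows what the stripping options do to a user name.

```python
"""Added example, not pfSense or squidGuard code: builds the squidGuard
ldapusersearch URL for an AD group and shows why the NT-domain and realm
stripping options matter. Host, base DN and OU names are the article's
placeholders (dc.domain.local, DC=DOMAIN,DC=LOCAL, OU=squid,OU=service-groups)."""


def encode_dn_for_filter(dn: str) -> str:
    """Commas inside the DN that is embedded in the URL filter are written as
    %2c, exactly as in the article's URL; the rest of the DN stays literal."""
    return dn.replace(",", "%2c")


def ldapusersearch_url(gc_host: str, base_dn: str, group_name: str,
                       group_ou: str, port: int = 3268,
                       scheme: str = "ldap") -> str:
    """RFC 4516 style URL: scheme://host:port/base?attrs?scope?filter.
    %s is left in place for squidGuard to substitute the user name."""
    group_dn = f"CN={group_name},{group_ou},{base_dn}"
    ldap_filter = (f"(&(sAMAccountName=%s)"
                   f"(memberOf={encode_dn_for_filter(group_dn)}))")
    return f"{scheme}://{gc_host}:{port}/{base_dn}?sAMAccountName?sub?{ldap_filter}"


def group_urls(gc_host: str, base_dn: str, group_ou: str,
               count: int = 4, **kw) -> dict[str, str]:
    """One URL per group_0 .. group_{count-1}, as used in the Groups ACL."""
    return {
        f"group_{i}": ldapusersearch_url(gc_host, base_dn, f"group_{i}", group_ou, **kw)
        for i in range(count)
    }


def normalize_username(user: str) -> str:
    """What the 'Strip NT domain name component' and 'Strip Kerberos Realm
    component' options do: DOMAIN\\user -> user, user@DOMAIN.LOCAL -> user.
    Without this, %s would receive a name that never equals sAMAccountName and
    the memberOf lookup would silently match nobody."""
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user


if __name__ == "__main__":
    for name, url in group_urls("dc.domain.local", "DC=DOMAIN,DC=LOCAL",
                                "OU=squid,OU=service-groups").items():
        print(name, url)
    print(normalize_username("DOMAIN\\ivanov@DOMAIN.LOCAL"))
```

Calling group_urls with the page's placeholders reproduces the group_0 URL above verbatim; passing scheme="ldaps" and port=3269 gives the Global Catalog over TLS variant.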

Save the group, go to Times (there I created one interval that is always active), then go to Target categories and create the lists of our destinations; once the lists exist, return to the groups and, inside each group, use the controls to choose who may go where and who may not.

LightSquid thiab sqstat

If during configuration we selected loopback in the Squid settings and opened access to port 7445 in the firewall, both for our network and for pfSense itself, then under Status / Squid Proxy Reports we can easily open both sqstat and LightSquid; for the latter, in the same place, we need to set a username and password, and there is also a choice of theme.

Conclusion

pfSense is a very powerful tool that can do a great deal; proxying and managing user access to the Internet is only a fraction of its full functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved the cost of buying a proxy.

I hope this article helps someone solve a problem that is relevant to medium and large businesses.

Source: www.hab.com