pfSense + Squid with HTTPS filtering + Active Directory group filtering + Single Sign-On (SSO)
A short background
Our company needed to deploy a proxy server that could filter access to sites (including HTTPS) by AD group, without users having to enter any additional password, and that could be administered from a web interface. A reasonable request, isn't it?
The correct answer would have been to buy a solution such as Kerio Control or UserGate, but as usual there was no money, yet the need remained.
This is where good old Squid comes to the rescue. But where do we get a web interface? SAMS? Hopelessly outdated. This is where pfSense comes in.
Description
This article describes how to configure a Squid proxy server.
Kerberos is used for user authentication.
SquidGuard is used for filtering by domain group.
Lightsquid, sqstat and the built-in pfSense monitoring are used for monitoring.
It also solves a problem that commonly accompanies single sign-on (SSO): applications that go out to the Internet under the computer's system account rather than the user's.
Preparing to install Squid
pfSense is taken as the base,
on which we set up authentication to the firewall itself with domain accounts.
Very important!
Before starting the Squid installation, configure the DNS server on pfSense, create an A record and a PTR record for it on your DNS server, and configure NTP so that its time does not drift from the domain controller's time.
Also make sure that on your network the pfSense WAN interface can reach the Internet and that users on the local network can reach the LAN interface, including on ports 7445 and 3128 (8080 in my case).
All set? The LDAP connection to the domain for authentication on pfSense is established and the time is synchronized? Excellent. Time to begin the main process.
Installation and preliminary configuration
Squid, SquidGuard and LightSquid are installed from the pfSense package manager in the System / Package Manager section.
Installation succeeded? Go to Services / Squid Proxy Server and first configure caching on the Local Cache tab. I simply set everything to 0: I see no point in caching sites, browsers handle that well enough. After configuring, press the Save button at the bottom of the screen and the basic proxy settings become available.
The main settings are as follows:
The default port is 3128, but I prefer to use 8080.
The parameters selected on the Proxy interface tab determine which interfaces the proxy server listens on. Because this firewall is built so that it faces the Internet through the WAN interface, I recommend using LAN as the proxy interface even if LAN and WAN happen to sit in the same local subnet.
Loopback is needed for sqstat to work.
Below those are the transparent proxy settings and the SSL filter, but we do not need them: our proxy will not be transparent, and for HTTPS filtering we will not replace the certificate (we have document workflow systems, bank-client software and the like), we will only look at the handshake.
At this stage we need to go to the domain controller and create an account on it for authentication (the account already configured for authentication on pfSense itself can be used). One very important point: if you intend to use AES128 or AES256 encryption, tick the corresponding boxes in the account settings.
If your domain is a very complex forest with many directories, or your domain is .local, you MAY, though not certainly, have to use a simple password for this account. The bug is known, and with a complex password it may simply not work, so check your particular case.
After that, create the Kerberos key file: open a command prompt with administrator rights on the domain controller and enter:
# ktpass -princ HTTP/[email protected] -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab
Here we specify the FQDN of pfSense, being careful to respect case; in the mapuser parameter enter the domain account and its password; in crypto choose the encryption method (I used rc4); and in the -out field choose where the finished key file is written.
Once the key file has been created successfully, send it to pfSense. I used Far for this, but it can be done with commands, with putty, or through the pfSense web interface in the Diagnostics \ Command Prompt section.
Now we can edit or create /etc/krb5.conf.
Here /etc/krb5.keytab is the key file we created.
Be sure to verify that Kerberos works using kinit; if it does not work, there is no point in reading further.
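The prerequisites stressed above (an A record and a PTR record that agree, a clock in step with the domain controller, and a keytab whose principal matches the pfSense FQDN with the exact case used in ktpass) can be checked before Squid is touched. The following Python script is an added example written for this page, not code from the article or from pfSense. The host names, realm, addresses and keytab contents it uses are constructed placeholders, and the DNS and time values are passed in as plain data so the checks run offline; a live run would feed it the results of socket.gethostbyname, socket.gethostbyaddr and an NTP query.

```python
"""Pre-flight checks for the Kerberos prerequisites listed above.
Added example written for this page; not article or pfSense code.
All names, addresses, timestamps and keytab contents below are
constructed placeholders, and lookup results are passed in as data
so the checks run offline.
"""
import time
from typing import Dict, Iterable

MAX_CLOCK_SKEW_SECONDS = 300  # Kerberos tolerates 5 minutes of skew by default


def service_principal(fqdn: str, realm: str) -> str:
    """Build the HTTP service principal the keytab must contain.

    Conventional form: lower-case host name, upper-case realm.  The article
    stresses respecting case in the ktpass -princ argument, so the keytab
    check below compares against this exact string.
    """
    return f"HTTP/{fqdn.lower().rstrip('.')}@{realm.upper()}"


def dns_consistent(fqdn: str, forward: Dict[str, str], reverse: Dict[str, str]) -> bool:
    """True when the A record of fqdn and the PTR of that address agree.

    forward maps name -> address, reverse maps address -> name.  A live run
    would fill them from socket.gethostbyname / socket.gethostbyaddr.
    """
    name = fqdn.lower().rstrip(".")
    address = forward.get(name)
    if address is None:
        return False
    return reverse.get(address, "").lower().rstrip(".") == name


def clock_skew_ok(local_epoch: float, dc_epoch: float,
                  max_skew: float = MAX_CLOCK_SKEW_SECONDS) -> bool:
    """True when the local clock is within the Kerberos tolerance of the DC's."""
    return abs(local_epoch - dc_epoch) <= max_skew


def keytab_has_principal(principals: Iterable[str], fqdn: str, realm: str) -> bool:
    """True when the expected principal is among those in the keytab (as
    'klist -k' would list them), compared case-sensitively on purpose."""
    return service_principal(fqdn, realm) in set(principals)


def preflight(fqdn, realm, forward, reverse, local_epoch, dc_epoch, principals) -> Dict[str, bool]:
    """Run every check and report them by name so the failing one is obvious."""
    return {
        "dns_a_ptr": dns_consistent(fqdn, forward, reverse),
        "clock_skew": clock_skew_ok(local_epoch, dc_epoch),
        "keytab_spn": keytab_has_principal(principals, fqdn, realm),
    }


# Constructed sample data in the article's naming style (not real hosts).
SAMPLE_FORWARD = {"pfsense.domain.local": "192.0.2.10"}
SAMPLE_REVERSE = {"192.0.2.10": "pfsense.domain.local"}
SAMPLE_KEYTAB = ["HTTP/pfsense.domain.local@DOMAIN.LOCAL"]
WRONG_CASE_KEYTAB = ["HTTP/PFSense.domain.local@DOMAIN.LOCAL"]  # typed with different case

if __name__ == "__main__":
    now = time.time()
    for label, keytab in (("correct keytab", SAMPLE_KEYTAB), ("wrong-case keytab", WRONG_CASE_KEYTAB)):
        result = preflight("pfsense.domain.local", "DOMAIN.LOCAL",
                           SAMPLE_FORWARD, SAMPLE_REVERSE, now, now + 12, keytab)
        print(label, result)
```

Run with python3 it prints one boolean per check. A False keytab_spn with a correctly spelled FQDN usually means the -princ argument was typed with different case than the host name, which is the kind of mismatch kinit would then report.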
Configuring Squid authentication and the access list that needs no authentication
Once Kerberos is configured and working, we attach it to Squid.
To do this, go to Services \ Squid Proxy Server and scroll to the very bottom of the main settings, where you will find the Advanced settings button.
In the Custom Options (Before Auth) field, enter:
#Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
#Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
#Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth
Here auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the Kerberos authentication helper we need.
The -s key with the value GSS_C_NO_NAME allows any account from the key file to be used.
The -k key with the value /usr/local/etc/squid/squid.keytab tells the helper to use this particular keytab file. In my case it is the same key file we created, copied into the /usr/local/etc/squid/ directory and renamed, because squid would not work with the original directory, apparently for lack of sufficient permissions.
The -t key with the value none disables the periodic requests to the domain controller, which greatly reduces the load on it if you have more than 50 users.
During testing you can also add the -d key, i.e. diagnostics, which produces more log output.
auth_param negotiate children 1000 sets how many authentication helper processes can run simultaneously.
auth_param negotiate keep_alive on prevents the connection from being dropped while the authorization chain is being polled.
acl auth proxy_auth REQUIRED creates, and requires, an access control list containing users who have passed authentication.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells squid about the nonauth access list of destination domains to which everyone is always allowed access. Create the file itself and enter the domains in it in the following format:
.whatsapp.com
.whatsapp.net
WhatsApp was not chosen as the example by chance: it is very picky about authenticating proxies and simply will not work unless it is allowed before authentication.
http_access allow nonauth allows everyone access to this list.
http_access deny !auth denies users without authorization access to other sites.
http_access allow auth allows access to authorized users.
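To make the ordering of the three http_access lines concrete, here is a small Python model of how Squid walks them. It is an added example written for this page, not Squid's code or anything from the article: it re-implements only the documented rule semantics (lines are tried top to bottom, every ACL on a line must match, the first matching line decides, and a request that matches no line gets the opposite of the last line's action), together with the leading-dot matching of dstdomain. The contents of nonauth.txt are embedded as constructed data, and an unauthenticated request stopped by deny !auth is reported as deny rather than as the 407 challenge real Squid sends.

```python
"""Model of Squid's http_access evaluation for the three rules above.
Added example written for this page; not Squid's code. It implements
only the documented semantics: rules are tried top to bottom, every ACL
on a line must match, the first matching line decides, and a request
matching no line gets the opposite of the last line's action.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed contents of /etc/squid/nonauth.txt as given in the article.
NONAUTH_DOMAINS = [".whatsapp.com", ".whatsapp.net"]


@dataclass
class Request:
    host: str            # destination host of the request
    user: Optional[str]  # proxy user after Negotiate/Kerberos, None if none presented


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain itself and
    every subdomain; without the dot the host must match exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


# ACL name -> predicate over a request.  'auth' stands for proxy_auth REQUIRED:
# it matches only when the request carries valid proxy credentials.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "auth": lambda r: r.user is not None,
    "nonauth": lambda r: any(dstdomain_match(p, r.host) for p in NONAUTH_DOMAINS),
}

# The article's rules, in the article's order.
ARTICLE_RULES: List[Tuple[str, List[str]]] = [
    ("allow", ["nonauth"]),
    ("deny", ["!auth"]),
    ("allow", ["auth"]),
]


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL reference, honouring the '!' negation prefix."""
    negated = name.startswith("!")
    result = ACLS[name.lstrip("!")](req)
    return not result if negated else result


def http_access(rules: List[Tuple[str, List[str]]], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given rule list.

    With real Squid, an unauthenticated request stopped by 'deny !auth'
    receives a 407 challenge so the browser can retry with a Kerberos
    token; this model simply reports 'deny' for that case.
    """
    for action, acl_names in rules:
        if all(acl_matches(name, req) for name in acl_names):
            return action
    # Documented Squid default when nothing matched: opposite of the last line.
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    samples = [
        Request("web.whatsapp.com", None),         # allowed before authentication
        Request("example.com", None),              # needs credentials
        Request("example.com", "alice@DOMAIN.LOCAL"),
    ]
    for r in samples:
        print(f"{r.host:20} user={r.user!s:20} -> {http_access(ARTICLE_RULES, r)}")
```

Swapping the first two rules makes the model deny web.whatsapp.com for a request without credentials, which is exactly the WhatsApp breakage the text warns about: the nonauth allow has to come before deny !auth.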
That's it, Squid itself is configured; now it is time to start filtering by group.
Configuring SquidGuard
Go to Services \ SquidGuard Proxy Filter.
In LDAP Options, enter the details of the account used for Kerberos authentication, in the following format:
CN=pfsense,OU=service-accounts,DC=domain,DC=local
If it contains spaces or non-Latin characters, the whole entry must be wrapped in single or double quotes:
'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"
Next, be sure to tick the following boxes:
This gets rid of the unneeded DOMAIN\pfsense prefix.
Next, go to Group Acl and attach the domain access groups. I use simple names such as group_0, group_1 and so on up to 3, where 3 is access to the whitelist only and 0 is everything allowed.
Groups are attached as follows:
ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))
Save the group and go to Times; there I created an interval meaning "always active". Next, go to Target Categories and create the lists as you see fit. After creating the lists, return to the groups and use the buttons inside each group to choose who may go where and who may not.
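The ldapusersearch line has to be written once per group, and the commas of the group DN inside the filter are percent-encoded as %2c. The following Python helper is an added example for this page, not SquidGuard's or pfSense's code. It assembles that line from its parts (reproducing the article's group_0 line exactly), generates the lines for group_0 through group_3 as the text describes, parses a line back into its components, and escapes the characters RFC 4515 reserves in filter values so a group name containing parentheses or an asterisk cannot break the filter. The DC host name, port 3268 (the Global Catalog port) and the DN layout come from the article's line; the group DN template used for the other groups is an assumption.

```python
"""Build and check SquidGuard ldapusersearch lines for AD group ACLs.
Added example written for this page; not SquidGuard or pfSense code.
Host, base DN and DN layout follow the article's line; the group DN
template is an assumption.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can be embedded in an LDAP search filter verbatim."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_ldapusersearch(dc_host: str, base_dn: str, group_dn: str,
                         port: int = 3268, attr: str = "sAMAccountName") -> str:
    """Assemble one ldapusersearch line.

    Commas inside the memberOf value are written as %2c, exactly as the
    article's line does, so the LDAP URL parser does not treat them as
    separators.  The %s stays in place for SquidGuard to substitute the
    user name of the request being checked.
    """
    group_value = ldap_filter_escape(group_dn).replace(",", "%2c")
    search_filter = f"(&({attr}=%s)(memberOf={group_value}))"
    return f"ldapusersearch ldap://{dc_host}:{port}/{base_dn}?{attr}?sub?{search_filter}"


# Assumed DN template for the article's group_0 .. group_3 naming scheme.
GROUP_DN_TEMPLATE = "CN={name},OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"


def group_lines(dc_host: str, base_dn: str, count: int = 4) -> List[str]:
    """One line per group: group_0 (everything allowed) .. group_3 (whitelist only)."""
    return [
        build_ldapusersearch(dc_host, base_dn, GROUP_DN_TEMPLATE.format(name=f"group_{i}"))
        for i in range(count)
    ]


def parse_ldapusersearch(line: str) -> Dict[str, str]:
    """Split a line back into host, base DN, attribute, scope and filter."""
    prefix = "ldapusersearch "
    if not line.startswith(prefix):
        raise ValueError("not an ldapusersearch line")
    url = urlsplit(line[len(prefix):])
    # The LDAP URL "query" carries attribute?scope?filter; the filter itself
    # contains no further '?' so a two-split recovers all three parts.
    attr, scope, search_filter = url.query.split("?", 2)
    return {
        "host": url.netloc,
        "base_dn": url.path.lstrip("/"),
        "attr": attr,
        "scope": scope,
        "filter": search_filter,
    }


if __name__ == "__main__":
    for line in group_lines("dc.domain.local", "DC=DOMAIN,DC=LOCAL"):
        print(line)
```

Each generated line is pasted into the corresponding group's LDAP search field in Group Acl; parsing a pasted line back is a quick way to confirm that the base DN, scope and filter were not mangled by quoting in the web form.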
LightSquid and sqstat
If during configuration we selected loopback in the squid settings and opened port 7445 on the firewall both from the network and on pfSense itself, then under Diagnostics \ Squid Proxy Reports we can easily open both sqstat and Lightsquid. For the latter you will have to choose a username and password in the same place, and there is also the option of choosing a design.
Conclusion
pfSense is a very powerful tool that can do a great deal; proxying traffic and controlling user access to the Internet are only a small part of its full functionality, yet at a company with 500 machines it solved the problem and saved the cost of buying a proxy.
I hope this article helps someone solve a problem that is relevant for medium-sized and large companies.
Source: habr.com