Free enterprise proxy server with domain authorization


pfSense + Squid with https filtering + single sign-on (SSO) with filtering by Active Directory groups

Brief background

The company needed to deploy a proxy server that could filter access to websites (including https) by groups from AD, so that users would not have to enter any additional passwords, and that could be administered from a web interface. A nice set of requirements, isn't it?

The correct answer would be to buy a solution such as Kerio Control or UserGate, but, as always, there is no money, yet there is a need.

This is where good old Squid comes to the rescue, but again: where do I get a web interface? SAMS2? Hopelessly outdated. This is where pfSense comes to the rescue.

Description

This article describes how to set up a Squid proxy server.
Kerberos will be used to authenticate users.
SquidGuard will be used for filtering by domain groups.

Lightsquid, sqstat and the built-in pfSense monitoring will be used for monitoring.
It will also solve a common problem that appears when single sign-on (SSO) is introduced: applications that try to go out to the internet under the computer's system account instead of the user's.

Preparing to install Squid

pfSense will be taken as the base (installation instructions).

Inside it, we set up authentication to the firewall itself with domain accounts (instructions).

Very important!

Before installing Squid, you must configure the DNS server in pfSense, create an A record and a PTR record for it on our DNS server, and configure NTP so that its time does not differ from the time on the domain controller.

And on your network, allow the pfSense WAN interface to reach the internet, and allow users on the local network to connect to the LAN interface, including on ports 7445 and 3128 (8080 in my case).

Everything ready? Is the LDAP connection to the domain for authorization on pfSense established, and is the time synchronized? Great. It is time to start the main process.

Installation and pre-configuration

Squid, SquidGuard and LightSquid are installed from the pfSense package manager in the "System / Package Manager" section.

After a successful installation, go to "Services / Squid Proxy server /" and, first of all, configure caching in the Local Cache tab. I set everything to 0, because I do not see much point in caching sites; browsers do a good job of that. After configuring, click the "Save" button at the bottom of the screen; this unlocks the basic settings.

The main settings are as follows:


The default port is 3128, but I prefer to use 8080.

The options in the Proxy Interface tab determine which interfaces our proxy server will listen on. Since this firewall is built so that it faces the internet with the WAN interface, even though LAN and WAN may sit on the same local subnet, I recommend using LAN for the proxy.

Loopback is required for sqstat to work.

Below you will find the settings for the Transparent proxy and for the SSL Filter, but we do not need them: our proxy will not be transparent, and for https filtering we will not substitute certificates (we have document workflow systems, bank clients, etc.); we will just look at the handshake.

Now we need to go to our domain controller and create an account there for authentication (you can also reuse the one configured for authentication on pfSense itself). Here is a very important point: if you want to use AES128 or AES256 encryption, tick the corresponding boxes in that account's settings.

If your domain is a very complex forest with many entries, or your domain is .local, then it is POSSIBLE, but not certain, that you will have to use a simple password for this account; the bug is known, but it may simply refuse to work with a complex password, so check this when troubleshooting a specific problem.


After that, we create the Kerberos key file: open a command prompt with administrator rights on the domain controller and enter:

ktpass -princ HTTP/<pfsense-fqdn>@DOMAIN.LOCAL -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here we specify the FQDN of our pfSense (make sure you respect the case), enter our domain account and its password in the mapuser and pass parameters, choose the encryption method in crypto (I used rc4 at work), and in the out field choose where the finished file will be saved.
Once the file has been created successfully, we transfer it to our pfSense; I used Far for this, but you can do it from the command line with putty, or via the pfSense web interface in the "Diagnostics / Command Line" section.

Now we can edit/create /etc/krb5.conf

(screenshot of the resulting /etc/krb5.conf, not reproduced here)

where /etc/krb5.keytab is the keytab file we created.

Be sure to check that Kerberos works using kinit; if it does not, there is no point in reading further.

Configuring Squid authentication and an access list without authentication

Having set up Kerberos successfully, we attach it to our Squid.

To do this, go to Services / Squid Proxy Server, open the general settings and scroll to the very bottom, where we find the "Advanced features" button.

In the Custom Options (Before Auth) field, enter:

# Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
# Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
# Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth

Here auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the Kerberos helper we need.

The -s switch with the value GSS_C_NO_NAME means: use any principal from the key file.

The -k switch with the value /usr/local/etc/squid/squid.keytab selects the keytab file to use. In my case this is the same file we created, which I copied into the /usr/local/etc/squid/ directory and renamed, because Squid did not want to get along with the original directory; apparently it lacked sufficient permissions.

The -t switch with the value none disables cyclic requests to the domain controller, which significantly reduces the load if you have more than 50 users.
For the duration of testing you can add the -d switch, i.e. diagnostics; more log output will be shown.
auth_param negotiate children 1000 determines how many authentication processes may run simultaneously.
auth_param negotiate keep_alive on does not let the connection be dropped while the authentication chain is being polled.
acl auth proxy_auth REQUIRED creates and requires an access control list containing the users who have passed authorization.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells Squid about the nonauth list, which contains destination domains that everyone is allowed to reach. We create the file ourselves, and inside it we enter domains in the form

.whatsapp.com
.whatsapp.net

WhatsApp is not used as the example by accident: it is very picky about a proxy with authentication and simply does not work unless it is allowed before authentication.
http_access allow nonauth allows everyone access to this list.
http_access deny !auth denies unauthorized users access to all other sites.
http_access allow auth allows access to authorized users.
That's it, Squid itself is configured; now it is time to move on to filtering by groups.
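As an added example (not from the original article), this Python model walks the three http_access lines above with Squid's first-match semantics, using a constructed copy of nonauth.txt, and shows that swapping "allow nonauth" and "deny !auth" would block WhatsApp for clients that have not authenticated yet.

```python
"""Added example (not from the original article): a minimal model of how
Squid walks the http_access lines above, showing why 'allow nonauth' must
precede 'deny !auth'.  dstdomain rule: a pattern with a leading dot matches
the domain and all its subdomains; a bare pattern matches that host only.
The nonauth list and request hosts are constructed sample data."""
NONAUTH_TXT = """\
# constructed stand-in for /etc/squid/nonauth.txt
.whatsapp.com
.whatsapp.net
"""

# The article's http_access lines, in order: (action, acl name, negated?)
HTTP_ACCESS = [
    ("allow", "nonauth", False),
    ("deny", "auth", True),        # deny !auth
    ("allow", "auth", False),
]
# Same lines with the first two swapped: the ordering mistake this warns about.
MISORDERED = [HTTP_ACCESS[1], HTTP_ACCESS[0], HTTP_ACCESS[2]]

def load_dstdomain_list(text):
    """Parse a dstdomain list file: one pattern per line, '#' starts a comment."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns

def dstdomain_matches(host, patterns):
    """Squid dstdomain semantics for one host against a pattern list."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith(".") and (host == pat[1:] or host.endswith(pat)):
            return True
        if host == pat:
            return True
    return False

def decide(host, authenticated, patterns, rules=HTTP_ACCESS):
    """First-match evaluation.  A deny produced by the proxy_auth ACL is what the
    real Squid sends as a 407 challenge; with no match the default is the
    opposite of the last line's action."""
    state = {"nonauth": dstdomain_matches(host, patterns), "auth": authenticated}
    for action, acl, negated in rules:
        if state[acl] != negated:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

PATTERNS = load_dstdomain_list(NONAUTH_TXT)
```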

Configuring SquidGuard

Go to Services / Proxy filter SquidGuard.

In the LDAP options, enter the details of the account we use for Kerberos authentication, but in this form:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If there are spaces or non-Latin characters, this whole entry must be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Then be sure to tick the boxes that strip the NT domain and Kerberos realm components from user names: they cut off the unneeded DOMAIN\pfsense prefix and DOMAIN.LOCAL suffix, which otherwise badly confuse the whole system.

Now go to Group Acl and build our groups for access to domains. I use simple names like group_0, group_1 and so on up to 3, where 3 is access to the whitelist only and 0 is everything allowed.

Groups are attached like this:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

Save our group and go to Times, where I created a single interval meaning it is always in effect. Now go to Target Categories and create lists as we see fit; after creating the lists, we return to our groups and, inside each group, use the buttons to choose who may go where and who may not.
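As an added example (not from the original article), this Python assembles the ldapusersearch line above from its parts and shows the filter SquidGuard would send for a Kerberos user name with and without stripping the realm; the user names (jdoe and the like) are constructed, while the host, port and DNs are the ones from the article.

```python
"""Added example (not from the original article): assembles the ldapusersearch
line above and shows why the 'strip NT domain / Kerberos realm' options matter.
Kerberos hands Squid a name like jdoe@DOMAIN.LOCAL; (sAMAccountName=%s) only
matches once the realm is removed.  Commas inside the group DN are written %2c,
as in the article, so they do not collide with LDAP URL syntax (RFC 4516).
User names here are constructed; the DNs are the article's."""

SEARCH_BASE = "DC=DOMAIN,DC=LOCAL"
GROUP_DN = "CN=group_0,OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"

def strip_domain_parts(user):
    """Drop an NT-style prefix (DOMAIN\\user) and a Kerberos realm suffix (user@REALM)."""
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user

def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_ldapusersearch(host, port, base_dn, group_dn):
    """Assemble the SquidGuard ldapusersearch URL; SquidGuard fills in %s at run time.
    3268 is the AD Global Catalog port, which is what the article queries."""
    group = group_dn.replace(",", "%2c")      # DN commas must not look like URL commas
    return (f"ldap://{host}:{port}/{base_dn}?sAMAccountName?sub?"
            f"(&(sAMAccountName=%s)(memberOf={group}))")

def resolve_filter(search_url, kerberos_user, strip=True):
    """Return the filter SquidGuard would send for this user, with or without
    stripping.  The %2c in the DN stays as-is; the LDAP URL parser decodes it."""
    name = strip_domain_parts(kerberos_user) if strip else kerberos_user
    query = search_url.split("?", 3)[3]       # the filter is the URL's fourth component
    return query.replace("%s", ldap_filter_escape(name), 1)
```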

LightSquid and sqstat

If, during preparation, we selected loopback in the Squid settings and opened access to port 7445 in the firewall both on our network and on pfSense itself, then under Diagnostics / Squid Proxy Reports we can open both sqstat and LightSquid. For the latter we will need, in the same place, to set a login and password; there is also an option to choose a theme.

Conclusion

pfSense is a very powerful tool that can do a great many things; traffic proxying and control of users' internet access is only a small part of its functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved us from buying a proxy.

I hope this article helps someone solve a problem that is quite relevant for medium and large enterprises.

Source: www.habr.com
