Free enterprise proxy server with domain authentication


pfSense + Squid with https filtering + Single sign-on (SSO) with Active Directory group filtering

Brief background

The company needed a proxy server that could filter access to sites (including https) by groups from AD, so that users would not have to enter yet another password, and that could be administered from a web interface. A convenient setup, isn't it?

The correct answer would be to buy a solution such as Kerio Control or UserGate, but, as always, there is no money, yet there is a need.

This is where good old squid comes to the rescue, but again: where do I get a web interface? SAMS2? It no longer works. And this is where pfSense comes to the rescue.

Description

This article describes how to set up the Squid proxy server.
Kerberos will be used to authenticate users.
SquidGuard will be used to filter by domain groups.

Lightsquid, sqstat and the built-in pfSense monitoring tools will be used for monitoring.
It will also solve a common problem that comes with rolling out single sign-on (SSO), namely applications that try to reach the Internet under the computer's account, i.e. their system account.

Preparing to install Squid

pfSense will be taken as the base; see its installation instructions.

In it, we set up authentication to the firewall itself with a domain account; see the instructions.

Very important!

Before you start installing squid, you must configure the DNS server in pfSense, create an A record and a PTR record for it on our DNS server, and configure NTP so that the time does not drift from the time on the domain controller.

And on your network, allow the pfSense WAN interface to reach the Internet, and allow users on the local network to connect to the LAN interface, including on ports 7445 and 3128 (in my case 8080).

Everything ready? Is the LDAP connection to the domain for authentication on pfSense established and the time synchronized? Great. Time to start the main part.

Installation and pre-configuration

Squid, squidGuard and LightSquid will be installed from the pfSense package manager in the "System / Package Manager" section.

After a successful installation, go to "Services / Squid Proxy Server" and, first of all, configure caching on the Local Cache tab. I set everything to 0, because I don't see much point in caching websites; browsers do a fine job of that themselves. After that, press the "Save" button at the bottom of the screen, which lets us move on to the main proxy settings.

The main settings are as follows:

(screenshot: main proxy settings)

The default port is 3128, but I prefer to use 8080.

The parameters selected on the Proxy Interface tab determine which interfaces our proxy server listens on. Since this firewall is built so that it looks at the Internet through the WAN interface, even though LAN and WAN may be on the same local subnet, I recommend using LAN for the proxy.

Loopback is needed for sqstat to work.

Below you will find the Transparent proxy settings as well as SSL Filter, but we don't need them: our proxy will not be transparent, and for https filtering we will not substitute the certificate (we have document workflow systems, bank clients, and so on); we will only look at the handshake.

At this stage we need to go to our domain controller and create an account there for authentication (you can also reuse the one set up for authentication on pfSense itself). Here is an important point: if you plan to use AES128 or AES256 encryption, tick the corresponding boxes in the account settings.

If your domain is a very complex forest with a large number of directories, or your domain is .local, then it is POSSIBLE, but not certain, that you will have to use a simple password for this account. It is a known bug, but it may simply not work with a complex password; you need to check on a case-by-case basis.


After that, we create a key file for kerberos. Open a command prompt with administrator rights on the domain controller and enter:

ktpass -princ HTTP/pfsense.domain.local@DOMAIN.LOCAL -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here we specify the FQDN of our pfSense (be sure to respect the case), put our domain account and its password in the mapuser parameter, and in crypto choose the encryption method (I used rc4 for work); in the -out field we choose where our finished key file will be written.
After the key file has been created successfully, we send it to our pfSense. I used Far for this, but you can also do it all with commands and putty, or through the pfSense web interface in the "Diagnostics / Command Line" section.

Now we can edit/create /etc/krb5.conf

(screenshot: /etc/krb5.conf)

where /etc/krb5.keytab is the key file we created.

Be sure to check that kerberos works using kinit; if it doesn't, there is no point in reading further.
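An example of what such a krb5.conf can look like, added here rather than taken from the article's screenshot; the realm DOMAIN.LOCAL and the controller dc.domain.local are the names used elsewhere on this page, while the host name pfsense.domain.local is an assumption:

```ini
# /etc/krb5.conf (example added for illustration; the values are assumptions
# matching the DOMAIN.LOCAL realm and the dc.domain.local controller used on this page)
[libdefaults]
    default_realm = DOMAIN.LOCAL
    # the keytab created with ktpass and copied to pfSense
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
```

Check the keytab with `kinit -k -t /etc/krb5.keytab HTTP/pfsense.domain.local@DOMAIN.LOCAL` followed by `klist`: the host name, realm and letter case in the principal must match the ktpass -princ value exactly, otherwise kinit fails.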

Configuring squid authentication and the access list without authentication

After kerberos has been configured successfully, we bind it to our squid.

To do this, go to Services / Squid Proxy Server and in the main settings scroll all the way down, where we find the "Advanced settings" button.

In the Custom Options (Before Auth) section, enter:

# Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
# Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
# Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth

where auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the kerberos authentication helper we need.

The -s key with the value GSS_C_NO_NAME specifies the use of any account from the key file.

The -k key with the value /usr/local/etc/squid/squid.keytab specifies the use of this particular keytab file. In my case this is the same keytab file we created, which I copied to the /usr/local/etc/squid/ directory and renamed, because squid did not want to cooperate with the /etc directory; apparently it did not have sufficient rights there.

The -t key with the value none disables cyclic requests to the domain controller, which significantly reduces the load on it if you have more than fifty users.
For the testing period you can also add the -d key, i.e. diagnostics; more logs will be shown.
auth_param negotiate children 1000 - determines how many concurrent authentication processes can be run.
auth_param negotiate keep_alive on - does not allow the connection to be dropped while the authentication chain is being polled.
acl auth proxy_auth REQUIRED - creates and requires an access control list that includes users who have passed authentication.
acl nonauth dstdomain "/etc/squid/nonauth.txt" - we tell squid about the nonauth access list, which contains destination domains that everyone is always allowed to reach. We create the file ourselves, and in it we enter domains in the format

.whatsapp.com
.whatsapp.net

Whatsapp is not used as the example by chance: it is very picky about a proxy with authentication and simply will not work if it is not allowed through before authentication.
http_access allow nonauth - allow everyone access to this list.
http_access deny !auth - deny unauthenticated users access to other sites.
http_access allow auth - allow access to authenticated users.
That's it, squid itself is configured; now it's time to start filtering by groups.
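To see how these three rules interact, here is a small Python model of Squid's first-match evaluation and dstdomain matching; it is an added example, not part of the article or of Squid itself, and the nonauth.txt content is constructed inline:

```python
NONAUTH_TXT = """
# constructed sample of /etc/squid/nonauth.txt
.whatsapp.com
.whatsapp.net
"""

def load_dstdomains(text):
    """One dstdomain entry per line; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries

def dstdomain_match(host, entries):
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; 'example.com' without the leading dot matches only that
    exact host name."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def http_access(host, authenticated, nonauth_entries):
    """First-match evaluation of the three rules from the article:
         http_access allow nonauth
         http_access deny !auth
         http_access allow auth
    Returns 'allow' or 'challenge'. 'challenge' stands for the 407
    Proxy Authentication Required reply Squid sends when a rule tests the
    proxy_auth ACL and the client has not presented credentials yet; that
    reply is what starts the Negotiate (Kerberos) exchange with the browser."""
    if dstdomain_match(host, nonauth_entries):
        return "allow"       # 'allow nonauth': reachable before any authentication
    if not authenticated:
        return "challenge"   # 'deny !auth' on a proxy_auth ACL -> 407 challenge
    return "allow"           # 'allow auth'

if __name__ == "__main__":
    entries = load_dstdomains(NONAUTH_TXT)
    for host, authed in [("api.whatsapp.com", False), ("example.com", False), ("example.com", True)]:
        print(host, "authenticated" if authed else "anonymous", "->", http_access(host, authed, entries))
```

This is why the nonauth list must come before the deny rule: a client such as Whatsapp that never answers a 407 is served from the first rule and is never challenged.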

Configuring SquidGuard

Go to Services / SquidGuard Proxy Filter.

In LDAP Options we enter the details of the account used for kerberos authentication, but in the following format:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If there are spaces or non-Latin characters, the whole entry must be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Then be sure to tick these boxes:

(screenshot: LDAP option checkboxes)

Strip the unnecessary parts, the DOMAIN\ prefix (as in DOMAIN\pfsense) and the DOMAIN.LOCAL realm, from user names; the whole system is very case sensitive.

Now go to Group Acl and bind our domain access groups. I use simple names such as group_0, group_1 and so on up to 3, where 3 has access only to the whitelist and 0 can reach everything.

Groups are bound as follows:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

Save our group, go to Times, where I created one range meaning always active; now go to Target Categories and create lists at our discretion. Once the lists are created, we return to our groups and, inside each group, use the buttons to choose who can go where and who cannot.
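The ldapusersearch line above is easy to get wrong by hand (the commas inside the memberOf filter are encoded as %2c, and the base must be followed by exactly attribute, scope and filter), so here is an added Python helper, not part of the article or of squidGuard, that builds one such line per group and checks an existing line for those two mistakes; the group names group_0 to group_3, the OU path and the controller name are taken from the page:

```python
def ldap_user_search(dc_host, base_dn, group_dn, port=3268):
    """Build a squidGuard ldapusersearch URL:
         ldap://host:port/base?attribute?scope?filter
    Port 3268 is the Active Directory Global Catalog, as used in the article.
    Commas inside the filter are percent-encoded as %2c, exactly as in the
    configuration line on this page (commas in the base DN stay as they are)."""
    group_escaped = group_dn.replace(",", "%2c")
    search_filter = "(&(sAMAccountName=%s)(memberOf={}))".format(group_escaped)
    return "ldap://{}:{}/{}?sAMAccountName?sub?{}".format(
        dc_host, port, base_dn, search_filter)

def group_search_lines(dc_host, base_dn, group_names, group_ou):
    """One 'ldapusersearch ...' line per squidGuard group (group_0 ... group_3)."""
    return {
        name: "ldapusersearch " + ldap_user_search(
            dc_host, base_dn, "CN={},{}".format(name, group_ou))
        for name in group_names
    }

def check_ldapusersearch(url):
    """Return a list of problems found in an ldapusersearch URL (empty = looks fine).
    Only the format the page relies on is checked: the ldap:// scheme, the
    base?attribute?scope?filter layout, and that every comma in the filter is encoded."""
    problems = []
    if not url.startswith("ldap://"):
        problems.append("URL must start with ldap://")
    path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    parts = path.split("?")
    if len(parts) != 4:
        problems.append("expected base?attribute?scope?filter, got %d parts" % len(parts))
    elif "," in parts[3]:
        problems.append("unencoded comma inside the search filter (use %2c)")
    return problems

# Values assumed from the article's own configuration line.
DC_HOST = "dc.domain.local"
BASE_DN = "DC=DOMAIN,DC=LOCAL"
GROUP_OU = "OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"
GROUP_NAMES = ["group_0", "group_1", "group_2", "group_3"]

if __name__ == "__main__":
    for name, line in group_search_lines(DC_HOST, BASE_DN, GROUP_NAMES, GROUP_OU).items():
        print(name, "->", line)
```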

LightSquid and sqstat

If during configuration we selected loopback in the squid settings and opened access to port 7445 in the firewall, both from our network and on pfSense itself, then by going to Diagnostics / Squid Proxy Reports we can open both sqstat and Lightsquid. For the latter we need to make up a username and password in the same place, and there is also an option to choose a theme.

Conclusion

pfSense is a very powerful tool that can do many things; traffic proxying and control over user access to the Internet is only a small part of all its functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved the cost of buying a proxy.

I hope this article will help someone solve a problem that is quite relevant for medium and large businesses.

Source: www.habr.com
