Iseva ebambeleyo yasimahla yeshishini elinegunya lommandla

pfSense+Squid ene-https yokucoca + itekhnoloji yokusayina enye (SSO) ngokucoca ngamaqela eActive Directory

Imvelaphi emfutshane

Ishishini elifunekayo ukuphumeza umncedisi we-proxy ngokukwazi ukucoca ukufikelela kwiisayithi (kuquka i-https) ngamaqela avela kwi-AD, ukwenzela ukuba abasebenzisi abazange bafake nayiphi na i-passwords eyongezelelweyo, kwaye ulawulo lunokwenziwa kwi-interface yewebhu. Asikho isicelo esibi, akunjalo?

Impendulo echanekileyo iya kuba kukuthenga izisombululo ezifana ne-Kerio Control okanye i-UserGate, kodwa njengesiqhelo akukho mali, kodwa kukho imfuneko.

Kulapho iSquid esidala esilungileyo esiza kusihlangula, kodwa kwakhona, ndingalufumana phi ujongano lwewebhu? SAMS2 Iphelelwe lixesha ngokokuziphatha. Apha kulapho ipfSense isiza khona.

inkcazelo

Eli nqaku liza kuchaza indlela yokuqwalasela umncedisi weSquid.
I-Kerberos iya kusetyenziswa ukugunyazisa abasebenzisi.
I-squidGuard iya kusetyenziselwa ukuhluza ngamaqela ommandla.

I-Lightsquid, i-sqstat kunye neenkqubo zangaphakathi zokubeka iliso ze-pfSense ziya kusetyenziswa ukubeka iliso.
Ingxaki eqhelekileyo enxulunyaniswa nokuphunyezwa kobuchwepheshe bokusayina-kwisinye (i-SSO) nayo iya kusonjululwa, oko kukuthi izicelo ezizama ukufikelela kwi-Intanethi phantsi kweakhawunti yekhampasi yeakhawunti yabo yenkqubo.

Ukulungiselela ukufaka iSkwidi

pfSense iya kusetyenziswa njengesiseko, Imiyalelo yokufakela.

Ngaphakathi apho siququzelela ukuqinisekiswa kwi-firewall ngokwayo usebenzisa i-akhawunti yesizinda. Umyalelo

Ibaluleke kakhulu!

Ngaphambi kokuba uqale ukufaka i-Squid, kufuneka uqwalasele iseva ye-DNS kwi-pfsense, wenze irekhodi ye-A kunye ne-PTR kuyo kwi-server yethu ye-DNS kwaye ulungiselele i-NTP ukwenzela ukuba ixesha lingahlukanga kwixesha lomlawuli wesizinda.

Kwaye kwinethiwekhi yakho, nikezela ngesakhono se-pfSense WAN ujongano lokufikelela kwi-Intanethi, kunye nabasebenzisi kwinethiwekhi yendawo ukuxhuma kwi-interface ye-LAN, kuquka nge-port 7445 kunye ne-3128 (kwimeko yam, i-8080).

Zonke zilungile? Ngaba i-domain iqhagamshelwe nge-LDAP yogunyaziso kwi-pfSense kwaye ixesha liyangqamaniswa? Kakhulu. Lixesha lokuba uqale inkqubo ephambili.

Ukufakela kunye noqwalaselo lwangaphambili

Siza kufaka i-Squid, i-SquidGuard kunye ne-LightSquid ukusuka kumphathi wephakheji ye-pfSense kwicandelo elithi "System/Package Manager".

Emva kofakelo oluyimpumelelo, yiya kwi "IiNkonzo / iseva ye-Squid Proxy /" kwaye okokuqala, kwi-Cache yeNdawo ithebhu, qwalasela i-caching, ndibeka yonke into ku-0, kuba Andiboni nto ingako kwiindawo zokugcina indawo; izikhangeli ziphethe kakuhle le nto. Emva kokuseta, cofa iqhosha elithi "Gcina" ezantsi kwesikrini kwaye oku kuya kusinika ithuba lokwenza useto lommeli olusisiseko.

Iisetingi eziphambili zezi zilandelayo:

Izibuko elingagqibekanga yi3128, kodwa ndikhetha ukusebenzisa i8080.

Iiparamitha ezikhethiweyo kwisithuba soNxibelelwano loMmeleli isithuba simisela ukuba loluphi ujongano lomncedisi weproxy ayakumamela. Ekubeni le firewall yakhiwe ngendlela yokuba ijonge kwi-Intanethi ngokusebenzisa i-WAN interface, nangona i-LAN kunye ne-WAN inokuba kwi-subnet yendawo efanayo, ndincoma ukusebenzisa i-LAN ye-proxy.

I-Loopback iyafuneka ukuze i-sqstat isebenze.

Apha ngezantsi uya kufumana useto lwe-proxy eNgaphandle, kunye ne-SSL Filter, kodwa asiyifuni, i-proxy yethu ayiyi kubonakala, kwaye ngenxa yokucoca i-https asiyi kujongana nokutshintshwa kwesatifikethi (emva koko, sinolawulo loxwebhu. , abathengi bebhanki, njl.), Makhe sijonge ukuxhawula izandla.

Kweli nqanaba, kufuneka siye kwisilawuli sesizinda sethu, senze iakhawunti kuyo ukuze ingqinwe (ungasebenzisa leyo uyilungiselele ubunyani bepfSense ngokwayo). Eyona nto ibaluleke kakhulu apha kukuba ujonge ukusebenzisa i-AES128 okanye i-AES256 encryption, khangela iibhokisi ezifanelekileyo kwiisetingi zeakhawunti yakho.

Ukuba indawo yakho ilihlathi elintsonkothileyo elinenani elikhulu labalawuli okanye i-domain yakho yi .yendawo, ngoko POSSIBLY, kodwa hayi ngokuqinisekileyo, kuya kufuneka usebenzise igama eliyimfihlo elilula kule akhawunti, i-bug iyaziwa, kodwa ngobunzima. Igama lokugqitha isenokungasebenzi, kufuneka ujonge imeko ethile.

Emva kwayo yonke le nto, senza ifayile ephambili yeKerberos, kwisilawuli sesizinda, vula umyalelo okhawulezayo ngamalungelo omlawuli kwaye ungene:

# ktpass -princ HTTP/[email protected] -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:keytabsPROXY.keytab

Apho sibonisa i-FQDN yethu pfSense, qiniseka ukuba uyalihlonipha ityala, kwiparamitha ye-masper sifaka iakhawunti yethu yesizinda kunye negama eliyimfihlo, kwaye kwi-crypto sikhetha indlela yokubethela, ndisebenzise i-rc4 emsebenzini nakwibala eliphumayo sikhetha apho. siya kuthumela ifayile yethu esele ilungisiwe.
Emva kokwenza ngempumelelo ifayile engundoqo, siya kuyithumela kwi-pfSense yethu, ndisebenzise iFar kule nto, kodwa unokukwenza oku usebenzisa imiyalelo, i-putty okanye nge-interface yewebhu ye-pfSense kwicandelo elithi "DiagnosticsCommand Line".

Ngoku sinokuhlela ukudala /etc/krb5.conf

apho /etc/krb5.keytab yifayile yesitshixo esiyenzileyo.

Qiniseka ukuba ujonge ukusebenza kweKerberos usebenzisa i-kinit; ukuba ayisebenzi, akukho sizathu sokufunda ngokubhekele phaya.

Ukuqwalasela uQinisekiso lweskwidi kwaye akukho Luhlu lokuFikelela lokuQinisekisa

Emva kokuqwalasela ngempumelelo iKerberos, siya kuyincamathisela kwiskwidi yethu.

Ukwenza oku, yiya kwi-ServiceSquid Proxy Server kwaye kwiisetingi eziphambili, yiya ezantsi, apho siya kufumana iqhosha elithi "Useto oluPhezulu".

Kwindawo yoKhetho lwesiSiko (Ngaphambi ko-Auth), ngenisa:

#Хелперы
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
#Списки доступа
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt" 
#Разрешения 
http_access allow nonauth 
http_access deny !auth
http_access allow auth

apho Auth_param inkqubo yothethathethwano /usr/yasekuhlaleni/libexec/squid/negotiate_kerberos_auth — khetha umncedi wobubhali weKerberos esimdingayo.

Ngundoqo -s ngentsingiselo GSS_C_NO_NAME — imisela ukusetyenziswa kwayo nayiphi na iakhawunti kwifayile yesitshixo.

Ngundoqo -k ngentsingiselo /usr/local/etc/squid/squid.keytab — imisela ukusebenzisa le fayile yesitshixo. Kwimeko yam, le yifayile yesitshixo esiyenzileyo, endiyikhuphele kwi/usr/local/etc/squid/ directory kwaye ndiyiqambe igama ngokuba isquid asifuni ukuba ngumhlobo nalo luhlu, kucacile ukuba andinalo. amalungelo aneleyo.

Ngundoqo -t ngentsingiselo -akukho nanye - ikhubaza izicelo ze-cyclical kumlawuli wesizinda, onciphisa kakhulu umthwalo kuyo ukuba unabasebenzisi abangaphezu kwe-50.
Ngexesha lovavanyo, ungongeza kwakhona i--d switch - oko kukuthi i-diagnostics, iilogi ezininzi ziya kuboniswa.
Auth_param thethana nabantwana nge1000 - imisela ukuba zingaphi iinkqubo zogunyaziso zangaxeshanye ezinokusungulwa
Auth_param thethana gcina_uphila - kuthintela uxhulumaniso ukuba luqhawulwe ngelixa uvotela ikhonkco lokugunyazisa
I-acl auth proxy_auth IYAFUNEKA — uyila kwaye ufuna uluhlu lolawulo lofikelelo olubandakanya abasebenzisi abagunyazisiweyo
i-acl nonauth dstdomain "/etc/squid/nonauth.txt" — siyazisa iskwidi malunga noluhlu lofikelelo lwe-nonauth, oluqulethe imimandla yendawo apho wonke umntu uya kuhlala evunyelwe ukufikelela. Senza ifayile ngokwayo, kwaye singenise imimandla ngaphakathi kuyo kwifomathi

.whatsapp.com
.whatsapp.net

I-Whatsapp isetyenziswa njengomzekelo ngesizathu-ikhetheke kakhulu malunga ne-proxies yokuqinisekisa kwaye ayiyi kusebenza ukuba ayivumelekanga phambi kokuqinisekiswa.
http_access vumela i-nonauth -vumela ukufikelela kolu luhlu kumntu wonke
http_ufikelelo khanyela !igunya — siyakwalela ukufikelela kwezinye iisayithi kubasebenzisi abangagunyaziswanga
http_access vumela auth — vumela ukufikelela kubasebenzisi abagunyazisiweyo.
Yiloo nto, iSquid ngokwayo iqwalaselwe, ngoku lixesha lokuqalisa ukuhluza ngamaqela.

Ukumisela iSquidGuard

Yiya kwiSihluzo soMmeli weeNkonzoSquidGuard.

KwiiKhetho ze-LDAP sifaka iinkcukacha zeakhawunti yethu esetyenziselwa uqinisekiso lwe-Kerberos, kodwa ngolu hlobo lulandelayo:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

Ukuba kukho izithuba okanye oonobumba abangengabo abesiLatini, olungeno lulonke kufuneka luvalwe ngokucaphula okukodwa okanye kabini:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Okulandelayo, qiniseka ukuba uqwalasela ezi bhokisi:

Ukuqhawula okungafunekiyo DOMAINpfsense DOMAIN.INDAWO apho yonke inkqubo inovakalelo kakhulu.

Ngoku makhe siye kwiQela le-Acl kwaye sibophe amaqela ethu okufikelela kwisizinda, ndisebenzisa amagama alula njengeqela_0, iqela_1, njl ukuya kwi-3, apho i-3 ithetha ukufikelela kuphela kuluhlu olumhlophe, kwaye i-0 ithetha ukuba yonke into inokwenzeka.

Amaqela adityaniswe ngolu hlobo lulandelayo:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

sigcina iqela lethu, siye ku-Times, apho ndidale i-gap enye ethetha ukuba iya kuhlala isebenza, ngoku siya kwii-Target Categories kwaye senze uluhlu ngokubona kwethu, emva kokudala uluhlu sibuyela kumaqela ethu kwaye ngaphakathi kweqela sisebenzisa amaqhosha. ukukhetha ukuba ngubani onokuya phi kwaye ngubani ongayi apho .

I-LightSquid kunye ne-sqstat

Ukuba ngexesha lenkqubo yokuseta sikhethe i-loopback kwiisethingi zesquid kwaye savula ukukwazi ukufikelela kwi-7445 kwi-firewall zombini kwinethiwekhi yethu nakwi-pfSense ngokwayo, ngoko xa sisiya kwiiNgxelo ze-DiagnosticsSquid Proxy sinokuvula ngokulula zombini i-sqstat kunye ne-Lighsquid, umva siya kuyidinga Apho unokuza negama lokungena kunye negama lokugqitha, kwaye unokukhetha noyilo.

Ukugqiba

I-pfSense sisixhobo esinamandla kakhulu esinokwenza izinto ezininzi-i-proxying traffic kunye nokulawula ukufikelela komsebenzisi kwi-Intanethi yinkozo nje yomsebenzi wonke, nangona kunjalo, kwishishini elinoomatshini abangama-500, yayisombulula ingxaki kwaye yasivumela ukuba sigcine. ekuthengeni ummeli.

Ndiyathemba ukuba eli nqaku liya kunceda umntu ukusombulula ingxaki efanelekileyo kakhulu kumashishini aphakathi kunye namakhulu.

umthombo: www.habr.com