I-pfSense+Squid enokuhlunga kwe-https + ubuchwepheshe bokungena ngemvume okukodwa (SSO) ngokuhlunga ngamaqembu e-Active Directory
Ingemuva elifushane
Ibhizinisi lalidinga ukusebenzisa iseva elibamba elinekhono lokuhlunga ukufinyelela kumasayithi (okuhlanganisa no-https) ngamaqembu asuka ku-AD, ukuze abasebenzisi bangafaki noma yimaphi amaphasiwedi engeziwe, futhi nokuphatha kungenziwa kusukela kusixhumi esibonakalayo sewebhu. Akulona uhlelo olubi, akunjalo?
Impendulo elungile kungaba ukuthenga izixazululo ezifana Kerio Control noma UserGate, kodwa njengoba njalo ayikho imali, kodwa kunesidingo.
Yilapho i-squid endala esisiza khona, kodwa futhi, ngingasitholaphi isixhumi esibonakalayo sewebhu? SAMS2? Isiphelelwe yisikhathi ngokokuziphatha. Yilapho i-pfSense isiza khona.
Incazelo
Lesi sihloko sizochaza indlela yokumisa iseva elibamba le-squid.
I-Kerberos izosetshenziselwa ukugunyaza abasebenzisi.
I-squidGuard izosetshenziselwa ukuhlunga ngamaqembu wesizinda.
I-Lightsquid, sqstat kanye nezinhlelo zokuqapha ze-pfSense zangaphakathi zizosetshenziselwa ukuqapha.
Inkinga evamile ehlotshaniswa nokuqaliswa kobuchwepheshe bokungena ngemvume okukodwa (i-SSO) nayo izoxazululwa, okuyizinhlelo zokusebenza ezizama ukufinyelela i-inthanethi ngaphansi kwe-akhawunti yekhampasi ye-akhawunti yazo yesistimu.
Ilungiselela ukufaka i-squid
pfSense izosetshenziswa njengesisekelo,
Ngaphakathi kwakho sihlela ukuqinisekiswa kwe-firewall ngokwayo sisebenzisa ama-akhawunti wesizinda.
Baluleke kakhulu!
Ngaphambi kokuthi uqale ukufaka i-squid, udinga ukulungisa iseva ye-DNS nge-pfsense, wenze irekhodi A kanye nerekhodi le-PTR layo kuseva yethu ye-DNS futhi ulungiselele i-NTP ukuze isikhathi singahlukani nesikhathi esikumlawuli wesizinda.
Futhi kunethiwekhi yakho, nikeza ikhono lesixhumi esibonakalayo se-pfSense WAN ukufinyelela i-inthanethi, futhi kubasebenzisi abakunethiwekhi yendawo ukuxhuma kusixhumi esibonakalayo se-LAN, okuhlanganisa ne-port 7445 kanye ne-3128 (endabeni yami, 8080).
Konke sekumi ngomumo? Ingabe isizinda sixhunywe nge-LDAP ukuze sigunyazwe ku-pfSense futhi ingabe isikhathi siyavumelaniswa? Kuhle. Isikhathi sokuqala inqubo eyinhloko.
Ukufakwa kanye nokucushwa kwangaphambili
Sizofaka i-squid, i-squidGuard ne-LightSquid kusukela kumphathi wephakheji we-pfSense kusigaba esithi "Isiphathi Sesistimu/Iphakheji".
Ngemva kokufaka ngempumelelo, iya ku- "Services/Squid Proxy server/" futhi okokuqala, kuthebhu Yenqolobane Yasendaweni, lungisa i-caching, ngibeka yonke into ku-0, ngoba Angiboni iphuzu eliningi kumasayithi okulondoloza isikhashana; iziphequluli zikuphatha kahle lokhu. Ngemva kokusetha, cindezela inkinobho ethi "Londoloza" ngaphansi kwesikrini futhi lokhu kuzosinika ithuba lokwenza izilungiselelo eziyisisekelo zommeleli.
Izilungiselelo eziyinhloko zimi kanje:
Imbobo ezenzakalelayo ingu-3128, kodwa ngikhetha ukusebenzisa i-8080.
Amapharamitha akhethiwe kuthebhu ye-Proxy Interface anquma ukuthi iyiphi i-interface iseva yethu yommeleli ezolalela. Njengoba le firewall yakhiwe ngendlela yokuthi ibheke I-inthanethi ngesixhumi esibonakalayo se-WAN, nakuba i-LAN ne-WAN kungase kube ku-subnet yasendaweni efanayo, ngincoma ukusebenzisa i-LAN kummeleli.
I-Loopback iyadingeka ukuze i-sqstat isebenze.
Ngezansi uzothola izilungiselelo zommeleli we-Transparent, kanye nesihlungi se-SSL, kodwa asizidingi, ummeleli wethu ngeke abe sobala, futhi ngokuhlunga kwe-https ngeke sibhekane nokushintshwa kwesitifiketi (phela, sinokuphathwa kwedokhumenti , amaklayenti asebhange, njll.), Ake sibheke ukuxhawula izandla.
Kulesi sigaba, sidinga ukuya kusilawuli sesizinda sethu, sidale i-akhawunti kuso ukuze siqinisekiselwe ubuqiniso (ungaphinda usebenzise leso osilungiselele ukuqinisekiswa ku-pfSense uqobo). Isici esibaluleke kakhulu lapha ukuthi uma uhlose ukusebenzisa ukubethela kwe-AES128 noma kwe-AES256, khetha amabhokisi afanele kuzilungiselelo ze-akhawunti yakho.
Uma isizinda sakho siyihlathi eliyinkimbinkimbi elinenombolo enkulu yezinkomba noma isizinda sakho singese-.local, POSSIBLY, kodwa hhayi ngokuqinisekile, kuzodingeka usebenzise igama-mfihlo elilula kule akhawunti, iphutha liyaziwa, kodwa eliyinkimbinkimbi. iphasiwedi ingase imane ingasebenzi, udinga ukuhlola icala elithile.
Ngemuva kwakho konke lokhu, sakha ifayela elingukhiye le-Kerberos, kusilawuli sesizinda, vula umyalo womyalo ngamalungelo omlawuli bese ufaka:
# ktpass -princ HTTP/[email protected] -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:keytabsPROXY.keytab
Lapho sibonisa i-FQDN pfSense yethu, qiniseka ukuthi uyalihlonipha icala, kupharamitha ye-maser sifaka i-akhawunti yethu yesizinda kanye nephasiwedi yayo, futhi ku-crypto sikhetha indlela yokubhala ngemfihlo, ngisebenzise i-rc4 emsebenzini nasensimini yokuphuma lapho sikhetha khona. sizothumela ifayela lethu elingukhiye elenziwe ngomumo.
Ngemva kokudala ngempumelelo ifayela elingukhiye, sizolithumela ku-pfSense yethu, ngisebenzise i-Far kulokhu, kodwa futhi ungakwenza lokhu usebenzisa imiyalo, i-putty noma ngokusebenzisa isixhumi esibonakalayo sewebhu se-pfSense engxenyeni ethi "DiagnosticsCommand Line".
Manje sesingakwazi ukuhlela ukudala /etc/krb5.conf
lapho /etc/krb5.keytab kuyifayela elingukhiye esidalile.
Qiniseka ukuthi uhlola ukusebenza kwe-Kerberos usebenzisa i-kinit; uma kungasebenzi, asikho isidingo sokufunda ngokuqhubekayo.
Ilungiselela ukuqinisekiswa kwe-squid futhi Alukho Uhlu Lokufinyelela Lokuqinisekisa
Ngemva kokumisa ngempumelelo i-Kerberos, sizoyinamathisela ku-squid yethu.
Ukuze wenze lokhu, iya ku-ServicesSquid Proxy Server futhi kuzilungiselelo eziyinhloko, iya phansi impela, lapho sizothola inkinobho ethi "Izilungiselelo Ezithuthukisiwe".
Kunkambu Yezinketho Ngokwezifiso (Ngaphambi Kwe-Auth), faka:
#Хелперы
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
#Списки доступа
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
#Разрешения
http_access allow nonauth
http_access deny !auth
http_access allow authlapho auth_param uhlelo lokuxoxisana /usr/local/libexec/squid/negotiate_kerberos_auth — ikhetha umsizi wokuqinisekisa we-Kerberos esimdingayo.
Ukhiye -s ngencazelo GSS_C_NO_NAME - inquma ukusetshenziswa kwanoma iyiphi i-akhawunti efayeleni elingukhiye.
Ukhiye -k ngencazelo /usr/local/etc/squid/squid.keytab — inquma ukusebenzisa leli fayela elithile lethebhu yokhiye. Endabeni yami, leli yifayela elifanayo le-keytab esilidalile, engalikopisha ku-directory / usr / yendawo / njll / squid / futhi ngaliqamba kabusha, ngoba i-squid yayingafuni ukuba umngane walolo lwazi, ngokusobala angizange. babe namalungelo anele.
Ukhiye -t ngencazelo -akekho - ikhubaza izicelo zomjikelezo kusilawuli sesizinda, okunciphisa kakhulu umthwalo kuso uma unabasebenzisi abangaphezu kuka-50.
Ngesikhathi sokuhlolwa, ungakwazi futhi ukwengeza i- -d switch - i.e. ukuxilongwa, amalogi amaningi azoboniswa.
auth_param xoxisana nezingane 1000 - inquma ukuthi zingaki izinqubo zokugunyazwa ngasikhathi sinye ezingaqalwa
auth_param xoxisana qhubeka_uphila - ivimbela ukuxhumana ekunqanyulweni ngenkathi kuvotwa iketango lokugunyazwa
I-acl auth proxy_auth IYADINGEKA — kwakha futhi kudinga uhlu lokulawula ukufinyelela oluhlanganisa abasebenzisi abagunyaziwe
i-acl nonauth dstdomain "/etc/squid/nonauth.txt" — sazisa i-squid ngohlu lokufinyelela okungelonauth, oluqukethe izizinda lapho wonke umuntu eyohlala evunyelwe ukufinyelela kuzo. Sakha ifayela ngokwalo, futhi sifaka izizinda ngaphakathi kwalo ngefomethi
.whatsapp.com
.whatsapp.net
I-Whatsapp isetshenziswa njengesibonelo ngesizathu - ikhetha kakhulu mayelana nama-proxies okuqinisekisa futhi ngeke isebenze uma ingavunyelwe ngaphambi kokuqinisekisa.
http_access vumela i-nonauth — vumela ukufinyelela kulolu hlu kuwo wonke umuntu
http_access phika !auth - sivimbela ukufinyelela kwamanye amasayithi kubasebenzisi abangagunyaziwe
http_access vumela i-auth - vumela ukufinyelela kubasebenzisi abagunyaziwe.
Yilokho, i-squid ngokwayo imisiwe, manje yisikhathi sokuqala ukuhlunga ngamaqembu.
Isetha i-squidGuard
Iya kusihlungi sommeleli we-ServiceSquidGuard.
Ezinkethweni ze-LDAP sifaka imininingwane ye-akhawunti yethu esetshenziselwa ukuqinisekiswa kwe-Kerberos, kodwa ngefomethi elandelayo:
CN=pfsense,OU=service-accounts,DC=domain,DC=localUma kunezikhala noma izinhlamvu ezingezona ezesiLatini, konke lokhu okufakwayo kufanele kufakwe kucaphuno olulodwa noma olukabili:
'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"Okulandelayo, qiniseka ukuthi ukhetha lawa mabhokisi:
Ukusika i-DOMAINpfsense engadingekile .INDAWO lapho lonke uhlelo luzwela kakhulu.
Manje ake siye ku-Group Acl futhi sibophe amaqembu ethu okufinyelela kwesizinda, ngisebenzisa amagama alula njengeqembu_0, iqembu_1, njll. kufika ku-3, lapho u-3 esho ukufinyelela kuphela ohlwini olumhlophe, futhi u-0 usho ukuthi konke kuyenzeka.
Amaqembu axhunywe kanje:
ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))we save our group, go to Times, khona ngenza igebe elilodwa okusho ukuthi liyohlala lisebenza, manje singena kumaTarget Categories bese sidala ama list ngokubona kwethu, emva kokudala ama list sibuyela emagroupini ethu nangaphakathi kwegroup sisebenzisa izinkinobho. ukukhetha ukuthi ubani ongaya kuphi futhi ongayi lapho .
I-LightSquid ne-sqstat
Uma ngesikhathi senqubo yokusetha sikhethe i-loopback kuzilungiselelo ze-squid futhi savula amandla okufinyelela ku-7445 ku-firewall kokubili kunethiwekhi yethu naku-pfSense ngokwayo, lapho-ke siya ku-DiagnosticsSquid Proxy Reports singavula kalula kokubili i-sqstat ne-Lighsquid, ekugcineni sizodinga Lapho ungathola igama lokungena nephasiwedi, futhi ungakhetha nomklamo.
Ukuqedela
I-pfSense iyithuluzi elinamandla elingenza izinto eziningi - ukufaka ummeleli nokulawula ukufinyelela komsebenzisi ku-inthanethi kuwuhlamvu nje lwawo wonke umsebenzi, nokho, ebhizinisini elinemishini engu-500, yaxazulula inkinga futhi yasivumela ukuthi songe. ekuthengeni i-proxy.
Ngithemba ukuthi lesi sihloko sizosiza othile ukuxazulula inkinga efanele kakhulu kumabhizinisi aphakathi nendawo namakhulu.
Source: www.habr.com