Squid-kerberos: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 23: | Zeile 23: | ||
= /etc/squid/squid.conf = | = /etc/squid/squid.conf = | ||
<pre> | <pre> | ||
| − | + | acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) | |
| − | + | acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) | |
| − | + | acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) | |
| − | + | acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines | |
| − | + | acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) | |
| − | + | acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) | |
| − | + | acl localnet src fc00::/7 # RFC 4193 local private network range | |
| − | + | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines | |
| − | + | acl SSL_ports port 443 | |
| − | + | acl Safe_ports port 80 # http | |
| − | + | acl Safe_ports port 21 # ftp | |
| − | + | acl Safe_ports port 443 # https | |
| − | + | acl Safe_ports port 70 # gopher | |
| − | + | acl Safe_ports port 210 # wais | |
| − | ##### | + | acl Safe_ports port 1025-65535 # unregistered ports |
| − | + | acl Safe_ports port 280 # http-mgmt | |
| − | + | acl Safe_ports port 488 # gss-http | |
| − | # | + | acl Safe_ports port 591 # filemaker |
| − | + | acl Safe_ports port 777 # multiling http | |
| − | + | http_access deny !Safe_ports | |
| − | # | + | http_access deny CONNECT !SSL_ports |
| − | # | + | http_access allow localhost manager |
| − | # | + | http_access deny manager |
| − | |||
| − | |||
| − | |||
| − | |||
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME | ||
auth_param negotiate children 10 | auth_param negotiate children 10 | ||
auth_param negotiate keep_alive off | auth_param negotiate keep_alive off | ||
| − | |||
| − | |||
| − | |||
acl auth proxy_auth REQUIRED | acl auth proxy_auth REQUIRED | ||
| − | + | http_access allow auth | |
| − | + | include /etc/squid/conf.d/*.conf | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
http_access allow localhost | http_access allow localhost | ||
http_access deny all | http_access deny all | ||
| − | + | http_port 3128 | |
| + | coredump_dir /var/spool/squid | ||
| + | refresh_pattern ^ftp: 1440 20% 10080 | ||
| + | refresh_pattern ^gopher: 1440 0% 1440 | ||
| + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
| + | refresh_pattern . 0 20% 4320 | ||
</pre> | </pre> | ||
Version vom 2. Oktober 2024, 14:18 Uhr
als ads client aufnehmen
zuerst als client aufnehemen https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
msktutils
- apt-get install msktutil
create computeraccount and a local keytab
- kinit administrator
PROXY="proxy.lab34.linuggs.de" DN="win2022.lab34.linux.de"
- msktutil -c -b "CN=Computers" -s HTTP/$PROXY -k /etc/squid/PROXY.keytab --computer-name PROXYSRV-HTTP --upn HTTP/$PROXY --server $DN -N
chown proxy.proxy /etc/squid3/PROXY.keytab
Kerberos Ticket update
- msktutil --auto-update --computer-name PROXYSRV-HTTP --server $DN -s HTTP/$PROXY -k /etc/squid/PROXY.keytab -N
Crontab
- echo "0 4 * * * msktutil --auto-update --computer-name PROXY --server $DN -s HTTP/$PROXY -k /etc/squid/PROXY.keytab -N" | crontab
/etc/default/squid3
- systemctl edit squid
Environment="KRB5_KTNAME=/etc/squid3/PROXY.keytab"
/etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate keep_alive off acl auth proxy_auth REQUIRED http_access allow auth include /etc/squid/conf.d/*.conf http_access allow localhost http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
restart
service squid3 start
client Machine
Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address.
debugging
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp