Squid-Kit-ldap: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 95: | Zeile 95: | ||
*systemctl restart squid | *systemctl restart squid | ||
===Die Änderungen=== | ===Die Änderungen=== | ||
| − | *vi /etc/squid/ | + | *vi /etc/squid/squid.conf |
| + | acl localnet src 0.0.0.1-0.255.255.255 | ||
| + | acl localnet src 10.0.0.0/8 | ||
| + | acl localnet src 100.64.0.0/10 | ||
| + | acl localnet src 169.254.0.0/16 | ||
| + | acl localnet src 172.16.0.0/12 | ||
| + | acl localnet src 192.168.0.0/16 | ||
| + | acl localnet src fc00::/7 | ||
| + | acl localnet src fe80::/10 | ||
| + | acl SSL_ports port 443 | ||
| + | acl Safe_ports port 80 | ||
| + | acl Safe_ports port 21 | ||
| + | acl Safe_ports port 443 | ||
| + | acl Safe_ports port 70 | ||
| + | acl Safe_ports port 210 | ||
| + | acl Safe_ports port 1025-65535 | ||
| + | acl Safe_ports port 280 | ||
| + | acl Safe_ports port 488 | ||
| + | acl Safe_ports port 591 | ||
| + | acl Safe_ports port 777 | ||
| + | http_access deny !Safe_ports | ||
| + | http_access deny CONNECT !SSL_ports | ||
| + | http_access allow localhost manager | ||
| + | http_access deny manager | ||
| + | <span style="color:blue"># http_access allow localhost</span> | ||
| + | http_access deny to_localhost | ||
| + | http_access deny to_linklocal | ||
| + | include /etc/squid/conf.d/*.conf | ||
| + | auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=it213,dc=int -D cn=admin,dc=it213,dc=int -w 123Start$ -f uid=%s -H ldaps://ldap.it213.int | ||
| + | auth_param basic children 20 startup=0 idle=1 | ||
| + | auth_param basic concurrency 0 | ||
| + | auth_param basic credentialsttl 500 seconds | ||
| + | auth_param basic realm it213 proxy server | ||
| + | auth_param basic casesensitive off | ||
| + | acl ldap-auth proxy_auth REQUIRED | ||
| + | <span style="color:red">external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -v 3 -b ou=groups,dc=it213,dc=int -D cn=admin,dc=it213,dc=int -w 123Start$ -f "(&(objectClass=posixGroup)(cn=%g)(memberUid=%u))" -H ldaps://ldap.it213.int</span> | ||
| + | <span style="color:red">acl teamleitung external ldap_group teamleitung</span> | ||
| + | <span style="color:red">acl agents external ldap_group agents</span> | ||
| + | <span style="color:red">http_access allow teamleitung</span> | ||
| + | <span style="color:red">acl badsites url_regex "/etc/squid/badsites.txt"</span> | ||
| + | <span style="color:red">http_access deny badsites agents</span> | ||
| + | <span style="color:red">http_access allow agents</span> | ||
| + | <span style="color:blue"># http_access allow ldap-auth</span> | ||
| + | http_access deny all | ||
| + | http_port 3128 | ||
| + | coredump_dir /var/spool/squid | ||
| + | refresh_pattern ^ftp: 1440 20% 10080 | ||
| + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
| + | refresh_pattern . 0 20% 4320 | ||
Version vom 2. April 2026, 13:56 Uhr
Auf dem LDAP Server
Wir legen 2 Gruppen an
- Wir trennen Benutzer nach Berechtigungen in Gruppen.
- Die Gruppe „teamleitung“ bekommt später vollen Zugriff, „agents“ wird eingeschränkt.
- ldapaddgroup teamleitung
- ldapaddgroup agents
- Benutzer werden den Gruppen zugeordnet.
- Die Gruppenzugehörigkeit steuert später den Zugriff im Squid.
- ldapadduser wilma teamleitung
- ldapadduser betty teamleitung
- ldapadduser fred agents
- ldapadduser barney agents
- Setzt die Passwörter für die Benutzer.
- Diese werden für die Anmeldung am Proxy verwendet.
- ldapsetpasswd wilma
- ldapsetpasswd betty
- ldapsetpasswd fred
- ldapsetpasswd barney
Auf dem SQUID Server
Authentifizierung mit LDAP
- Authentifizierung erfolgt gegen einen LDAP-Server.
- TLS sollte verwendet werden, damit Benutzername und Passwort nicht im Klartext übertragen werden.
- Benötigte Pakete für LDAP-Unterstützung.
ldap-utils enthält Tools zum Testen der Verbindung.
Installation
- apt install libldap2 ldap-utils
Wenn noch nicht geschehen
- apt install squid-openssl
Wir testen die Verbindung zum LDAP Server
- Wir erstellen die Konfiguration
- vi /etc/ldap/ldap.conf
BASE dc=it213,dc=int URI ldaps://ldap.it213.int ldap_version
Kommen wir auf den Ldap Server?
- ldapsearch -x
Verschlüsselung ok?
- openssl s_client -host ldap.it213.int -port 636
Die Konfiguration
Wir fangen wieder bei null an
- cd /etc/squid
- grep "^[^#]" squid.conf.org > squid.conf
Die Änderungen
- vi /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 acl localnet src 10.0.0.0/8 acl localnet src 100.64.0.0/10 acl localnet src 169.254.0.0/16 acl localnet src 172.16.0.0/12 acl localnet src 192.168.0.0/16 acl localnet src fc00::/7 acl localnet src fe80::/10 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 acl Safe_ports port 70 acl Safe_ports port 210 acl Safe_ports port 1025-65535 acl Safe_ports port 280 acl Safe_ports port 488 acl Safe_ports port 591 acl Safe_ports port 777 http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager # http_access allow localhost http_access deny to_localhost http_access deny to_linklocal include /etc/squid/conf.d/*.conf auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=it213,dc=int -D cn=admin,dc=it213,dc=int -w 123Start$ -f uid=%s -H ldaps://ldap.it213.int auth_param basic children 20 startup=0 idle=1 auth_param basic concurrency 0 auth_param basic credentialsttl 500 seconds auth_param basic realm it213 proxy server auth_param basic casesensitive off acl ldap-auth proxy_auth REQUIRED http_access allow ldap-auth http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
Neu starten
- systemctl restart squid
Die Änderungen
- vi /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 acl localnet src 10.0.0.0/8 acl localnet src 100.64.0.0/10 acl localnet src 169.254.0.0/16 acl localnet src 172.16.0.0/12 acl localnet src 192.168.0.0/16 acl localnet src fc00::/7 acl localnet src fe80::/10 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 acl Safe_ports port 70 acl Safe_ports port 210 acl Safe_ports port 1025-65535 acl Safe_ports port 280 acl Safe_ports port 488 acl Safe_ports port 591 acl Safe_ports port 777 http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager # http_access allow localhost http_access deny to_localhost http_access deny to_linklocal include /etc/squid/conf.d/*.conf auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b dc=it213,dc=int -D cn=admin,dc=it213,dc=int -w 123Start$ -f uid=%s -H ldaps://ldap.it213.int auth_param basic children 20 startup=0 idle=1 auth_param basic concurrency 0 auth_param basic credentialsttl 500 seconds auth_param basic realm it213 proxy server auth_param basic casesensitive off acl ldap-auth proxy_auth REQUIRED external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -v 3 -b ou=groups,dc=it213,dc=int -D cn=admin,dc=it213,dc=int -w 123Start$ -f "(&(objectClass=posixGroup)(cn=%g)(memberUid=%u))" -H ldaps://ldap.it213.int acl teamleitung external ldap_group teamleitung acl agents external ldap_group agents http_access allow teamleitung acl badsites url_regex "/etc/squid/badsites.txt" http_access deny badsites agents http_access allow agents # http_access allow ldap-auth http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320