Squid web proxy: access control based on Windows AD users
Posted by 小先2
Squid is a proxy server and web cache: it can use its cache to speed up web access and take load off the upstream web servers, and it can also provide proxied Internet access for a company's internal network.
The concrete scenario is as follows.

Company scenario:
There is one Squid server with Internet access that internal devices use to reach the Internet, and the following controls are required:
- Only users who have been granted Internet access may use it
- Logins must use Windows AD domain accounts
- It must be easy to audit who browsed what
- Users need an easy way to switch the IE proxy on and off

Solution:
- A CentOS 7 server running the Squid proxy service
- Join the Squid server to the AD domain so that it can use AD account information
- Create a domain permission group; only employees added to that group can use Squid
- A batch file that toggles the IE proxy setting in one step
Environment:

Component | Version
---|---
Linux server | CentOS 7
AD server | Windows Server 2012 (domain: dgqy.com)
squid | 3.5
smb | 4.10
krb5 | (version not given)
winbind | (version not given)
I. Install and configure the CentOS server
1. Set the hostname (test is used as the example)
On CentOS 7 hostnamectl is the supported way to set it; /etc/sysconfig/network is the legacy location and only matters for older tooling, so if you keep it, the syntax is HOSTNAME=test with no spaces:
hostnamectl set-hostname test
vim /etc/sysconfig/network
HOSTNAME=test
2. Configure DNS resolution. Point the resolver at a domain controller: the domain join, Kerberos and winbind all locate the DC through the _kerberos and _ldap SRV records in AD DNS, so a resolver that cannot answer those queries makes every later step fail.
vim /etc/resolv.conf
search dgqy.com
nameserver 192.168.0.42
If NetworkManager manages the interface it will rewrite /etc/resolv.conf; set the DNS server on the connection instead (nmcli con mod <connection> ipv4.dns 192.168.0.42) so the change survives a restart.
II. Join the Linux server to the AD domain
1. Install the required packages
yum install -y libxml2-devel libcap-devel libtool-ltdl-devel openldap-devel
yum -y install squid samba samba-client samba-common samba-common-tools samba-winbind samba-winbind-clients krb5-workstation krb5-libs pam_krb5 oddjob oddjob-mkhomedir adcli sssd realmd openldap-clients ntpdate policycoreutils-python
2. Edit the Kerberos 5 client configuration. The realm name must be upper case (DGQY.COM); the [domain_realm] section maps the DNS domain to it.
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%uid
# default_realm = EXAMPLE.COM
default_realm = DGQY.COM
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM =
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
#
DGQY.COM =
kdc = 192.168.0.42
admin_server = DGQY.com
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
dgqy.com = DGQY.COM
.dgqy.com = DGQY.COM
There is no krb5 daemon to restart: krb5.conf is read by every Kerberos library call, so test it directly by requesting a ticket for a domain account (80310 is the sample account used throughout this page):
kinit 80310@DGQY.COM
Password for 80310@DGQY.COM:
klist
No error from kinit, and a krbtgt/DGQY.COM@DGQY.COM ticket listed by klist, means the realm, KDC and DNS settings work. "Cannot find KDC for realm" points at DNS or the realm name (case matters); "Clock skew too great" means the server's time differs from the DC by more than 5 minutes, so sync it with ntpdate (installed above) against the DC first.
3. Configure Samba
vim /etc/samba/smb.conf
The settings that matter are workgroup, realm, password server, security = ads and the winbind lines in [global]; the [homes], [printers] and [print$] shares are the CentOS defaults and are not used by Squid.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run testparm to verify the config is correct after
# you modified it.
[global]
#--authconfig--start-line--
# Generated by authconfig on 2022/05/12 09:08:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = DGQY
password server = 192.168.0.42
realm = DGQY.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true
#--authconfig--end-line--
; workgroup = SAMBA
; security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
Check the syntax and restart smb:
testparm
systemctl restart smb
4. Join the Linux server to the AD domain
net ads join -U 80310
The account used here must be allowed to join computers to the domain; you are prompted for its password once. The join creates a computer account for the host and stores its secret in /var/lib/samba/private/secrets.tdb, which is what "kerberos method = secrets only" in smb.conf refers to.
Restart smb and winbind so that winbind picks up the new machine account:
systemctl restart smb
systemctl restart winbind
5. Verify that the join completed
wbinfo -t
wbinfo -u
wbinfo -t checks the machine account secret against the DC and should report that checking the trust secret succeeded; wbinfo -u lists the domain users through winbind (without the DGQY\ prefix, because of "winbind use default domain = true").
6. Verify ntlm_auth, the helper that Squid will call
ntlm_auth --username=80310
Enter the account password when prompted; "NT_STATUS_OK: Success (0x0)" means winbind can authenticate the account. This runs as root; the same command must also work as the squid user once the winbindd_privileged permissions are changed in step IV.6.
7. Configure NSS so that domain users and groups resolve on the system (getent passwd and getent group will then show AD accounts)
vim /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
III. Create the AD group
In AD, create a security group named network_proxy_enable; this is the group name referenced in squid.conf below, so do not rename it afterwards.
Adding a domain user to this group is all that is needed to grant them proxy access; removing them revokes it (subject to the ttl cache explained in the Squid configuration).
IV. Install Squid
1. Install squid (already pulled in by the package list in II.1; harmless to repeat)
yum install -y squid
2. Edit the Squid configuration file. Squid evaluates http_access lines top to bottom and acts on the first match, so the order of those lines is the access control.
vim /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# AD authentication: Squid hands the NTLM exchange to winbind through ntlm_auth.
# The basic helper is a fallback for clients that cannot do NTLM; it carries the
# domain password base64-encoded in the Proxy-Authorization header, so only
# keep it on trusted networks.
#
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm Squid proxy-caching web Server
# Group check against Windows AD (members of network_proxy_enable).
# ttl: how long a positive answer is cached, in seconds; a user removed from
#      the group keeps access for up to 10 minutes.
# negative_ttl: how long a negative answer is cached, in seconds; a user just
#      added to the group may have to wait up to 1 minute.
external_acl_type wbinfo_check ttl=600 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl allowed_group external wbinfo_check network_proxy_enable
acl NTLMUsers proxy_auth REQUIRED
#
# Recommended minimum Access Permission configuration.
# http_access lines are evaluated top to bottom and the first match wins, so
# the port, CONNECT and cache-manager restrictions must come BEFORE the rule
# that admits authenticated users. A common mistake is to put
# "http_access deny all" directly after the group rule: every later line is
# then unreachable, and any authenticated user can CONNECT to any port.
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# Internal clients are admitted only with valid domain credentials AND
# membership in network_proxy_enable; proxy_auth comes first so that an
# unauthenticated client receives the 407 challenge.
http_access allow localnet NTLMUsers allowed_group
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
cache_mem 512 MB
cache_dir ufs /var/spool/squid 100 16 256
cache_effective_user squid
cache_effective_group squid
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
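Squid evaluates http_access lines in order and stops at the first line whose ACLs all match, so a misplaced "deny all" silently disables everything below it. The Python model below is an added example (not Squid's code and not part of the original post) that reproduces that first-match rule for the ACL names used in the configuration above, and compares two orderings of the same lines: ORIGINAL, where "deny all" directly follows the authenticated-group rule and the port, CONNECT and manager lines come after it, and FIXED, where those checks come first. The Request fields, the in_group flag (standing in for the answer ext_wbinfo_group_acl would give) and the dead_rules check are assumptions of this model, not Squid features; proxy_auth is simplified to "credentials present" and the 407 challenge is not modelled.

```python
"""Model of Squid's http_access evaluation: lines are tried top to bottom, a
line matches only if every ACL on it matches (a leading '!' negates), and the
first matching line decides.  Added example, not Squid's code: it covers just
the ACL names used in the squid.conf on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])

# Port sets copied from the Safe_ports / SSL_ports ACLs in the configuration.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class Request:
    src: str                    # client address
    method: str                 # GET, CONNECT, ...
    port: int                   # destination port
    user: Optional[str] = None  # None: no Proxy-Authorization credentials
    in_group: bool = False      # assumed answer of ext_wbinfo_group_acl
    manager: bool = False       # cache-manager request


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL reference (optionally negated with '!')."""
    negate = name.startswith("!")
    src = ipaddress.ip_address(req.src)
    value = {
        "all": True,
        "localhost": src.is_loopback,
        "localnet": any(src in net for net in LOCALNET),
        "Safe_ports": req.port in SAFE_PORTS,
        "SSL_ports": req.port in SSL_PORTS,
        "CONNECT": req.method == "CONNECT",
        "manager": req.manager,
        # proxy_auth REQUIRED, simplified to "valid credentials present";
        # the 407 challenge real Squid sends on failure is not modelled
        "NTLMUsers": req.user is not None,
        # external ACL keyed on %LOGIN: only ever true for an authenticated user
        "allowed_group": req.user is not None and req.in_group,
    }[name.lstrip("!")]
    return value != negate  # XOR with the negation flag


def evaluate(rules: List[Rule], req: Request) -> str:
    """Return 'allow' or 'deny'.  If no line matches, Squid applies the
    opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def dead_rules(rules: List[Rule]) -> List[int]:
    """Indices of lines that can never be reached because an unconditional
    'allow all' or 'deny all' comes before them."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


# "deny all" right after the group rule; everything below it is unreachable
ORIGINAL: List[Rule] = [
    ("allow", ["allowed_group", "NTLMUsers"]),
    ("deny", ["all"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Same ACLs, with the port, CONNECT and manager checks ahead of the
# authenticated-group rule and a single final deny
FIXED: List[Rule] = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet", "NTLMUsers", "allowed_group"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    # A group member on the LAN tunnelling to SSH through the proxy
    ssh = Request("192.168.0.50", "CONNECT", 22, user="80310", in_group=True)
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label:8} CONNECT :22 -> {evaluate(rules, ssh)}; "
              f"unreachable lines: {dead_rules(rules)}")
```

With ORIGINAL the group member's CONNECT to port 22 is allowed, because the line that should deny it is never reached, and the cache manager is locked out even from localhost; with FIXED the same request is denied, plain web requests from group members still pass, and authenticated users outside the group or clients outside localnet are refused.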
3. Kernel IP forwarding
Squid is an application-layer proxy: it accepts the client's TCP connection and opens its own connection to the destination, so net.ipv4.ip_forward is not required for it. Enable it only if this server also has to route packets (for example as a NAT gateway); otherwise leave it at 0 so that the box does not forward traffic it should not.
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
applies the change.
4. Check the configuration syntax
squid -k parse
5. Initialise the cache directories (the cache_dir structure must exist before the first start)
squid -z
6. Give the squid user access to the winbind privileged pipe
ntlm_auth runs as the squid user (cache_effective_user), and the NTLMSSP helper needs the winbindd_privileged socket, which is root-only by default. On CentOS 7 the directory is /var/lib/samba/winbindd_privileged (older releases used /var/cache/samba; smbd -b | grep WINBINDD prints the path compiled into your build):
chown -R root:squid /var/lib/samba/winbindd_privileged
chmod -R 750 /var/lib/samba/winbindd_privileged
Confirm that authentication now also works as the unprivileged user:
su -s /bin/bash squid -c "ntlm_auth --username=80310"
7. Enable the services at boot
systemctl enable smb
systemctl enable winbind
systemctl enable squid
8. Restart all services (winbind before squid, because the helpers connect to it at startup)
systemctl restart smb
systemctl restart winbind
systemctl restart squid
V. Test access
Open the IE settings (Internet Options > Connections > LAN settings) and enter the proxy address and port 3128.
Browsing should work once the domain credentials are accepted; on a domain-joined Windows client IE sends the logged-on user's NTLM credentials to the proxy automatically, so normally no prompt appears. On the server, confirm that requests are logged under the AD account, which is what the audit requirement relies on:
tail -f /var/log/squid/access.log
The user name is the field after the URL: "-" with TCP_DENIED/407 is the initial authentication challenge, and TCP_DENIED/403 with a user name means the account authenticated but is not a member of network_proxy_enable.
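The audit requirement is met by access.log, where Squid writes the authenticated user name in the field after the URL. The script below is an added example (not from the original post) that summarises per-user activity from lines in Squid's default native log format and lists accounts that authenticated but were refused, which in this setup means a valid domain user outside network_proxy_enable. The lines in SAMPLE_LOG are constructed for the example; the client addresses, account numbers and host names in them are made up, and the user field is shown both with and without the DGQY\ prefix because ntlm_auth may report either form.

```python
"""Per-user audit of Squid access.log.  Added example; the log lines in
SAMPLE_LOG are constructed in Squid's default 'squid' logformat:
  time elapsed client action/status bytes method url user hierarchy/peer type
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
1652323201.417    245 192.168.0.50 TCP_DENIED/407 3979 GET http://www.example.com/ - HIER_NONE/- text/html
1652323201.612    310 192.168.0.50 TCP_MISS/200 15342 GET http://www.example.com/ 80310 HIER_DIRECT/93.184.216.34 text/html
1652323205.118   1204 192.168.0.50 TCP_MISS/200 48211 CONNECT mail.example.com:443 80310 HIER_DIRECT/93.184.216.35 -
1652323300.004    198 192.168.0.77 TCP_DENIED/407 3979 GET http://news.example.org/ - HIER_NONE/- text/html
1652323300.221    201 192.168.0.77 TCP_DENIED/403 3821 GET http://news.example.org/ DGQY\80412 HIER_NONE/- text/html
1652323420.930    502 192.168.0.50 TCP_MISS/200 9120 GET http://intranet.dgqy.com/ 80310 HIER_DIRECT/192.168.0.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


class Entry(NamedTuple):
    ts: float
    client: str
    action: str
    status: int
    nbytes: int
    method: str
    url: str
    user: Optional[str]  # None when no credentials were presented


def normalize_user(raw: str) -> Optional[str]:
    """'-' means no credentials.  ntlm_auth may report DOMAIN\\user or the bare
    account (depending on 'winbind use default domain'), so keep only the
    account part and case-fold it: AD account names are case-insensitive."""
    if raw == "-":
        return None
    return raw.rsplit("\\", 1)[-1].casefold()


def host_of(method: str, url: str) -> str:
    """CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["action"], int(m["status"]),
                 int(m["bytes"]), m["method"], m["url"], normalize_user(m["user"]))


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Requests, bytes, denials and distinct hosts per user.  Lines without
    credentials (the 407 challenge round trip) are grouped under '(anonymous)'."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "denied": 0, "hosts": set()})
    for e in filter(None, map(parse_line, lines)):
        s = stats[e.user or "(anonymous)"]
        s["requests"] += 1
        s["bytes"] += e.nbytes
        if e.action == "TCP_DENIED":
            s["denied"] += 1
        s["hosts"].add(host_of(e.method, e.url))
    return dict(stats)


def rejected_users(lines: Iterable[str]) -> List[str]:
    """Accounts that authenticated but were refused (403): with the group ACL
    on this page that is a valid domain user who is not in network_proxy_enable."""
    return sorted({e.user for e in filter(None, map(parse_line, lines))
                   if e.user and e.status == 403})


if __name__ == "__main__":
    for user, s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:12} {s['requests']:3} req {s['bytes']:8} bytes "
              f"{s['denied']} denied  hosts={sorted(s['hosts'])}")
    print("authenticated but not allowed:", rejected_users(SAMPLE_LOG.splitlines()))
```

Pointing summarize at the real file (open("/var/log/squid/access.log")) gives the per-user report the scenario asks for; a user appearing only in rejected_users is the usual "I have a domain account but the proxy says Forbidden" ticket, resolved by adding them to the group.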
VI. (Optional) one-click batch file to switch the IE proxy
Based on a script published by another author (IEproxy.bat: one-click set/unset of the local IE proxy server address, from the Qwluoye blog, qwblog.cn; credit to the original author).
Only the ip and port at the top of the script need to be changed to match the Squid server:
set ip=192.168.0.152
set port=3128
The full script (the proxy settings live under HKCU, so it changes only the current user's profile and needs no administrator rights):
@echo off
rem Proxy address: change these two values to match the Squid server
set ip=192.168.0.152
set port=3128
echo.
echo ╔════════════════════════════════════════════════════╗
echo ║  Windows IE proxy enable/disable one-click script  ║
echo ╚════════════════════════════════════════════════════╝
echo.
echo ======================================================
echo.
echo (1) Disable the local IE proxy
echo.
echo (2) Enable the local IE proxy
echo.
echo ======================================================
echo.
:start
set switch=
set /p switch=Enter the number of the action to run:
if "%switch%"=="2" goto enable
if "%switch%"=="1" goto disable
echo Invalid choice
goto done
:enable
rem ========= EnableProxy (tested on Windows 7/10) =========
echo Setting proxy server %ip%:%port% ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "%ip%:%port%" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "" /f
echo Proxy set successfully
goto done
:disable
rem ========= DisableProxy =========
echo Removing the IE proxy ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "" /f
echo Proxy settings cleared
goto done
:done
echo Done
goto start
rem Originally written by Qwluoye, blog qwblog.cn