Squid web proxy: access control based on Windows AD users

Squid is a proxy server and web cache: its cache speeds up access to web servers, and it can also serve as the outbound internet proxy for a company's internal network.
The specific scenario is as follows:

Company scenario:
There is one Squid server with internet access, used by internal devices to reach the internet, but the following controls are required:
  • Only users who have been granted internet access may use it
  • Logins must be integrated with Windows AD domain accounts
  • It must be easy to audit who is browsing
  • Users must be able to switch the IE proxy setting easily
Solution:
  • Use one CentOS 7 server and install the Squid proxy service
  • Join the Squid server to the AD domain and integrate the AD account information
  • Create a domain permission group; only employees added to that group can access Squid
  • Use a batch file to switch the IE proxy setting with one click
Environment:
Linux server: CentOS 7
AD server: Windows Server 2012 (domain: dgqy.com)
squid 3.5
smb 4.10
krb5
winbind
I. Install and configure the CentOS server
1. Set the hostname (test is used as the example)
vim /etc/sysconfig/network
HOSTNAME=test

hostnamectl set-hostname test
2. Configure DNS resolution (preferably pointing at the domain controller)
vim /etc/resolv.conf
search dgqy.com
nameserver 192.168.0.42

II. Join the Linux server to the AD domain
1. Install the required packages
yum install -y libxml2-devel libcap-devel libtool-ltdl-devel openldap-devel
yum -y install squid samba samba-client samba-common samba-common-tools samba-winbind samba-winbind-clients krb5-workstation krb5-libs pam_krb5 ntpdate oddjob oddjob-mkhomedir adcli sssd realmd openldap-clients policycoreutils-python

2. Edit the Kerberos 5 client configuration file
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}
# default_realm = EXAMPLE.COM
 default_realm = DGQY.COM
 dns_lookup_kdc = true

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 DGQY.COM = {
  kdc = 192.168.0.42
  admin_server = DGQY.com
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 dgqy.com = DGQY.COM
 .dgqy.com = DGQY.COM

Restart winbind so that it picks up the krb5 configuration:
systemctl restart winbind
Test the krb5 configuration by requesting a ticket for a domain user:
kinit 80310@DGQY.COM
Password for 80310@DGQY.COM:

If no error is reported, the test succeeded (klist lists the ticket that was obtained).
3. Configure Samba
vim /etc/samba/smb.conf
The workgroup, realm and password server settings must be set.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run testparm to verify the config is correct after
# you modified it.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2022/05/12 09:08:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = DGQY
password server = 192.168.0.42
realm = DGQY.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true

#--authconfig--end-line--
;       workgroup = SAMBA
;       security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

Restart the smb service:
service smb restart
4. Join the Linux server to the AD domain (using a domain account that is allowed to join machines)
net ads join -U 80310

Restart smb and winbind:
systemctl restart smb
systemctl restart winbind

5. Verify that the domain join succeeded (trust secret check, then list domain users)
wbinfo -t
wbinfo -u
6. Verify ntlm_auth (the helper Squid will use for authentication)
ntlm_auth --username=80310
7. Configure NSS so that domain users and groups resolve through winbind
vim /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

III. Create an AD domain group
Do not rename this group after creating it, because its name is referenced in the Squid configuration file.
Add domain users to this group to grant them proxy access.
IV. Install Squid
1. Install Squid
yum install -y squid
2. Edit the Squid configuration file
vim /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#

# AD authentication: NTLM first, Basic as the fallback, both through ntlm_auth/winbind
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
auth_param basic realm Squid proxy-caching web Server

# Check membership of the Windows AD group network_proxy_enable
# ttl: how long (seconds) a positive result stays cached. After a user is removed
#      from the group they can keep using the proxy for this long; 600 = 10 minutes.
# negative_ttl: how long (seconds) a negative result stays cached. After a user is
#      added to the group it takes up to this long before access works; 60 = 1 minute.
external_acl_type wbinfo_check ttl=600 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl allowed_group external wbinfo_check network_proxy_enable
acl NTLMUsers proxy_auth REQUIRED
http_access allow allowed_group NTLMUsers
http_access deny all
# NOTE: Squid stops at the first matching http_access line. With the allow/deny
# pair placed here, none of the http_access lines below is ever reached; the
# Safe_ports and CONNECT restrictions only take effect if they are moved above it.

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_mem 512 MB
cache_dir ufs /var/spool/squid 100 16 256
cache_effective_user squid
cache_effective_group squid

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
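Two properties of the configuration above are easy to get wrong: Squid evaluates http_access lines top to bottom and the first match wins, and results from ext_wbinfo_group_acl are cached for ttl / negative_ttl seconds before the helper is asked again. The following toy model, written for this page and not part of Squid or of the original post, lets you see both without a domain. The AD group lookup is replaced by a constructed dictionary (user 80310 is in network_proxy_enable, the constructed user 80311 is not), the clock is faked so the ttl can be advanced instantly, and only the ACLs named in the config are modelled.

```python
import time

# Port ACLs as defined in the squid.conf above.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
GROUP = "network_proxy_enable"


class FakeClock:
    """Deterministic clock so the ttl behaviour can be shown without waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class GroupCache:
    """Stand-in for ext_wbinfo_group_acl plus Squid's external ACL result cache.
    ad_groups maps user -> set of group names (constructed data replacing winbind)."""

    def __init__(self, ad_groups, ttl=600, negative_ttl=60, clock=time.monotonic):
        self.ad_groups = ad_groups
        self.ttl, self.negative_ttl, self.clock = ttl, negative_ttl, clock
        self.cache = {}        # (user, group) -> (result, expires_at)
        self.helper_calls = 0  # how often the "helper" (the lookup below) really ran

    def is_member(self, user, group):
        now = self.clock()
        hit = self.cache.get((user, group))
        if hit is not None and hit[1] > now:
            return hit[0]                      # served from cache, helper not consulted
        self.helper_calls += 1                 # this is where wbinfo would be asked
        ok = group in self.ad_groups.get(user, set())
        self.cache[(user, group)] = (ok, now + (self.ttl if ok else self.negative_ttl))
        return ok


def acl_matches(name, req, groups):
    """Evaluate one ACL name from the config; req has keys user, method, port."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "Safe_ports":
        hit = req["port"] in SAFE_PORTS
    elif name == "SSL_ports":
        hit = req["port"] in SSL_PORTS
    elif name == "CONNECT":
        hit = req["method"] == "CONNECT"
    elif name == "NTLMUsers":                  # acl NTLMUsers proxy_auth REQUIRED
        hit = req["user"] is not None
    elif name == "allowed_group":              # acl allowed_group external wbinfo_check ...
        hit = req["user"] is not None and groups.is_member(req["user"], GROUP)
    else:
        raise ValueError(f"unknown acl {name}")
    return hit != negate


def http_access(rules, req, groups):
    """First matching http_access line wins; if none matches, Squid applies the
    opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a, req, groups) for a in acls):
            return action == "allow"
    return rules[-1][0] != "allow"


# Order as written in the squid.conf above: the allow/deny-all pair comes first,
# so the port and CONNECT restrictions below it are never reached.
AS_WRITTEN = [
    ("allow", ["allowed_group", "NTLMUsers"]),
    ("deny", ["all"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]

# Same lines with the restrictions placed before the allow.
HARDENED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["allowed_group", "NTLMUsers"]),
    ("deny", ["all"]),
]


def demo(rules, clock):
    """Run constructed requests through a rule order; return the decisions and
    how many times the group helper was consulted."""
    groups = GroupCache({"80310": {GROUP}, "80311": set()}, clock=clock)
    get80 = lambda user: {"user": user, "method": "GET", "port": 80}
    results = {
        "member_get_80": http_access(rules, get80("80310"), groups),
        "anon_get_80": http_access(rules, get80(None), groups),
        "nonmember_get_80": http_access(rules, get80("80311"), groups),
        "member_connect_25": http_access(rules, {"user": "80310", "method": "CONNECT", "port": 25}, groups),
    }
    # Remove the user from the AD group: the cached positive answer lives ttl=600 s.
    groups.ad_groups["80310"] = set()
    results["removed_at_once"] = http_access(rules, get80("80310"), groups)
    clock.advance(601)
    results["removed_after_ttl"] = http_access(rules, get80("80310"), groups)
    results["helper_calls"] = groups.helper_calls
    return results


if __name__ == "__main__":
    for label, rules in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(label, demo(rules, FakeClock()))
```

With the order as written, an authenticated group member is allowed to CONNECT to port 25, because the allow line matches before the CONNECT restriction is ever evaluated; with the hardened order the same request is denied and the group helper is not even consulted. In both orders a user removed from the group keeps access until the cached positive result expires, which is what the ttl=600 comment in the config is warning about.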

3. Enable kernel IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward=1

Run sysctl -p to apply it.
4. Check the configuration file syntax
squid -k parse
5. Initialise the cache directories
squid -z
6. Fix the permissions on the winbind privileged pipe (the ntlm_auth helper runs as the squid user and must be able to reach it)
chown -R root:squid /var/lib/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged

7. Enable the services at boot
systemctl enable smb
systemctl enable winbind
systemctl enable squid

8. Restart all services
systemctl restart smb
systemctl restart winbind
systemctl restart squid

V. Test access
Open the IE connection settings and point the proxy at the Squid server (port 3128); IE then prompts for the domain credentials.
Once the credentials have been entered, browsing works normally.
VI. (Optional) Batch file to switch the IE proxy with one click
The script below is based on one published online (credit to its author; it will be removed on request):
IEproxy.bat: one-click set/unset of the local IE proxy server address on Windows – Qwluoye blog (qwblog.cn)
Only the ip and port values in the script need to be changed:
set ip=192.168.0.152
set port=3128
@echo off
@echo.
echo ╔══════════════════════════╗
echo ║Windows IE代理 设置/取消一键脚本║
echo ╚══════════════════════════╝
@echo.
echo ============================================================
@echo.
echo (1) 一键取消IE本地代理
@echo.
echo (2) 一键设置IE本地代理
@echo.
@echo.
echo ============================================================
@echo.
:start
set /p switch=请输入对应数字继续:
if %switch% equ 2 goto enable
if %switch% equ 1 goto disable
echo 无效的参数
goto done

:enable
@echo.
set ip=192.168.0.152
@echo.
set port=3128
@echo off
rem Adjust ip and port to your environment; tested OK on Windows 7/10
rem ========= EnableProxy =================================
@echo.
echo 初始化工具.....
@echo.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d 0 /f
echo 设置代理服务器
@echo.
@echo.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "%ip%:%port%" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "" /f
echo 已成功设置代理
@echo.
@echo.
goto done

:disable
@echo off
@echo.
echo 开始取消IE代理......
@echo.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d 0 /f
echo 代理服务器设置已经清空
@echo.
@echo.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "" /f
echo 已成功取消代理服务器
@echo.
@echo.
goto done

:done
echo Done
goto start
rem echo Originally written by Qwluoye, blog qwblog.cn