SquidGuard + NTLM does not block
-
Hi all!
I have 2.3.3-RELEASE (amd64)
Squid + SquidGuard (http://www.shallalist.de/Downloads/shallalist.tar.gz) + LightSquid + samba (set up following the article https://pf2ad.mundounix.com.br/en/index.html)
The problem is this: I want to manage permissions in squidguard via AD.
As soon as I tick Enable LDAP Filter (with all its parameters) under Proxy filter SquidGuard: General settings, nothing is filtered any more; every user immediately gets full access to everything.
Common ACL: deny all
SquidGuard configuration file

logdir /var/squidGuard/log
dbhome /var/db/squidGuard
ldapbinddn cn=exadm,cn=builtin,dc=company,dc=ru
ldapbindpass 7777777
ldapprotover 3
stripntdomain true
striprealm true
#
# pftest
src pftest {
}
#
dest blk_BL_adv {
    domainlist blk_BL_adv/domains
    urllist blk_BL_adv/urls
}
#
# lots more URL lists here
#
rew safesearch {
    s@(google\..*/search?.*q=.*)@\&safe=active@i
    s@(google\..*/images.*q=.*)@\&safe=active@i
    s@(google\..*/groups.*q=.*)@\&safe=active@i
    s@(google\..*/news.*q=.*)@\&safe=active@i
    s@(yandex\..*/yandsearch?.*text=.*)@\&fyandex=1@i
    s@(search\.yahoo\..*/search.*p=.*)@\&vm=r\&v=1@i
    s@(search\.live\..*/.*q=.*)@\&adlt=strict@i
    s@(search\.msn\..*/.*q=.*)@\&adlt=strict@i
    s@(\.bing\..*/.*q=.*)@\&adlt=strict@i
}
#
acl {
    #
    default {
        pass !in-addr none
        redirect http://192.168.211.4:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
Proxy config
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.211.4:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language ru
icon_directory /usr/local/etc/squid/icons
visible_hostname company proxy server
cache_mgr 01@company.ru
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 30
debug_options rotate=30
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.208.0/22
forwarded_for on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Package Integration
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0
# Custom options before auth
auth_param negotiate program /usr/local/libexec/squid/negotiate_wrapper_auth --ntlm /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NOME
auth_param negotiate children 20
auth_param negotiate keep_alive off
# Pure NTLM
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b 'dc=company,dc=ru' -D 'exadm@company.ru' -w '7777777' -f sAMAccountName=%s -h v-krr-dc.company.ru
auth_param basic children 20
auth_param basic credentialsttl 1 minute
auth_param basic children 5
auth_param basic realm Давай блять, жги
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
# Custom options after auth
http_access allow password localnet
# Default block all to be sure
http_access deny allsrc
-
Morning.
Is Squid transparent? Have you checked the LDAP filter for correctness?
-
Morning.
Is Squid transparent? Have you checked the LDAP filter for correctness?

Squid is not transparent. Could you please tell me how to check the LDAP filter for correctness?