The proxy server used by the company is based on Linux, and from time to time it has problems that directly affect users' normal Internet access. I have been busy with other projects and have had no time to adjust and optimize it. Not long ago, the Linux system suddenly failed to enter the GNOME desktop environment, which prompted me to make up my mind to re-plan and deploy a proxy server that meets the needs of the current application environment.
Before deployment, let's take a look at the environment of the existing proxy server: it runs Red Hat Linux 8.x with Squid 2.3 in NCSA authentication mode. Because the system is outdated and lacks stability, it also has the following shortcomings:
1. Because of Squid configuration problems, the system cannot automatically release the disk space occupied by the Squid cache and logs; the Squid service is often suspended due to insufficient disk space, and the cache and logs have to be deleted by hand to free space.
2. A separate password has to be set on the proxy server for each user. When the company had few employees this was not much trouble, but as the company grew, the number of employees increased significantly, which adds to the IT administrators' workload and makes it hard to keep the accounts consistent with the Windows domain accounts.
3. The client cannot use an authentication mode integrated with AD, so users have to re-enter their user name and password every time they access the Internet, which greatly degrades the user experience.
4. Different permissions are not set for different Internet access groups.
5. Users' Internet access is not monitored, which directly affects the normal business behaviour of the company's network.
It is therefore easy to see that the proxy server needs frequent maintenance, which affects the efficiency of the IT staff. Starting from the company's current situation, we can re-plan the functions of the proxy server as follows:
1. The disk space occupied by Squid is reclaimed automatically under certain conditions;
2. Users are authenticated against the user account information on the AD server, so that user information does not have to be set up twice;
3. Three levels of user permission are provided:
   1. all access denied;
   2. Internet access allowed, but video, audio and executable files cannot be downloaded;
   3. unlimited access to any Internet resource;
4. IT administrators can view users' Internet access logs and monitor users' Internet access behaviour.
Now that the goal is clear, let's get straight to the subject!
I. system environment:
1. CentOS 5.0 Linux
2. squid-2.6.STABLE6-4.el5
3. samba-3.0.23c-2.el5.2.0.2
4. sarg-2.2.1-1.el5.rf
5. winbind
6. krb5
II. Modify the configuration file of the Kerberos 5 authentication service (unless otherwise stated, all work is done as the root user):
Run the following command:
[root@proxy ~]# vim /etc/krb5.conf
The modified krb5.conf is:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMPANY.COM   # default realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.COM = {
  kdc = adsrv.company.com:88            # name or IP address of the KDC server
  admin_server = adsrv.company.com:749  # name or IP address of the admin server
  default_domain = company.com          # default DNS domain name
 }

[domain_realm]   # mapping between DNS domain and Kerberos realm
 .company.com = COMPANY.COM
 company.com = COMPANY.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
III. Use the kinit tool to test whether the krb5 settings are correct
Run the following command:
[root@proxy ~]# kinit administrator@COMPANY.COM
You are prompted for the administrator's password; enter the correct password and the following is returned:
kinit: NOTICE: ticket renewable lifetime is 1 week
or the command simply returns to the prompt. Any other output is an error message. Make sure your Linux system and the Windows domain server have the same time zone settings; otherwise the system cannot communicate with the Active Directory server.
IV. Samba configuration
Because configuring the Samba server itself is not the subject here, the full configuration is not reproduced; only the part needed to set up the Squid proxy server is shown:
[global]
 idmap gid = 10000-20000
 idmap uid = 10000-20000
 password server = 192.168.21.21
 workgroup = COMPANY   # NetBIOS name of the domain
 os level = 20
 encrypt passwords = yes
 security = ads        # use Windows Active Directory (ADS) authentication
 realm = COMPANY.COM   # the Kerberos realm to authenticate against; must be upper case
 winbind use default domain = yes
The items listed above need to be modified according to the actual situation.
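Because the realm must agree between krb5.conf and smb.conf (and must be upper case, as the comment above says), here is an added Python check, not from the original post, that parses constructed copies of the two excerpts and reports any inconsistency. The embedded file contents are samples mirroring the page's values, and the function names are my own.

```python
import re

# Constructed samples mirroring the page's krb5.conf and smb.conf excerpts.
KRB5_CONF = """\
[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 COMPANY.COM = {
  kdc = adsrv.company.com:88
  admin_server = adsrv.company.com:749
  default_domain = company.com
 }

[domain_realm]
 .company.com = COMPANY.COM
 company.com = COMPANY.COM
"""

SMB_CONF = """\
[global]
 workgroup = COMPANY
 security = ads
 realm = COMPANY.COM
 winbind use default domain = yes
"""


def _clean(raw):
    """Drop comment lines and trailing ' # ...' comments, then strip whitespace."""
    line = re.split(r"\s#", raw, maxsplit=1)[0].strip()
    return "" if line.startswith(("#", ";")) else line


def parse_krb5(text):
    """Return (default_realm, {realm: {key: value}}, {domain: realm})."""
    default_realm, realms, domain_realm = None, {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new section header
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:                               # start of a "REALM = {" block
                realm = m.group(1)
                realms[realm] = {}
                continue
            if line == "}":                     # end of the realm block
                realm = None
                continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and realm:
            realms[realm][key] = value
        elif section == "domain_realm":
            domain_realm[key] = value
    return default_realm, realms, domain_realm


def parse_smb_global(text):
    """Return the key/value pairs of smb.conf's [global] section (keys lower-cased)."""
    values, section = {}, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = value
    return values


def check_realm_consistency(krb5_text, smb_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    default_realm, realms, domain_realm = parse_krb5(krb5_text)
    smb = parse_smb_global(smb_text)
    if not default_realm:
        return ["krb5.conf: no default_realm in [libdefaults]"]
    if default_realm != default_realm.upper():
        problems.append("krb5.conf: default_realm %r is not upper case" % default_realm)
    realm_cfg = realms.get(default_realm)
    if realm_cfg is None:
        problems.append("krb5.conf: no [realms] entry for %s" % default_realm)
    elif "kdc" not in realm_cfg:
        problems.append("krb5.conf: realm %s has no kdc" % default_realm)
    else:
        dom = realm_cfg.get("default_domain")
        if dom and domain_realm.get(dom) != default_realm:
            problems.append("krb5.conf: [domain_realm] does not map %s to %s" % (dom, default_realm))
    if smb.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' for AD authentication")
    if smb.get("realm") != default_realm:
        problems.append("smb.conf: realm %r does not match krb5 default_realm %r"
                        % (smb.get("realm"), default_realm))
    return problems


if __name__ == "__main__":
    for p in check_realm_consistency(KRB5_CONF, SMB_CONF) or ["ok: realms agree"]:
        print(p)
```

To run it against the real files, pass the contents of /etc/krb5.conf and /etc/samba/smb.conf to check_realm_consistency instead of the embedded samples.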
V. Use the ntlm_auth program to test whether the previous configuration is correct.
Restart the Linux server before testing if necessary; alternatively, you can try restarting only the samba and winbind services to achieve the same purpose (haha... good luck!):
[root@proxy ~]# service winbind restart
[root@proxy ~]# service smb restart
After restarting the system or the above services, run the following command:
[root@proxy ~]# ntlm_auth --username=administrator
You are prompted for the administrator's password; enter the correct password and the following is returned:
NT_STATUS_OK: NT_STATUS_OK (0x0)
If this is the result, the domain account administrator has passed AD authentication and you can go on to the next step.
VI. Configure NSS (Name Service Switch)
NSS stands for Name Service Switch; for more on what it does, see http://en.wikipedia.org/wiki/name_service_switch. The configuration is as follows:
passwd: files winbind
group: files winbind
The other entries do not need to be changed.
VII. Squid configuration
Since this is a proxy server, the Squid settings are of course the top priority. The Squid settings are described below according to the functions they implement:
1. Configure a third-party authentication program for Squid
# enable squid-2.5-ntlmssp as the helper protocol for NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

# enable squid-2.5-basic as the helper protocol for basic authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# The following parameter is essential for Squid to apply different access control policies to different user groups.
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
2. Configure the user access control list
# map the "internet" global group in AD to ProxyUsers
acl ProxyUsers external NT_global_group internet
# map the "nolimitedinternet" global group in AD to NoLimited
acl NoLimited external NT_global_group nolimitedinternet
# this statement ensures that all users must be authenticated
acl AuthenticatedUsers proxy_auth REQUIRED
# define the file types that cannot be downloaded
acl InvalidFiles urlpath_regex -i \.mp3$ \.avi$ \.rmvb$ \.mpg$ \.rm$ \.wma$ \.wmv$ \.scr$ \.exe$ \.ocx$ \.dll$ \.com$
# define the domain names and IP addresses that cannot be accessed; they are stored in the files "denyDomain.list" and "denyIP.list"
acl denyDomain dstdomain "/etc/squid/denyDomain.list"
acl denyIP dst "/etc/squid/denyIP.list"

# allow NoLimited users to access any Internet resource
http_access allow AuthenticatedUsers NoLimited
http_access deny denyDomain
http_access deny denyIP
http_access deny InvalidFiles

# ProxyUsers may not access the domain names and IP addresses in denyDomain.list and denyIP.list, nor download the file types specified by InvalidFiles
http_access allow AuthenticatedUsers ProxyUsers
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
Note the positions of two statements in this configuration: "http_access allow AuthenticatedUsers NoLimited" and "http_access allow AuthenticatedUsers ProxyUsers". Both grant permissions to a user group; the difference is where they stand. Squid evaluates http_access statements in order and the first matching line decides, so the NoLimited allow must come before the deny lines and the ProxyUsers allow after them. Pay close attention to this.
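To make the ordering concrete, here is an added Python example, not from the original post, that evaluates the five http_access lines above with Squid's first-match semantics over a constructed set of AD group memberships (hypothetical users alice, bob and carol, plus stand-in contents for denyDomain.list and denyIP.list), and then re-runs the same requests with the ProxyUsers allow line moved above the deny lines to show why the position matters.

```python
import re

# Constructed AD group membership standing in for what wbinfo_group.pl would
# look up; the users are hypothetical and not from the original post.
AD_GROUPS = {
    "alice": {"internet"},                       # ProxyUsers only
    "bob": {"internet", "nolimitedinternet"},    # also NoLimited
    "carol": set(),                              # authenticated but in no group
}

# The page's "acl InvalidFiles urlpath_regex -i ..." patterns, OR'ed together.
INVALID_FILES = re.compile(
    r"\.(mp3|avi|rmvb|mpg|rm|wma|wmv|scr|exe|ocx|dll|com)$", re.IGNORECASE)
# Constructed stand-ins for the contents of denyDomain.list and denyIP.list.
DENY_DOMAINS = {"blocked.example"}
DENY_IPS = {"192.0.2.10"}


def request(user, host, path, dst_ip=None):
    """Build a request as the ACL evaluator sees it (user=None: unauthenticated)."""
    return {"user": user, "host": host, "path": path, "dst_ip": dst_ip}


def acl_matches(name, req):
    """Evaluate one named ACL from the page's configuration against a request."""
    user = req["user"]
    groups = AD_GROUPS.get(user, set()) if user else set()
    if name == "AuthenticatedUsers":      # proxy_auth REQUIRED
        return user is not None
    if name == "ProxyUsers":              # external NT_global_group internet
        return "internet" in groups
    if name == "NoLimited":               # external NT_global_group nolimitedinternet
        return "nolimitedinternet" in groups
    if name == "denyDomain":              # dstdomain: the host or any subdomain of it
        return any(req["host"] == d or req["host"].endswith("." + d) for d in DENY_DOMAINS)
    if name == "denyIP":                  # dst: destination IP address
        return req["dst_ip"] in DENY_IPS
    if name == "InvalidFiles":            # urlpath_regex -i: applied to the URL path
        return INVALID_FILES.search(req["path"]) is not None
    raise KeyError("undefined acl %r" % name)


# The five http_access lines exactly in the order the page gives them.
PAGE_ORDER = [
    ("allow", ["AuthenticatedUsers", "NoLimited"]),
    ("deny", ["denyDomain"]),
    ("deny", ["denyIP"]),
    ("deny", ["InvalidFiles"]),
    ("allow", ["AuthenticatedUsers", "ProxyUsers"]),
]

# The same five lines with the ProxyUsers allow moved above the deny lines.
SWAPPED_ORDER = [PAGE_ORDER[0], PAGE_ORDER[4]] + PAGE_ORDER[1:4]


def http_access(rules, req):
    """First-match evaluation: all ACLs on one line must match (AND); lines are
    tried in order (OR). With no match, Squid applies the opposite of the last
    line's action. (A real Squid answers an unauthenticated request that reaches
    a proxy_auth ACL with a 407 challenge instead of silently moving on.)"""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    cases = [
        request("bob", "www.example.com", "/tools/setup.exe"),
        request("alice", "www.example.com", "/tools/setup.exe"),
        request("alice", "www.example.com", "/index.html"),
        request("alice", "blocked.example", "/"),
        request("carol", "www.example.com", "/"),
        request(None, "www.example.com", "/"),
    ]
    for req in cases:
        print("%-6s %-18s %-18s page order: %-5s swapped: %s" % (
            req["user"], req["host"], req["path"],
            http_access(PAGE_ORDER, req), http_access(SWAPPED_ORDER, req)))
```

With the page's order, alice (ProxyUsers) is refused setup.exe and blocked.example while bob (NoLimited) gets both; with the ProxyUsers allow moved up, alice matches that line before any deny is reached and the restrictions silently stop applying.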
VIII. Change the winbind pipe permissions
Do not forget this step: without sufficient permissions on the winbind pipe, the system cannot verify the user's identity. The commands are:
[root@proxy ~]# chown -R root:squid /var/cache/samba/winbindd_privileged
[root@proxy ~]# chmod -R 750 /var/cache/samba/winbindd_privileged
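An added check, not from the original post, that verifies what the two commands above establish on the winbindd_privileged directory: owned by root, group squid, mode 750, so the squid helper can traverse it and nobody else can reach the pipe. The self_check function exercises the same logic on a temporary directory so it runs without root; the function names are my own.

```python
import os
import stat
import tempfile

PIPE_DIR = "/var/cache/samba/winbindd_privileged"   # path from the page


def check_privileged_pipe_dir(path, expected_uid=0, expected_gid=None):
    """Return a list of problems with the winbindd_privileged directory.

    Expected state after 'chown -R root:squid' and 'chmod -R 750': the owner
    (root) keeps full access, the squid group can read and traverse, and
    'other' has no access at all.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist (is winbind running?)" % path]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        problems.append("world-accessible: mode %o" % mode)
    if mode & 0o050 != 0o050:
        problems.append("group cannot read and traverse: mode %o" % mode)
    if mode & 0o020:
        problems.append("group-writable: mode %o" % mode)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if expected_gid is not None and st.st_gid != expected_gid:
        problems.append("group gid %d, expected %d" % (st.st_gid, expected_gid))
    return problems


def self_check():
    """Exercise the check on a constructed temporary directory (no root needed)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uid, gid = os.getuid(), os.getgid()   # stand in for root and squid
        os.chmod(tmp, 0o750)
        results["750"] = check_privileged_pipe_dir(tmp, uid, gid)
        os.chmod(tmp, 0o755)
        results["755"] = check_privileged_pipe_dir(tmp, uid, gid)
        os.chmod(tmp, 0o700)
        results["700"] = check_privileged_pipe_dir(tmp, uid, gid)
    return results


if __name__ == "__main__":
    for mode, problems in self_check().items():
        print("mode %s: %s" % (mode, problems or "ok"))
    try:
        import grp
        squid_gid = grp.getgrnam("squid").gr_gid
        print(PIPE_DIR, check_privileged_pipe_dir(PIPE_DIR, 0, squid_gid) or "ok")
    except KeyError:
        print("no 'squid' group on this host; skipping the live check")
```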
IX. Restart all related services
The commands are as follows:
[root@proxy ~]# service smb restart
[root@proxy ~]# service winbind restart
[root@proxy ~]# service squid restart
So far, we have completed the configuration of the Squid proxy server. Next, we also need to give IT administrators the ability to view and monitor users' Internet access behaviour.
X. Installation and configuration of Sarg
For simplicity, download the binary installation package with the following command:
[root@proxy ~]# wget http://dag.wieers.com/rpm/packages/sarg/sarg-2.2.1-1.el5.rf.i386.rpm
Installation is even easier; just run:
[root@proxy ~]# rpm -Uvh sarg-2.2.1-1.el5.rf.i386.rpm
After the installation, restart the Apache server.