uname -a
FreeBSD xxxxxxxxxxxxxx 9.2-RELEASE-p12 FreeBSD 9.2-RELEASE-p12 #1: Sat Oct 18 15:33:00 NOVT 2014
squid -v
Squid Cache: Version 3.4.10
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-eui' '--disable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--disable-follow-x-forwarded-for' '--disable-htcp' '--disable-icap-client' '--disable-icmp' '--disable-ident-lookups' '--disable-ipv6' '--enable-kqueue' '--with-large-files' '--disable-http-violations' '--without-nettle' '--disable-snmp' '--enable-ssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SASL' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd9.2' 'build_alias=amd64-portbld-freebsd9.2' 'CC=cc' 'CFLAGS=-pipe -I/usr/local/include -I/usr/local/include -I/usr/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 
'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/local/include -I/usr/local/include -I/usr/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'CPP=cpp'
cat /etc/krb5.conf
# /etc/krb5.conf — MIT-style Kerberos client configuration used on this host
# by Squid's negotiate_kerberos_auth helper. Full-line '#' comments only.
[libdefaults]
# Realm assumed when a principal name carries none.
default_realm = XXXX.XXXX.XXXX
# KDC addresses and host-to-realm mapping come from the explicit [realms] and
# [domain_realm] entries below, not from DNS SRV/TXT lookups.
dns_lookup_kdc = no
dns_lookup_realm = no
# Keytab holding the HTTP/ service key the Squid helper reads. It should be
# readable by the user Squid runs as and by nobody else.
default_keytab_name = /etc/krb5.keytab
# NOTE(review): the three settings below pin every ticket and session key to
# rc4-hmac. RC4-HMAC is a weak enctype that RFC 8429 deprecates; prefer the
# AES enctypes (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96) once the KDC
# and the HTTP/ keytab entry support them — TODO confirm with the AD owners.
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# Explicit servers for the realm. Repeating 'kdc' and 'admin_server' is valid
# in krb5.conf: each repetition adds another server to the list.
[realms]
XXXX.XXXX.XXXX = {
kdc = 192.168.xxx.xxx
kdc = 192.168.xxx.xxx
admin_server = 192.168.xxx.xxx
admin_server = 192.168.xxx.xxx
default_domain = xxxx.xxxx.xxxx
}
# Maps the DNS domain (leading dot = all subdomains) and the bare domain name
# to the realm.
[domain_realm]
.xxxx.xxxx.xxxx = XXXX.XXXX.XXXX
xxxx.xxxx.xxxx = XXXX.XXXX.XXXX
# Log destinations. 'kdc' and 'admin_server' apply to the KDC and kadmind
# daemons, which presumably do not run on this proxy host — harmless but inert
# here. 'default' covers the other krb5 components; /var/log/kerberos must
# exist and be writable by the process using the library.
[logging]
kdc = FILE:/var/log/kerberos/kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
cat /usr/local/etc/squid/squid.conf
# squid.conf — Squid 3.4 forward proxy with Kerberos (Negotiate) authentication
# and per-AD-group access rules resolved through ext_ldap_group_acl.
# Squid accepts '#' comments anywhere on a line; '\' continues a line.

# Kerberos/SPNEGO helper. -s names the HTTP/ service principal whose key must
# be in the keytab (see krb5.conf default_keytab_name).
# NOTE(review): -d enables helper debug output in cache.log; it logs
# authentication details for every request and is better left off in
# production — TODO confirm it is still needed here.
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/x.XXXX.XXXX.XXXX@XXXX.XXXX.XXXX
# Number of helper processes started; keep_alive keeps the connection open
# between the authentication exchange steps.
auth_param negotiate children 20
auth_param negotiate keep_alive on
# Resolvers used by Squid's internal DNS client.
# NOTE(review): the list mixes the local resolver and internal servers with
# the public 8.8.8.8; internal-only names may fail or resolve differently
# depending on which server answers — TODO confirm the public entry is wanted.
dns_nameservers 127.0.0.1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 8.8.8.8
# Client network. NOTE(review): 'localnet' is defined but never referenced in
# an http_access rule below, so any host that can reach port 3128 may attempt
# authentication; consider 'http_access deny !localnet' ahead of the group
# rules if the listener is reachable from outside this subnet.
acl localnet src 192.168.xxx.0/24
# Destination ports permitted for CONNECT tunnels.
acl SSL_ports port 443
# Destination ports permitted for any request. The 1025-65535 range is the
# permissive Squid default; tighten it if only web traffic is expected.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Nothing is stored: this proxy is used for access control only.
cache deny all
# NOTE(review): 'no_cache' is the pre-3.x spelling of the line above; Squid 3
# reports it as deprecated at startup. It is redundant here and can be removed.
no_cache deny all
# http_access rules are evaluated top to bottom; the first match wins.
# Port and tunnel hygiene comes first, before any authentication is required.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager interface: local access only.
http_access allow localhost manager
http_access deny manager
### allow list
# URL regex lists (one pattern per line in each file). url_regex matches the
# whole request URL; for CONNECT requests the URL is only host:port, so
# patterns that rely on a path or scheme will not match HTTPS traffic.
acl acl_rabota url_regex "/usr/local/etc/squid/allow_list/rabota"
acl acl_novosti url_regex "/usr/local/etc/squid/allow_list/novosti"
acl acl_search url_regex "/usr/local/etc/squid/allow_list/search"
acl acl_working url_regex "/usr/local/etc/squid/allow_list/working"
### deny list
acl acl_social url_regex "/usr/local/etc/squid/deny_list/social"
acl acl_anonimaizer url_regex "/usr/local/etc/squid/deny_list/anonimaizer"
acl acl_media url_regex "/usr/local/etc/squid/deny_list/media"
acl acl_porno url_regex "/usr/local/etc/squid/deny_list/porno"
acl acl_chats url_regex "/usr/local/etc/squid/deny_list/chats"
# External ACL: AD group membership lookup. %LOGIN forces authentication
# before the helper is consulted; results are cached for 300 s either way.
# Helper flags: -R do not follow referrals; -b search base; -f filter, where
# %v is the login name and %a the group name passed from the acl line;
# -D bind DN; -W file containing the bind password (keep it mode 0400 owned
# by the squid user); -K strips the @REALM suffix from the login before the
# lookup so it matches sAMAccountName; -h LDAP servers.
# NOTE(review): -d turns on helper debug logging here too — see the note on
# the auth helper above.
external_acl_type ldap_search ttl=300 negative_ttl=300 %LOGIN \
/usr/local/libexec/squid/ext_ldap_group_acl \
-R -b "DC=xxxx,DC=xxxx,DC=xxxx" \
-f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,OU=xxxx,DC=xxxx,DC=xxxx,DC=xxxx))" \
-D "user@xxxx.xxxx.xxxx" -W "/usr/local/etc/squid/authpw" \
-K -d -h 192.168.xxx.xxx 192.168.xxx.xxx
# One ACL per AD group; the trailing word is substituted for %a in the filter.
acl acl_all_internet external ldap_search all_internet
acl acl_rabota_only external ldap_search rabota_only
acl acl_not_internet external ldap_search not_internet
acl acl_standart_internet external ldap_search standart_internet
acl acl_working_internet external ldap_search working_internet
#---------- Rules for all_internet group ----------#
# Unrestricted (subject to the port rules above).
http_access allow acl_all_internet
#---------- Rules for standart_internet group ----------#
# Everything except the deny-list categories.
http_access deny acl_standart_internet acl_social
http_access deny acl_standart_internet acl_anonimaizer
http_access deny acl_standart_internet acl_media
http_access deny acl_standart_internet acl_chats
http_access deny acl_standart_internet acl_porno
http_access allow acl_standart_internet
#---------- RULES for working_internet group ----------#
# Only the allow-list categories; anything else falls through to 'deny all'.
http_access deny acl_working_internet acl_social
http_access deny acl_working_internet acl_anonimaizer
http_access deny acl_working_internet acl_media
http_access deny acl_working_internet acl_chats
http_access deny acl_working_internet acl_porno
http_access allow acl_working_internet acl_rabota
http_access allow acl_working_internet acl_novosti
http_access allow acl_working_internet acl_search
http_access allow acl_working_internet acl_working
#---------- Rules for rabota_only group ----------#
http_access allow acl_rabota_only acl_rabota
#---------- Rules for not_internet group ----------#
# Explicit deny for this group; the final rule would deny it anyway.
http_access deny acl_not_internet
# Default deny: requests matching no group rule are refused.
http_access deny all
# Listener. With no address prefix this binds every interface; use
# 'http_port 192.168.xxx.xxx:3128' to limit it to the client-facing one if the
# host is multi-homed.
http_port 3128
# Time allowed for active connections to finish on shutdown/reconfigure.
shutdown_lifetime 10.00 seconds
# Left over from an earlier caching setup; inert while 'cache deny all' is set.
#maximum_object_size 32 MB
#cache_dir ufs /usr/local/squid/cache 2048 16 256
# Log locations. These override the build default (--with-logdir=/var/log/squid);
# the directory must be writable by the squid user.
access_log stdio:/usr/local/squid/logs/access.log squid
cache_store_log stdio:/usr/local/squid/logs/store.log
cache_log /usr/local/squid/logs/cache.log
# Core dumps may contain request data and credentials; keep this directory
# readable only by the squid user.
coredump_dir /usr/local/squid
# Freshness rules. They have no effect while 'cache deny all' is in force,
# since no object is ever stored; kept for when caching is re-enabled.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320