Собираю связку squid-kerberos+squidGuard-ldap на 10-ке. Сам сквид с авторизацией по керберосу нормально запустился, народ в нет ходит и даже по лдап группам ограничения применяются. Захотел резать все лишнее squidGuard-ом, для этого собрал его с поддержкой ldap и накидал вот такой конфиг
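#
# CONFIG FILE FOR SQUIDGUARD
#
# Base directory of the blacklist databases; the domainlist/urllist paths in
# the dest classes below are relative to it.
dbhome /usr/local/db/squidguard/BL
# Directory that receives the per-class log files named by the "log" lines.
logdir /var/log/squidGuard
#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
#time workhours {
# weekly mtwhf 08:00 - 16:30
# date *-*-01 08:00 - 16:30
#}
# Bind credentials used by the ldapusersearch lookups in the src blocks.
# The password is stored here in clear text, so this file should be readable
# only by the account squidGuard runs as. The searches below use plain ldap://;
# unless the directory enforces StartTLS, a simple bind sends these credentials
# unencrypted on the wire -- prefer ldaps:// if the domain controller offers it
# (NOTE(review): verify what the server supports before switching).
ldapbinddn "proxysquid@domain.net"
ldapbindpass ********
# Lifetime of a cached user->group lookup result (squidGuard counts this in
# seconds); a group change in AD takes up to this long to take effect here.
ldapcachetime 300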
#
# REWRITE RULES:
#
# "media": requests whose URL ends in one of these extensions are answered
# with a 302 redirect (flag r) to a local stub file instead of the original
# object. Each rule is s@<pattern>@<replacement>@<flags>. The patterns are
# anchored with $, so a URL carrying a query string or extra path after the
# extension is not rewritten by these rules.
# NOTE(review): as written the match appears case-sensitive (".MP3" would not
# match); confirm against the rewrite flags of the installed squidGuard.
rewrite media {
s@.*\.mp3$@http://127.0.0.1/my.mp3@r
s@.*\.wma$@http://127.0.0.1/my.mp3@r
s@.*\.swf$@http://127.0.0.1/noflash.jpg@r
s@.*\.flv$@http://127.0.0.1/noflash.jpg@r
s@.*\.wmv$@http://127.0.0.1/stop.gif@r
s@.*\.avi$@http://127.0.0.1/stop.gif@r
s@.*\.mkv$@http://127.0.0.1/stop.gif@r
s@.*\.mov$@http://127.0.0.1/stop.gif@r
s@.*\.torrent$@http://127.0.0.1/stop.gif@r
s@.*\.exe$@http://127.0.0.1/stop.gif@r
s@.*\.vbs$@http://127.0.0.1/stop.gif@r
# Rewritten requests are logged to logdir/rewr.
log rewr
}
#
# SOURCE ADDRESSES:
#
# Members of AD group G-INET-OSK-F ("full" policy in the acl section). %s is
# replaced with the user name squid hands to squidGuard.
# NOTE(review): with Kerberos authentication squid commonly passes the name as
# user@REALM, which does not equal sAMAccountName -- check what actually
# arrives (squidGuard debug log) and strip the realm if needed; recent
# squidGuard versions have a stripRealm option for this, verify it is
# available in the build. A plain memberof filter matches direct members
# only; users in nested groups are not found.
src INET_F {
ldapusersearch ldap://tseti.domain.net/dc=domain,dc=net?sAMAccountName?sub?(&(memberof=cn=G-INET-OSK-F,ou=squid,dc=domain,dc=net)(sAMAccountName=%s))
}
# Members of AD group G-INET-OSK-L ("limited" policy in the acl section).
# Same lookup as INET_F with a different group DN; the same caveats about the
# user name format passed by squid and nested group membership apply.
src INET_L {
ldapusersearch ldap://tseti.domain.net/dc=domain,dc=net?sAMAccountName?sub?(&(memberof=cn=G-INET-OSK-L,ou=squid,dc=domain,dc=net)(sAMAccountName=%s))
}
#
# DESTINATION CLASSES:
#
# Blacklist category "adv" (lists under dbhome/adv). Unlike the other classes
# it redirects to a 1x1 gif so pages keep rendering with empty ad slots.
# The target host is 127.0.0.1: with an explicit proxy the client sends that
# request back to squid, whose default squid.conf denies it with
# "http_access deny to_localhost" -- verify the stub files are reachable.
dest adv {
domainlist adv/domains
urllist adv/urls
# Hits are logged to logdir/adv.
log adv
redirect http://127.0.0.1/1x1.gif
}
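# Blacklist category "anonvpn" (lists under dbhome/anonvpn); hits are logged
# to logdir/anonvpn. The block was closed with ")" instead of "}", which
# breaks config parsing; it also lacked the redirect every sibling class has,
# so a hit had no explicit target -- both are fixed here.
dest anonvpn {
domainlist anonvpn/domains
urllist anonvpn/urls
log anonvpn
redirect http://127.0.0.1/blocked.html
}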
# Blacklist category "dating" (lists under dbhome/dating); hits are logged to
# logdir/dating and redirected to the local block page.
dest dating {
domainlist dating/domains
urllist dating/urls
log dating
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "downloads" (lists under dbhome/downloads); hits are
# logged to logdir/downloads and redirected to the local block page.
dest downloads {
domainlist downloads/domains
urllist downloads/urls
log downloads
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "gamble" (lists under dbhome/gamble); hits are logged to
# logdir/gamble and redirected to the local block page.
dest gamble {
domainlist gamble/domains
urllist gamble/urls
log gamble
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "hacking" (lists under dbhome/hacking); hits are logged
# to logdir/hacking and redirected to the local block page.
dest hacking {
domainlist hacking/domains
urllist hacking/urls
log hacking
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "movies" (lists under dbhome/movies); hits are logged to
# logdir/movies and redirected to the local block page.
dest movies {
domainlist movies/domains
urllist movies/urls
log movies
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "music" (lists under dbhome/music); hits are logged to
# logdir/music and redirected to the local block page.
dest music {
domainlist music/domains
urllist music/urls
log music
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "porn" (lists under dbhome/porn); hits are logged to
# logdir/porn and redirected to the local block page. Blocked for both
# INET_F and INET_L in the acl section.
dest porn {
domainlist porn/domains
urllist porn/urls
log porn
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "radiotv" (lists under dbhome/radiotv); hits are logged
# to logdir/radiotv and redirected to the local block page.
dest radiotv {
domainlist radiotv/domains
urllist radiotv/urls
log radiotv
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "redirector" (lists under dbhome/redirector); hits are
# logged to logdir/redirector and redirected to the local block page.
dest redirector {
domainlist redirector/domains
urllist redirector/urls
log redirector
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "remotecontrol" (lists under dbhome/remotecontrol); hits
# are logged to logdir/remotecontrol and redirected to the local block page.
dest remotecontrol {
domainlist remotecontrol/domains
urllist remotecontrol/urls
log remotecontrol
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "socialnet" (lists under dbhome/socialnet); hits are
# logged to logdir/socialnet and redirected to the local block page.
dest socialnet {
domainlist socialnet/domains
urllist socialnet/urls
log socialnet
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "spyware" (lists under dbhome/spyware); hits are logged
# to logdir/spyware and redirected to the local block page. Blocked for both
# INET_F and INET_L in the acl section.
dest spyware {
domainlist spyware/domains
urllist spyware/urls
log spyware
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "tracker" (lists under dbhome/tracker); hits are logged
# to logdir/tracker and redirected to the local block page.
dest tracker {
domainlist tracker/domains
urllist tracker/urls
log tracker
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "warez" (lists under dbhome/warez); hits are logged to
# logdir/warez and redirected to the local block page.
dest warez {
domainlist warez/domains
urllist warez/urls
log warez
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "webradio" (lists under dbhome/webradio); hits are
# logged to logdir/webradio and redirected to the local block page.
dest webradio {
domainlist webradio/domains
urllist webradio/urls
log webradio
redirect http://127.0.0.1/blocked.html
}
# Blacklist category "webtv" (lists under dbhome/webtv); hits are logged to
# logdir/webtv and redirected to the local block page.
dest webtv {
domainlist webtv/domains
urllist webtv/urls
log webtv
redirect http://127.0.0.1/blocked.html
}
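# Policies are matched against the src blocks top to bottom, first match wins:
# an account that is a member of both AD groups gets the INET_F policy.
acl {
# Full access: only ads, porn and spyware are blocked; no media rewriting.
INET_F {
pass !adv !porn !spyware any
}
# Limited access: every blacklist category is blocked (each blocked dest
# supplies its own redirect target) and media downloads are rewritten to
# local stub files.
INET_L {
pass !adv !anonvpn !dating !downloads !gamble !hacking !movies !music !porn !radiotv !redirector !remotecontrol !socialnet !spyware !tracker !warez !webradio !webtv any
rewrite media
}
# Everyone not matched above (not in either group; presumably also when the
# LDAP lookup fails) is denied everything except "local".
# NOTE(review): no "dest local" is defined in this file; unless it is declared
# elsewhere, squidGuard will most likely reject the configuration at start-up
# -- either add a dest local block or change the line to "pass none".
# The block page lives on 127.0.0.1: with an explicit proxy that request is
# made by squid itself, which a default squid.conf denies through
# "http_access deny to_localhost"; confirm the page is actually reachable.
default {
pass local none
redirect http://127.0.0.1/blocked.html
# Denied requests from unmatched users are logged to logdir/default.
log default
}
}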