
SQUID3 + SQUIDGUARD + PRIVOXY + CLAMAV + RPZ + LDAP + SARG

testé sur Debian 8 Jessie

SQUID3

# apt update && apt upgrade

# apt install squid3

# cp /etc/squid3/squid.{conf,save}

# nano -c /etc/squid3/squid.conf

Ajoutez ces lignes:

acl lan src 192.168.0.0/24		             ~ligne 1056
http_access allow lan				     ~ligne 1211
url_rewrite_program /usr/bin/squidGuard		     ~ligne 4168
 
request_header_access Referer deny all		     ~ligne 4855
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
 
visible_hostname proxy.DOMAIN			     ~ligne 5184
 
forwarded_for off				     ~ligne 7354

SQUIDGUARD

# apt install squidguard

# systemctl restart squid3

$ wget http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz

$ tar -xzf blacklists.tar.gz

# cp -R blacklists/* /var/lib/squidguard/db/

Téléchargez puis modifiez le fichier https://nuage.polaris62.fr/s/ESX2oF8jsiZT7WX : il s'agit de la page de notification d'interdiction d'accès (affichée lorsqu'un site blacklisté est demandé).

# chmod +x /usr/lib/cgi-bin/squidGuard.cgi

# nano /etc/apache2/sites-available/000-default.conf

Ajoutez ces lignes dans le bloc virtualhost:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
      AllowOverride None
      Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
      Order allow,deny
      Deny from all
      Allow from 127.0.0.1
</Directory>

# mv /etc/squidguard/squidGuard.conf /etc/squidguard/squidGuard.save

# nano /etc/squidguard/squidGuard.conf

#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#
 
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
 
dest agressif {
	domainlist agressif/domains
	urllist agressif/urls
}
 
dest adult {
	domainlist adult/domains
	urllist adult/urls
	expressionlist adult/very_restrictive_expression
}
 
dest celebrity {
        domainlist celebrity/domains
        urllist celebrity/urls
}
 
dest ddos {
        domainlist ddos/domains
}
 
dest mixed_adult {
        domainlist mixed_adult/domains
        urllist mixed_adult/urls
}
 
dest drogue {
        domainlist drogue/domains
        urllist drogue/urls
}
 
dest download {
        domainlist download/domains
        urllist download/urls
}
 
dest games {
        domainlist games/domains
        urllist games/urls
}
 
dest gambling {
        domainlist gambling/domains
        urllist gambling/urls
}
 
 
dest malware {
        domainlist malware/domains
        urllist malware/urls
}
 
dest marketingware {
        domainlist marketingware/domains
        urllist marketingware/urls
}
 
dest mobile-phone {
        domainlist mobile-phone/domains
        urllist mobile-phone/urls
}
 
dest phishing {
        domainlist phishing/domains
        urllist phishing/urls
}
 
dest publicite {
        domainlist publicite/domains
        urllist publicite/urls
}
 
dest remote-control {
        domainlist remote-control/domains
        urllist remote-control/urls
}
 
dest strict_redirector {
        domainlist strict_redirector/domains
        urllist strict_redirector/urls
        expressionlist strict_redirector/expressions
}
 
dest sect {
        domainlist sect/domains
        urllist sect/urls
}
 
dest shortener {
        domainlist shortener/domains
        urllist shortener/urls
}
 
dest tricheur {
        domainlist tricheur/domains
	urllist tricheur/urls
}
 
dest warez {
        domainlist warez/domains
        urllist warez/urls
}
 
dest associations_religieuses {
        domainlist associations_religieuses/domains
}
 
dest arjel {
        domainlist arjel/domains
}
 
dest astrology {
        domainlist astrology/domains
        urllist astrology/urls
}
 
 
dest dangerous_material {
        domainlist dangerous_material/domains
        urllist dangerous_material/urls
}
 
 
acl {
	default {
	pass !agressif !adult !mixed_adult !celebrity !ddos !drogue !download !games !gambling !malware !marketingware !mobile-phone !phishing !publicite !remote-control !strict_redirector !sect !shortener !tricheur !warez !associations_religieuses !arjel !astrology !dangerous_material all
	redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
	}
}

# ln -s /etc/squidguard/squidGuard.conf /etc/squid3/

# chown -R proxy:proxy /var/log/squid3 /var/lib/squidguard

# squidGuard -d -b -P -C all   (à relancer à chaque changement du fichier squidGuard.conf ; les bases .db sont alors régénérées, d'où le chown qui suit)

# chown -R proxy:proxy /var/log/squid3 /var/lib/squidguard

# systemctl restart squid3   (à relancer à chaque modification des fichiers de configuration de squid3 et de squidGuard)

Vérifiez le fonctionnement de squidGuard avec un navigateur configuré pour passer par le proxy sur le port 3128 (sous Firefox, l'extension Proxy Switcher est pratique) : un site blacklisté doit être redirigé vers la page de notification.

Une autre méthode de vérification existe en ligne de commande (la sortie reproduite ci-dessous provient d'un squidGuard.conf légèrement différent : la destination porn et la réécriture vers google.fr n'apparaissent pas dans la configuration donnée plus haut) :

# echo "http://porn.com 127.0.0.1/ - - GET" | squidGuard -d -c /etc/squid3/squidGuard.conf
 
2017-11-01 14:04:09 [2771] INFO: New setting: dbhome: /var/lib/squidguard/db
2017-11-01 14:04:09 [2771] INFO: New setting: logdir: /var/log/squidguard
2017-11-01 14:04:09 [2771] init domainlist /var/lib/squidguard/db/agressif/domains
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/agressif/domains.db
2017-11-01 14:04:09 [2771] init urllist /var/lib/squidguard/db/agressif/urls
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/agressif/urls.db
2017-11-01 14:04:09 [2771] init domainlist /var/lib/squidguard/db/porn/domains
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/porn/domains.db
2017-11-01 14:04:09 [2771] init urllist /var/lib/squidguard/db/porn/urls
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/porn/urls.db
2017-11-01 14:04:09 [2771] init domainlist /var/lib/squidguard/db/adult/domains
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/adult/domains.db
2017-11-01 14:04:09 [2771] init urllist /var/lib/squidguard/db/adult/urls
2017-11-01 14:04:09 [2771] INFO: loading dbfile /var/lib/squidguard/db/adult/urls.db
2017-11-01 14:04:09 [2771] init expressionlist /var/lib/squidguard/db/adult/very_restrictive_expression
2017-11-01 14:04:09 [2771] INFO: squidGuard 1.5 started (1509541449.121)
2017-11-01 14:04:09 [2771] INFO: squidGuard ready for requests (1509541449.231)
OK rewrite-url="http://google.fr"
2017-11-01 14:04:09 [2771] INFO: squidGuard stopped (1509541449.266)

Si cela ne fonctionne pas, vérifiez que les fichiers de /var/lib/squidguard/db (y compris les .db générés) appartiennent à proxy:proxy.

Les logs sont disponibles dans ces répertoires:

/var/log/squid3
/var/log/squidguard

PRIVOXY

# apt install privoxy

# nano /etc/squid3/squid.conf

Ajoutez à la fin du fichier:

cache_peer 127.0.0.1 parent 8118 0 no-query
never_direct allow all
always_direct deny all

# systemctl restart squid3

Vérifiez que Privoxy est bien traversé en allant, via le proxy, sur http://p.p (page interne de Privoxy).

Vérifiez le fonctionnement de squidGuard en allant sur un site qui devrait être bloqué.

CLAMAV

# apt-get install clamav clamav-freshclam

# apt-get install gcc make curl libcurl4-gnutls-dev c-icap libicapapi-dev

# cd /tmp/

$ wget https://sourceforge.net/projects/squidclamav/files/latest/download

$ tar zxvf download

$ cd squidclamav-6.16   (adaptez le nom du répertoire au numéro de version réellement téléchargé)

# ./configure --with-c-icap=/usr/local/c-icap/

# make

# make install

# nano /etc/default/c-icap

Assurez-vous d'avoir cette ligne:

START=yes

# nano /etc/c-icap/c-icap.conf

Ajoutez:

Service squidclamav squidclamav.so

# nano -c /etc/squid3/squid.conf

Ajoutez ces lignes:

icap_enable on						                                ~ligne 6528
adaptation_send_client_ip on		                                                ~ligne 6649
adaptation_send_username on			                                        ~ligne 6660
icap_client_username_header X-Authenticated-User                                        ~ligne 6666
 
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav	~ligne 6763
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

# systemctl restart squid3

# nano /etc/c-icap/squidclamav.conf

Assurez-vous d'avoir ces lignes:

safebrowsing 1
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi

# systemctl restart clamav-daemon

# systemctl restart c-icap

# systemctl restart squid3

Testez le fonctionnement de l'antivirus sur le site:

http://securite-informatique.info/virus/eicar/

RPZ

# vim /etc/bind/named.conf.local

Ajoutez:

zone "rpz" IN {
 type master;
 file "/etc/bind/db.rpz";
 allow-query {none;};
};

# vim /etc/bind/named.conf.options

Ajoutez:

    response-policy { zone "rpz"; };

# vim /etc/bind/db.rpz

$TTL 1H
@       IN       SOA       ns1.DOMAIN.TLD. root.DOMAIN.TLD. (
                           1
                           1H
                           15m
                           30d
                           2h )
@      IN      NS      ns1.
@      IN      A       127.0.0.1
 
www.youtube.com            CNAME restrict.youtube.com.
m.youtube.com              CNAME restrict.youtube.com.
youtubei.googleapis.com    CNAME restrict.youtube.com.
youtube.googleapis.com     CNAME restrict.youtube.com.
www.youtube-nocookie.com   CNAME restrict.youtube.com.
google.com                 CNAME forcesafesearch.google.com.
www.google.com             CNAME forcesafesearch.google.com.
google.fr                  CNAME forcesafesearch.google.com.
www.google.fr              CNAME forcesafesearch.google.com.
google-analytics.com       CNAME   .
*.google-analytics.com     CNAME   .

# systemctl restart bind9

# systemctl status bind9

LDAP

# apt-get install slapd ldap-utils

# vim /etc/ldap/ldap.conf

#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
BASE    dc=DOMAIN,dc=TLD
URI     ldap://127.0.0.1 ldap://127.0.0.1:666
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

# dpkg-reconfigure slapd

Omit OpenLDAP server configuration? 	                        No
Organization name: 	                                        <pick something>
Administrator password: 	                                <same password as before>
Confirm password: 	                                        <same password as before>
Database backend to use: 	                                MDB
Do you want the database to be removed when slapd is purged? 	No
Move old database? 	                                        Yes
Allow LDAPv2 protocol? 	                                        No 

# ldapsearch -x

# cd /etc/ldap

# vim base.ldif   (les dn doivent se trouver sous le suffixe choisi lors de dpkg-reconfigure, soit dc=DOMAIN,dc=TLD comme dans ldap.conf et les commandes suivantes ; l'exemple ci-dessous ajoute un niveau dc=internal qui n'apparaît nulle part ailleurs, à vérifier)

dn: ou=people,dc=internal,dc=DOMAIN,dc=TLD
objectClass: organizationalUnit
ou: people
 
dn: ou=groups,dc=internal,dc=DOMAIN,dc=TLD
objectClass: organizationalUnit
ou: groups

# ldapadd -x -D cn=MANAGER,dc=DOMAIN,dc=TLD -W -f base.ldif

# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

# nano /etc/phpldapadmin/config.php

$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','VOTRE_IP');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=DOMAIN,dc=TLD'));
$servers->setValue('login','bind_id','cn=MANAGER,dc=DOMAIN,dc=TLD');
$servers->setValue('login','attr','dn');

# nano /etc/squid3/squid.conf

DANS L'ORDRE (l'authentification basic transmet les identifiants en clair entre le navigateur et le proxy, et basic_ldap_auth interroge ici le serveur LDAP en ldap:// non chiffré : réservez ce montage au réseau local)

Ajouter:
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "ou=SQUIDGROUP,dc=DOMAIN,dc=TLD" -f "uid=%s" -h VOTRE_IP
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
Commenter les acl localnet
Ajouter: acl ldap-auth proxy_auth REQUIRED
Commenter:
#http_access allow localnet
#http_access allow localhost
#http_access allow lan
S'assurer d'avoir ces lignes:
http_access allow ldap-auth
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# nano /etc/apache2/conf-available/phpldapadmin.conf

remplacer: Allow from
par: Allow from VOTRE_IP_LOCALE

# systemctl restart apache2

Allez sur https://VOTRE_IP_LOCALE/phpldapadmin

Créez un groupe squid (celui indiqué dans l'option -b de basic_ldap_auth, ou=SQUIDGROUP) et ajoutez-y des utilisateurs de type "simpleSecurityObject".

SARG

# apt install sarg

# nano /etc/sarg/sarg-reports.conf

# nano /etc/sarg/sarg.conf

access_log /var/log/squid3/access.log
graphs yes
graph_days_bytes_bar_color orange
output_dir /var/lib/sarg
resolve_ip yes

# nano /etc/apache2/conf-available/sarg.conf

    Alias /sarg /var/lib/sarg
 
<Directory "/var/lib/sarg">
    # add access permission
 
    Require local
    Require ip 127.0.0.1
</Directory>

# a2enconf sarg

# systemctl restart apache2

# sarg-reports today

# crontab -e

00 01 * * 1 sarg-reports daily

Vous pouvez maintenant consulter l'interface SARG ; remarquez que l'historique de navigation est affiché par nom d'utilisateur LDAP.

http://127.0.0.1/sarg
