1 – Preparando o Ambiente
Adicionar as repos contrib e non-free no sources.list do apt.
vim /etc/apt/sources.lists deb http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free deb-src http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free
2 – Instalar e Testar o Squid
apt install squid
Configurar o squid com essas configurações
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3 auth_param basic children 20 auth_param basic realm Autentique-se no proxy para acessar a internet. auth_param basic credentialsttl 360 minutes ### --> Aqui é o momento quer o squid envia as requisições para o E2guardian cache_peer 127.0.0.1 parent 8080 0 login=*:password always_direct deny all never_direct allow all acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.200.0/24 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 8080 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 8080 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl password proxy_auth REQUIRED http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow password localnet http_access deny localnet http_access deny localhost http_access deny all http_port 3128 cache_mgr contato@cuidadodigital.com.br coredump_dir /var/spool/squid access_log /var/log/squid/access.log error_default_language pt-br visible_hostname proxy.minhaempresa.local
Habilitar e Iniciar os serviços
systemctl enable squid systemctl start squid
Realizar todos os testes antes de partir para o e2guardian, nesse momento vc ja deve autenticar no AD e navegar livremente com usuário e senha, se for o caso comente as linhas em que o o squid chama o e2guardian na porta 8080.
realize testes de consulta com AD com a seguinte linha de comando.
/usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3
Quando a sessão estiver establecida, digite o usuário e senha aperte Enter, uma resposta de OK deve ser apresentada.
3 – Instalando e Configurando o e2guardian
- Instlar, Habilitar e Iniciar os serviços
apt install e2guardian systemctl enable e2guardian systemctl start e2guardian
- Crie o diretório dos certificados e dê as permissões.
mkdir -p /etc/e2guardian/ssl/generatedcerts chmod 777 /etc/e2guardian/ssl/generatedcerts
- Crie o arquivo /etc/e2guardian/ssl/mkcert.sh e o execute:
touch /etc/e2guardian/ssl/mkcert.sh chmod 777 /etc/e2guardian/ssl/mkcert.sh
- Crie e execute os seguinte script
#!/bin/bash openssl genrsa 4096 > ca.key openssl req -new -x509 -days 3650 -key ca.key -out ca.pem openssl x509 -in ca.pem -outform DER -out ca.der openssl genrsa 4096 > cert.key
- Edite o e2guardian.conf e configure as respectivas diretivas.
enablessl = on cacertificatepath = '/etc/e2guardian/ssl/ca.pem' caprivatekeypath = '/etc/e2guardian/ssl/ca.key' certprivatekeypath = '/etc/e2guardian/ssl/cert.key' generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/' language = 'ptbrazilian' logfileformat = 3
- Edite o e2guardianf1.conf e habilite a seguinte diretiva.
sslmitm = on
- Realize o download da blacklist extraia e salve em
https://www.shallalist.de/Downloads/shallalist.tar.gz /etc/e2guardian/lists/blacklists/
- Edite o arquivo bannedsitelist em /etc/e2guardian/lists/ e habilite as categorias desejada
.Include</etc/e2guardian/lists/blacklists/downloads/domains> .Include</etc/e2guardian/lists/blacklists/aggressive/domains> .Include</etc/e2guardian/lists/blacklists/fortunetelling/domains> .Include</etc/e2guardian/lists/blacklists/movies/domains> .Include</etc/e2guardian/lists/blacklists/radiotv/domains> .Include</etc/e2guardian/lists/blacklists/chat/domains> .Include</etc/e2guardian/lists/blacklists/sex/lingerie/domains> .Include</etc/e2guardian/lists/blacklists/spyware/domains> .Include</etc/e2guardian/lists/blacklists/dating/domains> .Include</etc/e2guardian/lists/blacklists/anonvpn/domains> .Include</etc/e2guardian/lists/blacklists/drugs/domains> .Include</etc/e2guardian/lists/blacklists/socialnet/domains> .Include</etc/e2guardian/lists/blacklists/porn/domains> .Include</etc/e2guardian/lists/blacklists/gamble/domains> .Include</etc/e2guardian/lists/blacklists/hacking/domains>
Obs importante caso ocorra algum erro de digitção ou alguma lista de domínios não for encontrada por daemon, o serviço continuará ativo porém a bannedsitelist desabilitará todas as listas que estão corretas.
Sobre o Autor