1 – Preparando o Ambiente
Adicionar as repos contrib e non-free no sources.list do apt.
vim /etc/apt/sources.lists
deb http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free
deb-src http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free
2 – Instalar e Testar o Squid
apt install squid
Configurar o squid com essas configurações
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b “DC=minhaempresa,DC=local” -D “cn=e2guardian,cn=Users,dc=minhaempresa,dc=local” -w “Senha123” -f sAMAccountName=%s -h 192.168.200.3
auth_param basic children 20
auth_param basic realm Autentique-se no proxy para acessar a internet.
auth_param basic credentialsttl 360 minutes### –> Aqui é o momento quer o squid envia as requisições para o E2guardian
cache_peer 127.0.0.1 parent 8080 0 login=*:password
always_direct deny all
never_direct allow allacl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.200.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machinesacl SSL_ports port 8080
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECTacl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny managerhttp_access allow password localnet
http_access deny localnet
http_access deny localhost
http_access deny allhttp_port 3128
cache_mgr [email protected]
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log
error_default_language pt-br
visible_hostname proxy.minhaempresa.local
Habilitar e Iniciar os serviços
systemctl enable squid
systemctl start squid
Realizar todos os testes antes de partir para o e2guardian, nesse momento vc ja deve autenticar no AD e navegar livremente com usuário e senha, se for o caso comente as linhas em que o o squid chama o e2guardian na porta 8080.
realize testes de consulta com AD com a seguinte linha de comando.
/usr/lib/squid/basic_ldap_auth -R -b “DC=minhaempresa,DC=local” -D “cn=e2guardian,cn=Users,dc=minhaempresa,dc=local” -w “Senha123” -f sAMAccountName=%s -h 192.168.200.3
quando a sessão estiver establecida, digite o usuário e senha aperte Enter, uma resposta de OK deve ser apresentada.
3 – Instalando e Configurando o e2guardian
apt install e2guardian
Habilitar e Iniciar os serviços
systemctl enable e2guardian
systemctl start e2guardian
Crie o diretório dos certificados e dê as permissões.
mkdir -p /etc/e2guardian/ssl/generatedcerts
chmod 777 /etc/e2guardian/ssl/generatedcerts
Crie o arquivo /etc/e2guardian/ssl/mkcert.sh e o execute:
touch /etc/e2guardian/ssl/mkcert.sh
chmod 777 /etc/e2guardian/ssl/mkcert.sh
Insira o seguinte script
#!/bin/bash
openssl genrsa 4096 > ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
openssl x509 -in ca.pem -outform DER -out ca.der
openssl genrsa 4096 > cert.key
Edite o e2guardian.conf e configure as respectivas diretivas.
enablessl = on
cacertificatepath = ‘/etc/e2guardian/ssl/ca.pem’
caprivatekeypath = ‘/etc/e2guardian/ssl/ca.key’
certprivatekeypath = ‘/etc/e2guardian/ssl/cert.key’
generatedcertpath = ‘/etc/e2guardian/ssl/generatedcerts/’language = ‘ptbrazilian’
logfileformat = 3
Edite o e2guardianf1.conf e habilite a seguinte diretiva.
sslmitm = on
Realize o download da blacklist extraia e salve em
https://www.shallalist.de/Downloads/shallalist.tar.gz
/etc/e2guardian/lists/blacklists/
Edite o arquivo bannedsitelist em /etc/e2guardian/lists/ e habilite as categorias desejada
.Include</etc/e2guardian/lists/blacklists/downloads/domains>
.Include</etc/e2guardian/lists/blacklists/aggressive/domains>
.Include</etc/e2guardian/lists/blacklists/fortunetelling/domains>
.Include</etc/e2guardian/lists/blacklists/movies/domains>
.Include</etc/e2guardian/lists/blacklists/radiotv/domains>
.Include</etc/e2guardian/lists/blacklists/chat/domains>
.Include</etc/e2guardian/lists/blacklists/sex/lingerie/domains>
.Include</etc/e2guardian/lists/blacklists/spyware/domains>
.Include</etc/e2guardian/lists/blacklists/dating/domains>
.Include</etc/e2guardian/lists/blacklists/anonvpn/domains>
.Include</etc/e2guardian/lists/blacklists/drugs/domains>
.Include</etc/e2guardian/lists/blacklists/socialnet/domains>
.Include</etc/e2guardian/lists/blacklists/porn/domains>
.Include</etc/e2guardian/lists/blacklists/gamble/domains>
.Include</etc/e2guardian/lists/blacklists/hacking/domains>
Obs importante caso ocorra algum erro de digitção ou alguma lista de domínios não for encontrada por daemon, o serviço continuará ativo porém a bannedsitelist desabilitará todas as listas que estão corretas.
Sobre o Autor