Tutorial e2guardian com Squid Proxy Autenticando no com SSL e Blacklist no Debian 11

Tutorial e2guardian com Squid Proxy Autenticando no com SSL e Blacklist no Debian 11

1 – Preparando o Ambiente

Adicionar as repos contrib e non-free no sources.list do apt.

vim /etc/apt/sources.lists
deb http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free
deb-src http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free

 

2 – Instalar e Testar o Squid

apt install squid

Configurar o squid com essas configurações

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3

auth_param basic children 20
auth_param basic realm Autentique-se no proxy para acessar a internet.
auth_param basic credentialsttl 360 minutes

### --> Aqui é o momento quer o squid envia as requisições para o E2guardian

cache_peer 127.0.0.1 parent 8080 0 login=*:password
always_direct deny all
never_direct allow all

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.200.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 8080
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl password proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow password localnet

http_access deny localnet
http_access deny localhost
http_access deny all

http_port 3128
cache_mgr contato@cuidadodigital.com.br
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log
error_default_language pt-br
visible_hostname proxy.minhaempresa.local

 

Habilitar e Iniciar os serviços

systemctl enable squid
systemctl start squid

Realizar todos os testes antes de partir para o e2guardian, nesse momento vc ja deve autenticar no AD e navegar livremente com usuário e senha, se for o caso comente as linhas em que o o squid chama o e2guardian na porta 8080.

realize testes de consulta com AD com a seguinte linha de comando.

/usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3

Quando a sessão estiver establecida, digite o usuário e senha aperte Enter, uma resposta de OK deve ser apresentada.

3 – Instalando e Configurando o e2guardian

  • Instlar, Habilitar e Iniciar os serviços
apt install e2guardian
systemctl enable e2guardian
systemctl start e2guardian
  • Crie o diretório dos certificados e dê as permissões.
mkdir -p /etc/e2guardian/ssl/generatedcerts
chmod 777 /etc/e2guardian/ssl/generatedcerts
  • Crie o arquivo /etc/e2guardian/ssl/mkcert.sh e o execute:
touch /etc/e2guardian/ssl/mkcert.sh
chmod 777 /etc/e2guardian/ssl/mkcert.sh
  • Crie e execute os seguinte script
#!/bin/bash
openssl genrsa 4096 > ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
openssl x509 -in ca.pem -outform DER -out ca.der
openssl genrsa 4096 > cert.key
  • Edite o e2guardian.conf e configure as respectivas diretivas.
enablessl = on
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'

language = 'ptbrazilian'
logfileformat = 3
  • Edite o e2guardianf1.conf e habilite a seguinte diretiva.
sslmitm = on
  • Realize o download da blacklist extraia e salve em
https://www.shallalist.de/Downloads/shallalist.tar.gz

/etc/e2guardian/lists/blacklists/
  • Edite o arquivo bannedsitelist em /etc/e2guardian/lists/ e habilite as categorias desejada
.Include</etc/e2guardian/lists/blacklists/downloads/domains>
.Include</etc/e2guardian/lists/blacklists/aggressive/domains>
.Include</etc/e2guardian/lists/blacklists/fortunetelling/domains>
.Include</etc/e2guardian/lists/blacklists/movies/domains>
.Include</etc/e2guardian/lists/blacklists/radiotv/domains>
.Include</etc/e2guardian/lists/blacklists/chat/domains>
.Include</etc/e2guardian/lists/blacklists/sex/lingerie/domains>
.Include</etc/e2guardian/lists/blacklists/spyware/domains>
.Include</etc/e2guardian/lists/blacklists/dating/domains>
.Include</etc/e2guardian/lists/blacklists/anonvpn/domains>
.Include</etc/e2guardian/lists/blacklists/drugs/domains>
.Include</etc/e2guardian/lists/blacklists/socialnet/domains>
.Include</etc/e2guardian/lists/blacklists/porn/domains>
.Include</etc/e2guardian/lists/blacklists/gamble/domains>
.Include</etc/e2guardian/lists/blacklists/hacking/domains>

 

Obs importante caso ocorra algum erro de digitção ou alguma lista de domínios não for encontrada por daemon, o serviço continuará ativo porém a bannedsitelist desabilitará todas as listas que estão corretas.

 

Sobre o Autor

Diego Elcain administrator