
Zprovoznění Windows Update přes Squid

acl localnet src 10.10.0.0/24

#========== Access list for Windows Update ==========
# Hosts the Windows Update client contacts over plain HTTP. A dstdomain
# value without a leading dot matches only that exact host name; the
# leading dot on .update.microsoft.com matches its subdomains as well.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

# CONNECT (HTTPS tunnels) is permitted only to the two hosts below. Tunnel
# contents are opaque to the proxy, so they are neither cached nor filtered.
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

# Both rules grant access without user authentication (the update service
# has no user credentials to present), which is why they are restricted to
# localnet. NOTE(review): if proxy_auth rules ("http_access deny !auth")
# are used in the same squid.conf, these two lines must stay above them or
# updates will be challenged and fail. No closing "http_access deny all"
# is shown in this excerpt -- confirm one follows.
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

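# Fetch the whole object even when the client asks for a byte range only
# (the update client downloads in ranges; without this nothing gets cached).
# NOTE(review): -1 is global here, so a range request to any site makes the
# proxy download the entire object -- an easy way to burn bandwidth. Newer
# Squid releases accept an ACL on this directive (e.g. "-1 windowsupdate")
# to scope it; use that if the installed version supports it.
range_offset_limit -1
# Update packages are large; the default object size limit would skip them.
# NOTE(review): in some Squid versions this must appear before cache_dir to
# take effect for that cache -- confirm placement in the full squid.conf.
maximum_object_size 200 MB
# Keep downloading after the client aborts so the object completes in cache
# (also global; same bandwidth caveat as range_offset_limit).
quick_abort_min -1
# Add one of these lines for each of the websites you want to cache.
# Treat matching downloads as fresh for 3 days (4320 min), at most 30 days
# (43200 min), and turn client "reload" requests into If-Modified-Since
# revalidations instead of full re-downloads.
# Fixes vs. the usual copy of this snippet: inside [] the "|" was a literal
# pipe, not alternation, so the classes are [iuf] and [va]; the dots in the
# host names are escaped so "microsoft.com" is not matched by "microsoftXcom".
# NOTE(review): the patterns are still unanchored and match anywhere in the
# URL, e.g. ".../path/microsoft.com/x.exe" on an unrelated host; anchoring
# them to the URL host (^http://...) would tighten this.
refresh_pattern -i microsoft\.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims

refresh_pattern -i windowsupdate\.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims

# Placeholder host from the wiki example -- replace with a real one or delete.
refresh_pattern -i my\.windowsupdate\.website\.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims


# DONT MODIFY THESE LINES
# Squid's stock refresh defaults. "^" is the regex start anchor; the escaped
# "\^" that appears in some copies matches a literal caret and never fires,
# so ftp:/gopher: URLs would silently fall through to the catch-all rule.
# The "." catch-all must remain the last refresh_pattern.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320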

Squid v AD

Nejdřív NTP (synchronizace času s doménou)

nastavíme do samba.conf

#GLOBAL PARAMETERS
# Samba is used here only to join the AD domain and run winbind for the
# Squid NTLM helper; no file shares are defined in this excerpt.
[global]
  workgroup = DINTERNAL
  realm = DOMAIN.INTERNAL
  preferred master = no
  server string = squid proxy server
  # ADS: act as a domain member and authenticate against the AD controllers
  security = ADS
  encrypt passwords = yes
  # Level 3 is verbose and writes a lot under %m per-client logs --
  # presumably left over from debugging the join; lower it in production.
  log level = 3
  log file = /var/log/samba/%m
  max log size = 50
  printcap name = cups
  printing = cups
  # Enumerating all domain users/groups is not needed by ntlm_auth and can be
  # slow against a large AD -- consider setting both to No.
  winbind enum users = Yes
  winbind enum groups = Yes
  # Accept bare "user" instead of "DINTERNAL+user" (separator set below)
  winbind use default domain = Yes
  winbind nested groups = Yes
  winbind trusted domains only = Yes
  # Cache winbind lookups for one hour
  winbind cache time = 3600
  winbind separator = +
  template shell = /bin/bash

Do souboru hosts přidáme řádek s adresou serveru s plným i zkráceným jménem.

Spustíme připojení k doméně a konfiguraci přihlašování do AD:

# Joins this host to the AD domain and switches PAM/NSS to winbind. The
# $ADSWorkgroup/$ADSDomain/$ADSServer/$AdminUser variables are placeholders
# to set before running this; --winbindjoin performs the join as $AdminUser
# (it should prompt for that account's password -- confirm). Requires the
# smb.conf above, the hosts entry and time sync to be in place first.
# Continuation lines follow; no comments may be placed between them.
authconfig \
--update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=$ADSWorkgroup \
--smbrealm=$ADSDomain \
--smbservers=$ADSServer \
--winbindjoin=$AdminUser \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize

Konfigurace Squidu:

### NTLM
# Transparent sign-on for domain-joined Windows clients via winbind. NTLM is
# a legacy scheme (no mutual authentication); Negotiate/Kerberos is preferred
# where the clients support it. Continuation lines: no comments between them.
# NOTE(review): per the ntlm_auth man page, --diagnostics runs a self-test
# of the authentication chain and uses or prompts for a password; the Squid
# wiki helper line does not include it -- verify the helper really serves
# requests with this flag present, or drop it.
auth_param ntlm \
   program /usr/bin/ntlm_auth \
   --diagnostics \
   --helper-protocol=squid-2.5-ntlmssp \
   --domain=DINTERNAL
# Ten helper processes; too few makes clients queue during the handshake
auth_param ntlm children 10
# Squid docs suggest turning keep_alive off if PUT/POST requests misbehave
# with NTLM -- presumably why it is off here
auth_param ntlm keep_alive off

### LDAP
# Fallback for clients that cannot do NTLM: Basic auth verified against AD
# over LDAP (-b base DN, -f filter with %s replaced by the login name, -R
# disables referral chasing, which AD returns freely).
# Basic sends the user's password base64-encoded -- not encrypted -- from
# the browser to the proxy on every request; acceptable only on a trusted
# LAN. The DC is contacted with -h on plain LDAP (no -Z STARTTLS / ldaps
# URI), so the bind password and every checked user password also cross
# the wire to dc.domain.internal in cleartext. NOTE(review): enable TLS for
# this bind if the installed helper supports it.
# /etc/squid/ldappass.txt holds the bind account's password: keep it
# readable only by the squid user and use a low-privilege bind account.
# Continuation lines: no comments between them.
auth_param basic \
   program /usr/lib/squid/squid_ldap_auth \
   -R -b "dc=DOMAIN,dc=INTERNAL" \
   -D user@domain.internal \
   -W /etc/squid/ldappass.txt \
   -f sAMAccountName=%s \
   -h dc.domain.internal
auth_param basic children 10
# Text shown in the browser's credential prompt
auth_param basic realm Internet Proxy
# Re-check a user's password against LDAP at most once per minute
auth_param basic credentialsttl 1 minute

### access list
# Matches any request carrying credentials accepted by either scheme above
acl auth proxy_auth REQUIRED

### require client authentication
# Unauthenticated requests get a 407 challenge; authenticated ones are
# allowed to any destination -- there is no destination filtering here.
# NOTE(review): the unauthenticated Windows Update allow rules from the
# first section must come before the deny line, and a closing
# "http_access deny all" is assumed to follow this excerpt.
http_access deny !auth
http_access allow auth

Spuštění služeb:

# Enable winbind and smb at boot and start them now (chkconfig/service style
# init). The NTLM helper above depends on a running winbind.
/sbin/chkconfig winbind on
/sbin/service winbind start
/sbin/chkconfig smb on
/sbin/service smb start