аутентификация_доступа_к_squid [2014/04/29 12:18] val [NCSA basic аутентификация] |
аутентификация_доступа_к_squid [2022/10/12 14:55] val [Создаем ключи сервиса и копируем иx на сервер] |
Line 3: | Line 3: | ||
===== Kerberos GSSAPI аутентификация ===== | ===== Kerberos GSSAPI аутентификация ===== | ||
- | [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos]] | + | * [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos|Configuring a Squid Server to authenticate from Kerberos]] |
- | + | * [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory|Configuring a Squid Server to authenticate off Active Directory]] | |
- | [[http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/]] | + | * [[http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/|Squid kerberos authentication and ldap authorization in Active Directory]] |
==== Создаем ключи сервиса и копируем иx на сервер ==== | ==== Создаем ключи сервиса и копируем иx на сервер ==== | ||
Line 15: | Line 15: | ||
Login: gatehttp | Login: gatehttp | ||
Password: Pa$$w0rd | Password: Pa$$w0rd | ||
+ | |||
+ | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false | ||
</code> | </code> | ||
Пароль не меняется и не устаревает | Пароль не меняется и не устаревает | ||
Line 24: | Line 26: | ||
Название сервиса HTTP обязательно заглавными буквами | Название сервиса HTTP обязательно заглавными буквами | ||
<code> | <code> | ||
+ | C:\>setspn -L gatehttp | ||
+ | |||
C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | ||
+ | |||
+ | C:\>setspn -L gatehttp | ||
+ | |||
+ | C:\>setspn -Q HTTP/gate.corpX.un | ||
</code> | </code> | ||
Line 44: | Line 52: | ||
</code> | </code> | ||
- | === Если в роли KDC выступает MIT (Ubuntu) === | + | === Если в роли KDC выступает MIT (Debian/Ubuntu) === |
<code> | <code> | ||
root@server:~# kadmin.local | root@server:~# kadmin.local | ||
Line 54: | Line 62: | ||
kadmin.local: exit | kadmin.local: exit | ||
+ | </code> | ||
+ | |||
+ | === Если в роли KDC выступает Samba4 === | ||
+ | |||
+ | * [[https://wiki.samba.org/index.php/Generating_Keytabs|wiki.samba.org Generating Keytabs]] | ||
+ | * [[http://www.delayer.org/2015/06/squid-samba4-ad-kerberos-auth.html|Squid + Samba4 AD Kerberos Authentication]] | ||
+ | |||
+ | <code> | ||
+ | server# samba-tool user create gatehttp 'Pa$$w0rd' | ||
+ | |||
+ | server# samba-tool user setexpiry gatehttp --noexpiry | ||
+ | |||
+ | server# samba-tool spn add HTTP/gate.corpX.un gatehttp | ||
+ | |||
+ | server# samba-tool spn list gatehttp | ||
+ | |||
+ | server# samba-tool domain exportkeytab gatehttp.keytab --principal=HTTP/gate.corpX.un | ||
</code> | </code> | ||
Line 71: | Line 96: | ||
</code> | </code> | ||
- | === Ubuntu === | + | === Debian/Ubuntu === |
<code> | <code> | ||
root@gate:~# ktutil | root@gate:~# ktutil | ||
Line 82: | Line 107: | ||
</code> | </code> | ||
- | === FreeBSD, Ubuntu === | + | === Debian/Ubuntu/FreeBSD === |
<code> | <code> | ||
gate# chmod +r /etc/krb5.keytab | gate# chmod +r /etc/krb5.keytab | ||
Line 90: | Line 115: | ||
<code> | <code> | ||
- | gate# cat squid.conf | + | gate# cat /etc/squid/conf.d/my.conf |
</code><code> | </code><code> | ||
- | ... | + | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d |
- | # OPTIONS FOR AUTHENTICATION | + | |
- | ... | + | |
- | #For Ubuntu10.04 | + | |
- | #auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d | + | |
- | #For Ubuntu12.04 | + | acl inetuser proxy_auth REQUIRED |
- | #auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d | + | |
- | #For FreeBSD | ||
- | #auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d | ||
- | ... | ||
- | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | ||
- | ... | ||
- | acl inetuser proxy_auth REQUIRED | ||
http_access allow inetuser | http_access allow inetuser | ||
- | # http_access allow localnet | ||
</code> | </code> | ||
Line 158: | Line 171: | ||
<code> | <code> | ||
- | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
</code><code> | </code><code> | ||
... | ... | ||
- | auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd | + | auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd |
... | ... | ||
</code><code> | </code><code> | ||
# mkdir /usr/etc/ | # mkdir /usr/etc/ | ||
- | # apt-get install apache2-utils | + | # apt install apache2-utils |
- | # touch /usr/etc/passwd | + | # touch /etc/squid/passwd |
- | # htpasswd /usr/etc/passwd user1 | + | # htpasswd /etc/squid/passwd user1 |
</code> | </code> | ||
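Review bot: `# mkdir /usr/etc/` is left over on the new side: the commit moves the password file to `/etc/squid/passwd` in both the `auth_param` line and the `touch`/`htpasswd` steps, so the directory is no longer used and that line should be dropped. The file written by `htpasswd` holds password hashes and is created with whatever the umask allows (typically 0644), so the listing should also restrict it to root and the account Squid drops privileges to (`proxy` on Debian/Ubuntu): `# chown root:proxy /etc/squid/passwd` and `# chmod 640 /etc/squid/passwd`. Group read is still required because `basic_ncsa_auth` is spawned by Squid after it has switched to its unprivileged user.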
Line 177: | Line 190: | ||
==== pam_unix (по умолчанию) ==== | ==== pam_unix (по умолчанию) ==== | ||
<code> | <code> | ||
- | # chmod u+s /usr/lib/squid3/pam_auth | + | # chmod u+s /usr/lib/squid/basic_pam_auth |
- | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
</code><code> | </code><code> | ||
... | ... | ||
- | auth_param basic program /usr/lib/squid3/pam_auth | + | auth_param basic program /usr/lib/squid/basic_pam_auth |
... | ... | ||
+ | </code> | ||
+ | |||
+ | Возможно, не обязательно | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/pam.d/squid | ||
+ | </code><code> | ||
+ | auth sufficient pam_unix.so | ||
</code> | </code> | ||
==== pam_radius ==== | ==== pam_radius ==== |