  • Proxy server setup notes

    The company needs to restrict network access; these are brief notes on the setup.

    1 Base system: CentOS 4.6
    2 Join the system to the AD domain with Samba's winbind, so users can be managed centrally
    3 syslog-ng as the log server
    4 squid as the user proxy, sarg for squid log analysis

    squid.conf

    http_port 3128
    cache_mem  1024 MB
    maximum_object_size 8192 KB
    cache_dir ufs /usr/local/squid/cache 25000 16 256
    # Squid 2.x log directives; access.log is written in native format because emulate_httpd_log is off
    cache_access_log /usr/local/squid/logs/access.log
    cache_log /usr/local/squid/logs/cache.log
    cache_store_log /usr/local/squid/logs/store.log
    emulate_httpd_log off
    mime_table /usr/local/squid/etc/mime.conf
    pid_filename /usr/local/squid/logs/squid.pid
    debug_options ALL,1
    log_fqdn off
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl Safe_ports port 80 21 443 563 8080 7080
    acl CONNECT method CONNECT
    acl all src 0.0.0.0/0.0.0.0
    acl Creative src 192.168.8.0/255.255.255.0
    acl Engineer src 192.168.9.0/255.255.255.0
    acl QUERY urlpath_regex cgi-bin \?
    acl mmxfile urlpath_regex -i \.mp3$
    acl localserver dst 192.168.0.0/24
    acl office dst a.b.c.d
    # no_cache is the Squid 2.5 spelling; Squid 2.6 and later call this directive "cache"
    no_cache deny QUERY
    no_cache deny mmxfile
    no_cache deny localserver
    no_cache deny office
    # http_access is evaluated top to bottom and the first matching line wins.
    # As written, both office subnets are denied and only localhost can use the proxy;
    # if Creative and Engineer are meant to get through, those two lines must say
    # "allow" and must come before "deny all".
    # The CONNECT acl is defined but never referenced, so CONNECT is permitted to every
    # port in Safe_ports (8080, 7080, 21, ...) rather than only 443/563; the usual
    # "http_access deny CONNECT !SSL_ports" line is missing.
    http_access deny !Safe_ports
    http_access deny Engineer
    http_access deny Creative
    http_access allow localhost
    http_access deny all
    cache_mgr lyou@test.com
    cache_effective_user squid
    cache_effective_group squid
    visible_hostname 11sha.TEST.COM
    dns_testnames www.google.com
    # number of rotated copies to keep; rotation only happens when "squid -k rotate" is run (e.g. from cron)
    logfile_rotate 5
    append_domain .TEST.COM
    memory_pools on
    memory_pools_limit 1500 MB
    # cachemgr interface disabled entirely (the "manager" acl above is otherwise unused)
    cachemgr_passwd disable all
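    To make the http_access ordering concrete, here is a small Python model of Squid's evaluation rules, added here as an example; it is not Squid's code and not part of the original post. It traces the lines above for a few requests, then does the same for a corrected order that is this example's assumption about the intended policy (the two subnets allowed, CONNECT confined to the SSL ports) and that relies on an assumed SSL_ports acl which the post's config does not define.

```python
"""Toy model of Squid's http_access evaluation (added example).

Not Squid's code and not from the original post. It implements only what is
needed to trace the squid.conf above: src/port/method ACLs, "!" negation,
AND within a line, first matching line wins, and Squid's documented fallback
that a request matching no line gets the opposite of the last line's action.
"""
import ipaddress

# ACLs as defined in the squid.conf above, as (kind, values).
# SSL_ports is this example's assumption: the post's config defines no such acl.
ACLS = {
    "Safe_ports": ("port", {80, 21, 443, 563, 8080, 7080}),
    "SSL_ports": ("port", {443, 563}),  # assumed, not in the post
    "CONNECT": ("method", {"CONNECT"}),
    "localhost": ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
    "Creative": ("src", [ipaddress.ip_network("192.168.8.0/24")]),
    "Engineer": ("src", [ipaddress.ip_network("192.168.9.0/24")]),
}

# http_access lines exactly as they appear in the post
AS_POSTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["Engineer"]),
    ("deny", ["Creative"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Assumed intended policy: the two office subnets may use the proxy, CONNECT is
# limited to the SSL ports, everything else is denied.
CORRECTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["Engineer"]),
    ("allow", ["Creative"]),
    ("deny", ["all"]),
]


def acl_matches(name, src, port, method):
    """Does the named acl match this request?"""
    kind, values = ACLS[name]
    if kind == "port":
        return port in values
    if kind == "method":
        return method in values
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in values)
    raise ValueError("unsupported acl kind: " + kind)


def decide(rules, src, port, method="GET"):
    """Return "allow" or "deny" for a request, using Squid's first-match rule."""
    for action, tokens in rules:
        # every token on the line must match; a leading "!" inverts that token
        if all(acl_matches(t.lstrip("!"), src, port, method) != t.startswith("!")
               for t in tokens):
            return action
    # no line matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = (("192.168.9.15", 80, "GET"), ("192.168.9.15", 8080, "CONNECT"),
              ("192.168.9.15", 443, "CONNECT"), ("127.0.0.1", 25, "GET"))
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for src, port, method in probes:
            print(label, src, port, method, "->", decide(rules, src, port, method))
```

    Running it shows that, as posted, a client in 192.168.9.0/24 is denied everything while localhost may CONNECT to port 8080; with the corrected order the subnets get through and CONNECT is limited to 443 and 563.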

    sarg.conf

    language English
    access_log /usr/local/squid/logs/access.log
    graphs yes
    graph_days_bytes_bar_color orange
    title "Squid User Access Reports"
    font_face Tahoma,Verdana,Arial
    header_color darkblue
    header_bgcolor blanchedalmond
    font_size 11px
    header_font_size 11px
    title_font_size 13px
    background_color white
    text_color #000000
    text_bgcolor lavender
    title_color green
    logo_image none
    logo_text_color #000000
    image_size 80 45
    background_image none
    temporary_dir /tmp
    output_dir /var/www/html/squid-reports
    resolve_ip no
    topuser_sort_field BYTES reverse
    user_sort_field BYTES reverse
    exclude_users none
    exclude_hosts none
    useragent_log none
    date_format e
    per_user_limit none
    lastlog 0
    remove_temp_files yes
    index yes
    index_tree file
    overwrite_report no
    records_without_userid ip
    use_comma no
    topsites_num 100
    topsites_sort_order CONNECT D
    index_sort_order D
    report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
    long_url no
    charset UTF-8
    show_successful_message yes
    topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
    user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
    topuser_num 10
    www_document_root /var/www/html
    download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"
    ulimit 20000
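    sarg reads the native-format access.log that the squid.conf above writes. As an added example, not sarg's code and not from the original post, the script below parses a few constructed native log lines and produces the per-user figures sarg's topusers report is built from: requests, bytes, cache hits, denied requests, and downloads matched against the download_suffix list in the sarg.conf above. Records without a user ID are attributed to the client address, mirroring records_without_userid ip.

```python
"""Per-user summary of a Squid native-format access.log (added example).

Not sarg's code and not from the original post; it reproduces the kind of
figures sarg's topusers report shows. The log lines below are constructed.
"""
from collections import defaultdict

# Suffixes from the download_suffix line in the sarg.conf above ("drv$" kept as sarg spells it)
DOWNLOAD_SUFFIXES = set(
    "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,"
    "src,shs,sys,exe,dll,mp3,avi,mpg,mpeg".split(",")
)

# Constructed sample lines in Squid native format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1215768300.123    245 192.168.9.15 TCP_MISS/200 4523 GET http://www.google.com/ lyou DIRECT/64.233.189.104 text/html
1215768305.456      0 192.168.9.15 TCP_DENIED/403 1420 CONNECT mail.example.com:25 lyou NONE/- text/html
1215768310.789   1200 192.168.8.22 TCP_MISS/200 3145728 GET http://files.example.com/dl/setup.exe?id=7 - DIRECT/203.0.113.9 application/octet-stream
1215768320.001     12 192.168.8.22 TCP_HIT/200 8192 GET http://www.example.com/logo.gif - NONE/- image/gif
1215768330.555    900 192.168.9.15 TCP_MISS/200 2500000 GET http://music.example.com/song.mp3 lyou DIRECT/198.51.100.4 audio/mpeg
"""


def parse_line(line):
    """Split one native-format record into a dict; returns None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "action": action,
        "status": int(status) if status.isdigit() else 0,
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
    }


def download_suffix(url):
    """Return the matched download suffix of the URL's path component, else None."""
    rest = url.split("://", 1)[1] if "://" in url else ""
    path = rest.partition("/")[2].partition("?")[0]  # drop scheme+host and the query string
    name = path.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return suffix if suffix in DOWNLOAD_SUFFIXES else None


def summarize(log_text):
    """Aggregate per user: requests, bytes, cache hits, denied requests, downloads."""
    users = defaultdict(lambda: {"requests": 0, "bytes": 0, "hits": 0, "denied": 0, "downloads": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # sarg's "records_without_userid ip": fall back to the client address
        user = rec["client"] if rec["user"] == "-" else rec["user"]
        u = users[user]
        u["requests"] += 1
        u["bytes"] += rec["bytes"]
        if "HIT" in rec["action"]:       # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            u["hits"] += 1
        if rec["action"] == "TCP_DENIED":
            u["denied"] += 1
        if download_suffix(rec["url"]):
            u["downloads"].append(rec["url"])
    return dict(users)


def top_users(summary, n=10):
    """Users sorted by bytes descending, like 'topuser_sort_field BYTES reverse'."""
    return sorted(summary, key=lambda u: summary[u]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user in top_users(s):
        print(user, s[user])
```

    The denied CONNECT to port 25 in the sample shows up in the per-user "denied" count, which is the same data sarg's "denied" report draws on; a spike there for one user is worth a look before the monthly report.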

    Restrict access in Apache so that only members of the domain group engineering can view the reports

    /etc/pam.d/httpd

    auth       sufficient   /lib/security/pam_winbind.so
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    sufficient   /lib/security/pam_winbind.so
    account    required     /lib/security/pam_stack.so service=system-auth

    /etc/httpd/conf.d/access.conf

    <Location /squid-reports>
    # IP-based access control
    order deny,allow
    deny from all
    allow from 192.168.12.40
    # AD group membership via PAM (needs mod_auth_pam; "Require group" is resolved by
    # mod_auth_sys_group through the system group database, i.e. winbind in nsswitch.conf).
    # Apache does not accept a comment on the same line as a directive, hence separate lines.
    <IfModule mod_auth_sys_group.c>
    AuthPAM_Enabled on
    AuthType Basic
    AuthName "Engineer Repository"
    Require group Engineering
    </IfModule>
    # With Apache's default "Satisfy All" a client must both come from 192.168.12.40 and
    # authenticate; use "Satisfy Any" if either condition alone should be enough.
    # Basic auth sends the domain password in the clear, so serve this location over HTTPS only.
    # The group name must be what "getent group" shows for the AD group, which depends on
    # winbind's "winbind use default domain" and "winbind separator" settings.
    </Location>

    5 Install openfire to replace QQ, MSN and Skype as the chat tool for internal users.

    It supports LDAP, so domain users can be added directly, and installation and configuration are simple. It supports Chinese, is cross-platform, and has builds for both Windows and Linux.
    On the client side either the bundled Spark or pidgin can be used. It really is simple and easy to use.

    6 iptables for some filtering

    7 Install XDMCP for remote X terminals; together with winbind, domain users can log in directly, which makes administration easier (using gnome)

    /etc/pam.d/gdm

    auth       sufficient   /lib/security/pam_winbind.so
    auth       required     pam_env.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   /lib/security/pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_loginuid.so
    session    optional     pam_console.so
    session    required     pam_mkhomedir.so skel=/etc/skel umask=0077

    From experience, squid crashes when one of its log files from the squid.conf above (access.log, cache.log, store.log; marked in red in the original) grows past 2 GB, so set the offending log to none or keep logfile_rotate above 1. Note that logfile_rotate only sets how many old copies are kept; the rotation itself happens only when "squid -k rotate" is invoked, so schedule that from cron. The 2 GB ceiling is most likely the file-size limit of a 32-bit build without large-file support.

    11 July 2008 17:31