我刚刚尝试为我们的终端添加一个 Internet 访问组，这些终端客户端只允许访问少数几个站点。
我把这个组称为 InternetUserTerminal；新添加的行以粗体显示，未加粗的行是我们这里原有的标准配置。
但是这样会出现一个无限循环。预期的行为是：blockedsites 只包含不良网站，因此标准用户只是无法访问这些不良网站；受限访问（RestrictedAccess）只允许浏览白名单；终端访问应当与受限访问类似，只是使用另一个“白名单”——终端站点列表。
有没有更聪明的方法来解决这个循环问题？只给一个简单的答案也很好，但我还年轻、仍在学习，所以如果你能花两分钟向我解释一下更聪明的做法，我会非常感激！
/etc/squid3/squid.conf 配置文件
# Contact address shown to users on Squid's error pages.
cache_mgr [email protected]
# Basic authentication via LDAP, for clients that do not authenticate with
# Kerberos/NTLM. (No auth_param negotiate/ntlm lines are visible in this part
# of the file; if they are absent altogether, every client ends up on Basic.)
# NOTE(review): /etc/squid3/ldappass.txt holds the password of the bind
# account given with -D. squid.conf cannot enforce file permissions -- make
# sure the file is readable only by root and the user Squid runs as.
# NOTE(review): there is no -Z (StartTLS) and no ldaps host, so the simple
# bind sends each user's password to the DC in clear text on the wire; enable
# -Z if the DC supports it -- confirm before changing.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=somewherein,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h philipp.somewherein.local
# Number of helper processes kept running.
auth_param basic children 10
# Realm string shown in the browser's credential prompt.
auth_param basic realm Internet Proxy
# How long a successful login is cached before the helper is asked again.
auth_param basic credentialsttl 1 minute
# LDAP authorisation: AD group lookup keyed on the authenticated login (%LOGIN).
# Because of %LOGIN this is an auth-dependent ACL type: Squid treats a memberof
# ACL like proxy_auth when it is the last ACL on a matching "deny" line (see the
# http_access rules below).
# -K strips the Kerberos realm from the login before the lookup, -R disables
# referral chasing; %g is replaced by each group name read from the acl's file.
# NOTE(review): the filter tests direct memberof= only, so nested AD groups will
# not match. No ttl/negative_ttl/children are given, so Squid's defaults apply
# and results (including "not a member") are cached for a while -- group changes
# take time to show up. Confirm the defaults for the installed version.
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=somewherein,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=System,ou=IT,ou=Verwaltung,ou=Somewherein,dc=somewherein,dc=local))" -h philipp.somewherein.local
# Proxy authentication: any login the configured auth schemes accept.
acl auth proxy_auth REQUIRED

# Authorization levels. Format: acl <name> external memberof "<file>", where the
# file lists the Active Directory group name(s) looked up through "memberof".
acl FullAccess external memberof "/etc/squid3/full_access.txt"
acl StandardAccess external memberof "/etc/squid3/standard_access.txt"
acl RestrictedAccess external memberof "/etc/squid3/restricted_access.txt"
acl TerminalAccess external memberof "/etc/squid3/terminal_access.txt"

# Destination domain lists: the blocklist, the RestrictedAccess whitelist and
# the separate whitelist for the terminals.
acl blockedsites dstdomain "/etc/squid3/blockedsites.txt"
acl allowedsites dstdomain "/etc/squid3/allowedsites.txt"
acl terminalsites dstdomain "/etc/squid3/terminalsites.txt"
# Squid defaults from the distribution config.
# Cache-manager interface (cache_object:// requests).
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
# to_localhost is meant for "http_access deny to_localhost", which keeps proxy
# users away from services bound to the proxy host's own loopback (Debian's
# shipped config recommends that rule).
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl CONNECT method CONNECT
# Ports a CONNECT tunnel may be opened to.
acl SSL_ports port 443
# Ports plain proxied requests may target; everything else is refused below.
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
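# Non-auth ACL matching every request. It is appended as the LAST ACL on the
# "deny" lines below whose real test is an auth-dependent ACL (proxy_auth, or
# an external ACL fed with %LOGIN such as memberof): when such an ACL is the
# last one evaluated on a matching deny line, Squid replies 407 (re-challenge
# for credentials) instead of 403. A browser then re-prompts for a password,
# and an unattended client that keeps re-sending the same credentials never
# gets out of it -- presumably the "infinite loop" seen on the terminals.
# Ending the line with "all" lets a plain src ACL deliver the final verdict,
# so the client gets a clean 403. (Squid 3.2+ predefines "all"; redefining it
# there only triggers a harmless warning.)
acl all src all

http_access allow manager localhost
http_access deny manager
# Only Safe_ports may be proxied, and CONNECT tunnels only to SSL_ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Debian-recommended hardening: proxy users must not reach services bound to
# the proxy host's own loopback.
http_access deny to_localhost
http_access allow localhost

# Authentication first. Here the 407 is wanted: "auth" is the last ACL on the
# line, so clients without credentials get the credential challenge.
http_access deny !auth

# Authorization levels. Order matters: the first matching line wins, so a user
# in several groups gets the first level listed that matches (e.g. someone in
# both RestrictedAccess and TerminalAccess is treated as Restricted).
# Restricted: whitelist only, anything else is a plain 403.
http_access allow RestrictedAccess allowedsites auth
http_access deny RestrictedAccess all
# Full: everything, blockedsites included.
http_access allow FullAccess auth
# Terminal: its own whitelist only, anything else is a plain 403.
http_access allow TerminalAccess terminalsites auth
http_access deny TerminalAccess all
# Everyone else: blocklist first, then Standard.
http_access deny blockedsites
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
# Catch-all for authenticated users who are in none of the groups above: they
# get Standard-level access (only authenticated requests reach this point,
# because of "deny !auth").
# NOTE(review): this is fail-open for any valid AD account outside the access
# groups; if group membership is meant to be mandatory, replace it with
# "http_access deny all".
http_access allow auth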
# Log every request except those to allowedsites (the RestrictedAccess whitelist).
# NOTE(review): traffic to the whitelisted domains therefore leaves no trace in
# access.log, for every access level; if an audit trail for incident response
# is wanted, drop the "!allowedsites" exclusion.
access_log /var/log/squid3/access.log squid !allowedsites
# Squid Debian defaults.
# NOTE(review): http_port without an address listens on every interface; if
# this host has more than one, bind it to the client-facing address
# (e.g. "http_port <ip>:3128") -- check the host's addressing first.
http_port 3128
# URLs matching these patterns are never forwarded to a cache peer.
# (Directive dropped in later Squid releases; harmless here.)
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
# refresh_pattern: first match wins, so the catch-all "." must stay last.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320