Admin

You are currently browsing the articles from KomKid.Net matching the category Admin.

Ubuntu : Centralized Log Server & PHPSyslogViewer

ติดตั้ง Ubuntu 8.04 Server
1.Boot จากแผ่นติดตั้ง เลือกภาษาที่จะใช้ในการติดตั้ง : English
2.เลือกการติดตั้ง : Install Ubuntu Server
3.เลือกภาษาสำหรับระบบ : English
4.เลือกประเทศ : other -> Thailand
5.Detect keyboard layout : No -> Thailand -> Thailand
6.เลือกปุ่มเปลี่ยนภาษา : Alt+Shift
7.ตั้งชื่อ Server : Go Back (เพื่อกลับไปตั้งค่า IP)
8.ตั้งค่า Network : Configure network manually
8.1 IP Address : 192.168.0.251
8.2 Netmask : 255.255.255.0
8.3 Gateway : 192.168.0.3
8.4 Name server : 192.168.0.254
9.ตั้งชื่อ Server : Server1
10.Domain : sci.com
11.จัดการ Partition : Guided – use entire disk -> Yes
12.ตั้งชื่อ user : System Administrator -> sa
13.ตั้งรหัสผ่านและยืนยัน : *** -> ***
14.ตั้งค่า proxy :
15.เลือก Software ที่จะติดตั้ง : OpenSSH server
16.Restart (หลังจากนี้สามารถ ssh มาจากเครื่องอื่นได้)
17.Login ด้วย User ที่สร้าง
18.กรณีไม่ได้ตั้งค่า IP ในขั้นตอนที่ 8 ตั้งค่าได้โดยใช้คำสั่ง

1
sudo nano /etc/network/interfaces

แก้ไขให้เป็นดังนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.251
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.3
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.0.254
dns-search sci.com

19.Update and Upgrade

1
2
3
sudo apt-get update
sudo apt-get upgrade
reboot

ติดตั้ง Time Server

1
2
sudo apt-get install ntp
sudo nano /etc/ntp.conf

แก้ไขให้เป็นดังนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server 203.185.69.60 dynamic
server time.navy.mi.th dynamic
server time.nist.gov dynamic
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
broadcastdelay 0.008
keys /etc/ntp/keys

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
#restrict -4 default kod notrap nomodify nopeer noquery
restrict default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
#restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

restart ntp service

1
sudo /etc/init.d/ntp restart

ตั้งค่า linux เครื่องอื่นให้มารับเวลาจากเครื่องนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three). (192.168.0.251 is Log Server)
server 192.168.0.251

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
restrict default ignore

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
#restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated. (192.168.0.251 is Log Server)
restrict 192.168.0.251 mask 255.255.255.255 nomodify notrap noquery

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

ตั้งค่า Windows ให้มารับเวลาจากเครื่องนี้ โดยใช้ regedit.exe (save เป็นไฟล์นามสกุล .reg แล้ว double click)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:00000005
"MaxNegPhaseCorrection"=dword:00000e10
"MaxPosPhaseCorrection"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="192.168.0.251,0x1"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000384

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

ติดตั้ง Syslog-NG และ PHP SYSLOGVIEWER
1.ติดตั้ง apache

1
sudo apt-get install apache2

2.ดาวน์โหลดและเตรียมติดตั้ง PHP SYSLOGVIEWER

1
2
3
wget http://jaist.dl.sourceforge.net/sourceforge/phpsyslogviewer/phpsyslogviewer-7.2.1.tar.bz2
tar xjvf phpsyslogviewer-7.2.1.tar.bz2
cd phpsyslogviewer-7.2.1

3.ติดตั้ง mysql-server

1
sudo apt-get install mysql-server

4.ติดตั้ง phpmyadmin ไว้ช่วยจัดการฐานข้อมูล

1
sudo apt-get install phpmyadmin

5.สร้างฐานข้อมูล

1
2
3
4
mysql -u root -p
mysql> create database syslogng;
mysql> exit;
mysql -u root -p syslogng < install/phpsyslogviewer.sql

6.ติดตั้ง php-cli

1
sudo apt-get install php5-cli

7.สร้างรายชื่อผู้ใช้

1
2
php install/newuser.sql.php
php install/newuser.sql.php | mysql -u root -p syslogng

8.สร้างหน้า web

1
2
3
4
cp -R htdocs /var/www/phpsyslogviewer
nano /var/www/phpsyslogviewer/config.php
chown root:www-data /var/www/phpsyslogviewer/config.php
chmod 440 /var/www/phpsyslogviewer/config.php

9.ลองเข้าดูได้ที่ http://192.168.0.251/phpsyslogviewer
10.เพิ่มความเร็วในการเก็บ log เข้า MySQL ด้วย speedupd

1
2
3
4
5
6
7
8
9
10
11
wget http://jaist.dl.sourceforge.net/sourceforge/phpsyslogviewer/speedupd-7.3.2.tar.bz2
tar xjvf speedupd-7.3.2.tar.bz2
cd speedup-7.3.2/
apt-get install debhelper cmake libdaemon-dev libconfuse-dev fakeroot
apt-get install build-essential libmysqlclient15-dev
dpkg-buildpackage -rfakeroot
cd ..
dpkg -i speedupd_7.3.0_i386.deb
nano /etc/speedupd.conf
update-rc.d speedupd defaults
/etc/init.d/speedupd start

ติดตั้ง Syslog-NG
1.ติดตั้ง

1
sudo apt-get install syslog-ng

2.ตั้งค่า

1
nano /etc/syslog-ng/syslog-ng.conf

ป้อนข้อมูลดังนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
options {
recv_time_zone (+07:00);
send_time_zone (+07:00);
sync (0);
time_reopen (100);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
chain_hostnames(yes);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
#tcp(ip(0.0.0.0) port(514) keep-alive(yes));
};

destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
template-escape(yes));
};

filter f_filter1 { facility (kern); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_sys); filter(f_filter1); destination(d_mysql); };
log { source(s_sys); filter(f_filter2); destination(d_mysql); };
log { source(s_sys); filter(f_filter3); destination(d_mysql); };
log { source(s_sys); filter(f_filter4); destination(d_mysql); };
log { source(s_sys); filter(f_filter5); destination(d_mysql); };
log { source(s_sys); filter(f_filter6); destination(d_mysql); };
log { source(s_sys); filter(f_filter7); destination(d_mysql); };
log { source(s_sys); filter(f_filter8); destination(d_mysql); };
#####################################################################

# Source from remote client
source s_client {
tcp(ip(0.0.0.0) port(514) keep-alive(yes) max-connections(300));
udp(ip(0.0.0.0) port(514));
};
log {source(s_client); destination(d_mysql); };

3.สร้างคำสั่งสำหรับเขียนลง mysql

1
nano /usr/local/bin/syslog2mysql.sh

ป้อนคำสั่งดังนี้

1
2
3
4
5
6
7
8
9
#!/bin/bash
if [ ! -e /var/log/mysql.pipe ]
then
mkfifo /var/log/mysql.pipe
fi
while [ -e /var/log/mysql.pipe ]
do
mysql -u root --password=*** syslogng < /var/log/mysql.pipe > /dev/null
done

ทำให้คำสั่ง execute ได้

1
chmod +x /usr/local/bin/syslog2mysql.sh

4.ทำให้ script run ทุกครั้งที่ boot

1
nano /etc/init.d/syslog2mysql

ป้อนคำสั่งดังนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/sh
# run syslog2mysql.sh at boot

case "$1" in
'start')
sh /usr/local/bin/syslog2mysql.sh &
;;
'stop')
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0

ทำให้ execute ได้แล้วเพิ่ม startup link ใน RC

1
2
sudo chmod +x /etc/init.d/syslog2mysql
sudo update-rc.d syslog2mysql defaults

run script แล้วก็ restart syslog-ng

1
2
/etc/init.d/syslog2mysql start
/etc/init.d/syslog-ng restart

5.ติดตั้ง Syslog-NG ที่ Linux Server เครื่องอื่นและตั้งค่าให้ส่ง log มาเก็บที่เครื่องนี้

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
#tcp(ip(0.0.0.0) port(5149) keep-alive(yes));
};

destination logserver { tcp("192.168.0.251" port(514)); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_filter1   { facility(kern); };
filter f_filter2   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3   { facility(authpriv); };
filter f_filter4   { facility(mail); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7   { facility(local7); };
filter f_filter8   { facility(cron); };
# Remove the 'squid' log entries from 'user' log facility
filter f_remove { not program("squid"); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter1); destination(d_kern); };
log { source(s_sys); filter(f_filter2); filter(f_remove); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

filter f_squid { program("squid") and facility(user); };

destination d_squid {
file("/var/log/$HOST/$YEAR/$MONTH/squid.$YEAR-$MONTH-$DAY"
owner(root) group(adm) perm(665)
create_dirs(yes) dir_perm(0775));
};
log { source(s_sys); filter(f_squid); destination(d_squid); };

log { source(s_sys); destination(logserver); };

6.ส่ง Log จาก Windows Server มาเครื่องนี้
6.1 Download Lasso (Windows Event Collector) จาก http://open.loglogic.com
6.2 ตั้งค่า hostlist.ini

1
localhost,*6

6.3 ตั้งค่า lasso.ini

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
SkipInitDLLScan,0
LogAppliance,192.168.0.251
RepositoryPath,C:\Program Files\Lasso\LassoRepository\
SpoolPath,C:\Program Files\Lasso\LassoRepository\Spool\
EventPollInterval,10
SpoolFileSize,1.0
WatermarkWriteInterval,100
MaxTraceFileSize,20
MaxNumWorkerThreads,4
DllLoadInterval,3600
HighWaterMarks,ON
#DefaultLassoShare,LassoShare=C:\LassoTemp
CheckHostListInterval,3600
NewHostSkipHistorical,0
EnableShareDlls,1
CheckRemHostAvail,0
EnableAdminSharesIfDisabled,0
DebugLevel,0
LogLevel,1
DebugHostFileSize,20
AccessReport,0

6.4 start service Lasso Windows Event Collector

Written by Komkid on February 17th, 2010 with no comments.
Read more articles on Admin and Internet and Networking and Ubuntu.

Squid : Custom error page

blocked
หน้าตาสำหรับแสดงผลกรณีมี error ของ squid เช่น กรณีถูกบล็อก(ERR_ACCESS_DENIED) แก้ไขได้ที่ /usr/share/squod/errors/
โดยสามารถใช้ Variable ได้ด้วย ดังนี้

%B URL with FTP %2f hack
%c Squid error code
%d seconds elapsed since request received (not yet implemented)
%e errno
%E strerror()
%f FTP request line
%F FTP reply line
%g FTP server message
%h cache hostname
%H server host name
%i client IP address
%I server IP address
%L contents of err_html_text config option
%M Request Method
%m Error message returned by external auth helper
%p URL port
%P Protocol
%R Full HTTP Request
%S squid default signature
%s caching proxy software with version
%t local time
%T UTC
%U URL without password
%u URL with password (Squid-2.5 and later only)
%w cachemgr email address
%z dns server error message

ตัวอย่าง ERR_ACCESS_DENIED

1
2
3
4
5
6
7
8
9
10
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF8">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY bgcolor="#000000">
 <div align="center">
  <img src="http://intranet.sci.com/sci/blocked.jpg" border="0" alt="Access dinied">
  </div>
<br>
<div align="center">Web นี้ถูก block ในช่วงเวลา 8:00-12:00 น. และ 13:00-17:40 น. หากมีความจำเป็นต้องใช้งาน กรุณาแจ้ง งทส.</div>

Written by Komkid on January 28th, 2010 with no comments.
Read more articles on Admin and Networking and Programming and Ubuntu.

Logon Script : Map Network Drive

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
' MapNetworkDrive.vbs
' VBScript to map a network drive to a UNC Path.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.3 - September 2005
' -----------------------------------------------------------------'
Option Explicit
Dim objNetwork
Dim strDriveLetter, strRemotePath
strDriveLetter = "P:"
strRemotePath = "\\server2\public_data"
 
' Purpose of script to create a network object. (objNetwork)
' Then to apply the MapNetworkDrive method.  Result J: drive
Set objNetwork = CreateObject("WScript.Network")
 
objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
 
' End of Example VBScript.

Written by Komkid on January 27th, 2010 with no comments.
Read more articles on Admin and Networking and Programming.

Service ports for firewall configuration

DHCP
*UDP 67, 2535

DNS
*UDP 53
*TCP 53,139, 445

Symantec Systen Center
*TCP 2967

Written by Komkid on January 26th, 2010 with no comments.
Read more articles on Admin and IT Tips and Networking.

Squid and Active Directory

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443        # https
acl SSL_ports port 563        # snews
acl SSL_ports port 873        # rsync
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 631        # cups
acl Safe_ports port 873        # rsync
acl Safe_ports port 901        # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl webblocked url_regex '/etc/squid/webblocked.txt'
acl day_am time 08:00-12:00
acl day_pm time 13:00-17:40
http_access deny webblocked day_am
http_access deny webblocked day_pm

#Block MSN
acl msn_users src '/etc/squid/msn_user_list.txt'
acl msn_server req_mime_type application/x-msn-messenger
acl msn_url url_regex -i gateway.dll

#Block MSN
http_access deny !msn_users msn_server day_am
http_access deny !msn_users msn_server day_pm
http_access deny !msn_users msn_url day_am
http_access deny !msn_users msn_url day_pm

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost

icp_access allow all

http_port 8080
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
#logformat combined
cache_access_log /var/log/squid/access.log
#cache_access_log syslog combined
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

coredump_dir /var/spool/squid

#http_access allow all

# Active Directory
####################################################################################################
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=sci,dc=com" -D "cn=Administrator,cn=Users,dc=sci,dc=com" -w "***" -f "sAMAccountName=%s" -h 192.168.0.1
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 5 minutes

external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=sci,dc=com" -D "cn=Administrator,cn=Users,dc=sci,dc=com" -w "***" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=InternetUser,dc=sci,dc=com))" -h 192.168.0.1

acl localnet proxy_auth REQUIRED src 192.168.0.0/24
acl InetAccess external InetGroup InetAllow
http_access allow InetAccess
####################################################################################################
http_access deny all

ตัวอย่างนี้ Active Directory ของ domain sci.com อยู่บน Server 192.168.0.1
วิธีการก็คือ สร้าง Security Group (InetAllow) แล้ว add user ที่มีสิทธิใช้งาน internet ได้ให้เป็น member ของ group นี้

จากนั้นก็เอา Security Group ไปไว้ใน OU ชื่อ InternetUser ดังรูป
Users_in_Active_Directory

ในส่วนของ squid.conf
ตั้งค่าให้ใช้การ authen ผ่าน LDAP

1
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=sci,dc=com" -D "cn=Administrator,cn=Users,dc=sci,dc=com" -w "***" -f "sAMAccountName=%s" -h 192.168.0.1

จากนั้นสร้าง external_acl_type ชื่อ InetGroup ให้ไปตรวจสอบจาก OU ที่ชื่อ InternetUser

1
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=sci,dc=com" -D "cn=Administrator,cn=Users,dc=sci,dc=com" -w "***" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=InternetUser,dc=sci,dc=com))" -h 192.168.0.1

แล้วก็สร้าง ACL ชื่อ InetAccess ให้ตรวจสอบกับ InetGroup โดยอนุญาตให้ Group InetAllow ผ่าน

1
acl InetAccess external InetGroup InetAllow

จากนั้นก็อนุญาตให้ User Group ที่ผ่าน acl ชื่อ InetAccess ใช้ internet ได้ นอกนั้นห้าม (โดยต้อง login ผ่าน proxy ด้วย)

1
2
3
4
acl InetAccess acl localnet proxy_auth REQUIRED src 192.168.0.0/24
acl InetAccess external InetGroup InetAllow
http_access allow InetAccess
http_access deny all

Written by Komkid on January 26th, 2010 with no comments.
Read more articles on Admin and Networking.

« Older articles

Newer articles »