VyOS can run a web proxy (Squid), and LDAP authentication can be required when client PCs browse the Internet through it. This post sets it up so that a client PC is authenticated against Active Directory user accounts before it is allowed to browse, by adding authentication settings to a VyOS that already has the web proxy configured. The settings used here assume the following:
AD users allowed to use the web proxy: only users under the OU "Proxy"
Bind account: the AD Administrator account, used as-is (a dedicated read-only bind account is the safer choice, because the bind password ends up in plaintext both in the VyOS config and in the squid.conf that VyOS generates from it)
AD server IP address: 192.168.129.135
In the commands that follow, children '5' starts five authentication helper processes, and credentials-ttl '60' lets Squid cache a successful check for 60 minutes, so disabling an account or changing its password in AD only takes effect at the proxy once that cache entry expires.
set service webproxy authentication children '5'
set service webproxy authentication credentials-ttl '60'
set service webproxy authentication ldap base-dn 'ou=Proxy,dc=lab,dc=local'
set service webproxy authentication ldap bind-dn 'CN=Administrator,CN=Users,DC=lab,DC=local'
set service webproxy authentication ldap filter-expression 'sAMAccountName=%s'
set service webproxy authentication ldap password '【Password】'
set service webproxy authentication ldap port '389'
set service webproxy authentication ldap server '192.168.129.135'
set service webproxy authentication ldap username-attribute 'samAccountName'
set service webproxy authentication ldap version '3'
set service webproxy authentication method 'ldap'
set service webproxy authentication realm 'proxy-authentication'
The only authentication backend the VyOS CLI exposes is LDAP. The VyOS web proxy is Squid, and as the generated squid.conf later on this page shows, what Squid actually runs is HTTP Basic authentication (auth_param basic) with the squid_ldap_auth helper as its backend; the browser therefore sends the user name and password base64-encoded, effectively in cleartext, on every request to the proxy. A different backend, for example a local password file, would require editing squid.conf by hand, and since VyOS regenerates that file on every commit such edits do not survive. The AD users are set up as shown below.
The user names used in this post all contain "proxy".
Checking them from the command line:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>dsquery user -name *proxy*
"CN=proxy user1,OU=Proxy,DC=lab,DC=local"
"CN=proxy user2,OU=Proxy,DC=lab,DC=local"
"CN=proxy user3,OU=Proxy,DC=lab,DC=local"
"CN=proxy admin,OU=Proxy,DC=lab,DC=local"
"CN=proxy not-user1,CN=Users,DC=lab,DC=local"
"CN=proxy not-user2,CN=Users,DC=lab,DC=local"
"CN=proxy not-user3,CN=Users,DC=lab,DC=local"
C:\Windows\system32>
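The following is an added example, not code from the post or from Squid: a small Python model of the lookup the squid_ldap_auth helper performs with the settings above. It searches the subtree under base-dn with filter-expression (the typed user name substituted for %s, escaped per RFC 4515 so a typed `*` or `)` cannot change the filter), and then binds as the entry found using the typed password. DIRECTORY is constructed from the dsquery listing; the sAMAccountName and password values in it are assumptions. It shows why proxy-user1 succeeds, why the form lab\proxy user1 and the account proxy-not-user1 (which lives under CN=Users, outside the base DN) fail, and that the lowercase `ou=Proxy,dc=lab,dc=local` in the VyOS config still matches dsquery's `OU=Proxy,DC=lab,DC=local`, since attribute types in a DN are case-insensitive.

```python
"""Model of the lookup the squid_ldap_auth helper performs with the VyOS
settings on this page: subtree search under base-dn with filter-expression
(%s replaced by the typed user name), then a bind as the entry found using
the typed password.  Added example, not code from the post or from Squid;
DIRECTORY is constructed from the dsquery listing, and the sAMAccountName
and password values in it are assumptions."""
import re
from dataclasses import dataclass

BASE_DN = "ou=Proxy,dc=lab,dc=local"       # set service webproxy authentication ldap base-dn
FILTER_EXPRESSION = "sAMAccountName=%s"    # set service webproxy authentication ldap filter-expression


@dataclass(frozen=True)
class Entry:
    dn: str
    sam: str       # sAMAccountName (assumed)
    password: str  # assumed lab password, constructed for this example


DIRECTORY = [
    Entry("CN=proxy user1,OU=Proxy,DC=lab,DC=local", "proxy-user1", "P@ss1"),
    Entry("CN=proxy user2,OU=Proxy,DC=lab,DC=local", "proxy-user2", "P@ss2"),
    Entry("CN=proxy admin,OU=Proxy,DC=lab,DC=local", "proxy-admin", "P@ssA"),
    Entry("CN=proxy not-user1,CN=Users,DC=lab,DC=local", "proxy-not-user1", "P@ssN"),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed '*', '(', ')' or '\\' becomes a literal
    character instead of changing the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def assertion_to_regex(value: str) -> re.Pattern:
    """Interpret a filter assertion value the way an LDAP server does:
    a raw '*' is a wildcard, a '\\xx' hex escape is a literal character."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def in_subtree(dn: str, base_dn: str) -> bool:
    # attribute types in a DN are case-insensitive, so the config's
    # 'ou=Proxy,dc=lab,dc=local' matches dsquery's 'OU=Proxy,DC=lab,DC=local'
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)


def search(base_dn: str, ldap_filter: str) -> list:
    """Subtree search; only a filter on sAMAccountName is modelled,
    which is all the page's filter-expression uses."""
    attr, _, value = ldap_filter.partition("=")
    if attr.lower() != "samaccountname":
        return []
    rx = assertion_to_regex(value)
    return [e for e in DIRECTORY if in_subtree(e.dn, base_dn) and rx.match(e.sam)]


def authenticate(username: str, password: str) -> str:
    """Return 'OK' or 'ERR', the helper's one-word answer to Squid."""
    ldap_filter = FILTER_EXPRESSION.replace("%s", escape_filter_value(username))
    entries = search(BASE_DN, ldap_filter)
    if len(entries) != 1:
        return "ERR"   # nothing under base-dn, or ambiguous (this model refuses both)
    return "OK" if entries[0].password == password else "ERR"


if __name__ == "__main__":
    for user, pw in [("proxy-user1", "P@ss1"), ("lab\\proxy user1", "P@ss1"),
                     ("proxy-not-user1", "P@ssN"), ("*", "P@ss1")]:
        print(f"{user!r:20} -> {authenticate(user, pw)}")
    # what an unescaped '*' would have done to the search
    print("unescaped '*' matches", len(search(BASE_DN, "sAMAccountName=*")), "entries")
```

The refusal of an ambiguous (multi-entry) result is a choice made in this model, not a statement about what the real helper does; the point it illustrates is that without escaping, a user name of `*` turns the equality filter into a match on every account under the base DN.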
Now start IE on a client PC and browse. IE shows the pop-up below; enter the account and password and click OK. Once authentication succeeds, browsing works. In the log below, the attempts logged as lab\proxy user1 get 407 responses; only the sAMAccountName form proxy-user1 satisfies the filter sAMAccountName=%s and gets a 200.
The access log on VyOS shows this:
vyos@vyos# sudo tail -n 81 /var/log/squid3/access.log
192.168.129.146 - - [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.146 - lab\proxy%20user1 [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
192.168.129.146 - - [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.146 - lab\proxy%20user1 [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
192.168.129.146 - - [13/May/2018:23:54:07 +0900] "GET http://www.msn.com/ja-jp/? HTTP/1.1" 407 5017 TCP_DENIED:NONE
192.168.129.146 - lab\proxy%20user1 [13/May/2018:23:54:07 +0900] "GET http://www.msn.com/ja-jp/? HTTP/1.1" 407 5120 TCP_DENIED:NONE
192.168.129.146 - proxy-user1 [13/May/2018:23:55:33 +0900] "GET http://www.msn.com/ja-jp/? HTTP/1.1" 200 423924 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:55:34 +0900] "GET http://www.msn.com/ja-jp/homepage/irisbannerajax HTTP/1.1" 204 872 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:55:34 +0900] "GET http://otf.msn.com/c.gif? HTTP/1.1" 200 664 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:55:34 +0900] "CONNECT sb.scorecardresearch.com:443 HTTP/1.0" 200 5464 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:55:34 +0900] "OPTIONS http://otf.msn.com/c.gif? HTTP/1.1" 200 468 TCP_MISS:DIRECT
## 中略 ##
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT px.ads.linkedin.com:443 HTTP/1.0" 200 3512 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT sam.msn.com:443 HTTP/1.0" 200 36954 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT sam.msn.com:443 HTTP/1.0" 200 5615 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT choices.truste.com:443 HTTP/1.0" 200 16875 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT ad.adsrvr.org:443 HTTP/1.0" 200 64868 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT www.msn.com:443 HTTP/1.0" 200 6308 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:19 +0900] "CONNECT pr-bh.ybp.yahoo.com:443 HTTP/1.0" 200 5365 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:57:20 +0900] "GET http://ping.chartbeat.net/ping? HTTP/1.1" 200 362 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:58:35 +0900] "GET http://ping.chartbeat.net/ping? HTTP/1.1" 200 362 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [14/May/2018:00:00:28 +0900] "GET http://sin1-ib.adnxs.com/vevent? HTTP/1.1" 200 905 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [14/May/2018:00:00:50 +0900] "GET http://ping.chartbeat.net/ping? HTTP/1.1" 200 362 TCP_MISS:DIRECT
[edit]
vyos@vyos#
The AD event log shows the following.
Next, log in as a user without permission.
After entering the account and password and clicking OK, nothing is displayed. The VyOS log confirms the request was denied: proxy-not-user1 exists in AD but under CN=Users, outside the base-dn ou=Proxy,dc=lab,dc=local, so the LDAP search returns no entry, the helper answers ERR and Squid sends another 407.
vyos@vyos# sudo tail -n 25 /var/log/squid3/access.log
192.168.129.137 - - [14/May/2018:00:48:51 +0900] "CONNECT uhf.microsoft.com:443 HTTP/1.0" 407 3847 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:48:51 +0900] "CONNECT img-prod-cms-rt-microsoft-com.akamaized.net:443 HTTP/1.0" 407 3951 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:48:56 +0900] "GET http://ipv6.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3759 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:48:56 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3755 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:48:56 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:49:26 +0900] "CONNECT ieonline.microsoft.com:443 HTTP/1.0" 407 3866 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:26 +0900] "CONNECT ieonline.microsoft.com:443 HTTP/1.0" 407 3969 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
192.168.129.137 - - [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
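As an added example (not from the post), the script below runs detection logic over access.log lines in the "common" format VyOS configures: a 407 with no user name is the normal first challenge, while a 407 that does carry a user name means the helper rejected the credentials the browser sent. Counting the latter per (client, user) pair separates a user who simply typed the wrong name form (DOMAIN\user, or a name with a space, which can never match sAMAccountName=%s) from a client that keeps presenting rejected credentials. SAMPLE_LOG is constructed after the excerpts above; the threshold of three rejections is an arbitrary choice for the example.

```python
"""Classify Squid access.log lines (VyOS uses the 'common' log format) into
challenges, rejected credentials and authenticated requests, and flag clients
that keep presenting credentials the proxy rejects.  Added example, not from
the post; SAMPLE_LOG is constructed after the log excerpts on this page."""
import re
from collections import Counter
from urllib.parse import unquote

# common format as written here: client ident user [time] "request" status bytes squid-result
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)$')

# constructed after the page's excerpts (not a verbatim copy)
SAMPLE_LOG = r"""
192.168.129.146 - - [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3733 TCP_DENIED:NONE
192.168.129.146 - lab\proxy%20user1 [13/May/2018:23:53:51 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
192.168.129.146 - lab\proxy%20user1 [13/May/2018:23:54:07 +0900] "GET http://www.msn.com/ja-jp/? HTTP/1.1" 407 5120 TCP_DENIED:NONE
192.168.129.146 - proxy-user1 [13/May/2018:23:55:33 +0900] "GET http://www.msn.com/ja-jp/? HTTP/1.1" 200 423924 TCP_MISS:DIRECT
192.168.129.146 - proxy-user1 [13/May/2018:23:55:34 +0900] "CONNECT sb.scorecardresearch.com:443 HTTP/1.0" 200 5464 TCP_MISS:DIRECT
192.168.129.137 - - [14/May/2018:00:49:26 +0900] "CONNECT ieonline.microsoft.com:443 HTTP/1.0" 407 3866 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:26 +0900] "CONNECT ieonline.microsoft.com:443 HTTP/1.0" 407 3969 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
192.168.129.137 - proxy-not-user1 [14/May/2018:00:49:54 +0900] "GET http://www.msftconnecttest.com/connecttest.txt HTTP/1.1" 407 3836 TCP_DENIED:NONE
"""


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Squid URL-encodes the user name it logs, hence 'proxy%20user1'
    rec["user"] = None if rec["user"] == "-" else unquote(rec["user"])
    return rec


def classify(rec: dict) -> str:
    if rec["status"] == 407:
        # 407 without a user is the normal first challenge; 407 *with* a user
        # means the helper answered ERR for the credentials that were sent
        return "challenge" if rec["user"] is None else "rejected"
    return "authenticated" if rec["user"] else "anonymous"


def summarize(lines):
    """Count rejected credentials per (client, user) and collect the
    (client, user) pairs that were served an authenticated request."""
    rejected, accepted = Counter(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "rejected":
            rejected[(rec["client"], rec["user"])] += 1
        elif kind == "authenticated":
            accepted.add((rec["client"], rec["user"]))
    return rejected, accepted


def suspicious(rejected: Counter, threshold: int = 3) -> list:
    """(client, user) pairs rejected at least `threshold` times."""
    return sorted(k for k, n in rejected.items() if n >= threshold)


def wrong_name_form(user: str) -> bool:
    """A name typed as DOMAIN\\user or containing a space can never satisfy
    the filter sAMAccountName=%s: such rejections are user error, not an attack."""
    return "\\" in user or " " in user


if __name__ == "__main__":
    rejected, accepted = summarize(SAMPLE_LOG.splitlines())
    for (client, user), n in rejected.most_common():
        note = " (name form cannot match sAMAccountName)" if wrong_name_form(user) else ""
        print(f"{client} {user!r}: {n} rejected{note}")
    print("flagged:", suspicious(rejected))
    print("authenticated:", sorted(accepted))
```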
For reference, the full VyOS config used in this post:
vyos@vyos:~$ show configuration commands
vyos@vyos# run show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:02:82:5f'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:02:82:69'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback 'lo'
set nat source rule 1 description 'Internal-to-External-NAPT'
set nat source rule 1 outbound-interface 'eth0'
set nat source rule 1 source address '10.0.0.0/8'
set nat source rule 1 translation address 'masquerade'
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name dhcp-pool-1 authoritative 'disable'
set service dhcp-server shared-network-name dhcp-pool-1 description 'lab-1-dhcp'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 default-router '10.0.0.1'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 dns-server '10.0.0.1'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 domain-name 'lab.local'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 domain-search 'lab.local'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 lease '86400'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 start 10.0.0.64 stop '10.0.0.223'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 static-route destination-subnet '172.16.0.0/24'
set service dhcp-server shared-network-name dhcp-pool-1 subnet 10.0.0.0/24 static-route router '10.0.0.2'
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service ssh port '22'
set service webproxy authentication children '5'
set service webproxy authentication credentials-ttl '60'
set service webproxy authentication ldap base-dn 'ou=Proxy,dc=lab,dc=local'
set service webproxy authentication ldap bind-dn 'CN=Administrator,CN=Users,DC=lab,DC=local'
set service webproxy authentication ldap filter-expression 'sAMAccountName=%s'
set service webproxy authentication ldap password '【Password】'
set service webproxy authentication ldap port '389'
set service webproxy authentication ldap server '192.168.129.135'
set service webproxy authentication ldap username-attribute 'samAccountName'
set service webproxy authentication ldap version '3'
set service webproxy authentication method 'ldap'
set service webproxy authentication realm 'proxy-authentication'
set service webproxy cache-size '100'
set service webproxy default-port '3128'
set service webproxy listen-address 192.168.129.133 'disable-transparent'
set service webproxy listen-address 192.168.129.133 port '3128'
set service webproxy url-filtering squidguard auto-update update-hour '0'
set service webproxy url-filtering squidguard default-action 'allow'
set service webproxy url-filtering squidguard 'enable-safe-search'
set service webproxy url-filtering squidguard local-ok 'amazon.co.jp'
set service webproxy url-filtering squidguard local-ok 'rakuten.co.jp'
set service webproxy url-filtering squidguard local-ok 'microsoft.com'
set service webproxy url-filtering squidguard local-ok 'windowsupdate.com'
set service webproxy url-filtering squidguard local-ok 'live.com'
set service webproxy url-filtering squidguard redirect-url 'http://www.google.com'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$1$【Password】'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'
set system ntp server 'ntp.nict.jp'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Tokyo'
[edit]
vyos@vyos#
The settings can also be checked in the generated squid.conf. Note the bind password passed to the helper in plaintext with -w:
vyos@vyos# cat /etc/squid3/squid.conf
#
# autogenerated by vyatta-update-webproxy.pl
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl net src all
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
auth_param basic children 5
auth_param basic credentialsttl 60 minute
auth_param basic realm proxy-authentication
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "ou=Proxy,dc=lab,dc=local" -D "CN=Administrator,CN=Users,DC=lab,DC=local" -w 【Password】 -f sAMAccountName=%s -u samAccountName -p 389 -R -h 192.168.129.135
acl auth proxy_auth REQUIRED
http_access allow auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow net
http_access deny all
cache_dir ufs /var/spool/squid3 100 16 256
cache_mem 20 MB
access_log /var/log/squid3/access.log common
cache_store_log none
http_port 192.168.129.133:3128
forwarded_for off
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 8
redirector_bypass on
[edit]
vyos@vyos#
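As an added check (not VyOS or Squid code), the script below reads a squid.conf like the one above and reports the points a reviewer would raise about this generated file: the bind password is passed to the helper with -w and is therefore visible in the process list to any local user on the VyOS box (the helper's -W option reads it from a file instead); the bind is a simple bind to port 389 without StartTLS (the helper's -Z option) or an ldaps:// URI, so every proxy user's AD password crosses the network between VyOS and the domain controller in cleartext; the bind DN is the built-in Administrator; and `http_access allow auth` comes before `deny !Safe_ports` and `deny CONNECT !SSL_ports`, so with Squid's first-match evaluation those port restrictions never apply to an authenticated user. SAMPLE_CONF is constructed after the file above with the password replaced; HARDENED_CONF is the same file with those four points corrected, and the service-account DN and password-file path in it are assumptions. Whether the VyOS CLI in use can express those corrections is not shown on this page, and since the file is regenerated by vyatta-update-webproxy.pl on commit, hand edits to it do not survive.

```python
"""Audit the squid.conf that VyOS generates for the webproxy LDAP settings.
Added example, not VyOS or Squid code.  SAMPLE_CONF is constructed after the
file shown on this page (password replaced); HARDENED_CONF is the same file
with the weak settings corrected (service-account DN and file path assumed)."""
import shlex

SAMPLE_CONF = r"""
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl net src all
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
auth_param basic children 5
auth_param basic credentialsttl 60 minute
auth_param basic realm proxy-authentication
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "ou=Proxy,dc=lab,dc=local" -D "CN=Administrator,CN=Users,DC=lab,DC=local" -w REDACTED -f sAMAccountName=%s -u samAccountName -p 389 -R -h 192.168.129.135
acl auth proxy_auth REQUIRED
http_access allow auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow net
http_access deny all
"""

HARDENED_CONF = r"""
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl net src all
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
auth_param basic children 5
auth_param basic credentialsttl 60 minute
auth_param basic realm proxy-authentication
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "ou=Proxy,dc=lab,dc=local" -D "CN=svc-proxy-ldap,OU=Service Accounts,DC=lab,DC=local" -W /etc/squid3/ldap-bind.pw -f sAMAccountName=%s -u samAccountName -p 389 -Z -R -h 192.168.129.135
acl auth proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow auth
http_access deny all
"""

# helper options that take a value (those used on this page plus -W and -H,
# which the hardened variant and the cleartext check look at); anything else
# on the command line is treated as a switch
VALUE_OPTS = {"-v", "-b", "-D", "-w", "-W", "-f", "-u", "-p", "-h", "-H"}


def parse_helper_options(conf: str):
    """Return (program, {option: value-or-True}) from the auth_param basic program line."""
    for line in conf.splitlines():
        if line.startswith("auth_param basic program "):
            argv = shlex.split(line)[3:]          # drop 'auth_param basic program'
            prog, args, opts, i = argv[0], argv[1:], {}, 0
            while i < len(args):
                if args[i] in VALUE_OPTS and i + 1 < len(args):
                    opts[args[i]] = args[i + 1]
                    i += 2
                else:
                    opts[args[i]] = True
                    i += 1
            return prog, opts
    return None, {}


def proxy_auth_acls(conf: str) -> set:
    """Names of ACLs of type proxy_auth, e.g. {'auth'} for the file on this page."""
    names = set()
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "acl" and parts[2] == "proxy_auth":
            names.add(parts[1])
    return names


def http_access_rules(conf: str) -> list:
    return [line.split()[1:] for line in conf.splitlines() if line.startswith("http_access ")]


def audit(conf: str) -> list:
    """List of (code, message) findings; empty when none of the checks fire."""
    findings = []
    _, opts = parse_helper_options(conf)
    if "-w" in opts:
        findings.append(("PASSWORD_ON_CMDLINE",
                         "bind password given with -w is readable in the process list; use -W <file>"))
    if "-Z" not in opts and not str(opts.get("-H", "")).startswith("ldaps://"):
        findings.append(("LDAP_CLEARTEXT",
                         "simple bind without StartTLS (-Z) or ldaps:// (-H): user passwords cross the network unencrypted"))
    if "administrator" in str(opts.get("-D", "")).lower():
        findings.append(("ADMIN_BIND_DN",
                         "bind DN is an Administrator account; a dedicated read-only account limits the damage of a leaked bind password"))
    auth_acls, rules = proxy_auth_acls(conf), http_access_rules(conf)
    # Squid evaluates http_access top-down, first match wins
    first_auth_allow = next((i for i, r in enumerate(rules) if r[0] == "allow" and auth_acls & set(r[1:])), None)
    first_port_deny = next((i for i, r in enumerate(rules) if r[0] == "deny" and "!Safe_ports" in r), None)
    if first_auth_allow is not None and first_port_deny is not None and first_auth_allow < first_port_deny:
        findings.append(("AUTH_ALLOW_BEFORE_PORT_DENY",
                         "http_access allow <proxy_auth acl> precedes deny !Safe_ports: authenticated users reach any port"))
    return findings


if __name__ == "__main__":
    for name, conf in (("generated", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for code, msg in audit(conf):
            print(f"  {code}: {msg}")
```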
A useful article when you want to display LDAP-related entries in the AD event log:
Active Directory Diagnostic Logging
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961809(v=technet.10)