tachtler:squid_centos_7
Differences
This page shows the differences between two revisions of the article.
tachtler:squid_centos_7 [2017/10/19 12:50] – [Portal Splash Pages - Preparations] klaus | tachtler:squid_centos_7 [2017/10/19 16:45] (current) – [ssl_bump configuration] klaus | ||
Line 6884: | Line 6884: | ||
# Tachtler - ssl_bump configuration - | # Tachtler - ssl_bump configuration - | ||
# default: http_port 3128 | # default: http_port 3128 | ||
- | http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/ | + | http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/ |
- | always_direct allow all | + | |
ssl_bump server-first all | ssl_bump server-first all | ||
- | sslproxy_cert_error allow all | + | sslproxy_options NO_SSLv2, |
- | sslproxy_flags DONT_VERIFY_PEER | + | |
sslcrtd_program / | sslcrtd_program / | ||
sslcrtd_children 5 startup=1 idle=1 | sslcrtd_children 5 startup=1 idle=1 | ||
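Review bot: The substantive change in this hunk is the removal of `sslproxy_flags DONT_VERIFY_PEER` and `sslproxy_cert_error allow all`: together those two directives made the bumping proxy accept any origin server certificate, forged or expired ones included, and re-sign it for the client with the proxy's CA, so dropping them re-enables upstream certificate validation and is the right fix. The new `sslproxy_options NO_SSLv2,` line is cut off after the comma in this rendering, so the complete option list should be checked against the full page before it is copied. It would also help to say in the surrounding text why `always_direct allow all` was removed in the same step, since that is a forwarding change rather than a TLS one.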
Line 6956: | Line 6954: | ||
# Tachtler - ssl_bump configuration - | # Tachtler - ssl_bump configuration - | ||
# default: http_port 3128 | # default: http_port 3128 | ||
- | http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/ | + | http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/ |
- | always_direct allow all | + | |
ssl_bump server-first all | ssl_bump server-first all | ||
- | sslproxy_cert_error allow all | + | sslproxy_options NO_SSLv2, |
- | sslproxy_flags DONT_VERIFY_PEER | + | |
sslcrtd_program / | sslcrtd_program / | ||
sslcrtd_children 5 startup=1 idle=1 | sslcrtd_children 5 startup=1 idle=1 | ||
Line 6972: | Line 6968: | ||
* '' | * '' | ||
* '' | * '' | ||
- | |||
- | * < | ||
- | Ermöglicht es dem [[http:// | ||
* < | * < | ||
Ermöglicht es dem [[http:// | Ermöglicht es dem [[http:// | ||
- | |||
- | * < | ||
- | Bestimmt das Verhalten des [[http:// | ||
:!: **HINWEIS** - **Aus Sicherheitsaspekten __sollte hier später__ '' | :!: **HINWEIS** - **Aus Sicherheitsaspekten __sollte hier später__ '' | ||
- | * < | + | * < |
- | Weist den [[http:// | + | Weist den [[http:// |
* < | * < | ||
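Review bot: The `:!: **HINWEIS** - **Aus Sicherheitsaspekten __sollte hier später__` note is carried over unchanged while the bullets describing the removed directives around it are deleted; if the step it says should be done "later" is the hardening performed in this revision (the removal of the certificate-verification bypass), the note is now stale and should be reworded or removed.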
Line 7702: | Line 7692: | ||
# splash screen configuration - start - | # splash screen configuration - start - | ||
- | # Set up the session helper in active mode. | + | acl proxy url_regex -i http:// |
- | external_acl_type session concurrency=100 ttl=60 negative_ttl=0 children-max=1 | + | |
+ | # Set up the session helper in active mode. Mind the wrap - this is one line: | ||
+ | external_acl_type session concurrency=100 ttl=3 %SRC / | ||
# Pass the LOGIN command to the session helper with this ACL | # Pass the LOGIN command to the session helper with this ACL | ||
acl session_login external session LOGIN | acl session_login external session LOGIN | ||
- | # Set up the normal session helper. | + | |
- | external_acl_type session_active_def concurrency=100 ttl=60 negative_ttl=0 children-max=1 %LOGIN / | + | |
# Normal session ACL as per simple example | # Normal session ACL as per simple example | ||
- | acl session_is_active external | + | acl session_is_active external |
# ACL to match URL | # ACL to match URL | ||
- | acl clicked_login_url url_regex -i http://www.squid.tachtler.net/ | + | acl clicked_login_url url_regex -i ^http:// |
# First check for the login URL. If present, login session | # First check for the login URL. If present, login session | ||
http_access allow clicked_login_url session_login | http_access allow clicked_login_url session_login | ||
+ | http_access allow proxy | ||
+ | |||
# If we get here, URL not present, so renew session or deny request. | # If we get here, URL not present, so renew session or deny request. | ||
http_access deny !session_is_active | http_access deny !session_is_active | ||
+ | |||
# Deny page to display | # Deny page to display | ||
- | deny_info | + | deny_info |
# splash screen configuration - stopp - | # splash screen configuration - stopp - | ||
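Review bot: `http_access allow proxy` is placed ahead of `http_access deny !session_is_active`, so every URL matching the new `acl proxy url_regex -i http://...` rule bypasses the splash-page session check entirely; that regex should be anchored with `^` and kept as narrow as possible, exactly as was done for `clicked_login_url`, which now reads `url_regex -i ^http://...` instead of matching the string anywhere in the request URL. On the `external_acl_type session` line, `ttl=60` became `ttl=3` and the format token `%SRC` now follows directly, so `negative_ttl=0 children-max=1` from the old line are gone rather than wrapped; `negative_ttl` then defaults to the `ttl` value, which is harmless at 3 seconds but deserves a comment, and the lowered `ttl` only shortens how long Squid caches the helper's answer, not the session length itself.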
Line 7749: | Line 7746: | ||
# Squid normally listens to port 3128 | # Squid normally listens to port 3128 | ||
- | # Tachtler - ssl_bump configuration - | + | http_port 3128 |
- | # default: | + | |
- | http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/ | + | |
- | always_direct allow all | + | |
- | ssl_bump server-first all | + | |
- | sslproxy_cert_error allow all | + | |
- | sslproxy_flags DONT_VERIFY_PEER | + | |
- | sslcrtd_program / | + | |
- | sslcrtd_children 5 startup=1 idle=1 | + | |
# Uncomment and adjust the following to add a disk cache directory. | # Uncomment and adjust the following to add a disk cache directory. | ||
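Review bot: This listing replaces the whole ssl_bump block (`http_port 3128 ssl-bump ...` through `sslcrtd_children 5 startup=1 idle=1`) with a plain `http_port 3128`, while the two earlier listings keep the block in its hardened form; the text should state whether the splash-page setup is meant to run without SSL bumping or whether the block was only removed to shorten the example. Without bumping, HTTPS traffic reaches the proxy as `CONNECT host:443` requests, which the `url_regex -i ^http://...` ACLs of the splash-page section never match, so users whose first request is an HTTPS site will not be redirected to the splash page.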
Line 7823: | Line 7812: | ||
# splash screen configuration - start - | # splash screen configuration - start - | ||
- | # Set up the session helper in active mode. | + | acl proxy url_regex -i http:// |
- | external_acl_type session concurrency=100 ttl=60 negative_ttl=0 children-max=1 | + | |
+ | # Set up the session helper in active mode. Mind the wrap - this is one line: | ||
+ | external_acl_type session concurrency=100 ttl=3 %SRC / | ||
# Pass the LOGIN command to the session helper with this ACL | # Pass the LOGIN command to the session helper with this ACL | ||
acl session_login external session LOGIN | acl session_login external session LOGIN | ||
- | # Set up the normal session helper. | + | |
- | external_acl_type session_active_def concurrency=100 ttl=60 negative_ttl=0 children-max=1 %LOGIN / | + | |
# Normal session ACL as per simple example | # Normal session ACL as per simple example | ||
- | acl session_is_active external | + | acl session_is_active external |
# ACL to match URL | # ACL to match URL | ||
- | acl clicked_login_url url_regex -i http://www.squid.tachtler.net/ | + | acl clicked_login_url url_regex -i ^http:// |
# First check for the login URL. If present, login session | # First check for the login URL. If present, login session | ||
http_access allow clicked_login_url session_login | http_access allow clicked_login_url session_login | ||
+ | http_access allow proxy | ||
+ | |||
# If we get here, URL not present, so renew session or deny request. | # If we get here, URL not present, so renew session or deny request. | ||
http_access deny !session_is_active | http_access deny !session_is_active | ||
+ | |||
# Deny page to display | # Deny page to display | ||
- | deny_info | + | deny_info |
# splash screen configuration - stopp - | # splash screen configuration - stopp - | ||
</ | </ | ||
- | * < | + | * < |
+ | Definition der der **ACL** '' | ||
+ | |||
+ | * <code bash> | ||
Erstellen eines **AKTIVEN-Session** mit einer **Anmeldungsdauer zum __TESTEN__** von **60 Sekunden** und unter Zuhilfenahme eines externen Programms ''/ | Erstellen eines **AKTIVEN-Session** mit einer **Anmeldungsdauer zum __TESTEN__** von **60 Sekunden** und unter Zuhilfenahme eines externen Programms ''/ | ||
- | * < | + | * < |
ACL welche die **Anmeldeinformationen** aus dem **AKTIVEN-Session** Hilfsprogramm ebenfalls an die **Session** bindet. | ACL welche die **Anmeldeinformationen** aus dem **AKTIVEN-Session** Hilfsprogramm ebenfalls an die **Session** bindet. | ||
- | * < | + | * < |
- | Erstellen einer **NORMALEN-Session** mit einer **Anmeldungsdauer zum __TESTEN__** von **60 Sekunden** und unter Zuhilfenahme eines externen Programms | + | ACL welche zutrifft, wenn die definierte URL, hier **URL - '' |
- | + | ||
- | | + | |
- | ACL zur Definition einer einfachen | + | |
- | * < | + | * < |
- | ACL welche zutrifft, wenn die definierte | + | Überprüfung, wenn die **URL - '' |
- | * < | + | * < |
- | Überprüfung, | + | Zugriff auf die Ressource welche in der **ACL** '' |
- | * < | + | * < |
- | Überprüfung, wenn die **URL - '' | + | Alle weiteren Zugriffe verweigern, bis die aktive Session mit der definierten URL, hier **URL - '' |
- | * < | + | * < |
- | Anzeige der sogenannten **'' | + | Anzeige der sogenannten **'' |
==== Portal Splash Pages - Test ==== | ==== Portal Splash Pages - Test ==== |
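Review bot: The bullet "Erstellen eines **AKTIVEN-Session** mit einer **Anmeldungsdauer zum __TESTEN__** von **60 Sekunden**" is kept unchanged, but in the configuration hunks above the `external_acl_type session` line changed from `ttl=60` to `ttl=3`; if the 60 seconds refer to the session helper's own timeout rather than to that `ttl`, say so explicitly, otherwise update the number. Deleting the bullet for the **NORMALEN-Session** helper together with the `session_active_def` definition is consistent.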
tachtler/squid_centos_7.1508410227.txt.gz · Last modified: 2017/10/19 12:50 by klaus