|
|
(Hi ha 18 revisions intermèdies sense mostrar fetes per un usuari) |
Línia 1: |
Línia 1: |
− | {{en desenvolupament}}
| |
− | {|align=left|__TOC__|}
| |
| | | |
− | == Adaptar un Proxy o DnsServices per bloquejar publicitat ==
| |
− | === Introducció ===
| |
− | Configurarem un servidor DNSServices (bind9) / Proxy3 / Cloudy que eliminarà els anuncis de les pàgines web.
| |
− |
| |
− | === Requisits ===
| |
− | Es parteix d'un servidor [[Debian]]/[[Ubuntu]]/[[Cloudy]] configurat com a servidor de noms o [[guifi-proxy3]].
| |
− |
| |
− | == Instal·lació i configuració ==
| |
− | Entrem per ssh a la màquina:
| |
− | * Actualitzem els paquets
| |
− | apt-get update
| |
− | apt-get upgrade
| |
− | === Instal·lació de freeradius ===
| |
− | * Instal·lem el paquet freeRADIUS i les dependencies
| |
− | apt-get install freeradius
| |
− | * Instal·lem el mòdul ldap
| |
− | apt-get install freeradius-ldap
| |
− | === Configurar freeradius ===
| |
− | * Editem l'arxiu de configuració <code>/etc/freeradius/radiusd.conf</code>
| |
− | No s'utilitza EAP, eliminem la linea <code>$INCLUDE eap.conf</code>. Excepte això, la resta de l'arxiu <code>radiusd.conf</code> queda per defecte.
| |
− | prefix = /usr
| |
− | exec_prefix = /usr
| |
− | sysconfdir = /etc
| |
− | localstatedir = /var
| |
− | sbindir = ${exec_prefix}/sbin
| |
− | logdir = /var/log/freeradius
| |
− | raddbdir = /etc/freeradius
| |
− | radacctdir = ${logdir}/radacct
| |
− |
| |
− | name = freeradius
| |
− |
| |
− | confdir = ${raddbdir}
| |
− | run_dir = ${localstatedir}/run/${name}
| |
− |
| |
− | db_dir = ${raddbdir}
| |
− |
| |
− | libdir = /usr/lib/freeradius
| |
− | pidfile = ${run_dir}/${name}.pid
| |
− |
| |
− | user = freerad
| |
− | group = freerad
| |
− |
| |
− | max_request_time = 30
| |
− | cleanup_delay = 5
| |
− | max_requests = 1024
| |
− |
| |
− | listen {
| |
− | type = auth
| |
− | ipaddr = *
| |
− | port = 0
| |
− | }
| |
− |
| |
− | listen {
| |
− | ipaddr = *
| |
− | port = 0
| |
− | type = acct
| |
− | }
| |
− |
| |
− | hostname_lookups = no
| |
− | allow_core_dumps = no
| |
− |
| |
− | regular_expressions = yes
| |
− | extended_expressions = yes
| |
− |
| |
− | log {
| |
− | destination = files
| |
− | file = ${logdir}/radius.log
| |
− | syslog_facility = daemon
| |
− | stripped_names = no
| |
− | auth = no
| |
− | auth_badpass = no
| |
− | auth_goodpass = no
| |
− | }
| |
− |
| |
− | checkrad = ${sbindir}/checkrad
| |
− |
| |
− | security {
| |
− | max_attributes = 200
| |
− | reject_delay = 1
| |
− | status_server = yes
| |
− | }
| |
− |
| |
− | proxy_requests = yes
| |
− | $INCLUDE proxy.conf
| |
− | $INCLUDE clients.conf
| |
− |
| |
− | thread pool {
| |
− | start_servers = 5
| |
− | max_servers = 32
| |
− | min_spare_servers = 3
| |
− | max_spare_servers = 10
| |
− | max_requests_per_server = 0
| |
− | }
| |
− |
| |
− | modules {
| |
− | $INCLUDE ${confdir}/modules/
| |
− | }
| |
− |
| |
− | instantiate {
| |
− | exec
| |
− | expr
| |
− | expiration
| |
− | logintime
| |
− | }
| |
− |
| |
− | $INCLUDE policy.conf
| |
− | $INCLUDE sites-enabled/
| |
− | * Editem l'arxiu de configuració <code>/etc/freeradius/clients.conf</code>
| |
− | Definim la clau d'accés al servidor freeradius i les subxarxes que hi tindràn accés. Per defecte és "testing1234", és recomanable canviar-la.
| |
− | client localhost {
| |
− | ipaddr = 127.0.0.1
| |
− | secret = testing1234
| |
− | nastype = other
| |
− | }
| |
− |
| |
− | client 192.168.0.0/16 {
| |
− | secret = testing1234
| |
− | nastype = other
| |
− | }
| |
− |
| |
− | client 10.0.0.0/8 {
| |
− | secret = testing1234
| |
− | nastype = other
| |
− | }
| |
− | === Configurar freeradius-ldap ===
| |
− | * Editem l'arxiu de configuració <code>/etc/freeradius/modules/ldap</code>
| |
− | Adaptem els paràmetres perquè coincideixin amb el domini guifi.net. Afegim “set_auth_type = yes” dins la secció '''ldap'''
| |
− | ldap {
| |
− | server = "ldap.guifi.net"
| |
− | server = "ldap2.guifi.net"
| |
− | port = "636"
| |
− | identity = "uid=proxyldap2011,o=proxyusers,dc=guifi,dc=net"
| |
− | password = proxyaproxy2011
| |
− | basedn = "o=proxyusers,dc=guifi,dc=net"
| |
− | filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
| |
− | ldap_connections_number = 5
| |
− | timeout = 4
| |
− | timelimit = 3
| |
− | net_timeout = 1
| |
− | dictionary_mapping = ${confdir}/ldap.attrmap
| |
− | edir_account_policy_check = no
| |
− | set_auth_type = yes
| |
− | }
| |
− | * Editem l'arxiu de configuració <code>/etc/freeradius/sites-available/default</code>
| |
− | Editem l'arxiu <code>default</code>, assegurant-nos que <code>ldap</code> queda inclòs a les seccions "authorize" i "authenticate". Suprimim altres opcions com ara "unix" dins d'aquestes seccions.
| |
− | authorize {
| |
− | ldap
| |
− | }
| |
− | authenticate {
| |
− | Auth-Type LDAP {
| |
− | ldap
| |
− | }
| |
− | }
| |
− | preacct {
| |
− | }
| |
− | accounting {
| |
− | }
| |
− | session {
| |
− | radutmp
| |
− | }
| |
− | post-auth {
| |
− | exec
| |
− | Post-Auth-Type REJECT {
| |
− | attr_filter.access_reject
| |
− | }
| |
− | }
| |
− | pre-proxy {
| |
− | }
| |
− | post-proxy {
| |
− | }
| |
− | * Editem l'arxiu de configuració <code>/etc/freeradius/sites-available/inner-tunnel</code>
| |
− | Fem el mateix amb l'arxiu <code>inner-tunnel</code>
| |
− | server inner-tunnel {
| |
− | authorize {
| |
− | ldap
| |
− | }
| |
− | authenticate {
| |
− | Auth-Type LDAP {
| |
− | ldap
| |
− | }
| |
− | }
| |
− | session {
| |
− | radutmp
| |
− | }
| |
− | post-auth {
| |
− | Post-Auth-Type REJECT {
| |
− | attr_filter.access_reject
| |
− | }
| |
− | }
| |
− | pre-proxy {
| |
− | }
| |
− | post-proxy {
| |
− | }
| |
− | }
| |
− | == Verificació i prova d'autenticació ==
| |
− | === Verificació del servidor ===
| |
− | /etc/init.d/freeradius stop
| |
− | freeradius -X
| |
− |
| |
− | Resposta:
| |
− | FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 5 2010 at 02:56:18
| |
− | Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
| |
− |
| |
− | Starting - reading configuration files ...
| |
− |
| |
− | radiusd: #### Loading Realms and Home Servers ####
| |
− | radiusd: #### Loading Clients ####
| |
− | radiusd: #### Instantiating modules ####
| |
− | radiusd: #### Loading Virtual Servers ####
| |
− | radiusd: #### Opening IP addresses and Ports ####
| |
− |
| |
− | Listening on authentication address * port 1812
| |
− | Listening on accounting address * port 1813
| |
− | Listening on proxy address * port 1814
| |
− | Ready to process requests.
| |
− | :Servidor operatiu
| |
− |
| |
− | === Prova d'autenticació d'usuaris ===
| |
− | Obrim una segona finestra '''ssh'''
| |
− | radtest ''usuari.guifi'' ''password'' 127.0.0.1 1812 testing1234
| |
− |
| |
− | Posar un usuari i password de proxy que estigui operatiu.
| |
− | Resposta:
| |
− | Sending Access-Request of id 37 to 127.0.0.1 port 1812
| |
− | User-Name = "usuari.guifi"
| |
− | User-Password = "password"
| |
− | NAS-IP-Address = 127.0.0.1
| |
− | NAS-Port = 1812
| |
− | rad_recv: '''Access-Accept''' packet from host 127.0.0.1 port 1812, id=37, length=20
| |
− |
| |
− | Resposta "'''Access-Accept'''"
| |
− | :L'usuari s'ha validat correctament!
| |
− |
| |
− | == Veure també ==
| |
− | * [[LDAP]]
| |
− | * [[Servidor Proxy]]
| |
− |
| |
− | == Referències ==
| |
− | * [http://paulgporter.net/2013/07/14/freeradius-ldaps/ Configuring FreeRADIUS for LDAP over SSL Authentication] per Paul Gerard Porter [ENG]
| |
− | * [http://freeradius.org/ Web Oficial]
| |
− |
| |
− | [[Categoria:Servidor]]
| |