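#!/usr/bin/perl
#############################################################################################
# $Id: getSquidConf 3463 2009-01-08 16:32:40Z misterT $
# cgi-bin script used by se3-internet to generate an excerpt of squidGuard.conf
# from the time ranges saved in SQL.
# On the proxy, run:  wget http://<se3-host>:909/cgi-bin/getSquidConf
# (<se3-host> is a placeholder for the SE3 address; the original note lost it).
# Only the SE3 itself and the configured proxy may call this cgi-bin;
# every other machine receives a 401 Unauthorized.
# Project started: December 2008
# Author MrT - Sebastien TACK CRDP Basse Normandie
# Based on the initial scripts by Denis Bonnenfant.
#############################################################################################
use Se;
use DBI;
use CGI;
use Socket;

# Reverse-resolve a dotted-quad IP.  Returns the PTR name, or nothing when the
# address is empty, not parsable by inet_aton, or has no reverse entry.  A
# failed lookup stays undef on purpose: the access check below must be able to
# tell "no answer" from "same name".
sub _reverse_name {
    my ($ip) = @_;
    return if !defined $ip || !length $ip;
    my $packed = inet_aton($ip) or return;
    my $name = gethostbyaddr($packed, AF_INET);
    return $name;
}

# Access policy for this cgi-bin.  The caller is accepted when
#   - its IP is the configured proxy ($ipProxySe3Internet), or
#   - its IP is this SE3 ($slapdIp), or
#   - its reverse name equals the SE3's reverse name (proxy running as a VM).
# The name comparison is only trusted when BOTH lookups returned a name: the
# previous `cmp ... == 0` test treated two failed lookups (undef vs undef) as
# equal, which let any client without a PTR record through whenever the SE3
# address had none either.
sub _is_authorized {
    my ($remote_ip, $remote_name, $proxy_ip, $local_ip, $local_name) = @_;
    return 0 if !defined $remote_ip || !length $remote_ip;
    for my $allowed ($proxy_ip, $local_ip) {
        return 1 if defined $allowed && length $allowed && $remote_ip eq $allowed;
    }
    return 1
        if defined $remote_name && length $remote_name
        && defined $local_name  && $remote_name eq $local_name;
    return 0;
}

# One squidGuard acl entry: name, pass line, redirect target.
sub _acl_entry {
    my ($name, $pass, $redirect) = @_;
    return "\t$name {\n" . "\t\t$pass\n" . "\t\tredirect $redirect\n" . "\t}\n";
}

# Which IP addresses may read this script:
# proxy = lcsIp ? slisip ? ipProxySe3Internet -- chosen in the se3-internet
# configuration menu (where squidGuard runs: LCS / Slis / elsewhere).
# HERE = slapdIp
$ipproxy = "$ipProxySe3Internet";
$ipici   = "$slapdIp";
$iprecu  = $ENV{'REMOTE_ADDR'};

# Reverse names, used to recognise the proxy by host name (VM case)
$test_host_reel = _reverse_name($iprecu);
$test_ici       = _reverse_name($ipici);

$q = CGI->new;

# Decide BEFORE touching the database: an unauthorized caller must neither
# trigger SQL work nor receive any part of the configuration.
if (!_is_authorized($iprecu, $test_host_reel, $ipproxy, $ipici, $test_ici)) {
    # IP filtering failed
    # NOTE(review): the body text looks like HTML whose tags were lost in this
    # copy of the file -- confirm against the original.
    print $q->header(-status => '401', -type => 'text/html'),
          $q->start_html(-title => '401 Unauthorized'), '

Unauthorized !

';
    exit;
}

# IP filtering passed: build the configuration excerpt.
my $nom_recu = defined $test_host_reel ? $test_host_reel : '';
my $nom_ici  = defined $test_ici       ? $test_ici       : '';
$flux  = "# " . localtime(time) . "\n";
$flux .= "# Transmission vers $nom_recu($iprecu) en provenance de $nom_ici($ipici)\n";
$flux .= "# Fichier genere par SE3 - module se3-internet\n\n";
$flux .= "#-- DEBUT_TIME_RULES --#\n\n";

# MySQL connection
$dsn = "DBI:mysql:database=$connexionDb;host=$mysqlServerIp";
$dbh = DBI->connect($dsn, $mysqlServerUsername, $mysqlServerPw)
    or die "Echec connexion: $DBI::errstr";

# One "time NAME { ... }" block per row of squid_plages, filled from
# squid_horaire.  The inner statement is prepared once and bound with a
# placeholder instead of interpolating the id into the SQL text.
$requete  = "SELECT * FROM squid_plages where 1 order by `nom`; ";
$requete2 = "SELECT * FROM squid_horaire where id_plage=?; ";
$sth  = $dbh->prepare($requete);
$sth2 = $dbh->prepare($requete2);
$sth->execute();
while (my @row = $sth->fetchrow_array) {
    # $row[0] is the range id; $row[1] is presumably the `nom` column --
    # SELECT * makes this depend on the table's column order, confirm.
    my $id = $row[0];
    $flux .= "time $row[1] {\n";
    $sth2->execute($id);
    while (my @row2 = $sth2->fetchrow_array) {
        $flux .= "\t$row2[4] $row2[2] - $row2[3]\n";
    }
    $flux .= "}\n\n";
}
$sth2->finish;
$sth->finish;
$dbh->disconnect;
$flux .= "#-- FIN_TIME_RULES --#\n\n";

# Source groups: each resolves client IPs through an LDAP search on the
# computers branch, keyed on destinationIndicator.  Comment text and trailing
# spaces are kept exactly as emitted before.
$flux .= "#-- DEBUT_SOURCE_ADDRESSES --#\n\n";
my $ldap_base = "ldap://$slapdIp/$computersDn?iphostnumber?sub?(&(&(objectclass=iphost)(iphostnumber=%s))";
my @sources = (
    [ 'internet',       "# laisse passer tous les postes ayant les droits internet",                    "(destinationIndicator=*:interne*:tous)" ],
    [ 'internet-pause', "# laisse passer tous les postes internet-pause durant les pauses",             "(destinationIndicator=*:internet-pause:*)" ],
    [ 'internet-cours', "# laisse passer tous les postes internet-cours sauf durant les pauses ",       "(destinationIndicator=*:internet-cours:*)" ],
    [ 'internet-soir',  "# laisse passer tous les postes internet-soir le soir",                        "(destinationIndicator=*:internet-soir:*)" ],
    [ 'intranet',       "# filtre tous les postes ayant les droits intranet ",                          "(destinationIndicator=*:intranet*)" ],
    [ 'aucun',          "# filtre tous les postes ayant les droits aucun (punis ou non configurés) ",   "(destinationIndicator=*:aucun:*)" ],
);
for my $src (@sources) {
    my ($name, $comment, $filter) = @$src;
    $flux .= "src $name {\n";
    $flux .= "\t$comment\n";
    $flux .= "\tldapipsearch $ldap_base$filter)\n";
    $flux .= "}\n";
}
$flux .= "#-- FIN_SOURCE_ADDRESSES --#\n\n";

# ACLs.  #REDIRECT# is a token substituted later on the proxy side (not here).
my $pass_filtered       = 'pass whitelists !lcs !ads !aggressive !audio-video !drugs !gambling !hacking !porn !violence !warez';
my $pass_filtered_local = "$pass_filtered !in-addr";
$flux .= "#-- DEBUT_ACL --#\n\n";
$flux .= "acl {\n";
$flux .= _acl_entry('surf-bypass',                $pass_filtered,       '#REDIRECT#');
$flux .= _acl_entry('proxy-ftp',                  $pass_filtered,       '#REDIRECT#');
$flux .= _acl_entry('internet-pause within pause', $pass_filtered_local, '#REDIRECT#');
$flux .= _acl_entry('internet-soir within soir',   $pass_filtered_local, '#REDIRECT#');
# internet-cours is the only entry with an else branch
$flux .= "\tinternet-cours within pause {\n";
$flux .= "\t\tpass whitelists none\n";
$flux .= "\t\tredirect #REDIRECT#\n";
$flux .= "\t} else {\n";
$flux .= "\t\t$pass_filtered_local\n";
$flux .= "\t\tredirect #REDIRECT#\n";
$flux .= "\t}\n";
$flux .= _acl_entry('internet', $pass_filtered_local,  '#REDIRECT#');
$flux .= _acl_entry('intranet', 'pass whitelists none', '#REDIRECT#');
$flux .= _acl_entry('aucun',    'pass none', "$hostname/se3-internet/charte_internet.php");
$flux .= _acl_entry('default',  'pass none', "$hostname/se3-internet/connexions_portables.php");
$flux .= "}\n";
$flux .= "#-- FIN_ACL --#\n\n";

# Query parameters supplied by the caller
@params = $q->param();
# NOTE(review): the NAME of the first query parameter is appended verbatim to
# the generated config, as the previous version did.  Looks like a leftover;
# confirm whether any caller relies on it before removing.
$flux .= $params[0] if @params;

print $q->header('text/plain');
print $flux;
exit;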