200.182.94.64/26
Fig 1
Como funciona?
Todo o tempo um dos nodos é o Linux-Diretor ativo enquanto o
outro é um hot stand-by. O diretor Linux ativo aceita o tráfego através
do IP virtual 172.16.8.77 e balanceia entre os dois nodos utilizando o
LVS. Cada nodo monitora o outro através do Heartbeat e, no caso de o
diretor Linux ativo falhar, o nodo stand-by assume o IP virtual fazendo
"net.ipv4.conf.all.arp_ignore =
"net.ipv4.conf.eth0.arp_ignore
"net.ipv4.conf.eth1.arp_ignore
"net.ipv4.conf.eth2.arp_ignore
#echo "net.ipv4.conf.all.arp_announce =
#echo "net.ipv4.conf.eth0.arp_announce
#echo "net.ipv4.conf.eth1.arp_announce
#echo "net.ipv4.conf.eth2.arp_announce
#sysctl -p
# /etc/network/interfaces — the stanzas below alternate between the two nodes
# (first the node with eth0 192.168.251.5, then the node with eth0
# 192.168.251.6); the extraction interleaved the two files, so read them in
# pairs. Lines consisting of a lone "#" followed by a bare "gateway ..." line
# are presumably single commented-out gateway lines split by extraction —
# only one default gateway can be active per node, so confirm which one is.
auto lo
iface lo inet loopback
auto lo
iface lo inet loopback
# lo:0 carries the shared virtual IP 172.16.8.77 as a /32 on both nodes.
# "pre-up sysctl -p" applies /etc/sysctl.conf before the alias comes up —
# presumably the arp_ignore/arp_announce settings listed earlier, which keep
# the real servers from answering ARP for the VIP (LVS-DR); confirm they are
# actually present in /etc/sysctl.conf on both nodes.
auto lo:0
iface lo:0 inet static
address 172.16.8.77
netmask 255.255.255.255
pre-up sysctl -p > /dev/null
auto lo:0
iface lo:0 inet static
address 172.16.8.77
netmask 255.255.255.255
pre-up sysctl -p > /dev/null
# eth0: private /30 cross-link between the nodes (192.168.251.4/30). This is
# the path used for Heartbeat (ha.cf bcast/mcast eth0), the rsync daemon
# modules and rsh elsewhere in this document, so it must stay a dedicated
# point-to-point link: the rsync modules and rsh trust the source address only.
auto eth0
iface eth0 inet static
address 192.168.251.5
netmask 255.255.255.252
network 192.168.251.4
broadcast 192.168.251.7
#
gateway
auto eth0
iface eth0 inet static
address 192.168.251.6
netmask 255.255.255.252
network 192.168.251.4
broadcast 192.168.251.7
#
gateway
# eth1: Internet side. Note the two nodes sit in different /26 subnets
# (200.182.94.0/26 and 200.182.94.64/26).
auto eth1
iface eth1 inet static
address 200.182.94.2
netmask 255.255.255.192
network 200.182.94.0
broadcast 200.182.94.63
gateway 200.182.94.1
auto eth1
iface eth1 inet static
address 200.182.94.66
netmask 255.255.255.192
network 200.182.94.64
# NOTE(review): 200.192.94.x on the next lines is not inside the
# 200.182.94.64/26 network declared just above — this looks like a typo for
# 200.182.94.127 / 200.182.94.65; confirm against the actual file.
broadcast 200.192.94.127
#
gateway 200.192.94.65
# eth2: LAN side (172.16.8.0/21). 172.16.8.2 reappears as the Heartbeat ping
# target and in the firewall ICMP rules.
auto eth2
iface eth2 inet static
address 172.16.8.83
netmask 255.255.248.0
network 172.16.8.0
broadcast 172.16.15.255
#
gateway 172.16.8.2
auto eth2
iface eth2 inet static
address 172.16.8.85
netmask 255.255.248.0
network 172.16.8.0
broadcast 172.16.15.255
#
gateway 172.16.8.2
modprobe
modprobe
modprobe
modprobe
modprobe
modprobe
modprobe
modprobe
ip_vs_dh
ip_vs_ftp
ip_vs
ip_vs_lblc
ip_vs_lblcr
ip_vs_lc
ip_vs_nq
ip_vs_rr
echo
echo
echo
echo
modprobe
modprobe
modprobe
modprobe
ip_vs_sed
ip_vs_sh
ip_vs_wlc
ip_vs_wrr
2.3 /etc/ha.d/ha.cf
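# /etc/ha.d/ha.cf — Heartbeat cluster communication. Reconstructed: the
# extraction had split every "keyword value" pair over two lines, which is not
# a valid ha.cf.
logfacility local0
# Cluster messages travel over the eth0 cross-link only, both as broadcast and
# as multicast (group 225.0.0.1, port 694, ttl 1, loop 0). Two media on the
# same interface do not protect against that link failing; a second,
# independent path would.
bcast eth0
#linux
mcast eth0 225.0.0.1 694 1 0
# Keep the VIP on the node that took over; do not fail back automatically.
auto_failback off
node Proxy-Node1
node Proxy-Node2
# ipfail uses this ping target to decide which node still has connectivity.
ping 172.16.8.2
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
# NOTE(review): Heartbeat also requires /etc/ha.d/authkeys (mode 0600) with a
# keyed digest method (sha1 or md5) so that cluster messages on eth0 are
# authenticated; that file is not shown in this document — confirm it exists
# on both nodes and does not use "crc".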
2.4 Inicialização do serviço:
# Drop any existing heartbeat rc links, then register it to start late (S75)
# in runlevels 2-5 and stop early (K05) in runlevels 0, 1 and 6.
/usr/sbin/update-rc.d -f heartbeat remove
/usr/sbin/update-rc.d heartbeat start 75 2 3 4 5 . stop 05 0 1 6 .
4.0 Rsync:
4.1 Download do Rsync
http://samba.anu.edu.au/ftp/rsync/rsync-2.6.8.tar.gz
4.2 Compilação e instalação:
# Build rsync-2.6.8 from the tarball fetched above. That URL is plain http and
# no checksum or signature check is shown — verify the archive against a
# hash/signature published by the rsync project before building, and prefer
# the distribution package or a current upstream release over this old one.
./configure
make
make install
4.3 Configuração do servidor
4.3.1 /etc/rsyncd.conf:
# /etc/rsyncd.conf — daemon reached by the peer over the eth0 cross-link.
# "hosts allow" names 192.168.251.5 (node 1's eth0), so this is presumably the
# daemon on 192.168.251.6, the target of the rsync commands in this document.
pid file = /var/run/rsyncd.pid
max connections = 5
use chroot = yes
# NOTE(review): "uid = root" together with "read only = false" on both modules
# lets any accepted client write /etc/squid and the report tree as root. Access
# control is address-based only (hosts allow/deny); no "auth users" /
# "secrets file" is configured, so the modules are otherwise unauthenticated and
# the private link is the only protection. Add per-module
# "auth users = <rsync-user>" with a mode-0600 "secrets file", and consider a
# non-root uid that owns these paths.
uid = root
hosts allow = 192.168.251.5
hosts deny = *
[squid_confs]
path = /etc/squid
read only = false
[sarg_logs]
path = /var/www/html/squid-reports
read only = false
4.3.2 /etc/init.d/rsyncd
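#!/bin/sh
# /etc/init.d/rsyncd — minimal init stub that starts the rsync daemon with
# /etc/rsyncd.conf. The option dashes were lost in extraction; the real
# invocation is "rsync --daemon". Install with:
#   chmod +x /etc/init.d/rsyncd
#   ln -s ../init.d/rsyncd /etc/rc2.d/S88rsync
# NOTE(review): the stub has no stop/status handling, and the daemon listens
# on every interface. Binding it to the cross-link address
# ("--address=<this node's eth0 address>") keeps the unauthenticated modules
# off eth1/eth2.
rsync --daemon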
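#!/bin/bash
# Two-way sync of the Squid configuration with the peer node through the rsync
# daemon module "squid_confs" on the eth0 cross-link, then reload Squid.
# For each file the local copy is pushed and the peer's copy pulled; with -u
# (skip files that are newer on the receiver) the newer side wins, and -t
# preserves mtimes so that comparison stays meaningful between runs.
#
# Fixes relative to the pasted version: commands that extraction had split over
# two lines are rejoined, the repeated push/pull pair is one function, and a
# failed transfer is reported instead of silently ignored.
#
# NOTE(review): daemon-mode rsync ("host::module") is unencrypted and relies
# only on "hosts allow" in the peer's rsyncd.conf; keep it on the private
# 192.168.251.4/30 link and add "auth users"/"secrets file" on the daemon side.
# A two-way "newest wins" sync also propagates a broken edit to both nodes
# before anyone has run "squid -k parse"; consider making one node the master.
#
# Exit status: 0 when every transfer succeeded, 1 otherwise. Squid is reloaded
# either way, as the original script did unconditionally.

set -u

readonly RSYNC=/usr/local/bin/rsync
readonly PEER=192.168.251.6::squid_confs
readonly SQUID_DIR=/etc/squid

# Paths relative both to $SQUID_DIR and to the module root.
FILES=(
  squid.conf
  acls/conteudo_bloqueado
  acls/conteudo_liberado
  acls/usuarios_ilimitados
  acls/usuarios_parciais
)
readonly FILES

#######################################
# Push the local copy to the peer, then pull the peer's copy back.
# Arguments: $1 - path relative to /etc/squid and to the module
# Returns:   0 if both transfers succeeded, the last failing status otherwise
#######################################
sync_file() {
  local rel=$1
  local rv=0
  "$RSYNC" -u -t "$SQUID_DIR/$rel" "$PEER/$rel" || rv=$?
  "$RSYNC" -u -t "$PEER/$rel" "$SQUID_DIR/$rel" || rv=$?
  return "$rv"
}

main() {
  local failed=0
  local f
  for f in "${FILES[@]}"; do
    if ! sync_file "$f"; then
      printf 'sync failed for %s\n' "$f" >&2
      failed=1
    fi
  done

  # Reload so that a pulled change takes effect.
  /etc/init.d/squid reload
  return "$failed"
}

main "$@"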
5.0 Smb_auth:
5.1 Download:
http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz
5.2 Configuração
# Unpack smb_auth-0.05 (fetched over plain http above with no checksum or
# signature shown — verify the archive before building) and edit the Makefile
# so SAMBAPREFIX points at the local Samba installation.
tar xvzf smb_auth-0.05.tar.gz
cd smb_auth-0.05
vi Makefile
Alterar o SAMBAPREFIX para:
SAMBAPREFIX=/usr
make
make install
5.3 Configuração do servidor de domínio:
Criar o arquivo proxyauth na pasta netlogon do servidor de domínio eleito
para autenticação.
*PS: para autenticação de outros domínios, a relação de confiança tem
que estar funcionando corretamente.
5.4 Parcela de autenticação no squid.conf
# squid.conf: Basic authentication through smb_auth against the listed NT
# domains (-W names a domain, -U the domain controller queried; 172.16.8.39
# also appears in the firewall OUTPUT rules below). The directive is a single
# line wrapped by extraction; "-W educ P guarulhos" appears to be missing the
# dash on "-P" — confirm against the real squid.conf.
# NOTE(review): with "auth_param basic" the browser sends the user's domain
# password base64-encoded on every request, in cleartext between client and
# proxy on eth2, and the helper then authenticates with it against the domain
# controller. Prefer an NTLM/negotiate helper where the clients support one.
auth_param basic program /usr/local/bin/smb_auth -W guarulhos -U
172.16.8.39 saude -P guarulhos -W sica -P guarulhos -W educ P guarulhos -W biblioteca -P guarulhos -W dcc -P guarulhos -W drh -P
guarulhos -W dti -P guarulhos -W financas -P guarulhos -W
obras -P guarulhos -W planejamento -P guarulhos -W sdu3 -P
guarulhos -W sema -P guarulhos -W juridico -P guarulhos
6.0 CONFIGURAÇÃO SQUID
6.1 Foram criados os arquivos
/etc/squid/acls/
conteudo_bloqueado
conteudo_liberado
ips_bibliotecas
usuarios_ilimitados
usuarios_restritos
Para cadastro dos alvos das diretivas de acesso.
# http-mgmt
7.1 Download
http://prdownloads.sourceforge.net/sarg/sarg-2.2.1.tar.gz?download
index_sort_order D
/etc/ha.d/sarg.sh
>>Nodo1
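#!/bin/bash
# /etc/ha.d/sarg.sh (node 1): merge both nodes' Squid access logs into one
# file, reset the live logs, generate the SARG report, and push the report
# tree to the peer's "sarg_logs" rsync module so either node can serve it.
#
# Fixes relative to the pasted version: the remote truncate is passed as one
# properly quoted word (the original's nested double quotes only worked
# because they cancelled out), truncation no longer writes a stray blank line
# into each log, and the report copy no longer depends on an unquoted glob.
#
# NOTE(review): the peer is reached with rsh, which trusts the source address
# (rhosts) and sends commands in cleartext; the same steps work over ssh with
# a key restricted to these commands, which is the recommended replacement.
# Lines Squid writes between the copy and the truncate are lost; rotating with
# "squid -k rotate" instead of truncating would avoid that.

set -u

readonly PEER=192.168.251.6
readonly ACCESS_LOG=/var/log/squid/access.log
readonly TOTAL_LOG=/var/log/squid/access_log_total
readonly REPORT_DIR=/var/www/html/squid-reports

# Local log first (this overwrites the previous merged file), then the peer's.
cat "$ACCESS_LOG" > "$TOTAL_LOG"
rsh "$PEER" cat "$ACCESS_LOG" >> "$TOTAL_LOG"

# Truncate both live logs without writing anything into them.
: > "$ACCESS_LOG"
rsh "$PEER" ": > $ACCESS_LOG"

/usr/bin/sarg

# Trailing slash on the source copies the directory contents, like the
# original "/*" did, but also works when the directory is empty.
/usr/local/bin/rsync -u -t -r "$REPORT_DIR/" "$PEER::sarg_logs/"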
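# iptables-restore rules for node 1 (eth2 address 172.16.8.83). Default policy
# is DROP on every built-in chain. Fixes relative to the pasted version: the
# interface typo "eht1" in the DNS OUTPUT rule, and the missing COMMIT that
# iptables-restore requires to apply the table.
# The ping-death/syn-flood/port-scan chains are declared but never populated
# or jumped to, so they currently do nothing.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ping-death - [0:0]
:syn-flood - [0:0]
:port-scan - [0:0]
#-A OUTPUT -o eth1 -j ACCEPT
# NOTE(review): this accepts every non-SYN TCP segment arriving from the
# Internet side without connection tracking, so it is not limited to replies
# to connections this host opened. The stateful form,
# "-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT", expresses
# the intent and matches what the OUTPUT side below already uses.
-A INPUT -i eth1 -p tcp ! --syn -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Clients must not reach the proxy port on the node's own eth2 address; the
# virtual IP 172.16.8.77 is the supported entry point.
-A INPUT -i eth2 -p tcp -d 172.16.8.83 --dport 3128 -j DROP
-A INPUT -i eth2 -p tcp -m tcp -s 172.16.0.0/16 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp -s 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp -d 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp -d 172.16.0.0/16 -j ACCEPT
# ICMP only from/to the Heartbeat ping target 172.16.8.2.
-A INPUT -i eth2 -s 172.16.8.2 -p icmp -j ACCEPT
# DNS replies from the two upstream resolvers (stateless: any UDP with source
# port 53 from these hosts is accepted).
-A INPUT -i eth1 -s 201.28.8.201 -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -s 201.28.8.130 -p udp --sport 53 -j ACCEPT
# NOTE(review): the eth2 TCP ACCEPT for 172.16.0.0/16 above matches first, so
# this DROP only affects destinations outside 172.16.0.0/16. If the intent is
# to allow new connections from the proxy into the LAN only toward the domain
# controller 172.16.8.39, this rule has to precede that ACCEPT.
-A OUTPUT -p tcp -m tcp --syn -o eth2 ! -d 172.16.8.39/32 -j DROP
# NOTE(review): FORWARD accepts all TCP/UDP in both directions between eth2
# and eth1 with no state tracking. If ip_forward is enabled on this node,
# LAN hosts that route through it bypass the proxy entirely, and unsolicited
# eth1 -> LAN traffic is forwarded too. Restrict to ESTABLISHED,RELATED on the
# return path, or drop these rules if the node is not meant to route.
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp -s 172.16.0.0/16 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p udp -m udp -s 172.16.0.0/16 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp -d 172.16.0.0/16 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p udp -m udp -d 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p icmp -d 172.16.8.2 -j ACCEPT
# Was "-o eht1" in the listing; iptables accepts any interface name, so the
# typo silently produced a rule that never matched.
-A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
# The state rule on the next line accepts all outbound traffic on eth1 (NEW
# included), which makes the two preceding eth1 OUTPUT rules redundant.
-A OUTPUT -o eth1 -p tcp --syn -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT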
# iptables-restore rules for node 2 (eth2 address 172.16.8.85). Default policy
# is DROP on every built-in chain; the ping-death/syn-flood/port-scan chains
# are declared but never populated or jumped to. The listing stops after the
# eth2 SYN DROP: the FORWARD rules, eth1 OUTPUT rules and the COMMIT line are
# not shown — presumably truncated by extraction; confirm the node's file is
# complete and ends with COMMIT.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ping-death - [0:0]
:syn-flood - [0:0]
:port-scan - [0:0]
#-A OUTPUT -o eth1 -j ACCEPT
# NOTE(review): accepts every non-SYN TCP segment from the Internet side
# without connection tracking; the stateful
# "-m state --state ESTABLISHED,RELATED" form limits it to replies.
-A INPUT -i eth1 -p tcp ! --syn -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Clients must not reach the proxy port on the node's own address; the virtual
# IP 172.16.8.77 is the supported entry point.
-A INPUT -i eth2 -p tcp -d 172.16.8.85 --dport 3128 -j DROP
-A INPUT -i eth2 -p tcp -m tcp -s 172.16.0.0/16 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp -s 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp -d 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp -d 172.16.0.0/16 -j ACCEPT
# ICMP only from the Heartbeat ping target.
-A INPUT -i eth2 -s 172.16.8.2 -p icmp -j ACCEPT
# DNS replies from the two upstream resolvers, matched statelessly on sport 53.
-A INPUT -i eth1 -s 201.28.8.201 -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -s 201.28.8.130 -p udp --sport 53 -j ACCEPT
# NOTE(review): the eth2 TCP ACCEPT for 172.16.0.0/16 above matches first, so
# this DROP only affects destinations outside 172.16.0.0/16; to limit new
# connections into the LAN to 172.16.8.39 it must precede that ACCEPT.
-A OUTPUT -p tcp -m tcp --syn -o eth2 ! -d 172.16.8.39/32 -j DROP
Referências:
http://www.howtoforge.com/high_availability_loadbalanced_apache_cluster_p2
http://www.linux-ha.org/
www.ultramonkey.org
www.linuxvirtualserver.org
http://ha.linuxchix.org.br/
http://www.vergenet.net/linux/ldirectord/
http://www.drbd.org/
http://samba.anu.edu.au/ftp/rsync/README
http://samba.anu.edu.au/rsync/
http://squid-cache.org
http://www.hacom.nl/~richard/software/smb_auth.html
http://www.netfilter.org/
Elaborado por Denis M. P. Anjos
denismarcelo@guarulhos.sp.gov.br