
Tuesday, November 25, 2008

Squid 2.6 with ARP ACL Support on CentOS 5.2

Below is a step-by-step guide to enabling ARP ACL support in the Squid 2.6 package shipped with CentOS 5.2.

1 - Go to the site below and download the squid source (src) package.
http://centos.oi.com.br/5.2/os/SRPMS/

[root@centos redhat]# wget http://centos.oi.com.br/5.2/os/SRPMS/squid-2.6.STABLE6-5.el5_1.3.src.rpm
--07:23:03-- http://centos.oi.com.br/5.2/os/SRPMS/squid-2.6.STABLE6-5.el5_1.3.src.rpm
Resolving centos.oi.com.br... 200.222.115.42
Connecting to centos.oi.com.br|200.222.115.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1474027 (1.4M) [application/x-rpm]
Saving to: `squid-2.6.STABLE6-5.el5_1.3.src.rpm'

100%[=============================>] 1,474,027 117K/s in 13s

07:23:16 (112 KB/s) - `squid-2.6.STABLE6-5.el5_1.3.src.rpm' saved [1474027/1474027]


2 - Installing the squid source package

[root@centos redhat]# rpm -ivh squid-2.6.STABLE6-5.el5_1.3.src.rpm
1:squid ########################################### [100%]

3 - Editing the .spec file

[root@centos redhat]# cd /usr/src/redhat/SPECS/
[root@centos SPECS]# vim squid.spec

Add the parameter below at approximately line 85 of the file, in the list of configure options:

--enable-arp-acl \


If you do not have rpmbuild installed, run the command below:

[root@centos SPECS]# yum install rpm-build

4 - Installing squid's build dependencies

[root@centos SPECS]# yum install linuxdoc-tools openldap-devel pam-devel

If you run into dependency problems with openldap-devel, as happened on my system, follow the procedure below:

[root@centos SPECS]# wget http://centos.oi.com.br/5.2/os/i386/CentOS/openldap-devel-2.3.27-8.el5_1.3.i386.rpm

[root@centos SPECS]# yum install cyrus-sasl-devel
[root@centos SPECS]# rpm -ivh openldap-devel-2.3.27-8.el5_1.3.i386.rpm --force --nodeps
Preparing... ########################################### [100%]
1:openldap-devel ########################################### [100%]


5 - Building the package with the new option

[root@centos SPECS]# rpmbuild -ba squid.spec

Change to the directory where the new rpm package was generated:

[root@centos redhat]# cd /usr/src/redhat/RPMS/i386/

Upgrading the existing package:

[root@centos i386]# rpm -Uvh squid-2.6.STABLE6-5.3.i386.rpm
Preparing... ########################################### [100%]
1:squid ########################################### [100%]


Checking that the new option was enabled:

[root@centos i386]# squid -v |grep arp
configure options: '--host=i686-redhat-linux-gnu' '--build=i686-redhat-linux-gnu' '--target=i386-redhat-linux' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-arp-acl' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux'


Creating an example rule by editing the squid.conf file:

[root@centos i386]# vim /etc/squid/squid.conf

acl mac arp 00:0C:29:84:32:A9
http_access deny mac

Restarting the service:

[root@centos i386]# service squid restart

Monitoring the logs:

[root@centos i386]# tail -f /var/log/squid/access.log

1227607222.602 0 intra.w3haus.poa TCP_DENIED/403 1606 GET http://linux.ittoolbox.com/groups/technical-functional/linuxadmin-l - NONE/- text/html
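
The three checks at the end of this procedure (build flag, ACL syntax, denied requests in the log) can be scripted. The script below is an added example, not part of the original post; the function names and all sample data are constructed for illustration, and each function reads its input on stdin.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Succeeds only if `squid -v` output (stdin) lists --enable-arp-acl.
has_arp_acl() {
    grep -q -e "--enable-arp-acl"
}

# Reads squid.conf (stdin); prints "<line>: <value>" for each `acl NAME arp`
# value that is not xx:xx:xx:xx:xx:xx. Quoted values ("file" includes) are skipped.
bad_arp_acls() {
    awk 'BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"
                 re = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
         $1 == "acl" && $3 == "arp" {
             for (i = 4; i <= NF; i++)
                 if ($i !~ /^"/ && $i !~ re) print NR ": " $i
         }'
}

# Reads access.log in Squid native format (stdin); prints "<count> <client>"
# for each client that received a TCP_DENIED result, busiest first.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ }
         END { for (c in n) print n[c], c }' | sort -rn
}

# Constructed sample inputs (in practice: `squid -v`, /etc/squid/squid.conf,
# /var/log/squid/access.log).
SAMPLE_VERSION="configure options: '--enable-snmp' '--enable-arp-acl' '--enable-ssl'"
SAMPLE_CONF='acl mac arp 00:0C:29:84:32:A9
acl lab arp 00-0C-29-84-32-AA 000c.2984.32ab
http_access deny mac'
SAMPLE_LOG='1227607222.602 0 host-a TCP_DENIED/403 1606 GET http://example.test/ - NONE/- text/html
1227607223.100 12 host-b TCP_MISS/200 5120 GET http://example.test/ - DIRECT/192.0.2.10 text/html
1227607224.250 0 host-a TCP_DENIED/403 1606 GET http://example.test/x - NONE/- text/html'

printf '%s\n' "$SAMPLE_VERSION" | has_arp_acl && echo "arp ACL support: yes"
printf '%s\n' "$SAMPLE_CONF" | bad_arp_acls
printf '%s\n' "$SAMPLE_LOG" | denied_by_client
```

Squid can only determine the MAC address of clients on the same subnet as the proxy, so an arp ACL does not match hosts that reach it through a router.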