Transparent Proxy Using Squid

Squid is a caching proxy for networks that supports HTTP, HTTPS, FTP and more. Squid caches the data that users request, such as web pages and FTP files.

The steps to install Squid are as follows:

1. Log in as root, then create the directory, group and user for squid. Beforehand I created a 20G hard-disk partition to hold the squid cache; its directory is /CACHE

more /etc/fstab

…….

/dev/sda8 /CACHE reiserfs defaults,notail,noatime 1 2

…….

mkdir -p /app/squid

groupadd squid

useradd squid -d /app/squid -g squid

chown -R squid:squid /app/squid

chown -R squid:squid /CACHE

2. Switch to the squid user, download the Squid source code, then extract it

su - squid

wget -c -b -t0 -o donlot.log ftp://squid.cbn.net.id/pub/squid/squid-3/STABLE/squid-3.0.STABLE6.tar.bz2

tail -f donlot.log

……………. 100%

tar jxvf squid-3.0.STABLE6.tar.bz2

cd squid-3.0.STABLE6

3. Create a configure script as follows

mcedit cfg-squid

./configure \
--prefix=/app/squid/system \
--enable-gnuregex \
--enable-async-io=24 \
--with-aufs-threads=24 \
--with-pthreads \
--with-aio \
--with-dl \
--enable-storeio=aufs,diskd \
--enable-icmp \
--enable-delay-pools \
--disable-wccp \
--disable-internal-dns \
--enable-snmp \
--enable-cache-digests \
--enable-default-err-language=English \
--enable-err-languages=English \
--enable-linux-netfilter \
--disable-ident-lookups \
--disable-hostname-checks \
--enable-underscores

4. Change the file mode/permissions to executable, run the script, then build and install

chmod +x cfg-squid

./cfg-squid

make all && make install

5. Edit squid.conf as follows
cd ~

cd system/etc

mv squid.conf squid.conf.aseli

pico squid.conf

################ PORT SQUID ##############
# ip_local, ip_public and port are placeholders for your own addresses and proxy port
http_port ip_local:port transparent
http_port ip_public:port transparent
http_port 127.0.0.1:port transparent
#icp_port 56670
#htcp_port 0
##########################################

udp_incoming_address 0.0.0.0

#icp_query_timeout 90
maximum_icp_query_timeout 2000
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl apache rep_header Server ^Apache

################ MEM USAGE ###############
# memory amount: 1/3 of RAM
cache_mem 48 MB
##########################################

redirect_rewrites_host_header off
emulate_httpd_log off

## no client ip ##
forwarded_for off
##################

cache_swap_high 99%
cache_swap_low 98%

maximum_object_size 16384 KB
minimum_object_size 4 KB
maximum_object_size_in_memory 12 KB

######### DOMAIN NAME SERVER #############
dns_nameservers 202.xxx.xxx.xx 202.xxx.xxx.xx
dns_children 40
ipcache_size 5120
ipcache_low 98
ipcache_high 99
fqdncache_size 5120

############# CACHE DIRECTORY ####################
# cache_dir formula -> [[[ X/13 ] / 256] / 256] * 2
cache_dir aufs /CACHE 20000 45 256
##################################################

store_dir_select_algorithm round-robin
cache_store_log none

#ftp_user squid@localhost
#ftp_list_width 32
#ftp_passive on

request_header_max_size 100 KB
request_body_max_size 5 MB

refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern -i exe$ 2880 1000% 262800
refresh_pattern -i zip$ 2880 1000% 262800
refresh_pattern -i tar\.gz$ 2880 1000% 262800
refresh_pattern -i tgz$ 2880 1000% 262800
refresh_pattern -i rar$ 2880 1000% 262800
refresh_pattern -i rpm$ 2880 1000% 262800
refresh_pattern -i pdf$ 2880 1000% 262800
refresh_pattern -i bin$ 0 300% 999999 ignore-reload
refresh_pattern -i dat$ 0 300% 999999 ignore-reload
refresh_pattern -i swf$ 0 300% 999999 ignore-reload
refresh_pattern -i xfs$ 0 800% 999999 ignore-reload
refresh_pattern -i gpf$ 0 800% 999999 ignore-reload
refresh_pattern -i rgz$ 0 800% 999999 ignore-reload
refresh_pattern -i \.class$ 43200 90% 86400
refresh_pattern -i gif$ 21600 700% 999999
refresh_pattern -i jpeg$ 21600 700% 999999
refresh_pattern -i jpg$ 21600 700% 999999
refresh_pattern -i png$ 21600 600% 999999
refresh_pattern -i jpe$ 21600 600% 999999
refresh_pattern -i tif$ 0 500% 999999
refresh_pattern -i xbm$ 0 500% 999999
refresh_pattern -i xpm$ 0 500% 999999
refresh_pattern -i xwd$ 0 500% 999999
refresh_pattern -i pict$ 0 500% 999999
refresh_pattern -i ief$ 0 500% 999999

# one line
refresh_pattern http://photos.friendster.com/.*\.(jpeg|jpg|gif|swf) 21600 999% 999999 override-lastmod override-expire ignore-reload reload-into-ims

# one line
refresh_pattern http://*.yimg.com/.*\.(jpeg|jpg|gif|swf) 21600 999% 999999 override-lastmod override-expire ignore-reload reload-into-ims

# one line
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private

# one line
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private

# one line
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|psf) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private

# one line
refresh_pattern ^ftp: 20160 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private

# one line
# NOTE: Squid uses the first refresh_pattern that matches a URL, so this catch-all '.'
# line shadows every refresh_pattern that comes after it
refresh_pattern . 240 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private

#
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.html$ 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \.php$ 1 20% 2
refresh_pattern \? 1 20% 2
refresh_pattern . 960 90% 43200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440

#reference_age 30 days
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

negative_ttl 2 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 4 minutes
range_offset_limit 0 KB
connect_timeout 1 minutes
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 30 seconds
query_icmp on
half_closed_clients off
shutdown_lifetime 30 seconds

#siteselect_timeout 4 seconds
#redirect_children 10
#client_lifetime 5 day

####### CONFIGURATION IP NETWORK #########
# 'all' is referenced by http_access deny all and icp_access allow all below, so it must be defined
acl all src 0.0.0.0/0.0.0.0
acl my_network src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255

tcp_outgoing_address ip_public my_network

############ ACL ACCESS/BLOK #############

# satu baris
acl UPDT dstdomain .windowsupdate.com update.microsoft.com windowsupdate.microsoft.com v5stats.windowsupdate.microsoft.com download.microsoft.com rs.update.microsoft.com stats.update.microsoft.com

#
acl YMM dstdomain radio.music.yahoo.com
acl manager proto cache_object

#acl block dstdomain http://www.youtube.com youtube.com

#acl allowed src "/app/squid/allow/allowed.ip"
#acl localweb dstdomain "/app/squid/allow/localweb"
#acl parno_sites url_regex -i "/app/squid/block/sex"
#acl block url_regex -i "/app/squid/block/weblock.txt"

##########################################
acl SSL_ports port 443 563 5000
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 110 # pop
acl Safe_ports port 25 # smtp
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-6659 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8100 # http
acl CONNECT method CONNECT

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

############ ACCESS LIST ##############
http_access allow my_network !YMM !UPDT
#http_access deny block_sites

http_access allow manager localhost
http_access allow localhost
http_access deny manager
http_access deny all

#
# CACHE MANAGER
cache_mgr me@localhost
cachemgr_passwd 123123 all

icp_access allow all
#reply_body_max_size 0 allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname SQUIDKU-LHO

#
# Access Log File
access_log /app/squid/system/var/logs/access.log squid
logfile_rotate 2

#http_reply_access allow all
#ident_lookup_access deny all
#announce_period 1 day
#announce_host yahoo.com
#announce_port 3131

log_icp_queries off
buffered_logs on

#tcp_recv_bufsize 0 bytes

store_avg_object_size 10 MB
store_objects_per_bucket 40
netdb_low 900
netdb_high 1000

#icon_directory /system/squid/share/icons
#error_directory /system/squid/share/errors/English
#minimum_retry_timeout 5 seconds

maximum_single_addr_tries 3
coredump_dir /tmp
pipeline_prefetch on
ie_refresh on
unique_hostname SQUIDKU
#high_memory_warning 200 mb

# DELAY POOLS !!
#############################################

# acl
acl admin src 192.168.x.x 192.168.x.x
# client address ranges must be src ACLs; url_regex would match the URL text, not the client address
acl staff src 192.168.x.41-192.168.x.48
acl umum src 192.168.x.50-192.168.x.85

# file extensions whose download bandwidth is limited ;p

# one line
acl download urlpath_regex -i \.exe$ \.cab$ \.dll$ \.tar\.gz$ \.gz$ \.tgz$ \.tar\.bz2$ \.rpm$ \.spm$ \.zip$ \.tar$ \.iso$ \.rar$ \.xls$ \.mpeg$ \.avi$ \.mp3$ \.mp4$ \.wav$ \.rm$ \.wmv$ \.dat$ \.psf$ \.asf$ \.3gp$ \.mov$

# bandwidth unlimited
# only pools 1-3 are defined below (pool 4 is commented out); raise this to 4 when enabling it
delay_pools 3
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
delay_access 1 deny all

# bandwidth 1.5 kbytes/sec once the file being accessed exceeds 64 Kbyte
delay_class 2 1
delay_parameters 2 1500/64000
delay_access 2 allow staff
delay_access 2 deny all

# bandwidth 1 kbytes/sec once the file being accessed exceeds 32 Kbyte
delay_class 3 1
delay_parameters 3 1000/32000
delay_access 3 allow umum
delay_access 3 deny all

#
#delay_class 4 1
#delay_parameters 4 1000/16000
#delay_access 4 allow download
#delay_access 4 deny all
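The http_access lines in the configuration above are evaluated top to bottom, and the first line whose terms all match decides the request. The following Python is an added example, not from the original post or from Squid: it models the page's ACLs and http_access order so the outcome for a request can be checked offline. The Request class and the port, src and dstdomain matchers are assumptions that approximate Squid's semantics.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:            # constructed model of one client request (not a Squid type)
    src: str              # client IP address
    method: str           # GET, CONNECT, ...
    proto: str            # http, ftp, cache_object
    host: str             # destination host
    port: int             # destination port

def port_acl(spec):       # 'acl X port 80 443 1025-6659' style list, ranges allowed
    rng = [(int(a), int(b or a)) for a, _, b in (t.partition("-") for t in spec.split())]
    return lambda r: any(lo <= r.port <= hi for lo, hi in rng)

def src_acl(spec):        # 'acl X src 192.168.1.0/255.255.255.0'
    nets = [ipaddress.ip_network(n, strict=False) for n in spec.split()]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)

def dstdomain_acl(spec):  # a leading dot matches the domain itself and all subdomains
    pats = spec.lower().split()
    def match(r):
        h = r.host.lower()
        return any(h == p.lstrip(".") or (p[0] == "." and h.endswith(p)) for p in pats)
    return match

ACLS = {  # the acl lines from the page's squid.conf
    "SSL_ports": port_acl("443 563 5000"),
    "Safe_ports": port_acl("80 81 21 443 563 70 110 25 210 1025-6659 280 488 591 777 8100"),
    "CONNECT": lambda r: r.method == "CONNECT",
    "my_network": src_acl("192.168.1.0/255.255.255.0"),
    "localhost": src_acl("127.0.0.1/255.255.255.255"),
    "manager": lambda r: r.proto == "cache_object",
    "YMM": dstdomain_acl("radio.music.yahoo.com"),
    "UPDT": dstdomain_acl(".windowsupdate.com update.microsoft.com windowsupdate.microsoft.com "
                          "v5stats.windowsupdate.microsoft.com download.microsoft.com "
                          "rs.update.microsoft.com stats.update.microsoft.com"),
    "all": lambda r: True,
}

# The page's http_access lines in order; a line matches only when every term on it matches.
HTTP_ACCESS = [("deny", "!Safe_ports"), ("deny", "CONNECT !SSL_ports"),
               ("allow", "my_network !YMM !UPDT"), ("allow", "manager localhost"),
               ("allow", "localhost"), ("deny", "manager"), ("deny", "all")]

def http_access(req):
    """First-match evaluation: returns (action, the http_access line that decided)."""
    for action, terms in HTTP_ACCESS:
        # a '!acl' term matches when the acl does not, so the acl result must differ from the flag
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms.split()):
            return action, f"http_access {action} {terms}"
    # Squid's documented default when nothing matches: the opposite of the last line's action
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), "no http_access line matched"
```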

6. Create the cache/swap directories and start squid

cd ~    # back to /app/squid so the relative paths below resolve

system/sbin/squid -z

system/sbin/squid -sYD

7. Check whether squid is running

pstree

|-squid—squid-+-40*[dnsserver]
|               |-unlinkd
|               `-24*[{squid}]

8. Rotate squid's access.log and store.log

export VISUAL=mcedit

crontab -e

0 0 * * * /app/squid/system/sbin/squid -k rotate
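Before rotation discards old records, the native-format access.log selected by the page's access_log line can be reviewed for ACL denials. The following Python is an added example, not part of the original post: it parses constructed sample lines in Squid's native log format, counts TCP_DENIED per client, and lists CONNECT attempts to ports outside the page's SSL_ports; the record layout and the threshold are assumptions stated in the code.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout (the 'squid' format selected by the page's access_log line):
# timestamp elapsed client result/status bytes method url ident hierarchy/peer type
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
                  r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$")

def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None

def dst_port(method, url):
    """CONNECT lines log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return int(url.rpartition(":")[2])
    u = urlsplit(url)
    return u.port or {"https": 443, "ftp": 21}.get(u.scheme, 80)

def review(lines, denied_threshold=3, ssl_ports=(443, 563, 5000)):
    """Count TCP_DENIED per client and list CONNECT attempts outside SSL_ports."""
    denied, odd_connect = Counter(), defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:           # skip lines that are not native-format records
            continue
        if rec["code"] == "TCP_DENIED":
            denied[rec["client"]] += 1
        if rec["method"] == "CONNECT" and dst_port("CONNECT", rec["url"]) not in ssl_ports:
            odd_connect[rec["client"]].append(rec["url"])
    return {"denied": dict(denied),
            "noisy_clients": sorted(c for c, n in denied.items() if n >= denied_threshold),
            "odd_connect": dict(odd_connect)}

# Constructed sample records (not from a real proxy); addresses follow the page's 192.168.1.0/24
SAMPLE = [
    "1212000001.001    12 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html",
    "1212000002.002     1 192.168.1.22 TCP_DENIED/403 1430 CONNECT mail.example.com:25 - NONE/- text/html",
    "1212000003.003   340 192.168.1.10 TCP_HIT/200 20480 GET http://www.example.com/logo.gif - NONE/- image/gif",
    "1212000004.004     1 192.168.1.22 TCP_DENIED/403 1430 CONNECT pop.example.com:110 - NONE/- text/html",
    "1212000005.005   250 192.168.1.10 TCP_MISS/200 9011 CONNECT www.example.com:443 - DIRECT/203.0.113.5 -",
    "1212000006.006     1 192.168.1.22 TCP_DENIED/403 1430 CONNECT irc.example.org:6667 - NONE/- text/html",
    "1212000007.007     1 192.168.1.30 TCP_DENIED/403 1430 GET http://www.example.com:8080/ - NONE/- text/html",
    "this is not a log line",
]
```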

9. Exit the squid user and return to root

logout (Ctrl+d)

10. Add to rc.local

mcedit /etc/rc.d/rc.local

ulimit -HSn 8192
echo 1024 32768 > /proc/sys/net/ipv4/ip_local_port_range

# SQUID
/bin/su - squid -c "/app/squid/system/sbin/squid -sYD"

About Agus Firdaus

Just me ..

2 responses to "Transparent Proxy Using Squid"

  1. piju says :

    very nice.
    but why do the refresh_patterns overlap?
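The overlap piju asks about matters because Squid applies the first refresh_pattern whose regex matches the URL, so every pattern after the catch-all "refresh_pattern ." line in the post is never reached. The following Python is an added example, not from the original post or from Squid: it parses a constructed excerpt of the post's refresh_pattern lines in their original order and reports which line a URL actually hits. Python's re module is used as an approximation of Squid's POSIX regex; the two agree for these patterns.

```python
import re
from dataclasses import dataclass

@dataclass
class RefreshPattern:
    regex: re.Pattern     # compiled regex; -i in the config gives IGNORECASE
    min_minutes: int
    percent: int
    max_minutes: int
    options: tuple        # override-expire, ignore-reload, ...
    text: str             # the original config line

def parse_refresh_pattern(line):
    """Parse 'refresh_pattern [-i] regex min percent% max [options...]'."""
    toks = line.split()
    if toks[0] != "refresh_pattern":
        raise ValueError(line)
    i, flags = 1, 0
    if toks[i] == "-i":
        i, flags = 2, re.IGNORECASE
    return RefreshPattern(re.compile(toks[i], flags), int(toks[i + 1]),
                          int(toks[i + 2].rstrip("%")), int(toks[i + 3]), tuple(toks[i + 4:]), line)

# Constructed excerpt of the post's refresh_pattern list, kept in the post's order.
CONFIG = [
    r"refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod",
    r"refresh_pattern -i exe$ 2880 1000% 262800",
    r"refresh_pattern -i gif$ 21600 700% 999999",
    r"refresh_pattern . 240 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private",
    r"refresh_pattern cgi-bin 1 20% 2",
    r"refresh_pattern \.html$ 1 20% 2",
    r"refresh_pattern \? 1 20% 2",
    r"refresh_pattern . 960 90% 43200",
]
PATTERNS = [parse_refresh_pattern(l) for l in CONFIG]

def lookup(url, patterns=PATTERNS):
    """Squid semantics: the first pattern whose regex is found anywhere in the URL wins."""
    for idx, p in enumerate(patterns):
        if p.regex.search(url):
            return idx, p
    return None, None

def unreachable(patterns=PATTERNS):
    """Indexes of lines that can never match because an earlier catch-all matches every URL."""
    for idx, p in enumerate(patterns):
        if p.regex.pattern in {".", ".*", "^"}:
            return list(range(idx + 1, len(patterns)))
    return []
```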

  2. Syam says :

    hi this syam
