Jumat, 29 Maret 2013

Squid Sebagai Transparent Proxy

Pada kesempatan kali ini saya akan mencoba menjelaskan sedikit mengenai Squid sebagai transparent proxy. Kenapa Squid? Karena cukup familiar dalam hal cache proxy dan tingkat keandalannya sudah teruji.



Squid adalah caching proxy untuk jaringan yang mendukung HTTP, HTTPS, FTP, dan lainnya. Squid berfungsi meng-cache data yang diminta oleh pengguna, seperti halaman web dan file FTP.

Langkah-langkah instalasi Squid adalah seperti di bawah ini:
1. Login sebagai root, kemudian bikin direktori, group, dan user untuk squid. Sebelumnya saya sudah membuat partisi harddisk sebesar 20G untuk menyimpan cache squid, dengan nama direktori /CACHE:
# Confirm the dedicated cache partition is mounted at /CACHE (the fstab line shown below).
more /etc/fstab
…….
/dev/sda8 /CACHE reiserfs defaults,notail,noatime 1 2
…….
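# Install prefix and cache directory, both owned by the unprivileged "squid"
# account that the daemon runs as (cache_effective_user in squid.conf).
mkdir -p /app/squid
groupadd squid
# useradd takes the login name as its last operand: useradd [options] LOGIN
useradd -d /app/squid -g squid squid
# "user:group" is the POSIX separator; "user.group" is kept only for backward
# compatibility and is ambiguous when a user name itself contains a dot.
chown -R squid:squid /app/squid
chown -R squid:squid /CACHE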
2. Masuk sebagai user squid, download source code squid, kemudian ekstrak:
# Everything from here on runs as the unprivileged squid user.
su - squid
# Resumable background download; wget's progress goes to donlot.log instead
# of the terminal. The tarball arrives over plain FTP with no integrity
# check of its own — compare it against the checksum/signature published by
# the Squid project before building it.
wget --continue --background --tries=0 --output-file=donlot.log ftp://squid.cbn.net.id/pub/squid/squid-3/STABLE/squid-3.0.STABLE6.tar.bz2
# Follow the log until it reports 100%.
tail -f donlot.log
……………. 100%
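# Unpack and enter the source tree. The cd is chained with && so that a
# failed/partial extraction does not leave you running the configure step
# below in $HOME instead of the source directory.
tar -xjvf squid-3.0.STABLE6.tar.bz2 && cd squid-3.0.STABLE6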
3. Bikin script configure seperti berikut
# Create the configure wrapper script with the contents listed below.
mcedit cfg-squid
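#!/bin/sh
# cfg-squid: wrapper around Squid's ./configure so the build options are
# recorded in one place. Every option starts with a double dash; the
# published listing had them collapsed into single en-dashes ("–prefix"),
# which configure does not recognise.
#
# Notes on the security-relevant options:
#   --disable-internal-dns  uses external dnsserver helper processes
#                           (their count is dns_children in squid.conf).
#   --enable-snmp           compiles in the SNMP agent; if it is not needed,
#                           keep it disabled with snmp_port / snmp_access in
#                           squid.conf so it is not reachable from the LAN.
#   --enable-linux-netfilter is what allows the "transparent" http_port.
./configure \
  --prefix=/app/squid/system \
  --enable-gnuregex \
  --enable-async-io=24 \
  --with-aufs-threads=24 \
  --with-pthreads \
  --with-aio \
  --with-dl \
  --enable-storeio=aufs,diskd \
  --enable-icmp \
  --enable-delay-pools \
  --disable-wccp \
  --disable-internal-dns \
  --enable-snmp \
  --enable-cache-digests \
  --enable-default-err-languages=English \
  --enable-err-languages=English \
  --enable-linux-netfilter \
  --disable-ident-lookups \
  --disable-hostname-checks \
  --enable-underscores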
4. Ubah mode atau permission file menjadi executable, jalankan script, kemudian install:
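chmod +x cfg-squid
# Chain the three steps so a failed configure or a failed build never
# reaches "make install" (the original ran configure unconditionally).
./cfg-squid && make all && make install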
5. Edit squid.conf seperti berikut
# The installed configuration lives under the --prefix chosen in cfg-squid.
# Keep the shipped squid.conf as a reference copy and write a fresh one.
cd ~/system/etc
mv squid.conf squid.conf.aseli
pico squid.conf
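################ PORT SQUID ##############
# Replace ip_local / ip_public / port with real values. Each line is
# "address:port transparent" — the original first line was missing the
# space between the port and "transparent".
# NOTE(review): an intercept port bound on the public address is reachable
# from outside; only the http_access rules below keep outsiders out. Bind
# to the LAN address only unless the public listener is really needed.
http_port ip_local:port transparent
http_port ip_public:port transparent
http_port 127.0.0.1:port transparent
#icp_port 56670
#htcp_port 0
##########################################
udp_incoming_address 0.0.0.0
#icp_query_timeout 90
maximum_icp_query_timeout 2000
hierarchy_stoplist cgi-bin ?
# Never cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl apache rep_header Server ^Apache
################ MEM USAGE ###############
# roughly 1/3 of the RAM available to Squid
cache_mem 48 MB
##########################################
redirect_rewrites_host_header off
emulate_httpd_log off
## no client ip ##
# Do not pass LAN client addresses to origin servers in X-Forwarded-For.
forwarded_for off
##################
cache_swap_high 99%
cache_swap_low 98%
maximum_object_size 16384 KB
minimum_object_size 4 KB
maximum_object_size_in_memory 12 KB
######### DOMAIN NAME SERVER #############
# Replace with the resolvers this proxy should use.
dns_nameservers 202.xxx.xxx.xx 202.xxx.xxx.xx
# Number of external dnsserver helpers (built with --disable-internal-dns).
dns_children 40
ipcache_size 5120
ipcache_low 98
ipcache_high 99
fqdncache_size 5120
############# CACHE DIRECTORY ####################
# cache_dir sizing rule of thumb -> [[[ X/13 ] / 256] / 256] * 2
cache_dir aufs /CACHE 20000 45 256
##################################################
store_dir_select_algorithm round-robin
cache_store_log none
#ftp_user squid@localhost
#ftp_list_width 32
#ftp_passive on
# Caps on what a client may send through the proxy (headers / POST bodies).
request_header_max_size 100 KB
request_body_max_size 5 MB
# refresh_pattern rules are tried top to bottom and the FIRST match wins.
# NOTE(review): the catch-all "refresh_pattern ." further down (the one with
# ignore-private) matches every URL, so every rule after it — cgi-bin,
# \.html$, \.php$, "\?" and the second "." line — is never reached; the first
# "^ftp:" line likewise shadows the two later ones. Decide which set is
# intended and remove the other.
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern -i exe$ 2880 1000% 262800
refresh_pattern -i zip$ 2880 1000% 262800
refresh_pattern -i tar\.gz$ 2880 1000% 262800
refresh_pattern -i tgz$ 2880 1000% 262800
refresh_pattern -i rar$ 2880 1000% 262800
refresh_pattern -i rpm$ 2880 1000% 262800
refresh_pattern -i pdf$ 2880 1000% 262800
refresh_pattern -i bin$ 0 300% 999999 ignore-reload
refresh_pattern -i dat$ 0 300% 999999 ignore-reload
refresh_pattern -i swf$ 0 300% 999999 ignore-reload
refresh_pattern -i xfs$ 0 800% 999999 ignore-reload
refresh_pattern -i gpf$ 0 800% 999999 ignore-reload
refresh_pattern -i rgz$ 0 800% 999999 ignore-reload
refresh_pattern -i \.class$ 43200 90% 86400
refresh_pattern -i gif$ 21600 700% 999999
refresh_pattern -i jpeg$ 21600 700% 999999
refresh_pattern -i jpg$ 21600 700% 999999
refresh_pattern -i png$ 21600 600% 999999
refresh_pattern -i jpe$ 21600 600% 999999
refresh_pattern -i tif$ 0 500% 999999
refresh_pattern -i xbm$ 0 500% 999999
refresh_pattern -i xpm$ 0 500% 999999
refresh_pattern -i xwd$ 0 500% 999999
refresh_pattern -i pict$ 0 500% 999999
refresh_pattern -i ief$ 0 500% 999999
# NOTE(review): ignore-no-cache / ignore-private store responses the origin
# marked uncacheable or user-specific, so one client can be served another
# client's personalised page. Tolerable for the update-download domains,
# risky on the catch-all "." rule below.
# (single line)
refresh_pattern http://photos.friendster.com/.*\.(jpeg|jpg|gif|swf) 21600 999% 999999 override-lastmod override-expire ignore-reload reload-into-ims
# (single line)
refresh_pattern http://*.yimg.com/.*\.(jpeg|jpg|gif|swf) 21600 999% 999999 override-lastmod override-expire ignore-reload reload-into-ims
# (single line)
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
# (single line)
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
# (single line)
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|psf) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
# (single line)
refresh_pattern ^ftp: 20160 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
# (single line)
refresh_pattern . 240 95% 259200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
#
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.html$ 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \.php$ 1 20% 2
refresh_pattern \? 1 20% 2
refresh_pattern . 960 90% 43200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
#reference_age 30 days
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 2 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 4 minutes
range_offset_limit 0 KB
connect_timeout 1 minutes
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 30 seconds
query_icmp on
half_closed_clients off
shutdown_lifetime 30 seconds
#siteselect_timeout 4 seconds
#redirect_children 10
#client_lifetime 5 day
####### CONFIGURATION IP NETWORK #########
# NOTE(review): "all" is referenced by the deny rules below. Leave this
# commented only if this Squid build defines "all" built-in (newer releases
# do); otherwise uncomment it.
#acl all src 0.0.0.0/0.0.0.0
# Clients allowed to use the proxy — adjust to the LAN.
acl my_network src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
tcp_outgoing_address ip_public my_network
############ ACL ACCESS/BLOK #############
# (single line)
acl UPDT dstdomain .windowsupdate.com update.microsoft.com windowsupdate.microsoft.com v5stats.windowsupdate.microsoft.com download.microsoft.com rs.update.microsoft.com stats.update.microsoft.com
#
acl YMM dstdomain radio.music.yahoo.com
acl manager proto cache_object
#acl block dstdomain http://www.youtube.com youtube.com
#acl allowed src "/app/squid/allow/allowed.ip"
#acl localweb dstdomain "/app/squid/allow/localweb"
#acl parno_sites url_regex -i "/app/squid/block/sex"
#acl block url_regex -i "/app/squid/block/weblock.txt"
##########################################
acl SSL_ports port 443 563 5000
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 110 # pop
acl Safe_ports port 25 # smtp
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-6659 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8100 # http
acl CONNECT method CONNECT
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
############ ACCESS LIST ##############
# Cache-manager rules come first. Originally they sat after
# "allow my_network", so every LAN client could reach the manager interface
# and "deny manager" was never evaluated for them — the only remaining guard
# was cachemgr_passwd.
http_access allow manager localhost
http_access deny manager
http_access allow my_network !YMM !UPDT
#http_access deny block_sites
http_access allow localhost
http_access deny all
#
# CACHE MANAGER
cache_mgr me@localhost
# The published value "123123" is trivially guessable; use a long random
# secret here, or "disable" for actions that are not needed.
cachemgr_passwd CHANGE_ME_to_a_long_random_secret all
# ICP is only needed for cache peering (no cache_peer is configured here);
# do not leave it open to every host that can reach the ICP port.
icp_access allow my_network
icp_access deny all
#reply_body_max_size 0 allow all
# Drop privileges to the dedicated account after start-up.
cache_effective_user squid
cache_effective_group squid
visible_hostname SQUIDKU-LHO
#
# Access Log File
access_log /app/squid/system/var/logs/access.log squid
# Only two rotated copies are kept; with the daily "-k rotate" cron job that
# is roughly three days of history for incident review — raise if needed.
logfile_rotate 2
#http_reply_access allow all
#ident_lookup_access deny all
#announce_period 1 day
#announce_host yahoo.com
#announce_port 3131
log_icp_queries off
buffered_logs on
#tcp_recv_bufsize 0 bytes
#tcp_recv_bufsize 0 bytes
store_avg_object_size 10 MB
store_objects_per_bucket 40
netdb_low 900
netdb_high 1000
#icon_directory /system/squid/share/icons
#error_directory /system/squid/share/errors/English
#minimum_retry_timeout 5 seconds
maximum_single_addr_tries 3
# NOTE(review): a core file can contain in-flight request data; /tmp is
# shared with every local user, so a directory readable only by squid is
# the safer choice.
coredump_dir /tmp
pipeline_prefetch on
ie_refresh on
unique_hostname SQUIDKU
#high_memory_warning 200 mb
# DELAY POOLS !!
#############################################
# acl
acl admin src 192.168.x.x 192.168.x.x
# Client groups are matched on the client address ("src"). The original
# used url_regex, which matches the requested URL, never the requesting
# client, so the staff/umum pools below never applied to anyone.
acl staff src 192.168.x.41-192.168.x.48
acl umum src 192.168.x.50-192.168.x.85
# file extensions whose downloads are bandwidth-limited (used by pool 4)
# (single line; "-i" is the case-insensitive flag — the original "[-i]" was
# the documentation's optional-argument notation copied literally, i.e. a
# bracket expression matching any path containing "-" or "i")
acl download urlpath_regex -i \.exe$ \.cab$ \.dll$ \.tar\.gz$ \.gz$ \.tgz$ \.tar\.bz2$ \.rpm$ \.spm$ \.zip$ \.tar$ \.iso$ \.rar$ \.xls$ \.mpeg$ \.avi$ \.mp3$ \.mp4$ \.wav$ \.rm$ \.mwv$ \.dat$ \.psf$ \.asf$ \.3gp$ \.mov$
# bandwidth unlimited
# NOTE(review): pool 4 is commented out below; if Squid complains about an
# undefined pool, lower this to 3.
delay_pools 4
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
delay_access 1 deny all
# 1.5 kB/s once the object being fetched exceeds 64 kB
delay_class 2 1
delay_parameters 2 1500/64000
delay_access 2 allow staff
delay_access 2 deny all
# 1 kB/s once the object being fetched exceeds 32 kB
delay_class 3 1
delay_parameters 3 1000/32000
delay_access 3 allow umum
delay_access 3 deny all
#
#delay_class 4 1
#delay_parameters 4 1000/16000
#delay_access 4 allow download
#delay_access 4 deny all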
6. Buat direktori cache/swap dan jalankan squid:
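# The binary is installed as sbin/squid (the rotate cron job and the
# rc.local line in this guide use that path too); the original "bin/"
# path does not exist.
# -z builds the cache_dir structure. -s logs to syslog; -Y and -D are
# flags and must be attached to the dash — "-s YD" passes "YD" as a stray
# non-option argument instead of enabling them.
system/sbin/squid -z
system/sbin/squid -sYD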
7. Periksa apakah squid sudah berjalan
pstree
|-squid—squid-+-40*[dnsserver]
|               |-unlinkd
|               `-24*[{squid}]
8. Rotasi access.log dan store.log squid:
# Use a terminal editor for "crontab -e", then add the crontab line below.
export VISUAL=mcedit
crontab -e
# Daily log rotation. Together with "logfile_rotate 2" in squid.conf this
# keeps only two old access.log copies — about three days of history for
# incident review; raise logfile_rotate for longer retention.
0 0 * * * /app/squid/system/sbin/squid -k rotate
9. Keluar dari user squid, kembali menjadi root
logout (Ctrl+d)
10. Tambahkan di rc.local
# Append the lines below to rc.local so Squid starts at boot.
mcedit /etc/rc.d/rc.local
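# Raise the open-file limit and widen the ephemeral port range for the
# proxy's many client/server sockets. The original had both commands fused
# on one line, so ulimit received "echo 1024 32768" as extra arguments and
# the redirection applied to ulimit rather than to echo.
ulimit -HSn 8192
echo 1024 32768 > /proc/sys/net/ipv4/ip_local_port_range
# SQUID — start as the unprivileged user. Plain "-" and straight quotes (the
# original's en-dash and curly quotes are not valid shell syntax); -Y and -D
# are flags and must be attached to the dash, not passed as a separate word.
/bin/su - squid -c "/app/squid/system/sbin/squid -sYD"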

Demikian tulisan singkat mengenai Squid Sebagai Transparent Proxy. Tulisan ini saya ambil dari blog kawan seperjuangan saya dari zaman kuliah dulu sampai sekarang. Semoga tulisan mengenai Squid Sebagai Transparent Proxy dapat menambah wawasan Anda dalam hal proxy server dan dunia Linux.

Thanks to Kuli Bangunan
