
Category — Squid

Limit youtube

Just use a delay pool in squid... limit the flv extension and the web as well... give it a try... Good luck..
To force caching of YouTube (as per wiki.squid-cache.org):

  Code:
acl youtube dstdomain -i .youtube.com
acl striming url_regex -i get_video\?video_id videodownload\?
cache allow youtube
cache allow striming

And remember that the lines above should be placed before hierarchy_stoplist; they can then also be combined with a delay_pool:

Code:
delay_class 2 3
delay_access 2 allow warnet striming
delay_access 2 deny all
delay_parameters 2 -1/-1 -1/-1 3000/200000

The result:

Code:
Connection: 0x7f1da510
FD 149, read 555, wrote 6508975
FD desc: http://ash-v97.ash.youtube.com/get_video?video_id=YXF72VCyt5M
in: buf 0x7fe65000, offset 0, size 4096
peer: 192.168.0.111:3317
me: 127.0.0.1:3127
nrequests: 1
defer: n 0, until 0
uri http://ash-v97.ash.youtube.com/get_video?video_id=YXF72VCyt5M
log_type TCP_MISS
out.offset 6508872, out.size 6508975
req_sz 555
entry 0x7d24e240/599CDB16D8D8DCB1395E960CD807BD8B
old_entry 0x0/N/A
start 1193286572.113589 (2131.525289 seconds ago)
username -
delay_pool 2 <= hit by the delay

For the delay_pool I did not use the youtube.com domain, because it turns out some of the streaming URLs only use a plain IP address, so I think a regex like the one above is more effective. Please experiment with the regex yourself, either by analysing access.log or, the easy way, using sqstat as posted in the other thread. Hope this helps.

Source : http://forum.linux.or.id/viewtopic.php?t=11242&highlight=youtube


January 1, 2008   2 Comments

Instalasi Squid, Banner Filter, Porn Filter, Limit Bandwith, Transparan Proxy


1. Installing Banner Filter

The Banner Filter directory must be placed inside our www directory; in my case that is /usr/local/apache/htdocs.

Download the source from http://phroggy.com/files/unix/bannerfilter-1.21.tar.gz

# wget http://phroggy.com/files/unix/bannerfilter-1.21.tar.gz

Extract the bannerfilter-1.21.tar.gz source:

[root@PROXY hanny]# tar -xzvf bannerfilter-1.21.tar.gz

Then move the extracted bannerfilter-1.21.tar.gz contents into /usr/local/apache/htdocs

# mv bannerfilter-1.21 /usr/local/apache/htdocs/bannerfilter

# cd /usr/local/apache/htdocs/bannerfilter

Edit the bannerfilter.conf file

[root@PROXY bannerfilter]# mv bannerfilter.conf /etc

[root@PROXY bannerfilter]# vi /etc/bannerfilter.conf

Example contents of my bannerfilter.conf:

# Path to the directory containing the data files:
$DATA='/usr/local/apache/htdocs/bannerfilter';

# URL of the directory containing the HTML and graphics files
# (this must be accessible by the machine running Squid; it does
# not need to be accessible to the client machines):
$WWW='http://www.rsds.or.id/bannerfilter/www';

# Path to the banner log file if you want one, or leave empty (if
# specified, Squid must have write access to this file):
$LOG='';
# $LOG='/tmp/bannerlog.txt';

# If you prefer not to see "Blocked", use null.gif instead of
# banner.gif:
$BANNERGIF='banner.gif';

The bannerfilter line will later be placed in squid.conf:

redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl

In the squid.conf.hanny file I have already added the lines that run Banner Filter and Porn Filter:

redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl
acl porn url_regex "/usr/local/squid/etc/porn.txt"
http_access deny porn

If you do not want Banner Filter or Porn Filter to run, put a "#" at the start of the Banner Filter or Porn Filter lines in squid.conf.hanny:

#redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl
#acl porn url_regex "/usr/local/squid/etc/porn.txt"
#http_access deny porn

3. Limit Bandwidth

In the squid.conf.hanny file I have also added the delay pool configuration:

#------------------------ DELAY POOL CONFIGURATION HANNY -------------------------
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don't want to limit downloads on our local network
acl magic_words1 url_regex -i 192.168.

#We want to limit downloads of these types of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav

#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth

#We have two different delay_pools
delay_pools 2

#First delay pool
#We don't want to delay our local traffic
#There are three pool classes; here we will deal only with the second
delay_class 1 2
#-1/-1 means that there are no limits
delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.168
delay_access 1 allow magic_words1

#Second delay pool
#we want to delay downloading files mentioned in magic_words2
delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
delay_parameters 2 5000/150000 5000/120000
delay_access 2 allow magic_words2
#--------------------------------------------------------------------------------

If you do not want Limit Bandwidth to run, put a "#" at the start of the delay pool lines in squid.conf.hanny:

#------------------------ DELAY POOL CONFIGURATION HANNY -------------------------
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don't want to limit downloads on our local network
#acl magic_words1 url_regex -i 192.168.

#We want to limit downloads of these types of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav

#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth

#We have two different delay_pools
#delay_pools 2

#First delay pool
#We don't want to delay our local traffic
#There are three pool classes; here we will deal only with the second
#delay_class 1 2
#-1/-1 means that there are no limits
#delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.168
#delay_access 1 allow magic_words1

#Second delay pool
#we want to delay downloading files mentioned in magic_words2
#delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
#delay_parameters 2 5000/150000 5000/120000
#delay_access 2 allow magic_words2
#--------------------------------------------------------------------------------
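In every delay_parameters field the first number is the restore rate in bytes per second and the second is the bucket size in bytes, so 5000/120000 lets a single IP burst through its bucket and then settle at about 5000 bytes/s. The following Python script is an added example, not part of this tutorial or of Squid itself: a simplified token-bucket model of a class 2 pool (one aggregate bucket shared by everyone plus one bucket per client IP) run with the values above. It assumes buckets start at delay_initial_bucket_level percent full (Squid's default is 50) and are refilled once per second; it also approximates the YouTube pool from the earlier post by giving it an unlimited aggregate bucket, since that class 3 pool only limits the per-host bucket.

```python
"""Simplified model of Squid class 2 delay pools (added example, not Squid's own code).

Each 'rate/max' field of delay_parameters is a bucket: it holds at most `max`
bytes, gains `rate` bytes every second, and a read can only take what is left in
every bucket it passes through.  -1/-1 means no bucket at all.
"""


class Bucket:
    def __init__(self, spec, initial_pct):
        """spec is one delay_parameters field such as '5000/150000'."""
        self.rate, self.cap = (int(x) for x in spec.split("/"))
        self.unlimited = self.cap < 0
        # Assumed: new buckets start at delay_initial_bucket_level percent (default 50).
        self.level = 0 if self.unlimited else self.cap * initial_pct // 100

    def available(self):
        return float("inf") if self.unlimited else self.level

    def take(self, n):
        if not self.unlimited:
            self.level -= n

    def refill(self):
        if not self.unlimited:
            self.level = min(self.cap, self.level + self.rate)


class Class2Pool:
    """delay_class N 2: aggregate bucket shared by all clients + one bucket per client IP."""

    def __init__(self, params, initial_pct=50):
        agg_spec, self.ind_spec = params.split()   # e.g. "5000/150000 5000/120000"
        self.initial_pct = initial_pct
        self.aggregate = Bucket(agg_spec, initial_pct)
        self.per_host = {}

    def read(self, ip, wanted):
        """Bytes this client may receive right now, bounded by both buckets."""
        host = self.per_host.setdefault(ip, Bucket(self.ind_spec, self.initial_pct))
        n = max(0, int(min(wanted, self.aggregate.available(), host.available())))
        self.aggregate.take(n)
        host.take(n)
        return n

    def tick(self):
        """One second passes: every bucket gains its restore rate."""
        self.aggregate.refill()
        for bucket in self.per_host.values():
            bucket.refill()


def seconds_to_download(params, size, clients=1, initial_pct=50):
    """Seconds until each of `clients` hosts has pulled `size` bytes through the pool."""
    pool = Class2Pool(params, initial_pct)
    # constructed client addresses inside the tutorial's 192.168.0.0/24 LAN
    remaining = {f"192.168.0.{10 + i}": size for i in range(clients)}
    seconds = 0
    while any(left > 0 for left in remaining.values()):
        for ip, left in remaining.items():
            if left > 0:
                remaining[ip] = left - pool.read(ip, left)
        seconds += 1
        pool.tick()
    return seconds


if __name__ == "__main__":
    # 1 MB through the tutorial's second pool: 120000-byte burst, then about 5000 B/s
    print(seconds_to_download("5000/150000 5000/120000", 1_000_000, initial_pct=100))
    # the same with Squid's default half-full buckets
    print(seconds_to_download("5000/150000 5000/120000", 1_000_000))
    # two clients share the 5000 B/s aggregate, so the pair takes about twice as long
    print(seconds_to_download("5000/150000 5000/120000", 1_000_000, clients=2, initial_pct=100))
    # the YouTube pool: unlimited aggregate, 3000/200000 per host, a 6508975-byte flv
    print(seconds_to_download("-1/-1 3000/200000", 6508975, initial_pct=100))
```

The cachemgr output in the YouTube post shows a 6508975-byte get_video transfer still in flight after about 2131 seconds, which is in the range this model predicts for a 3000/200000 per-host bucket.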

Rename the original squid.conf on your computer to another name (as a backup)

and rename squid.conf.hanny to squid.conf:

# mv squid.conf squid.conf.punyaku

# mv squid.conf.hanny squid.conf

4. Installing Porn Filter

First create a file named porn.txt:

# touch porn.txt

Fill porn.txt with the sites you want to block, for example www.17tahun.com:

# vi porn.txt

enter the word 17tahun

Running Squid

Give the squid and bannerfilter directories the right ownership so the process runs smoothly:

# chown -R squid.squid /usr/local/squid

# chown -R squid.squid /usr/local/apache/htdocs/bannerfilter

Start your squid daemon:

# /usr/local/squid/sbin/squid

Check whether your squid is running or not:

# netstat -pln | grep squid

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 777/(squid)
udp 0 0 0.0.0.0:32771 0.0.0.0:* 777/(squid)
udp 0 0 0.0.0.0:3130 0.0.0.0:* 777/(squid)

If the output looks like the above, your squid is running!! Time for a smoke first... :)

Test Squid from a Client Computer

Do a ping test between your networks, for example if your server has IP 192.168.0.1 and your Windows client's IP is 192.1

Source : http://efnet.linux.or.id/docs


December 31, 2007   No Comments

SQUID: Important things to understand in Squid configuration

These are all things that are very important to understand when configuring squid

source: forum.linux.or.id

I copy-pasted it here so it is easy to find (no more getting tired browsing from page 1 to about 37 :P)

I also include the id of the person who posted it

dani

Junior Member

Well, to close this topic before I take my leave to continue my journey (originally I really only meant to stop by), here are a few more things to raise Squid's performance a little.

1. Raise Squid's priority via nice -20 (-20 is the highest; raise it as far as you like, the point is that it gets processed with a higher priority than the other daemons, default prio=0). E.g. startup script: /usr/bin/nice -n -20 squid -DNY ....

2. Also raise the FD (file descriptor) limit at startup: ulimit -HSn 8192

3. Open as many ports as possible for outgoing access (not incoming, mind you): echo 1024 32768 > /proc/sys/net/ipv4/ip_local_port_range

4. Compare other operating systems, who knows, one might turn out faster for Squid? http://bulk.fefe.de/scalability/

In general the conclusions are:

1. Use or spread Squid's cache directories over many hard disks (many small ones are better than a few big ones).

2. Use as much RAM as possible (which is also reflected in the size of the cache directory).

3. Use a high-speed FS (file system) (e.g. ReiserFS, noatime, notail) with the aufs method.

4. Recompile Squid with the minimum options needed so it is more agile, and don't forget to increase its hard disk threads.

5. Adam Aube's suggestion: reduce the maximum size of objects that can be cached if access turns out slower (meaning the bandwidth savings must be balanced against access speed), as in the earlier posts.
'That's it! You now have the fastest squid on your block', as Joe Cooper says, he he he .....

That's all; I hope my contribution is of some use, and I hope we can help other friends who need it. Who knows, one day there might be cooperation between Squids at the IIX? Apologies if some of the information is inaccurate; I'm always still learning. 'Always keep your mind open and nothing is impossible'

Cheers,

Dani

NB: Who knows, maybe I'll stop by again once I've mastered Squid version 3, hopefully .....


December 31, 2007   No Comments

SQUID | High-performance Proxy caching server


wawan bahtiar, System Administration

PT. Cakra Lintas Nusantara

sysadmin[at]cakralintas.net.id

Published © 2005 Wawan Bahtiar on behalf of PT. Cakra Lintas Nusantara, Amacom Building, Jl. By Pass Ngurah Rai 274 Jimbaran, Bali Indonesia.

This document may be copied, distributed and/or modified, provided the author and the content's copyright are included.

Table of contents:

1. Introduction

1.1 What is Squid?

1.2 What is Internet Object caching?

2. Installing Squid

3. Squid Configuration and Optimisation

4. Other Squid System Tuning Parameters

5. Closing

1. Introduction

1.1 What is Squid?

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process.

Squid keeps meta data and especially hot objects in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings.

Squid consists of the main server program squid, a Domain Name System lookup program (dnsserver), some optional programs for rewriting requests and performing authentication, and some management and client tools. When squid is started, it spawns a number of dnsserver processes, each of which performs a single, blocking Domain Name System (DNS) lookup. This reduces the time spent waiting for DNS lookups.

1.2 What is Internet Object caching?

Internet Object caching is a way to store requested Internet objects (i.e., data available via the HTTP, FTP, and gopher protocols) on a system closer to the requesting site than to the source. Web browsers can then use the local Squid cache as a proxy HTTP server, reducing access time as well as bandwidth consumption.

2. Installing Squid

Required packages:

- the gcc compiler and its supporting tools (development programs)

- malloc, a memory utilisation program

- the Squid source program (tarball)

Download the packages and install:

root@proxy root# mkdir /download

root@proxy download# cd /download

root@proxy download# wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE14.tar.gz

root@proxy download# wget ftp://ftp.gnu.org/gnu/malloc.tar.gz

Before installing squid, make sure any old squid program that may already be installed on the system is uninstalled first.

root@proxy root# rpm -qa |grep squid

squid-2.5STABLE6

root@proxy root# rpm -e squid-2.5STABLE6

Installing all the squid packages:

root@proxy download# tar xzf malloc.tar.gz
root@proxy download# cd malloc
root@proxy malloc# vi Makefile

---- before ----
# Use this on System V.
#CPPFLAGS = -DUSG
---------------

change it to:

---- after ----
# Use this on System V.
CPPFLAGS = -DUSG
---------------

root@proxy malloc# make
root@proxy malloc# cp libmalloc.a /usr/lib/libgnumalloc.a
root@proxy malloc# cp malloc.h /usr/include/gnumalloc.h

Tune the system before installing squid (so that it takes effect directly when squid is compiled); the aim is to raise the File Descriptor (FD) limit, enlarging the number of files a process can use:

root@proxy malloc# vi /etc/security/limits.conf
* soft nofile 8192
* hard nofile 8192

root@proxy malloc# ulimit -HSn 8192
root@proxy malloc# ulimit -n
8192

Installing the core Squid program:

root@proxy malloc# cd /download
root@proxy download# tar xzf squid-2.5.STABLE10.tar.gz
root@proxy download# cd squid-2.5.STABLE10
root@proxy squid-2.5.STABLE10# ./configure \
--prefix=/usr --exec-prefix=/usr --bindir=/usr/bin \
--sbindir=/usr/sbin --libexecdir=/usr/libexec \
--datadir=/usr/share/squid --sysconfdir=/etc/squid \
--sharedstatedir=/usr/com --localstatedir=/var \
--libdir=/usr/lib --includedir=/usr/include \
--infodir=/usr/share/info --mandir=/usr/share/man \
--libexecdir=/usr/lib/squid \
--enable-gnuregex \
--enable-async-io=24 \
--with-aufs-threads=24 \
--with-pthreads \
--with-aio \
--with-dl \
--enable-storeio=aufs \
--enable-removal-policies=heap \
--enable-icmp \
--enable-delay-pools \
--disable-wccp \
--enable-snmp \
--enable-ssl \
--enable-cache-digests \
--enable-default-err-languages=English \
--enable-err-languages=English \
--enable-poll \
--enable-linux-netfilter \
--disable-ident-lookups \
--disable-hostname-checks \
--enable-underscores \
--enable-cachemgr-hostname=localhost

Note: the top 7 lines are adjustments to the layout of an existing redhat/fedora system. As for the remaining options, compile them in if needed; if they are not needed, leave them out when compiling.

root@proxy squid-2.5.STABLE10# mkdir /var/log/squid

root@proxy squid-2.5.STABLE10# chown -R squid:squid /var/log/squid

root@proxy squid-2.5.STABLE10# make all && make install

root@proxy squid-2.5.STABLE10# strip /usr/lib/squid/*

root@proxy squid-2.5.STABLE10# strip /usr/sbin/squid

3. Squid Configuration and Optimisation

Squid configuration:

http_port 3128
icp_port 3130
ssl_unclean_shutdown on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 128 MB
maximum_object_size_in_memory 32 KB
ipcache_size 8192
ipcache_low 98
ipcache_high 99
fqdncache_size 8192
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir aufs /cache1 5000 10 256
cache_dir aufs /cache2 5000 10 256
cache_dir aufs /cache3 5000 10 256
cache_access_log /var/log/squid/access.log
#cache_access_log none
cache_log /var/log/squid/cache.log
cache_store_log none
emulate_httpd_log off
pid_filename /var/run/squid.pid
mime_table /etc/squid/mime.conf
log_fqdn off
memory_pools off
client_netmask 255.255.255.255
ftp_user squid@newhack.org
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98
negative_ttl 2 minutes
half_closed_clients off
read_timeout 15 minutes
client_lifetime 2 hours
pconn_timeout 60 seconds
request_timeout 1 minutes
shutdown_lifetime 10 seconds
positive_dns_ttl 60 seconds
negative_dns_ttl 30 seconds
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl lan src 192.168.0.0/24 192.168.1.0/24
acl to_localhost dst 127.0.0.0/8
acl PURGE method PURGE
acl POST method POST
acl IpAddressOnly url_regex ^http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
acl IpAddressOnly url_regex ^http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl GETONLY method GET
acl VIRUS urlpath_regex winnt/system32/cmd.exe?
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl snmppublic snmp_community public
# Hotmail workaround
header_access Accept-Encoding deny all
http_access allow localhost
http_access allow lan
http_access allow manager lan
http_access allow PURGE localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny PURGE
http_access deny VIRUS
http_access deny all
http_reply_access allow all
icp_access allow lan
icp_access deny all
miss_access allow lan
miss_access deny all
cachemgr_passwd passwordku all
cache_mgr proxy@newhack.org
cache_effective_user squid
cache_effective_group squid
visible_hostname proxies3.newhack.org
unique_hostname proxy.newhack.org
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc on
logfile_rotate 7
forwarded_for on
icp_hit_stale on
log_icp_queries off
query_icmp on
buffered_logs off
strip_query_terms off
icon_directory /usr/share/squid/icons
error_directory /usr/share/squid/errors/English
store_avg_object_size 13 KB
store_objects_per_bucket 10
client_db on
snmp_port 3401
snmp_access allow snmppublic lan
snmp_access deny all
coredump_dir /cache1
reload_into_ims on
pipeline_prefetch on
ie_refresh on
vary_ignore_expire on
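Squid evaluates http_access lines top to bottom: the first line whose ACLs all match decides, and if none matches the default is the opposite of the last line. In the listing above, http_access allow lan comes before the deny !Safe_ports, deny CONNECT !SSL_ports and deny VIRUS lines, so for LAN clients those deny lines are never reached; Squid's default squid.conf template places the deny lines before the site-specific allow lines for exactly this reason. The script below is an added example, not the article's or Squid's own code: a first-match model over a constructed subset of the ACLs above (only the src, port, method and urlpath_regex types are modelled), comparing the article's order with a deny-first order on a few constructed requests.

```python
"""First-match model of Squid http_access evaluation (added example, not Squid's code).
Only the ACL types the rules below use are modelled: src, port, method, urlpath_regex."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the article's ACLs (Safe_ports collapsed onto one line).
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl lan src 192.168.0.0/24 192.168.1.0/24
acl VIRUS urlpath_regex winnt/system32/cmd.exe?
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# The article's order: the LAN is allowed before any deny line is reached.
ARTICLE_RULES = ACLS + """
http_access allow localhost
http_access allow lan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny VIRUS
http_access deny all
"""
# Same lines with the denies first, as in Squid's default squid.conf template.
DENY_FIRST_RULES = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny VIRUS
http_access allow localhost
http_access allow lan
http_access deny all
"""
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def parse(text):
    """Return ({name: (type, values)}, [(action, [(negated, name), ...], line)])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            kind, values = acls.setdefault(parts[1], (parts[2], []))
            if kind != parts[2]:
                raise ValueError(f"acl {parts[1]} redefined with type {parts[2]}")
            values.extend(parts[3:])                    # repeated acl lines accumulate
        elif parts[0] == "http_access":
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            rules.append((parts[1], terms, line))
    return acls, rules


def request_port(req):
    if req["method"] == "CONNECT":                     # CONNECT host:port
        return int(req["url"].rsplit(":", 1)[1])
    parts = urlsplit(req["url"])
    return parts.port or DEFAULT_PORTS.get(parts.scheme, 80)


def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        port = request_port(req)
        return any(int(lo) <= port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req["method"] in values
    if kind == "urlpath_regex":
        path = "" if req["method"] == "CONNECT" else urlsplit(req["url"]).path
        return any(re.search(v, path) for v in values)
    raise ValueError(f"acl type {kind} is not modelled in this example")


def decide(conf_text, req):
    """(action, deciding line): the first line whose ACLs all match wins;
    with no match Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf_text)
    for action, terms, line in rules:
        if all(acl_matches(*acls[name], req) != negated for negated, name in terms):
            return action, line
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default (opposite of last line)"


# Constructed sample requests: a LAN client and an outside client.
LAN_GET = {"src": "192.168.0.5", "method": "GET", "url": "http://example.com/"}
LAN_CONNECT = {"src": "192.168.0.5", "method": "CONNECT", "url": "example.com:8080"}
LAN_WORM_PATH = {"src": "192.168.0.5", "method": "GET",
                 "url": "http://example.com/winnt/system32/cmd.exe"}
OUTSIDE_GET = {"src": "10.0.0.5", "method": "GET", "url": "http://example.com/"}

if __name__ == "__main__":
    for label, conf in (("article order", ARTICLE_RULES), ("deny first", DENY_FIRST_RULES)):
        for req in (LAN_GET, LAN_CONNECT, LAN_WORM_PATH, OUTSIDE_GET):
            print(label, req["method"], req["url"], "->", decide(conf, req))
```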

Squid Optimisation Tips:

If there are some nearby sites that may be only 1 hop away, just bypass them so that Squid really works for the ones that are far away (many hops).

hierarchy_stoplist cgi-bin ? localhost domain-anda.com isp-anda.com domainku.web.id

acl QUERY urlpath_regex cgi-bin \? localhost domain-anda.com isp-anda.com domainku.web.id

no_cache deny QUERY

From experience and recommendations, 6 MB will be faster and lets Squid work harder.

cache_mem 6 MB

cache_swap_low 98

cache_swap_high 99

The maximum object size on disk and in memory is made larger so that the byte hit rate is higher (it can be raised further if the hard disks are fast and numerous, with larger memory as well).

maximum_object_size 128 MB

maximum_object_size_in_memory 32 KB

If memory is 512 MB or larger, feel free to enlarge the cache.

ipcache_size 2048

ipcache_low 98

ipcache_high 99

For heap replacement I use LFUDA for the disk cache and GDSF for the memory cache, the reasoning being that on disk large objects are prioritised for storage and in memory small ones.

cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

Ideally the disk space you use is only about 70% of the total, because the fuller it gets the slower Squid is at finding free space; e.g. for a 1 GB cache use only 700MB (do not use the whole 1GB). Don't forget: only 1 directory per drive, because the limiting factor is the spindle speed of the hard disk, and adding more directories on 1 hd does not make it faster (hd is on the order of milliseconds, memory on the order of nanoseconds). So it is better to have many small hard disks than a single big one. Then, if the OS is Linux, use the Reiser FS (version 4 is the fastest) with the aufs access method. Diskd is optimal on FreeBSD but not on Linux. Don't forget to enable noatime and notail on that partition so that no extra writes are added when writing or reading. The bottom line is that the hard disk is the biggest bottleneck in Squid.

suggestion: about 70% of 16GB

cache_dir aufs /cachez 12000 28 256

or (for about 4GB of space per hard disk)

cache_dir aufs /cachehardisk1 3000 8 256

cache_dir aufs /cachehardisk2 3000 8 256

cache_dir aufs /cachehardisk3 3000 8 256

cache_dir aufs /cachehardisk4 3000 8 256

Log only the vital information, and try to keep the log files on a separate hard disk so they do not affect the speed of the main cache directory.

log_fqdn off

log_icp_queries off

cache_log none

cache_store_log none

Push a little so that object access is more intensive on the local Squid, and the storage time is extended before validation happens (e.g. validation every 3 hours with the oldest object kept 3 months; for ftp it can be even longer).

refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod

refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

Just remove the abort tolerance.

quick_abort_min 0

quick_abort_max 0

quick_abort_pct 98

Don't shut down and reconfigure Squid too quickly, because it can corrupt file integrity.

shutdown_lifetime 10 seconds

No memory reservation needed.

memory_pools off

Important for relations with siblings, measuring their response via ICP and ICMP.

icp_hit_stale on

query_icmp on

Important for further improving the refresh pattern.

reload_into_ims on

pipeline_prefetch on

vary_ignore_expire on

Once again, Squid is needed for fetching what is far away; for nearby destinations go direct

acl local-dst dst semuaalamatlokal semuaalamatipygdekat

acl local-domain dstdomain localhost domain-anda.com isp-anda.com domainku.web.id

always_direct allow localhost local-dst local-domain

always_direct deny all

Sys-V init script for squid:

root@proxy root# vi /etc/init.d/squid

#!/bin/bash
# squid		This shell script takes care of starting and stopping
#		Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#	a way to store requested Internet objects (i.e., data available \
#	via the HTTP, FTP, and gopher protocols) on a system closer to the \
#	requesting site than to the source. Web browsers can then use the \
#	local Squid cache as a proxy HTTP server, reducing access time as \
#	well as bandwidth consumption.
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# check if the squid conf file is present
[ -f /etc/squid/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-"-DY"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid
[ -z "$SQUID" ] && exit 0

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
    grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ]

RETVAL=0

start() {
    for adir in $CACHE_SWAP; do
        if [ ! -d $adir/00 ]; then
            echo -n "init_cache_dir $adir... "
            $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    ulimit -HSn 2048
    # run squid at the highest priority, as recommended in the tuning tips
    /bin/nice -n -20 $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        timeout=0;
        while : ; do
            [ ! -f /var/run/squid.pid ] || break
            if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout+1))
        done
    fi
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
    [ $RETVAL -eq 0 ] && echo_success
    [ $RETVAL -ne 0 ] && echo_failure
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    $SQUID -k check >> /var/log/squid/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ] ; then
        $SQUID -k shutdown &
        rm -f /var/lock/subsys/$SQUID
        timeout=0
        while : ; do
            [ -f /var/run/squid.pid ] || break
            if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
        echo_success
        echo
    else
        echo_failure
        echo
    fi
    return $RETVAL
}

reload() {
    $SQUID $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/squid ] && restart || :
}

rhstatus() {
    status $SQUID
    $SQUID -k check
}

probe() {
    return 0
}

case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
reload)
    reload
    ;;
restart)
    restart
    ;;
condrestart)
    condrestart
    ;;
status)
    rhstatus
    ;;
probe)
    exit 0
    ;;
*)
    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
    exit 1
esac

exit $?

4. Other Squid System Tuning Parameters:

Edit /etc/sysctl.conf and add the following:

root@proxy root# vi /etc/sysctl.conf
# add port outgoing
net.ipv4.ip_local_port_range = 1024 32768

Tuning in fstab:

Edit /etc/fstab; it should look like this, with the same lines changed (usually by adding noatime/notail; leave the other mount types alone, do not change them):

/dev/hda1 / reiserfs defaults,noatime 1 1
/dev/hda6 /boot reiserfs defaults,noatime 1 2
/dev/hda7 /var reiserfs defaults,noatime 1 2
/dev/hda8 /usr reiserfs defaults,noatime 1 2
/dev/hda9 /home reiserfs defaults,noatime 1 2
/dev/sda1 /cache01 reiserfs noatime,notail 0 0
/dev/sda2 /cache02 reiserfs noatime,notail 0 0
/dev/sdb1 /cache03 reiserfs noatime,notail 0 0
/dev/sdb2 /cache04 reiserfs noatime,notail 0 0

Check who is connecting to squid:

root@proxy root# tail -f /var/log/squid/access.log

5. Closing

Thanks to:

http://forum.linux.or.id (mas dani, fish, fai, firewaxx, and all the folks at forum.linux.or.id)

http://www.squid-cache.org/Doc/FAQ/FAQ.html

nb.

Tested and verified by me personally using the Trustix Secure Linux and Ubuntu Server OSes

//With PC specs:

Processor CoreDuo 3.0Ghz
Memory DDR2 2GB
HDD 40GB | OS System
SCSI ;
9,2GB 10K RPM | Cache1
9,2GB 10K RPM | Cache2
9,2GB 10K RPM | Cache3

Source : http://newhack.org/?pilih=news&aksi=lihat&id=33


December 31, 2007   No Comments

Linux: Setup a transparent proxy with Squid in three easy steps

Server Configuration

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, the Squid server was installed (use up2date squid) and configured by adding the following directives to the file:

# vi /etc/squid/squid.conf

Modify or add following squid directives:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

acl lan src 192.168.1.1 192.168.2.0/24

http_access allow localhost

http_access allow lan

Where,

  • httpd_accel_host virtual: Squid acts as an httpd accelerator
  • httpd_accel_port 80: 80 is the port you want to act as a proxy
  • httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a proxy.
  • httpd_accel_uses_host_header on: use the Host header, which carries the hostname from the URL.
  • acl lan src 192.168.1.1 192.168.2.0/24: Access control list; only allow LAN computers to use squid
  • http_access allow localhost: Squid access for the LAN and localhost ACLs only
  • http_access allow lan: same as above

Here is the complete listing of squid.conf for your reference (grep removes all comments and sed removes all empty lines; thanks to David Klein for the quick hint):

# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for the small sed trick)

# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

hosts_file /etc/hosts

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl purge method PURGE

acl CONNECT method CONNECT

cache_mem 1024 MB

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

acl lan src 192.168.1.1 192.168.2.0/24

http_access allow localhost

http_access allow lan

http_access deny all

http_reply_access allow all

icp_access allow all

visible_hostname myclient.hostname.com

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

coredump_dir /var/spool/squid

Iptables configuration

Next, I added the following rules to forward all http requests (coming to port 80) to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all http requests to port 3128 (download the fw.proxy shell script):

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:

# chmod +x /etc/fw.proxy

# /etc/fw.proxy

# service iptables save

# chkconfig iptables on

Start or Restart the squid:

# /etc/init.d/squid restart

# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.

How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:

# tail -f /var/log/squid/access.log

The above command will monitor all incoming requests as they are logged to the /var/log/squid/access.log file. Now if somebody accesses a website through a browser, squid will log the information.
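Both this post and the earlier ones point at access.log as the place to see what clients are doing through the proxy. The script below is an added example, not from any of these posts: it parses Squid's native access.log format (timestamp, elapsed ms, client, action/status, bytes, method, URL, ident, hierarchy/peer, type) and reports the hit ratio, bytes per client, denied requests and URLs matching the streaming regex from the YouTube post. The sample lines are constructed for the example; only the get_video URL comes from the page, the other hosts and peer addresses are documentation values.

```python
"""Summarise Squid native access.log lines (added example, not from the article).

Native format per line:
  timestamp elapsed_ms client action/status bytes method URL ident hierarchy/peer type
"""
import re
from collections import Counter

# Streaming URLs, the regex used by the YouTube delay-pool post above.
STREAM_RE = re.compile(r"get_video\?video_id|videodownload\?", re.IGNORECASE)

# Constructed sample log; the first URL is the one shown in the YouTube post,
# the other hosts and peer addresses are example/documentation values.
SAMPLE_LOG = """\
1193286572.113    234 192.168.0.111 TCP_MISS/200 6508975 GET http://ash-v97.ash.youtube.com/get_video?video_id=YXF72VCyt5M - DIRECT/203.0.113.10 video/x-flv
1193286580.201     12 192.168.0.12 TCP_HIT/200 4521 GET http://www.example.com/index.html - NONE/- text/html
1193286581.005    310 192.168.0.12 TCP_MISS/200 23110 GET http://www.example.com/images/logo.gif - DIRECT/198.51.100.7 image/gif
1193286590.440      0 192.168.1.7 TCP_DENIED/403 1422 CONNECT mail.example.net:25 - NONE/- text/html
1193286595.777     45 192.168.0.111 TCP_MEM_HIT/200 812 GET http://www.example.com/style.css - NONE/- text/css
"""


def parse_line(line):
    """Return a dict for one native-format line, or None for a malformed one."""
    fields = line.split()
    if len(fields) < 9:
        return None
    action, _, status = fields[3].partition("/")
    url = fields[6]
    # host: after the scheme for absolute URLs, before the port for CONNECT host:port
    host = url.split("://", 1)[1].split("/", 1)[0] if "://" in url else url.split(":", 1)[0]
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "action": action,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": url,
        "host": host,
        "hierarchy": fields[8],
    }


def summarize(log_text):
    """Hit ratio, bytes per client, busiest hosts, denied requests and streaming URLs."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = sum(1 for e in entries if "HIT" in e["action"])   # TCP_HIT, TCP_MEM_HIT, ...
    bytes_per_client = Counter()
    for e in entries:
        bytes_per_client[e["client"]] += e["bytes"]
    return {
        "total": len(entries),
        "hits": hits,
        "hit_ratio": hits / len(entries) if entries else 0.0,
        "bytes_per_client": dict(bytes_per_client),
        "top_hosts": Counter(e["host"] for e in entries).most_common(3),
        "denied": [(e["client"], e["url"]) for e in entries if e["action"] == "TCP_DENIED"],
        "streaming": [e["url"] for e in entries if STREAM_RE.search(e["url"])],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a live proxy, replace SAMPLE_LOG with the contents of /var/log/squid/access.log.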

Problems and solutions

(a) Windows XP FTP Client

All desktop client FTP session requests ended with an error:

Illegal PORT command.

I loaded the ip_nat_ftp kernel module. Just type the following command, press Enter and voila!

# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had blocked all connection requests in our router settings except for our proxy (192.168.1.1) server, so all ports including 443 (https/ssl) requests were denied. You cannot redirect port 443; from the debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".

Therefore, I quickly reopened port 443 (router firewall) for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

source : http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html


December 30, 2007   1 Comment