Installasi PROXY LUSCA

Installasi PROXY SERVER LUSCA featuring storeurl.pl Kang Ucok Karnadi

Lanjutan http://pastebin.com/hkc9TFBb
Tuning Up

Optimalkan file system untuk proxy

tune2fs -m 0 /dev/sda5
tune2fs -m 0 /dev/sda6

If you need to know your drives labels type the following:

mount|grep ^'/dev'


tune2fs -o journal_data_writeback /dev/sda5
tune2fs -o journal_data_writeback /dev/sda6

Disabled fsck (file system check)

nano /etc/fstab

nano /etc/fstab
/cache-1  ext4  noatime,barrier=0,nodiratime,relatime,errors=remount-ro,data=writeback   0   0
/cache-2  ext4  noatime,barrier=0,nodiratime,relatime,errors=remount-ro,data=writeback   0   0

Adjusting tcp sockets and limits

decrease TCP TIME_WAIT setting, the default value (60 in Debian 6) is too high and will result in too many sockets in TIME_WAIT stait. To decrease waiting time, execute following command:

echo 4 >> /proc/sys/net/ipv4/tcp_fin_timeout
mv /etc/sysctl.conf /etc/sysctl.conf_
touch /etc/sysctl.conf

echo "kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
fs.file-max = 65536
vm.swappiness = 10
vm.vfs_cache_pressure=50
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 87380
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 65536
net.core.wmem_max = 16777216
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3" >> /etc/sysctl.conf

echo 65536 > /proc/sys/fs/file-max
echo "*         soft        nofile          65536" >> /etc/security/limits.conf
echo "*         hard        nofile          65536" >> /etc/security/limits.conf
echo "root      soft        nofile          65536" >> /etc/security/limits.conf
echo "root      hard        nofile          65536" >> /etc/security/limits.conf
echo "proxy     soft        nofile          65536" >> /etc/security/limits.conf
echo "proxy     hard        nofile          65536" >> /etc/security/limits.conf
echo "session required        pam_limits.so" >> /etc/pam.d/common-session

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp

echo "ip_tables
ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
iptable_nat
ip_nat_ftp" >> /etc/modules

echo "ulimit -Hn 65536
ulimit -Sn 65535" >> /etc/profile

save

# Installasi paket standart #

apt-get -y install gcc build-essential sharutils ccze libzip-dev automake1.9 make libfile-readbackwards-perl

# Installasi Squid untuk dependensi #
apt-get -y install squid squidclient squid-cgi

# Installasi Lusca #
/etc/init.d/squid stop
wget http://lusca-cache.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz && tar xzvf LUSCA_HEAD-r14809.tar.gz && chmod 777 /LUSCA_HEAD-r14809 && cd /LUSCA_HEAD-r14809 && make distclean && bash bootstrap.sh
-------------------------------

wget  http://rixum.googlecode.com/files/LUSCA_HEAD-patch.tar.gz &&
tar -xvzf LUSCA_HEAD-patch.tar.gz &&
patch -p0 < 3xx-loop.diff &&
patch -p0 < async-issue.diff &&
patch -p0 < http-gzip.diff &&
patch -p0 < ignore-must-revalidate.diff &&
patch -p0 < improve-nn-parser.diff &&
patch -p0 < lusca-vary.diff &&
patch -p0 < segmentation-fault.diff

./configure --build=x86_64-linux-gnu --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin  --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid  --localstatedir=/var/spool/squid  --datadir=/usr/share/squid --enable-async-io --enable-epoll --enable-removal-policies=lru,heap  --with-aio --with-dl --enable-snmp --enable-delay-pools  --enable-htcp  --enable-cache-digests  --disable-unlinkd --enable-large-cache-files  --with-large-files --with-pthreads  --enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-referer-log --enable-stacktraces --enable-truncate  --enable-http-violations --enable-follow-x-forwarded-for --disable-linux-tproxy --disable-ssl --disable-select --disable-poll --disable-dependency-tracking  --disable-auth --disable-ident-lookups --disable-wccp --disable-wccpv2  --enable-err-languages=English --enable-default-err-language=English  --with-maxfd=65535

make &&
make install

/etc/init.d/squid stop

cd /etc/squid
wget http://tempat-sampah.googlecode.com/svn/storeurl.pl
chmod +x /etc/squid/storeurl.pl
chown proxy:proxy /etc/squid/storeurl.pl

edit squid.conf sesuai kondisi
nano /etc/squid/squid.conf

hapus semua ganti pake yang simple dulu

# -----------------------------------------------------------------------------
#  SQUID CONFIGURATION FOR LUSCA
# -----------------------------------------------------------------------------
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl QUERY urlpath_regex -i cgi-bin \? localhost
acl youtube_range url_regex -i .*youtube\.com\/videoplayback.*range\=.*$
acl youtube_range url_regex -i .s.youtube\.com
acl youtube_range url_regex -i .s2.youtube\.com
http_access deny youtube_range
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.2.0/24
#acl localnet src 192.168.3.0/24
acl SSL_ports port 443 563 81 10000
acl Safe_ports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 3228 1025-65535
acl CONNECT method CONNECT
acl purge method PURGE
# acl block url_regex -i "/etc/squid/block.txt"
# http_access deny block
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all
icp_access deny all
htcp_access deny all
htcp_clr_access deny all
reply_body_max_size 0 allow all

# -----------------------------------------------------------------------------
# NETWORK OPTIONS
# -----------------------------------------------------------------------------

http_port 3229 transparent
tcp_outgoing_tos 0x30 localnet
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

icp_port 0
htcp_port 0
snmp_port 0
snmp_access deny all

# -----------------------------------------------------------------------------
# PARENT/SIBLING CACHE OPTIONS
# -----------------------------------------------------------------------------
hierarchy_stoplist localhost cgi-bin \? localhost


# -----------------------------------------------------------------------------
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 16 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /cache-1 30000 30 256
cache_dir aufs /cache-2 30000 30 256
maximum_object_size 600 MB
cache_swap_low 90
cache_swap_high 95
update_headers off

# -----------------------------------------------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
#access_log none
access_log /var/log/squid/access.log
cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_ip_on_direct off
log_icp_queries off
buffered_logs off
netdb_filename none
pid_filename /var/run/squid.pid
storeurl_rewrite_program /etc/squid/storeurl.pl
storeurl_rewrite_children 15
storeurl_rewrite_concurrency 30
dns_nameservers 203.130.208.18
dns_nameservers 203.130.193.74
dns_nameservers 208.67.222.222
dns_nameservers 208.67.220.220
dns_nameservers 180.131.144.144
dns_nameservers 180.131.145.145

# -----------------------------------------------------------------------------
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#REFRESH PATTERN TUNNING
##############################################################
# pictures & images
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private
refresh_pattern -i \.(xml|html|htm|js|txt|css|php)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth

#sound, video & multimedia
refresh_pattern -i \.(flv|x-flv|mov|avi|qt|mpg|mpeg|swf)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache
refresh_pattern -i \.(wav|mp3|mp4|au|mid)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private

# files
refresh_pattern -i \.(iso|deb|rpm|zip|tar|kom|tgz|ram|rar|bin|ppt|doc)$ 10080 90% 43200 ignore-no-cache ignore-auth
refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth

# dynamic content
refresh_pattern ^http://(.*?)/get_video\? 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://(.*?)/videoplayback\? 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id) 161280 50000% 525948 override-expire ignore-reload

# -- refresh pattern for specific sites -- #
refresh_pattern ^http://*.indowebster.com.*/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth
refresh_pattern ^http://*.blogspot.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.wordpress.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache
refresh_pattern ^http://*.photobucket.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.tinypic.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.imageshack.us/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.friendster.com/.* 720 100% 10080 override-expire override-lastmod ignore-no-cache ignore-auth
refresh_pattern ^http://*.facebook.com/.* 720 100% 10080 ignore-reload override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http://*.apps.facebook.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.fbcdn.net/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.akamaihd.net/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.zynga.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.farmville.com/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http:\/\/\videoxl\.l[0-9]\.facebook.com\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/\*.channel\.facebook\.com\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/video\.ak\.facebook.com*\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/photos-[a-z]\.ak\.fbcdn\.net\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/profile\.ak\.fbcdn.net*\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/static\.ak\.fbcdn.net*\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/creative\.ak\.fbcdn.net*\/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/facebook\.poker\.zynga.com\.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/\statics\.poker\.static\.zynga\.com\.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http:\/\/\*.crowdstar.com*\.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth ignore-must-revalidate store-stale
refresh_pattern ^http://*.yahoo.com/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.google.com/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.forummikrotik.com/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.linux.or.id/.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.l.yimg\.com.*\.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://*.yahoofs.com\.* 720 100% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://v\.okezone\.com/get_video\/([a-zA-Z0-9]) 129600 100% 129600 ignore-no-cache ignore-no-store reload-into-ims override-expire ignore-must-revalidate store-stale
refresh_pattern \.(ico|video-stats) 129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod ignore-must-revalidate negative-ttl=10080 store-stale
refresh_pattern \.etology\? 129600 100% 129600 override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern galleries\.video(\?|sz) 129600 100% 129600 override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern \.adtology\? 129600 100% 129600 override-expire ignore-reload ignore-no-cache store-stale
refresh_pattern ^.*safebrowsing.*google 43200 50% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth ignore-must-revalidate negative-ttl=10080 store-stale
refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?)\.google\.co(m|\.id) 43200 50% 129600 override-expire ignore-reload store-stale ignore-private negative-ttl=10080
refresh_pattern ^http://*.ytimg\.com.*\.* 43200 50% 129600 override-expire ignore-reload store-stale
refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 129600 100% 129600 ignore-no-cache override-expire override-lastmod store-stale
refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\. 129600 100% 129600 ignore-no-cache ignore-no-store ignore-reload override-expire store-stale
refresh_pattern -i \*.speedtest.*com\.* 0 50% 180 override-expire store-stale negative-ttl=0
refresh_pattern -i (cgi-bin|hackshield|xtrap|Loader|login) 0 0% 0
refresh_pattern \.(php|jsp|cgi|asx|js|jsp)\? 0 0% 0
refresh_pattern . 0 50% 2629742 store-stale
# -----------------------------------------------------------------------------
# HTTP OPTIONS
# -----------------------------------------------------------------------------
server_http11 on
collapsed_forwarding on
vary_ignore_expire on
header_access From deny all
header_access Server deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all

# -----------------------------------------------------------------------------
# TIMEOUTS
# -----------------------------------------------------------------------------
forward_timeout 240 seconds
connect_timeout 30 second
peer_connect_timeout 5 seconds
read_timeout 600 second
request_timeout 60 second
persistent_request_timeout 60 seconds
client_lifetime 86400 second
half_closed_clients off
pconn_timeout 60 second
shutdown_lifetime 10 second
# -----------------------------------------------------------------------------
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

cache_mgr admin@hade.war.net
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname proxy.hade.war.net

# -----------------------------------------------------------------------------
# ADVANCED NETWORKING OPTIONS
#---------------------------
max_filedescriptors 65536

# -----------------------------------------------------------------------------
# DNS OPTIONS
# -----------------------------------------------------------------------------

check_hostnames off
dns_timeout 30 seconds
hosts_file /etc/hosts
ipcache_size 8192
ipcache_low 90
ipcache_high 95
fqdncache_size 4096

# -----------------------------------------------------------------------------
# MISCELLANEOUS
# -----------------------------------------------------------------------------
memory_pools off
forwarded_for off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
# -=EoF=-

chown proxy:proxy /cache-1; chmod 777 /cache-1; squid -z; /etc/init.d/squid start

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 80 -j ACCEPT
iptables-save -c > /etc/iptables.up.rules