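#!/bin/bash
#
# Build and install Squid 3.5.24 with SSL-bump and eCAP support from source,
# together with libecap 1.0.0 and the DSI eCAP adapter; generate the local
# signing CA used for bumping; write squid.conf, the store-id helper and
# /etc/rc.local; install the sysv init script and start the proxy.
#
# Usage: run as root on a Debian/Ubuntu host with network access.
# Sources are downloaded and built under $HOME; everything installs to /usr.
set -euo pipefail

readonly CERT_DIR=/etc/squid/ssl_cert
readonly SSL_DB=/var/lib/ssl_db
# Squid 3.5's default cache_effective_user; log, cache and cert files are
# handed to it so the unprivileged worker can read them.
readonly SQUID_USER=nobody

die() { printf '%s\n' "$*" >&2; exit 1; }

# Install the toolchain and libraries needed by the three source builds.
# ca-certificates lets wget verify the HTTPS downloads made further down.
install_build_deps() {
  apt-get update
  apt-get install -y build-essential devscripts libcppunit-dev openssl \
    libssl-dev libcap-dev libsasl2-dev ccze pkg-config libkrb5-dev \
    ca-certificates
}

# Download, build and install libecap 1.0.0 under /usr/local and make
# /usr/local/lib known to the dynamic loader (once, even on re-runs).
install_libecap() {
  # TODO: verify the tarball against the checksum published upstream before
  # building; the download is plain HTTP and nothing here authenticates it.
  wget http://www.measurement-factory.com/tmp/ecap/libecap-1.0.0.tar.gz
  tar xzvf libecap-1.0.0.tar.gz
  (
    cd libecap-1.0.0
    ./configure
    make
    make install
  )
  grep -qxF '/usr/local/lib' /etc/ld.so.conf \
    || echo '/usr/local/lib' >> /etc/ld.so.conf
  ldconfig
}

# Download, build and install the DSI eCAP adapter (ecap_adapter_modifying.so).
install_ecap_adapter() {
  # NOTE(review): a Dropbox share link ending in ?dl=0 may serve the HTML
  # preview page rather than the archive — confirm this URL returns the tarball.
  wget -O ecap_adapter_DSI.tgz \
    'https://www.dropbox.com/s/z4levwr2frun3c9/ecap_adapter_DSI.tgz?dl=0'
  tar xzvf ecap_adapter_DSI.tgz
  (
    cd ecap_adapter_sample-1.0.0
    ./configure
    make
    make install
  )
}

# Download squid 3.5.24, apply the forgery patch, build and install it,
# and hand the log and cache directories to the squid user.
build_squid() {
  local -a configure_opts=(
    --prefix=/usr
    --bindir=/usr/bin
    --sbindir=/usr/sbin
    --libexecdir=/usr/lib/squid
    --sysconfdir=/etc/squid
    --localstatedir=/var
    --libdir=/usr/lib
    --includedir=/usr/include
    --datadir=/usr/share/squid
    --mandir=/usr/share/man
    --enable-storeio=ufs,aufs,diskd,rock
    --enable-removal-policies=lru,heap
    --enable-stacktrace
    --enable-zph=qos
    --enable-ssl-crtd
    --enable-ecap
    --disable-ident-lookup
    --disable-auth
    --disable-auth-basic
    --disable-auth-digest
    --disable-auth-negotiate
    --disable-auth-ntlm
    --disable-url-rewriter-helpers
    --disable-storeid-rewrite-helpers
    --with-logdir=/var/log/squid
    --with-pid-file=/var/run/squid.pid
    --with-swap-dir=/var/spool/squid
    --with-large-files
    --with-openssl
  )

  # TODO: verify the tarball and the patch against upstream checksums; both
  # are fetched over plain HTTP.
  wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.24.tar.gz
  tar xzvf squid-3.5.24.tar.gz
  wget -O squid_forgery.patch \
    http://www.squid-cache.org/mail-archive/squid-users/201404/att-0240/squid_forgery.patch.txt
  (
    cd squid-3.5.24
    # A rejected hunk now aborts the script instead of building unpatched.
    patch -p0 < ../squid_forgery.patch
    ./configure "${configure_opts[@]}"
    make
    make install
  )
  mkdir -p /var/log/squid /var/spool/squid
  chown -R "$SQUID_USER" /var/log/squid /var/spool/squid
}

# Generate the self-signed CA that signs the forged server certificates,
# export its public half for client trust stores, and initialise the
# ssl_crtd certificate database.
make_signing_ca() {
  mkdir -p "$CERT_DIR"
  # Key and certificate are written to the same PEM file. That file holds the
  # private key behind every bumped TLS session, so it is readable by the
  # squid user only (root can still read it for the initial config parse).
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -keyout "$CERT_DIR/warnet.pem" -out "$CERT_DIR/warnet.pem" \
    -subj "/C=ID/ST=Sumatera Utara/L=Medan/O=DSI/CN=Dokter Squid Indonesia"
  chown "$SQUID_USER" "$CERT_DIR/warnet.pem"
  chmod 600 "$CERT_DIR/warnet.pem"
  # Public certificate only (DER), for importing into client browsers/OSes.
  openssl x509 -in "$CERT_DIR/warnet.pem" -outform DER -out "$CERT_DIR/warnet.der"
  openssl x509 -in "$CERT_DIR/warnet.pem" -outform DER -out "$CERT_DIR/warnet.crt"
  /usr/lib/squid/ssl_crtd -c -s "$SSL_DB"
  chown -R "$SQUID_USER" "$SSL_DB"
}

# Write /etc/squid/squid.conf exactly as the original deployment had it.
# Two settings in it deserve attention before the proxy fronts anything
# sensitive:
#  - `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`
#    make squid accept any upstream certificate, so clients behind the
#    bumping proxy get no protection against a forged origin server.
#  - `ssl_bump bump all` decrypts every TLS session from localnet; the
#    signing key generated above must stay private and the public cert
#    must be installed on every client.
write_squid_conf() {
  cat > /etc/squid/squid.conf <<'SQUID_CONF'
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl PURGE method PURGE
#http://empire.goodgamestudios.com/
#acl bypass_ssl dst 37.48.88.132
#BBM-http://bgp.he.net/search?search%5Bsearch%5D=blackberry+messenger&commit=Search
#acl bypass_ssl dst 68.171.224.0/19 #BBM
#acl bypass_ssl dst 74.82.64.0/19 #BBM
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
http_access allow localhost purge
http_access deny purge
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128 (forward proxy)
http_port 3128
#SSL Tunnel
http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem
#transparent proxy intercept
#http_port 3129 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem
#transparent proxy tproxy
#http_port 3129 tproxy
#https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem
#caching konten https
#ssl_bump splice bypass_ssl
ssl_bump peek step1 all
ssl_bump bump all
#opsi caching konten https
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE #Jika menggunakan versi setelah squid-3.5.12-20151222-r13967
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/spool/squid 1000 16 256
cache_mem 16 MB
cache_swap_low 97
cache_swap_high 98
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#Maximum Object Size
maximum_object_size 1024 MB
maximum_object_size_in_memory 1024 KB
#partial 206
#range_offset_limit 1 MB
#atau (pilih salah satu)
#request_header_access Range deny all
#Administrative
cache_mgr admin_squid@dokter-squid.com
visible_hostname s-proxy1-dsi
# Leave coredumps in the first cache dir
coredump_dir /var/log/squid
#debugging
strip_query_terms off
#debug_options 11,2 22,3
logfile_rotate 1
#cache_store_log /var/log/squid/store.log
#ecap
#yt_quality: tiny = 144px small = 240px medium = 360px large = 480px HD720 = Hd720px
acl youtube_240 dstdomain .youtube.com
request_header_access Accept-Encoding deny youtube_240
loadable_modules /usr/local/lib/ecap_adapter_modifying.so
ecap_enable on
ecap_service ecapModifier respmod_precache uri=ecap://dokter-squid.com/ecap yt_quality=small
adaptation_access ecapModifier allow youtube_240
adaptation_access ecapModifier deny all
#storeid
acl getmethod method GET
acl loop_302 http_status 302
acl youtube url_regex -i ^http.*\.googlevideo\.com\/videoplayback\?
send_hit deny loop_302
store_id_program /etc/squid/storeid.pl
store_id_children 50 startup=5 idle=2 concurrency=200
store_id_access deny !getmethod
store_id_access allow youtube
store_id_access deny all
store_id_extras "%{Referer}>h %>a/%>A %un %>rm myip=%la myport=%lp"
refresh_pattern -i ^http.*\.internal 43200 0% 0 override-expire ignore-private
refresh_pattern -i \.(htm|html|xml|css|chm|txt|dll|dat)(\?.*)?$ 1440 100% 4320
refresh_pattern -i \.(3gp|7z|ace|asx|bin|deb|divx|dvr-ms|ram|rpm|exe|inc|cab|qt)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|zip|tar)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|ico|swf|ad)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.(avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|vob)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.((pp(t?x)|s|t)|pdf|rtf|wax|wm(a|v)|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|flv|x-flv)(\?.*)?$ 43200 100% 43200
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
qos_flows local-hit=0x30
SQUID_CONF
}

# Write the store-id helper that maps YouTube videoplayback URLs to a stable
# internal key so the cache can serve the same video from different CDN hosts.
# The quoted heredoc keeps the Perl text literal ($|, \/ and \n included).
write_storeid_helper() {
  cat > /etc/squid/storeid.pl <<'PERL'
#!/usr/bin/perl
$|=1;
while (<>) {
@X = split;
$x = $X[1];
$y = $X[0] . " ";
$z = $X[2];
if ($x =~ m/^https?:\/\/.*(youtube|google).*videoplayback.*/){
@itag = m/[&?](itag\=[0-9]*)/;
@mime = m/[&?](mime\=[^\&\s]*)/;
@range = m/[&?](range\=[^\&\s]*)/;
if($z =~ m/^https?:\/\/.*\?v\=(.*)/){
$id=$1;}
print $y . "OK store-id=http://video.youtube.doktersquid.internal/video-id=$id&@itag&@mime&@range\n" ;
} else {
print $y . "ERR\n";
}
}
PERL
  chmod +x /etc/squid/storeid.pl
}

# Create the cache directories, install the sysv init script and start squid.
install_service() {
  squid -zN
  # The init script runs as root at boot and is fetched from a mutable gist
  # URL (no revision pinned); review its contents before relying on it.
  wget -O /etc/init.d/squid \
    https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
  chmod +x /etc/init.d/squid
  update-rc.d squid defaults
  service squid start
}

# Write /etc/rc.local with the (commented-out) tproxy/intercept firewall
# rules, exactly as in the original deployment.
# NOTE(review): the file is written without a shebang and its mode is left
# as-is; with every rule commented out it is a no-op, so this only matters
# once the rules are enabled.
write_rc_local() {
  cat > /etc/rc.local <<'RC_LOCAL'
#tproxy
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
#ip rule add fwmark 1 lookup 212
#ip route add local 0.0.0.0/0 dev lo table 212
#intercept
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
exit 0
RC_LOCAL
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must be run as root"
  install_build_deps
  cd "$HOME"
  install_libecap
  install_ecap_adapter
  build_squid
  make_signing_ca
  write_squid_conf
  write_storeid_helper
  install_service
  write_rc_local
  # Follow the access log live; tail -f replaces tailf, which newer
  # util-linux releases no longer ship.
  tail -f /var/log/squid/access.log | ccze
}

main "$@"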