My Server Log

Installasi HTPROXY di Debian 6.05
RIG : AMD X3 440 Memory = 6 GB Hardisk = 500 GB
topologinya Squid sejajar client ( ip proxy satu subnet dgn client)

MODEM------MT-----Swicth----client
                    |
                  Debian


Local = 192.168.2.30
Client = 192.168.2.1-192.168.2.20
PROXY = 192.168.2.28

/ip firewall nat
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY SEJAJAR" disabled=no dst-port=80 in-interface=Local protocol=tcp src-address=!192.168.2.28 to-addresses=\
    192.168.2.28 to-ports=3128
add action=src-nat chain=srcnat disabled=no out-interface=Local protocol=tcp src-address-list=Local-Address to-addresses=192.168.2.30 to-ports=0-65535

/ip firewall address-list add address=192.168.2.1-192.168.2.27 list=Local-Address
/ip firewall address-list add address=192.168.2.1-192.168.2.28 list=Proxy-Address


/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
    max-udp-packet-size=512 servers="203.130.208.18,203.130.193.74,203.130.196.5, \
    222.124.204.34,203.130.196.6,208.67.222.222,208.67.220.220,180.131.144.144, \
    180.131.145.145"

/ip dns static
add address=192.168.2.28 disabled=no name=proxy.hade.war.net ttl=1d


ip 192.168.2.28
netmask 255.255.255.0
gateway 192.168.2.30
name server addresses = 192.168.2.30
host = proxy
domain = hade.war.net

partisi

# 1        Primary        6.1 GB        swap         swap
# 5        Logical        80  GB        brtfs        /cache-1
# 6        Logical        80  GB        brtfs        /cache-2
# 7        Logical        80  GB        brtfs        /cache-3
# 8        Logical        80  GB        brtfs        /cache-4
# 9        Logical        80  GB        brtfs        /cache-5
# 10       Logical        80  GB        brtfs        /cache-6
# 3        Primary        14  GB        ext4         /


mulai installasi via remote as root
tambah repo webmin dan installasi build-essential supaya extract tar.bz2 tidak error

[CODE]
echo deb http://download.webmin.com/download/repository sarge contrib | tee -a /etc/apt/sources.list
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update && apt-get upgrade
[/CODE]


Jika memory kurang dari 4 lewati saja tahapan ini
[CODE]
apt-get apt-get install linux-image-2.6.32-5-686-bigmem linux-headers-2.6.32-5-686-bigmem
reboot
[/CODE]

Tuning Up
Optimalkan file system cache & ubah opsi untuk partisi cache
Disabled fsck (file system check)

Angka standart Drive Cache adalah 0 2 ——>> ganti dengan 0 0 (INGAT HANYA DRIVE CACHE)
Opsi Directory /cache :
gunakan opsi noatime,barrier=0     0     0

contoh

# /cache-1 was on /dev/sda5 during installation
UUID=6f346352-cdce-4f3e-a197-f123a6c09ca4 /cache-1        btrfs   default         0       2

# /cache-1 was on /dev/sda5 during installation
UUID=6f346352-cdce-4f3e-a197-f123a6c09ca4 /cache-1        btrfs   noatime,compress,noacl,barrier=0        0       0

[CODE]
apt-get -y install unbound build-essential
cd /etc/unbound
wget  ftp://FTP.INTERNIC.NET/domain/named.cache
unbound-control-setup
chown unbound:root unbound_*
chmod 440 unbound_*
[/CODE]


nano /etc/unbound/unbound.conf
delete isinya ganti dengan

server:
        verbosity: 1
        statistics-interval: 120
        num-threads: 1
        interface: 0.0.0.0
        outgoing-range: 512
        num-queries-per-thread: 1024
        msg-cache-size: 16m
        rrset-cache-size: 32m
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        cache-max-ttl: 86400
        infra-host-ttl: 60
        infra-lame-ttl: 120
        infra-cache-numhosts: 10000
        infra-cache-lame-size: 10k
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes

        #access-control: 0.0.0.0/0 allow
        access-control: 192.168.0.0/16 allow
        #access-control: 172.16.0.0/12 allow
        #access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse

        chroot: "/etc/unbound"
        username: "unbound"
        directory: "/etc/unbound"
        #logfile: "/etc/unbound/unbound.log"
        #use-syslog: yes
        logfile: ""
        use-syslog: no
        pidfile: "/etc/unbound/unbound.pid"
        root-hints: "/etc/unbound/named.cache"

        identity: "proxy.hade.war.net"
        version: "1.4"
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: yes
        module-config: "iterator"

        #zone localhost
        local-zone: "localhost." static
        local-data: "localhost. 10800 IN NS localhost."
        local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
        local-data: "localhost. 10800 IN A 127.0.0.1"

        local-zone: "127.in-addr.arpa." static
        local-data: "127.in-addr.arpa. 10800 IN NS localhost."
        local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
        local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

        #zone hade.war.net
        local-zone: "hade.war.net." static
        local-data: "hade.war.net. 86400 IN NS ns.hade.war.net."
        local-data: "hade.war.net. 86400 IN SOA hade.war.net. hostmaster.hade.war.net.  3 3600 1200 604800 86400"
        local-data: "hade.war.net. 86400 IN A 192.168.2.28"
        local-data: "www.hade.war.net. 86400 IN A 192.168.2.28"
        local-data: "ns.hade.war.net. 86400 IN A 192.168.2.28"
        local-data: "mp3.hade.war.net. 86400 IN A 192.168.2.28"

        local-zone: "2.168.192.in-addr.arpa." static
        local-data: "2.168.192.in-addr.arpa. 10800 IN NS hade.war.net."
        local-data: "2.168.192.in-addr.arpa. 10800 IN SOA hade.war.net. hostmaster.hade.war.net. 4 3600 1200 604800 864000"
        local-data: "28.2.168.192.in-addr.arpa. 10800 IN PTR hade.war.net."


forward-zone:
        name: "."
        forward-addr: 203.130.208.18
        forward-addr: 203.130.193.74
        forward-addr: 203.130.196.5
        forward-addr: 222.124.204.34
        forward-addr: 203.130.196.6
        forward-addr: 208.67.222.222
        forward-addr: 208.67.220.220
        forward-addr: 180.131.144.144
        forward-addr: 180.131.145.145

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 953
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

save

rubah resolv.conf

[CODE]
cat > /etc/resolv.conf
# Begin /etc/resolv.conf
domain proxy.hade.war.net
nameserver 127.0.0.1
nameserver 192.168.2.30
# End /etc/resolv.conf
EOF
[/CODE]

unbound-checkconf /etc/unbound/unbound.conf

reboot

Tuning Up

Optimalkan file system cache & ubah opsi untuk partisi cache
Disabled fsck (file system check)

Angka standart Drive Cache adalah 0 2 ——>> ganti dengan 0 0 (INGAT HANYA DRIVE CACHE)

Opsi Directory /cache :

gunakan opsi noatime,barrier=0     0     0

contoh

# /cache-1 was on /dev/sda5 during installation
UUID=6f346352-cdce-4f3e-a197-f123a6c09ca4 /cache-1        btrfs   default         0       2


# /cache-1 was on /dev/sda5 during installation
UUID=6f346352-cdce-4f3e-a197-f123a6c09ca4 /cache-1        btrfs   noatime,compress,noacl,barrier=0        0       0


nano /etc/sysctl.conf

kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
fs.file-max = 65536
vm.swappiness = 0
vm.vfs_cache_pressure=50
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 87380
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 65536
net.core.wmem_max = 16777216
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3


setelah di save,
sysctl -p


Kurangi TCP TIME_WAIT setting, default value (60 in Debian 6)

echo 4 > /proc/sys/net/ipv4/tcp_fin_timeout

ulimit -n 65535                     # Sets number of open files for this process and it's children

nano /etc/profile file and ensure that the file does not contain any commands that set ulimit values.
Add the following commands to the end of the /etc/profile file

ulimit -Hn 65536
ulimit -Sn 65535


echo 65536 > /proc/sys/fs/file-max
echo "*         soft        nofile          65536" >> /etc/security/limits.conf
echo "*         hard        nofile          65536" >> /etc/security/limits.conf
echo "root      soft        nofile          65536" >> /etc/security/limits.conf
echo "root      hard        nofile          65536" >> /etc/security/limits.conf
echo "proxy     soft        nofile          65536" >> /etc/security/limits.conf
echo "proxy     hard        nofile          65536" >> /etc/security/limits.conf
echo "session required        pam_limits.so" >> /etc/pam.d/common-session
modprobe ip_conntrack


kemudian tambahkan ip_contrack di /etc/modules
nano /etc/modules

tambahkan kalimat berikut baris paling bawah :

ip_conntrack

save


Install squid


[CODE]

cd /home

wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_i386.tar.bz2

tar xvf deb-htproxy_14942_i386.tar.bz2

dpkg -i *.deb

/etc/init.d/squid stop

[/CODE]


64 only for a reccord

[CODE]

cd /home

wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_x86-64.tar.bz2

tar xvf deb-htproxy_14942_x86-64.tar.bz2 && dpkg -i *.deb

dpkg -i *.deb

/etc/init.d/squid stop

[/CODE]


# Hapus cache

rm -rf /var/spool/squid/*


edit squid.conf sesuai kondisi


http_port 3229 transparent

visible_hostname www.hade.war.net


#partisi cachedir maksimal 80% dari total jumlah volume yang kosong

#dan sesuaikan dengan besar memory setelah di kurangi memory untuk system OS dan aplikasi yang lainya,

#untuk 32 bit OS I386 setiap 1 Gb Hardisk membutuhakn 10 Mb RAM

#untuk 64 bit OS I386 setiap 1 Gb Hardisk membutuhakn 14 Mb RAM

# 480 G . 75 % = 360 G. 10 = 3600 MB Untuk Cache

# dari 6144 memory yg terinstall karena onboard vga terbaca 6053 ( free -m )

# 6053 = 1536 + 3600 + 953  ( cache memory + cache + system dan mrtg)

cache_mem 1536 MB


#Contoh cache dir untuk disk 80Gb dengan sisa space yang kosong 70Gb, kita gunakan 50% saja = 35GB

# dir untuk cache 80Gb digunakan 75% = 60 GB

###############################################################################################

cache_dir aufs /cache-1 60000 140 256

cache_dir aufs /cache-2 60000 140 256

cache_dir aufs /cache-3 60000 140 256

cache_dir aufs /cache-4 60000 140 256

cache_dir aufs /cache-5 60000 140 256

cache_dir aufs /cache-6 60000 140 256


#CONTOH  DNS speedy open dns dan nawala

dns_nameservers 203.130.208.18

dns_nameservers 203.130.193.74

dns_nameservers 203.130.196.5

dns_nameservers 222.124.204.34

dns_nameservers 203.130.196.6

dns_nameservers 208.67.222.222

dns_nameservers 208.67.220.220

dns_nameservers 180.131.144.144

dns_nameservers 180.131.145.145

##############################################################


# Antisipasi patch game ukuran besar

maximum_object_size 700000 KB


# storeurl_rewrite_children 30

quick_abort_min 0 KB

quick_abort_max 0 KB

quick_abort_pct 100

storeurl_rewrite_children 15


include /etc/squid/safeSearch.conf


chown proxy:proxy /cache-* && chmod 777 /cache-*

squid -z

squid -f /etc/squid/squid.conf -z && /etc/init.d/squid start


iptables -F

iptables -X

iptables -t nat -F

iptables -t nat -X

iptables -t mangle -F

iptables -t mangle -X

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p tcp --dport 53 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p udp --dport 53 -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT

iptables -A INPUT -p udp -s 192.168.0.0/16 --dport 3128 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 80 -j REDIRECT --to-port 3229

iptables-save -c > /etc/iptables.up.rules


apt-get install sharutils ccze webmin

Server Log Mrtg
http://oss.oetiker.ch/mrtg/doc/mrtg-unix-guide.en.html

mrtg tanpa snmp on Debian Squeeze
disini kita hanya akan menggunakan script bash dan perl untuk menggantikan snmpwalk

data yang di graph :
cache size, ethernet traffic, memory usage, cpu load, tcp connection dan latency

apt-get install gcc make perl apache2 libgd-tools mrtg-contrib mrtg

cd /usr/local/bin

nano mem.sh

#!/bin/sh

# Thierry Nkaoua [email protected]

USED=`free -b|grep cache:|cut -d ":" -f2|cut -c1-11`
#FREE=`free -b|grep cache:|cut -d ":" -f2|cut -c12-22`
echo $USED
echo $USED

nano eth.pl

#!/usr/bin/perl

use strict;

my $if = $ARGV[0] || mrtg_die();

open(F, "</proc/net/dev") || mrtg_die();
my @LINES = <F>;
close(F);

foreach (grep(/\s+$if\:/, @LINES)) {
    /\s+$if\:(\s*\d*){1}/;
    my $recv = $1;
        $recv =~ s/\s+//g;

    /\s+$if\:(\s*\d*){9}/;
    my $sent = $1;
        $sent =~ s/\s+//g;

    print "$recv\n$sent\n0\n0\n";
}

sub mrtg_die() {
    print "0\n0\n0\n0\n";
}

nano loadavg.sh

#!/bin/sh
awk </proc/loadavg '{print (100*$1) "\n" (100*$2) }'
hostname;
echo "loadavg";

nano tcpconn.sh

#!/bin/sh

if [ "$1" = "" ] ; then
	O=`/bin/netstat -nt | fgrep ESTABLISHED | wc -l`
	label='numconns'
else
	O=`/bin/netstat -nt | fgrep ESTABLISHED | fgrep "$1" | wc -l`
	label="$1"
fi
echo $O
echo $O
hostname
echo "$label"

nano ping.pl


#!/usr/bin/perl
use strict;
use warnings;
use Net::Ping;
use Time::HiRes;

my $host = shift;

my $p = Net::Ping->new("icmp");
$p->hires();
my ($ret, $duration, $ip) = $p->ping($host, 5.5);
if ( $ret ) {
        printf "%.0f\n", 1000 * $duration;
} else {
        print "0\n";
}

# Value "in" for mrtg
print "0\n";
# Value "out" for mrtg
print "\n";
# A comment for mrt
print "$host\n";
$p->close();


chmod +x *
nano /etc/mrtg.cfg

# -------------------------------------------
# HADENET
# -------------------------------------------
WorkDir: /var/www/mrtg
#RunAsDaemon:Yes
Interval:5
WriteExpires: Yes
EnableIPv6: no
Background[_]:#CCCCCC;
Colours[_]:LIGHTBLUE#0099FF,ORANGE#FF6600,BLUE#0000FF,RED#FF0000
Options[_]: nopercent,growright,noinfo,gauge

# eth0
# -------------------------------------------

Title[eth0]: Ethernet Trafic
PageTop[eth0]: <h1>Ethernet Trafic</h1>
Target[eth0]: `/usr/local/bin/eth.pl eth0`
Options[eth0]: bits
MaxBytes[eth0]: 100000000

# Memory
# -------------------------------------------

Title[mem]: Memory Usage
PageTop[mem]: <h1>Memory Usage</h1>
Target[mem]: `/usr/local/bin/mem.sh`
Options[mem]: gauge,noinfo,nopercent,growright,nobanner,noarrow,pngdate
MaxBytes[mem]: 1024000000
YLegend[mem]: Bytes
ShortLegend[mem]: Bytes
LegendO[mem]: Mem Used :
WithPeak[mem]: wmy
Kilo[mem]:1024

# TCP Connection
# -------------------------------------------

Title[server-numconns]: Server TCP connections
Target[server-numconns]: `/usr/local/bin/tcpconn.sh`
PageTop[server-numconns]: <h1>TCP connections</h1>
MaxBytes[server-numconns]: 1000
YLegend[server-numconns]: Connections
ShortLegend[server-numconns]: Connections
LegendO[server-numconns]: Connections
Options[server-numconns]: gauge, growright

## CPU Load
# -------------------------------------------

Target[server-cpu]: `/usr/local/bin/loadavg.sh`
MaxBytes[server-cpu]: 500
Title[server-cpu]: CPU Load
PageTop[server-cpu]: <h1>CPU Load</h1>
YLegend[server-cpu]: Load*100
ShortLegend[server-cpu]: load
Legend1[server-cpu]: CPU Load (x 100)
Legend2[server-cpu]:
LegendI[server-cpu]: 1min load
LegendO[server-cpu]: 5min load
Options[server-cpu]: gauge,nopercent,integer,growright

# Latency Local
# -------------------------------------------

Target[ping_local]: `/usr/local/bin/ping.pl www.indowebster.com`
Title[ping_local]: Latency Local
PageTop[ping_local]: <h1>Latency Local</h1>
LegendO[ping_local]:
MaxBytes[ping_local]: 10000
Options[ping_local]: gauge,growright
LegendI[ping_local]: Ping in ms
ShortLegend[ping_local]: ms
YLegend[ping_local]: ms
Factor[ping_local]: 1

# Latency Inter
# -------------------------------------------

Target[ping_inter]: `/usr/local/bin/ping.pl www.facebook.com`
Title[ping_inter]: Latency Inter<
PageTop[ping_inter]: <h1>Latency Inter</h1>
LegendO[ping_inter]:
MaxBytes[ping_inter]: 10000
Options[ping_inter]: gauge,growright
LegendI[ping_inter]: Ping in ms
ShortLegend[ping_inter]: ms
YLegend[ping_inter]: ms
Factor[ping_inter]: 1


mkdir /var/www/mrtg

env LANG=C mrtg /etc/mrtg.cfg

jalankan 3 x sampai error hilang

indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

192.168.2.28/mrtg

edit lagi file /etc/mrtg.cfg
nano /etc/mrtg.cg

hilangkan tanda “#” di depan RunAsDaemon:Yes

jalankan sekali lagi mrtg untuk aktifkan daemon mrtg
env LANG=C mrtg /etc/mrtg.cfg

buat index.html
indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

akses via broser ke http://[ip-address]/mrtg

buka webmin, kita akan buat start-up mrtg dari webmin

webmin > system > bootup and shutdown > Create a new bootup and shutdown action

note

    * Target[eth0]: `/usr/local/bin/eth.pl eth0` > jika ethernet yg aktif bukan eth0, ganti eth0 dengan ethernet card yang aktif. jalankan ifconfig untuk melihat ethernet yang aktif
    * Target[ping_inter]: `/usr/local/bin/ping.pl www.yahoo.com` > silahkan diganti dengan host lain sesuai selera misalnya microsoft.com ato cuma IP-nya tidak perlu pakai hostname. hanya pastikan host yang anda pakai reliable