- =======================================
- ||||||configuration
- =======================================
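#!/usr/bin/env bash
# Build and install Squid 3.5.21 from source with ssl-bump, TPROXY and
# store-id support.  Paths match the squid.conf further down.  Run as root
# on a Debian/Ubuntu host.
#
# NOTE(review): the 3.5 series is no longer maintained upstream; keep the
# version pinned here only while a newer release cannot be used.
set -euo pipefail

readonly SQUID_VERSION=3.5.21
readonly SQUID_TARBALL="squid-${SQUID_VERSION}.tar.bz2"
# Expected SHA-256 of the tarball.  Fill it in from the signed checksum on the
# squid-cache.org release page before running; with the placeholder left in,
# the check below fails instead of being silently skipped.
readonly SQUID_SHA256="<sha256 of ${SQUID_TARBALL} from the squid-cache.org release page>"

# Build and runtime dependencies.
apt-get update && apt-get upgrade -y
apt-get install -y \
  devscripts \
  build-essential \
  openssl libssl-dev \
  fakeroot \
  libcppunit-dev \
  libsasl2-dev \
  cdbs \
  ccze \
  libfile-readbackwards-perl \
  libcap2 \
  libcap-dev \
  libcap2-dev \
  libtool \
  sysv-rc-conf

# Fetch the source over TLS and verify it before unpacking.  The original
# downloaded over plain http with no integrity check, so a tampered tarball
# would have been compiled and installed unnoticed.
wget "https://www.squid-cache.org/Versions/v3/3.5/${SQUID_TARBALL}"
printf '%s  %s\n' "$SQUID_SHA256" "$SQUID_TARBALL" | sha256sum -c -
tar -xjf "$SQUID_TARBALL"
cd "squid-${SQUID_VERSION}"

# --sysconfdir was given twice in the original (/etc, then /etc/squid); the
# last value wins, so only the effective one is kept.
# --enable-ssl-crtd/--with-openssl: TLS bumping; --enable-linux-netfilter:
# tproxy/intercept ports; --enable-http-violations: the ignore-* refresh
# options used in squid.conf; --disable-ipv6: the rc.local rules are v4-only.
./configure \
  --prefix=/usr \
  --includedir=/usr/include \
  --infodir=/usr/share/info \
  --sysconfdir=/etc/squid \
  --localstatedir=/var \
  --libexecdir=/usr/lib/squid \
  --srcdir=. \
  --datadir=/usr/share/squid \
  --mandir=/usr/share/man \
  --enable-inline \
  --enable-async-io=24 \
  --enable-storeio=ufs,aufs,diskd,rock \
  --enable-removal-policies=lru,heap \
  --enable-gnuregex \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-underscores \
  --enable-icap-client \
  --enable-follow-x-forwarded-for \
  --enable-eui \
  --enable-esi \
  --enable-icmp \
  --enable-zph-qos \
  --enable-http-violations \
  --enable-ssl-crtd \
  --enable-linux-netfilter \
  --enable-ltdl-install \
  --enable-ltdl-convenience \
  --enable-x-accelerator-vary \
  --disable-maintainer-mode \
  --disable-dependency-tracking \
  --disable-silent-rules \
  --disable-translation \
  --disable-ipv6 \
  --disable-ident-lookups \
  --with-swapdir=/var/spool/squid \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid \
  --with-aufs-threads=24 \
  --with-filedescriptors=65536 \
  --with-large-files \
  --with-maxfd=65536 \
  --with-openssl \
  --with-default-user=proxy \
  --with-included-ltdl

make -j"$(nproc)"
make install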
- =======================================
- ||||||squid.conf
- =======================================
# squid.conf for the build above: a transparent (tproxy/intercept) HTTP and
# HTTPS proxy that bumps TLS, rewrites CDN/YouTube URLs through a store-id
# helper and caches aggressively to disk.  Comments are review notes; every
# directive is as in the original.  Squid evaluates http_access,
# store_id_access, store_miss/send_hit and refresh_pattern lists top-down,
# first match wins, so line order is significant.

# --- Access-control list definitions ---------------------------------------
# NOTE(review): "src all" matches every client address; combined with
# "http_access allow localnet" below, the plain forward port 3128 accepts
# requests from any host that can reach it (an open proxy).  Limit this to
# the LAN that is actually served (rc.local below diverts 192.168.11.x/24).
acl localnet src all
acl SSL_ports port 443
# NOTE(review): 88 carries the same "http" label as 80; keep it only if a
# service on port 88 really has to be reachable through the proxy.
acl Safe_ports port 88 # http
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: QUERY
# -----------------------------------------------------------------------------
# Dynamic content (game-launcher anti-cheat checks, patch lists, captchas,
# scripts, ...) that must never be answered from cache; "cache deny QUERY"
# applies the list.
acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
cache deny QUERY
#
# URLs that must not be passed to the store-id helper ("store_id_access deny
# dontstore" below): dynamic scripts, Google suggest, YouTube redirector
# responses and a few sites that broke when rewritten.
acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
acl dontstore url_regex redbot\.org \.php
acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
acl dontstore url_regex \.(aspx|php)\?
acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*
# YouTube playback pings (store_yt_id) and video chunk requests
# (store_id_list_yt); the helper keys the chunks by video id.
acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$
acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*
# Strip Range headers on YouTube chunk requests so whole, cacheable objects
# are fetched; range_offset_limit decides how far a remaining range request
# may reach before Squid fetches the full object.
request_header_access Range deny store_id_list_yt
range_offset_limit 10 KB store_id_list_yt
acl loop_302 http_status 302
acl getmethod method GET
# Permissions (first match wins).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# NOTE(review): with localnet defined as "src all" this line allows everyone.
http_access allow localnet
http_access allow localhost
http_access deny all
# SSL
# Always go direct (no cache_peer in this config).
always_direct allow all
# Bump (decrypt and re-encrypt) every TLS session with a certificate minted by
# ssl_crtd.  Clients must trust the CA in /etc/squid/ssl_cert, and the proxy
# then terminates every HTTPS connection on the LAN, so the decrypted traffic
# and the CA private key need the same protection as the sites' own.
ssl_bump server-first all
sslproxy_cert_error deny all
# NOTE(review): per the Squid 3.5 documentation DONT_VERIFY_PEER accepts
# origin certificates that fail validation, which appears to override the
# "deny all" above: an expired or forged server certificate is still
# re-signed by the local CA and looks valid to the client.  Drop the flag
# (and point sslproxy_cafile at a CA bundle) unless accepting that risk is a
# deliberate, documented choice.
sslproxy_flags DONT_VERIFY_PEER
# 8 certificate-generator helpers sharing a 4 MB database in ssl_db.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
###############################################################################
# Squid normally listens to port 3128
###############################################################################
# No bind address is given, so every port below listens on all interfaces.
# 3126/3130 are the TPROXY targets of the rc.local rules, 3127/3131 serve
# NAT-style interception, 3128 is the explicit forward proxy and 3129 an
# explicit port with ssl-bump.  cert= is the file created by the setup
# commands below; it holds the CA private key as well as the certificate.
http_port 3126 tproxy
http_port 3127 intercept
http_port 3128
http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
https_port 3131 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
# TAG: Store-id Program
# -----------------------------------------------------------------------------
# External helper (the Perl script further down) that maps CDN/YouTube URLs
# to stable cache keys.  concurrency=1000 makes Squid prefix each request
# line with a channel id that the helper has to echo back.
store_id_program /etc/squid/store.pl
store_id_children 100 startup=0 idle=1 concurrency=1000
# TAG: Store-id Access
# -----------------------------------------------------------------------------
# Exclusions first, then only GET requests matching the YouTube ACLs reach the
# helper; the Referer header is appended to each helper request line.
store_id_access deny dontstore
store_id_access deny !getmethod
store_id_extras "%{Referer}>h"
store_id_access allow store_id_list_yt
store_id_access allow store_yt_id
store_id_access deny all
# When all helpers are busy, skip the rewrite rather than queue the request.
store_id_bypass on
# TAG: Youtube 302
# -----------------------------------------------------------------------------
# YouTube answers some chunk requests with a per-client 302 or an HTML/plain
# text error body.  Never store those and never serve them as hits, or one
# client's redirect would be replayed to everyone sharing the store-id.
store_miss deny store_id_list_yt loop_302
send_hit deny store_id_list_yt loop_302
# NOTE(review): "mime-type" reads like the placeholder from the directive's
# documentation left in place; as written it is an additional regex, not a
# keyword, so the ACL also matches any content type containing "mime-type".
acl loop rep_mime_type -i mime-type ^text/html
acl loop rep_mime_type -i mime-type ^text/plain
store_miss deny loop_302
send_hit deny loop_302
store_miss deny loop
send_hit deny loop
# MEMORY
# Keep (almost) nothing in RAM: 8 MB of cache_mem and a 0-byte limit for
# in-memory objects push everything to the disk cache.
client_dst_passthru on
cache_mem 8 MB
maximum_object_size_in_memory 0
memory_cache_shared off
memory_cache_mode disk
memory_replacement_policy heap GDSF
# DISK
cache_replacement_policy heap LFUDA
minimum_object_size 1 bytes
maximum_object_size 1 GB
# 320000 MB aufs store under /cache (the setup commands chown it to proxy).
cache_dir aufs /cache 320000 16 256 # adjust to the cache storage drive
store_dir_select_algorithm round-robin
cache_swap_low 90
cache_swap_high 95
# LOG
# NOTE(review): the access log lives in world-writable /tmp, cache_log is
# discarded, and strip_query_terms off records full query strings (session
# tokens included) for every user.  For troubleshooting and incident review,
# log under /var/log/squid (the build's --with-logdir), keep cache_log, and
# consider leaving strip_query_terms at its default.
access_log /tmp/access.log squid
logfile_daemon /usr/lib/squid/log_file_daemon
cache_store_log none
logfile_rotate 1
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
strip_query_terms off
buffered_logs off
cache_log /dev/null
coredump_dir /var/spool/squid
###############################################################################
# Add any of your own refresh_pattern entries above these.
###############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Youtube Video
# ignore-private / ignore-no-store / ignore-auth / override-* are HTTP
# violations (enabled at build time): responses the origin marked private,
# uncacheable or authenticated are stored and shared between clients for up
# to 241920 minutes (168 days).  Keep them confined to the video patterns.
refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?|\.mp4|\.webm|\.flv|((audio|video)\/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.* 10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.*$ 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
# Image Youtube
refresh_pattern -i (yimg|twimg)\.com\.* 1440 100% 129600 override-expire ignore-reload reload-into-ims
refresh_pattern -i (ytimg|ggpht)\.com\.* 1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims
###############################################################################
## ERROR PAGE OPTIONS
###############################################################################
error_directory /usr/share/squid/errors/en
error_log_languages off
# Mark cache hits with TOS 0x30 (local) / 0x34 (parent) so a router can give
# them different QoS treatment; the older zph_* equivalents stay commented out.
qos_flows tos local-hit=0x30 parent-hit=0x34
#zph_mode tos
#zph_local 48
#zph_sibling 0
#zph_parent 0
#zph_option 136
- =======================================
- ||||||storeid.pl
- =======================================
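#!/usr/bin/perl
#
# storeid.pl with debug opt - based on storeurl.pl
# @ http://www2.fh-lausitz.de/launic/comp/misc/squid/projekt_youtube/
#
# mods by cespun and fajar @ ipfire.id
#
# Squid store-id helper.  Install it at the path squid.conf's
# store_id_program points to (/etc/squid/store.pl in the accompanying
# config).  Squid sends one request per line:
#     <channel-id> <URL> [<extras>...]
# (the channel id is present because store_id_children runs with
# concurrency) and expects back
#     <channel-id> OK store-id=<key>      or      <channel-id> ERR
#
# Review notes on this revision:
#   * Every rule is now matched against the URL field.  The ytimg, gstatic,
#     reverbnation, yimg, https speedtest and ads rules matched $_ (the whole
#     input line, which starts with the channel id), so their ^https?://
#     anchors could never succeed and those rules were dead code.
#   * Rules whose key was built from the host or action name instead of the
#     object (reverbnation, yimg, https speedtest) now include the object
#     path; otherwise every object under that host would share one cache
#     entry and clients would be served the wrong file.
#   * The YouTube "cpn" query value is restricted to [A-Za-z0-9_-] before it
#     is used as a file name.  It was interpolated unchecked into open(), so
#     a request URL could make the helper write to or read from a path of
#     the requester's choosing, as the squid user.
#   * chomp instead of chop, lexical file handles with error checks, strict
#     and warnings; the unused $sucks and @itag variables are gone.
use strict;
use warnings;
use IO::File;

$| = 1;
STDOUT->autoflush(1);

my $debug          = 0;                  # recommended: 0 (1 logs every request)
my $bypassallrules = 0;                  # recommended: 0 (1 maps every URL to itself)
my $printtimenow   = 1;                  # prefix log lines with epoch seconds: 0|1
my $logfile        = '/tmp/storeid.log';
my $state_dir      = '/tmp';             # cpn -> video-id files live here

my $logfh;
if ($debug) {
    open $logfh, '>>', $logfile
        or die "Couldn't open $logfile for appending: $!\n";
    $logfh->autoflush(1);
}

# Writes $msg to the debug log when debugging is on; no-op otherwise.
sub dlog {
    my ($msg) = @_;
    print $logfh $msg if $debug;
}

# Returns the cpn (client playback nonce) query parameter of $url when it is
# safe to use as a file name, otherwise undef.  Anything outside
# [A-Za-z0-9_-] is rejected so "/" or ".." in the URL cannot steer the file
# operations below outside $state_dir.
sub safe_cpn {
    my ($url) = @_;
    my ($cpn) = $url =~ m/[&?]cpn\=([^\&\s]*)/;
    return undef unless defined $cpn && $cpn =~ m/^[A-Za-z0-9_-]+$/;
    return $cpn;
}

# Records that $cpn belongs to video $video_id, unless already recorded.
# A failed write is logged and otherwise ignored: the helper still answers.
sub remember_cpn {
    my ($cpn, $video_id) = @_;
    my $path = "$state_dir/$cpn";
    return if -e $path;
    my $fh;
    unless (open $fh, '>', $path) {
        dlog("cannot write $path: $!\n");
        return;
    }
    print $fh $video_id;
    close $fh;
}

# Returns the video id recorded for $cpn, or undef if there is none.
sub recall_cpn {
    my ($cpn) = @_;
    my $path = "$state_dir/$cpn";
    return undef unless -e $path;
    my $fh;
    return undef unless open $fh, '<', $path;
    local $/;                 # slurp: the file holds one id, no newline
    my $id = <$fh>;
    close $fh;
    return $id;
}

# Answers one request: returns "OK store-id=<key>" when URL $u names content
# that is identical across mirrors, CDN hosts or query-string noise, and
# "ERR" when Squid should use the URL itself as the cache key.  With
# $bypassallrules set the URL is returned unchanged (a 1:1 mapping).
sub store_id_for {
    my ($u) = @_;

    return $u if $bypassallrules;

    # Facebook CDN photos and static assets.
    if ($u =~ m/http.*\.(fbcdn|akamaihd)\.net\/h(profile|photos).*[\d\w].*\/([\w]\d+x\d+\/.*\.[\d\w]{3}).*/) {
        return "OK store-id=http://fbcdn.net.squid.internal/" . $2 . "/" . $3;
    }
    if ($u =~ m/^http(.*)static(.*)(akamaihd|fbcdn).net\/rsrc.php\/(.*\/.*\/(.*).(js|css|png|gif|jpg))(\?(.*)|$)/) {
        return "OK store-id=http://fbcdn.net.squid.internal/static/" . $5 . "." . $6;
    }
    if ($u =~ m/^https?:\/\/attachment\.fbsbx\.com\/.*\?(id=[0-9]*).*/) {
        return "OK store-id=http://facebook.squid.internal/" . $1;
    }
    # Google Analytics beacon: the image is the same for everyone.
    if ($u =~ m/^https?\:\/\/.*utm.gif.*/) {
        return "OK store-id=http://google-analytics.squid.internal/__utm.gif";
    }
    # Speedtest assets over http; the https variant is handled further down.
    if ($u =~ m/^http\:\/\/.*\/speedtest\/(.*\.(jpg|txt|png|swf|gif|xml|css)).*/) {
        return "OK store-id=http://speedtest.squid.internal/" . $1;
    }
    # Generic video files keyed by file name, dropping the query string.
    if ($u =~ m/^https?\:\/\/.*\/(.*\..*(mp4|3gp|flv))\?.*/) {
        return "OK store-id=http://video-file.squid.internal/" . $1;
    }
    if ($u =~ m/^https?\:\/\/c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/(.*)\?.*/) {
        return "OK store-id=http://reverbnation.squid.internal/" . $1;
    }
    if ($u =~ m/^https?\:\/\/.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/(.*\/.*)\?.*/) {
        return "OK store-id=http://playstore-android.squid.internal/" . $1;
    }
    if ($u =~ m/^https?:\/\/.*\.ytimg\.com\/(.*\.(webp|jpg|gif))/) {
        return "OK store-id=http://ytimg.squid.internal/" . $1;
    }
    if ($u =~ m/^https?:\/\/.*\.gstatic\.com\/images\?q=tbn\:(.*)/) {
        return "OK store-id=http://gstatic.squid.internal/" . $1;
    }
    # The song id ($2) is part of the key; the action name alone ($1) would
    # map every song to the same object.
    if ($u =~ m/^https?:\/\/.*\.reverbnation\.com\/.*\/(ec_stream_song|download_song_direct|stream_song)\/([0-9]*).*/) {
        return "OK store-id=http://reverbnation.squid.internal/" . $1 . "/" . $2;
    }
    # Host label ($1) plus path ($2); the label alone collapsed every object
    # on a yimg host into one entry.
    if ($u =~ m/^https?:\/\/([^\.]*)\.yimg\.com\/(.*)/) {
        return "OK store-id=http://yimg.squid.internal/" . $1 . "/" . $2;
    }
    # Speedtest assets over https, keyed by file name like the http rule.
    if ($u =~ m/^https?:\/\/(.*?)\/speedtest\/(.*\.(jpg|txt|png|swf|gif|xml|css))\??.*$/) {
        return "OK store-id=http://speedtest.squid.internal/" . $2;
    }
    # Ad networks: one object per host, by the original's design.  (The
    # original wrote "interclick.\com"; \c is a control-character escape in
    # Perl regexes, so that host never matched.  It is a literal dot now.)
    if ($u =~ m/^https?:\/\/([a-z0-9.]*)(\.doubleclick\.net|\.quantserve\.com|.exoclick\.com|interclick\.com|\.googlesyndication\.com|\.auditude\.com|.visiblemeasures\.com|yieldmanager|cpxinteractive)(.*)/) {
        return "OK store-id=http://ads.squid.internal/" . $1;
    }
    if ($u =~ m/^https?:\/\/(.*?)\/(ads)\?(.*?)/) {
        return "OK store-id=http://ads.squid.internal/" . $1;
    }
    # Rules that were present but commented out in the original and stay off:
    #   gemscool.com   /.../<digits>/<file>
    #   netmarble.co.id /.../(Patch|ModooMarble)/<file>
    #   lytogame.com   /.../<letters>/<file>

    # YouTube playback pings carry both the video id and the client playback
    # nonce (cpn).  Remember the pairing so the later videoplayback request,
    # which carries only the cpn and an opaque id, can be keyed by video id.
    # The pings themselves are never cached (ERR).
    if ($u =~ m/^https?\:\/\/.*youtube.*ptracking.*/) {
        my ($video_id) = $u =~ m/[&?]video_id\=([^\&\s]*)/;
        my $cpn = safe_cpn($u);
        remember_cpn($cpn, defined $video_id ? $video_id : '') if defined $cpn;
        return "ERR";
    }
    if ($u =~ m/^https?\:\/\/.*youtube.*stream_204.*/) {
        my ($docid) = $u =~ m/[&?]docid\=([^\&\s]*)/;
        my $cpn = safe_cpn($u);
        remember_cpn($cpn, defined $docid ? $docid : '') if defined $cpn;
        return "ERR";
    }
    if ($u =~ m/^https?\:\/\/.*youtube.*player_204.*/) {
        my ($v) = $u =~ m/[&?]v\=([^\&\s]*)/;
        my $cpn = safe_cpn($u);
        remember_cpn($cpn, defined $v ? $v : '') if defined $cpn;
        return "ERR";
    }
    # YouTube video chunks: key = video id (from the cpn mapping when known,
    # else the id= parameter) + mime + byte range, so the same chunk served
    # by any googlevideo host is a cache hit.
    if ($u =~ m/^https?\:\/\/.*(youtube|googlevideo).*videoplayback.*/) {
        my ($range) = $u =~ m/[&?](range\=[^\&\s]*)/;
        my ($mime)  = $u =~ m/[&?](mime\=[^\&\s]*)/;
        my ($id)    = $u =~ m/[&?]id\=([^\&\s]*)/;
        my $cpn = safe_cpn($u);
        if (defined $cpn) {
            my $known = recall_cpn($cpn);
            $id = $known if defined $known;
        }
        $range = '' unless defined $range;
        $mime  = '' unless defined $mime;
        $id    = '' unless defined $id;
        return "OK store-id=http://video-srv.squid.internal/id=$id$mime$range";
    }

    return "ERR";
}

# Main loop: one request line in, one answer line out, flushed immediately.
while (my $line = <STDIN>) {
    my $timenow = $printtimenow ? time() . ' ' : '';
    dlog("${timenow}in : $line");
    chomp $line;
    my ($channel, $url) = split ' ', $line;   # channel id, URL; the rest is extras
    $channel = '' unless defined $channel;
    $url     = '' unless defined $url;
    my $out = store_id_for($url);
    dlog("${timenow}out: $channel $out\n");
    print "$channel $out\n";
}
close $logfh if $debug;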
- =======================================
- ||||||etc
- =======================================
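#!/usr/bin/env bash
# Post-install setup: the ssl_crtd certificate database, the bumping CA, the
# helper's permissions, the cache directory and boot-time start.  Run as root
# after "make install" above; it is safe to re-run.
set -euo pipefail

readonly SSL_DB=/var/lib/squid/ssl_db
readonly CERT_DIR=/etc/squid/ssl_cert
readonly CACHE_DIR=/cache
# Subject of the CA every bumped site will appear to be signed by.
readonly CA_SUBJECT="/C=ID/ST=Lampung/L=Kalianda/O=(C) 2015 SMK N1 CANDIPURO/OU=SMK NEGERI/CN=SMK N1 CANDIPURO/emailAddress=eko.hendratno@gmail.com"

# Certificate database used by ssl_crtd (sslcrtd_program in squid.conf).
# It is created as root and then handed to the proxy user.  The original's
# "chmod -R 777" made the minted certificates writable by every local user;
# only the proxy user needs access.  ssl_crtd -c refuses to overwrite an
# existing database, hence the guard.
mkdir -p /var/lib/squid
[[ -d "$SSL_DB" ]] || /usr/lib/squid/ssl_crtd -c -s "$SSL_DB"
chown -R proxy:proxy /var/lib/squid
chmod -R u=rwX,go= "$SSL_DB"

# CA used to sign the on-the-fly certificates.  myCA.pem holds the private
# key AND the certificate (-keyout and -out name the same file), so it must
# not be world-readable: root:proxy 640 lets the root-started daemon and the
# proxy user read it and nobody else.  myCA.der is the public certificate
# only; that is the file to distribute to the clients.  An existing CA is
# kept, because regenerating it would silently invalidate every client that
# already trusts it.
mkdir -p "$CERT_DIR"
chmod 755 "$CERT_DIR"
if [[ ! -e "$CERT_DIR/myCA.pem" ]]; then
  (
    cd "$CERT_DIR"
    umask 077
    openssl req -new -newkey rsa:2048 -days 3652 -nodes -x509 \
      -keyout myCA.pem -subj "$CA_SUBJECT" -out myCA.pem
    openssl x509 -in myCA.pem -outform DER -out myCA.der
  )
fi
chown root:proxy "$CERT_DIR/myCA.pem"
chmod 640 "$CERT_DIR/myCA.pem"
chmod 644 "$CERT_DIR/myCA.der"

# Store-id helper and its directory must be executable/searchable.
chmod +x /etc/squid/store.pl
chmod +x /etc/squid

# Disk cache (cache_dir in squid.conf).  The cache is written only by the
# proxy user, so 777 is not needed.
mkdir -p "$CACHE_DIR"
chown proxy:proxy "$CACHE_DIR"
chmod 750 "$CACHE_DIR"

# Create the cache_dir structure and enable squid at boot.
squid -f /etc/squid/squid.conf -z
update-rc.d squid defaults

# Finally, put the TPROXY rules into /etc/rc.local with an editor
# ("nano /etc/rc.local"); the script to paste follows below.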
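#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Diverts the LAN's port 80/443 traffic into Squid's TPROXY ports (3126 and
# 3130 in squid.conf) and enables forwarding.  Written to be re-runnable:
# the original aborted under -e on a second run because "ip rule add" fails
# with "File exists" once the rule is present, leaving rp_filter and
# ip_forward untouched.
set -e

# Traffic destined to the LAN itself is not proxied.  The original wrote
# 192.168.11.2/24 (host bits set); iptables masks it to the same
# 192.168.11.0/24, which is spelled out here so the intent is explicit.
LAN_NET=192.168.11.0/24

iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
# Packets that already belong to a local socket (Squid's replies) are marked
# and accepted; everything else to 80/443 is redirected to Squid.
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING ! -d "$LAN_NET" -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3126
iptables -t mangle -A PREROUTING ! -d "$LAN_NET" -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130

# Policy routing for marked packets: deliver them locally via lo.  Only add
# the rule when missing; "route replace" is idempotent by itself.
/sbin/ip rule show | grep -q 'fwmark 0x1 lookup 100' \
  || /sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route replace local 0.0.0.0/0 dev lo table 100

# TPROXY needs reverse-path filtering off on lo; forwarding on for the LAN.
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0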
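# Follow the proxy's access log with colour.  -F instead of -f keeps
# following after the log is rotated (logfile_rotate is set in squid.conf);
# -f would silently stay on the old, rotated-away file.
tail -F /tmp/access.log | ccze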