teknisiazza

Squid 3 with support for HTTPS, YouTube, FB, etc.

Oct 3rd, 2016
  1. =======================================
  2. ||||||configuration
  3. =======================================
  4. apt-get update && apt-get upgrade -y
  5.  
  6. apt-get install devscripts \
  7. build-essential \
  8. openssl libssl-dev \
  9. fakeroot \
  10. libcppunit-dev \
  11. libsasl2-dev \
  12. cdbs \
  13. ccze \
  14. libfile-readbackwards-perl \
  15. libcap2 \
  16. libcap-dev \
  17. libcap2-dev \
  18. libtool \
  19. sysv-rc-conf -y &&
  20. wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.21.tar.bz2 &&
  21. tar -xjf squid-3.5.21.tar.bz2 &&
  22. cd squid-3.5.21 &&
  23. ./configure \
  24. --prefix=/usr \
  25. --includedir=/usr/include \
  26. --infodir=/usr/share/info \
  27. --sysconfdir=/etc \
  28. --localstatedir=/var \
  29. --libexecdir=/usr/lib/squid \
  30. --srcdir=. \
  31. --datadir=/usr/share/squid \
  32. --sysconfdir=/etc/squid \
  33. --mandir=/usr/share/man \
  34. --enable-inline \
  35. --enable-async-io=24 \
  36. --enable-storeio=ufs,aufs,diskd,rock \
  37. --enable-removal-policies=lru,heap \
  38. --enable-gnuregex \
  39. --enable-delay-pools \
  40. --enable-cache-digests \
  41. --enable-underscores \
  42. --enable-icap-client \
  43. --enable-follow-x-forwarded-for \
  44. --enable-eui \
  45. --enable-esi \
  46. --enable-icmp \
  47. --enable-zph-qos \
  48. --enable-http-violations \
  49. --enable-ssl-crtd \
  50. --enable-linux-netfilter \
  51. --enable-ltdl-install \
  52. --enable-ltdl-convenience \
  53. --enable-x-accelerator-vary \
  54. --disable-maintainer-mode \
  55. --disable-dependency-tracking \
  56. --disable-silent-rules \
  57. --disable-translation \
  58. --disable-ipv6 \
  59. --disable-ident-lookups \
  60. --with-swapdir=/var/spool/squid \
  61. --with-logdir=/var/log/squid \
  62. --with-pidfile=/var/run/squid.pid \
  63. --with-aufs-threads=24 \
  64. --with-filedescriptors=65536 \
  65. --with-large-files \
  66. --with-maxfd=65536 \
  67. --with-openssl \
  68. --with-default-user=proxy \
  69. --with-included-ltdl &&
  70. make && make install
  71.  
  72. =======================================
  73. ||||||squid.conf
  74. =======================================
  75.  
  76. acl localnet src all
  77.  
  78. acl SSL_ports port 443
  79.  
  80. acl Safe_ports port 88 # http
  81. acl Safe_ports port 80 # http
  82. acl Safe_ports port 21 # ftp
  83. acl Safe_ports port 443 # https
  84. acl Safe_ports port 70 # gopher
  85. acl Safe_ports port 210 # wais
  86. acl Safe_ports port 1025-65535 # unregistered ports
  87. acl Safe_ports port 280 # http-mgmt
  88. acl Safe_ports port 488 # gss-http
  89. acl Safe_ports port 591 # filemaker
  90. acl Safe_ports port 777 # multiling http
  91. acl CONNECT method CONNECT
  92.  
  93. # TAG: QUERY
  94. # -----------------------------------------------------------------------------
  95. acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
  96. acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
  97. acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
  98. cache deny QUERY
  99.  
  100. #
  101. acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
  102. acl dontstore url_regex redbot\.org \.php
  103. acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
  104. acl dontstore url_regex \.(aspx|php)\?
  105. acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
  106. acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
  107. acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*
  108.  
  109. acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$
  110. acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
  111. acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*
  112.  
  113. request_header_access Range deny store_id_list_yt
  114. range_offset_limit 10 KB store_id_list_yt
  115.  
  116. acl loop_302 http_status 302
  117. acl getmethod method GET
  118.  
  119. #Permisision
  120.  
  121. http_access deny !Safe_ports
  122. http_access deny CONNECT !SSL_ports
  123. http_access allow localhost manager
  124. http_access deny manager
  125. http_access allow localnet
  126. http_access allow localhost
  127. http_access deny all
  128.  
  129. #SSL
  130.  
  131. always_direct allow all
  132. ssl_bump server-first all
  133. sslproxy_cert_error deny all
  134. sslproxy_flags DONT_VERIFY_PEER
  135.  
  136. sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
  137. sslcrtd_children 8 startup=1 idle=1
  138.  
  139. ###############################################################################
  140. # Squid normally listens to port 3128
  141. ###############################################################################
  142.  
  143.  
  144. http_port 3126 tproxy
  145. http_port 3127 intercept
  146. http_port 3128
  147. http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
  148. https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
  149. https_port 3131 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
  150.  
  151.  
  152.  
  153. # TAG: Store-id Program
  154. # -----------------------------------------------------------------------------
  155. store_id_program /etc/squid/store.pl
  156. store_id_children 100 startup=0 idle=1 concurrency=1000
  157.  
  158. # TAG: Store-id Access
  159. # -----------------------------------------------------------------------------
  160. store_id_access deny dontstore
  161. store_id_access deny !getmethod
  162.  
  163. store_id_extras "%{Referer}>h"
  164.  
  165. store_id_access allow store_id_list_yt
  166. store_id_access allow store_yt_id
  167. store_id_access deny all
  168. store_id_bypass on
  169.  
  170. # TAG: Youtube 302
  171. # -----------------------------------------------------------------------------
  172. store_miss deny store_id_list_yt loop_302
  173. send_hit deny store_id_list_yt loop_302
  174.  
  175. acl loop rep_mime_type -i mime-type ^text/html
  176. acl loop rep_mime_type -i mime-type ^text/plain
  177.  
  178. store_miss deny loop_302
  179. send_hit deny loop_302
  180.  
  181. store_miss deny loop
  182. send_hit deny loop
  183. #MEMORY
  184. client_dst_passthru on
  185. cache_mem 8 MB
  186. maximum_object_size_in_memory 0
  187. memory_cache_shared off
  188. memory_cache_mode disk
  189. memory_replacement_policy heap GDSF
  190. #DISK
  191. cache_replacement_policy heap LFUDA
  192. minimum_object_size 1 bytes
  193. maximum_object_size 1 GB
  194.  
  195. cache_dir aufs /cache 320000 16 256 # sesuaikan dengan drive penyimpanan cache
  196.  
  197. store_dir_select_algorithm round-robin
  198. cache_swap_low 90
  199. cache_swap_high 95
  200.  
  201.  
  202. #LOG
  203. access_log /tmp/access.log squid
  204. logfile_daemon /usr/lib/squid/log_file_daemon
  205. cache_store_log none
  206. logfile_rotate 1
  207. mime_table /etc/squid/mime.conf
  208. pid_filename /var/run/squid.pid
  209. strip_query_terms off
  210. buffered_logs off
  211.  
  212. cache_log /dev/null
  213. coredump_dir /var/spool/squid
  214.  
  215. ###############################################################################
  216. # Add any of your own refresh_pattern entries above these.
  217. ###############################################################################
  218. refresh_pattern ^ftp: 1440 20% 10080
  219. refresh_pattern ^gopher: 1440 0% 1440
  220. refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  221.  
  222. # Youtube Video
  223. refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?|\.mp4|\.webm|\.flv|((audio|video)\/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
  224. refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.* 10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
  225. refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.*$ 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
  226.  
  227. # Image Youtube
  228. refresh_pattern -i (yimg|twimg)\.com\.* 1440 100% 129600 override-expire ignore-reload reload-into-ims
  229. refresh_pattern -i (ytimg|ggpht)\.com\.* 1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims
  230.  
  231.  
  232. ###############################################################################
  233. ## ERROR PAGE OPTIONS
  234. ###############################################################################
  235. error_directory /usr/share/squid/errors/en
  236. error_log_languages off
  237.  
  238. qos_flows tos local-hit=0x30 parent-hit=0x34
  239. #zph_mode tos
  240. #zph_local 48
  241. #zph_sibling 0
  242. #zph_parent 0
  243. #zph_option 136
  244.  
  245. =======================================
  246. ||||||storeid.pl
  247. =======================================
  248. #!/usr/bin/perl
  249. #
  250. # storeid.pl with debug opt - based on storeurl.pl
  251. # @ http://www2.fh-lausitz.de/launic/comp/misc/squid/projekt_youtube/
  252. #
  253. # mods by cespun and fajar @ ipfire.id
  254. #
  255.  
  256. use IO::File;
  257. $|=1;
  258. STDOUT->autoflush(1);
  259. $debug=0; ## recommended:0
  260. $bypassallrules=0; ## recommended:0
  261. $sucks=""; ## unused
  262. $sucks="sucks" if ($debug>=1);
  263. $timenow="";
  264. $printtimenow=1; ## print timenow: 0|1
  265. my $logfile = '/tmp/storeid.log';
  266.  
  267. open my $logfh, '>>', $logfile
  268. or die "Couldn't open $logfile for appending: $!\n" if $debug;
  269. $logfh->autoflush(1) if $debug;
  270.  
  271. while (<>) {
  272. $timenow=time()." " if ($printtimenow);
  273. print $logfh "$timenow"."in : $_" if ($debug>=1);
  274. chop;
  275. my $myURL = $_;
  276. @X = split(" ",$myURL);
  277. $a = $X[0]; ## channel id
  278. $b = $X[1]; ## url
  279. $c = $X[2]; ## ip address
  280. $u = $b; ## url
  281.  
  282. if ($bypassallrules){
  283. $out="$u"; ## map 1:1
  284.  
  285. } elsif ($u=~ m/http.*\.(fbcdn|akamaihd)\.net\/h(profile|photos).*[\d\w].*\/([\w]\d+x\d+\/.*\.[\d\w]{3}).*/) {
  286. $out="OK store-id=http://fbcdn.net.squid.internal/" . $2 . "/" . $3 ;
  287. } elsif ($u=~ m/^http(.*)static(.*)(akamaihd|fbcdn).net\/rsrc.php\/(.*\/.*\/(.*).(js|css|png|gif|jpg))(\?(.*)|$)/) {
  288. $out="OK store-id=http://fbcdn.net.squid.internal/static/" . $5 . "." . $6 ;
  289. } elsif ($u =~ m/^https?:\/\/attachment\.fbsbx\.com\/.*\?(id=[0-9]*).*/) {
  290. $out="OK store-id=http://facebook.squid.internal/" . $1;
  291. } elsif ($u=~ m/^https?\:\/\/.*utm.gif.*/) {
  292. $out="OK store-id=http://google-analytics.squid.internal/__utm.gif";
  293. } elsif ($u=~ m/^http\:\/\/.*\/speedtest\/(.*\.(jpg|txt|png|swf|gif|xml|css)).*/) {
  294. $out="OK store-id=http://speedtest.squid.internal/" . $1;
  295. } elsif ($u=~ m/^https?\:\/\/.*\/(.*\..*(mp4|3gp|flv))\?.*/) {
  296. $out="OK store-id=http://video-file.squid.internal/" . $1;
  297. } elsif ($u=~ m/^https?\:\/\/c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/(.*)\?.*/) {
  298. $out="OK store-id=http://reverbnation.squid.internal/" . $1;
  299. } elsif ($u=~ m/^https?\:\/\/.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/(.*\/.*)\?.*/) {
  300. $out="OK store-id=http://playstore-android.squid.internal/" . $1;
  301.  
  302. } elsif ($_ =~ m/^https?:\/\/.*\.ytimg\.com\/(.*\.(webp|jpg|gif))/){
  303. $out="OK store-id=http://ytimg.squid.internal/" . $1;
  304. } elsif ($_ =~ m/^https?:\/\/.*\.gstatic\.com\/images\?q=tbn\:(.*)/){
  305. $out="OK store-id=http://gstatic.squid.internal/" . $1;
  306. } elsif ($_ =~ m/^https?:\/\/.*\.reverbnation\.com\/.*\/(ec_stream_song|download_song_direct|stream_song)\/([0-9]*).*/){
  307. $out="OK store-id=http://reverbnation.squid.internal/" . $1;
  308. } elsif ($_ =~ m/^https?:\/\/([^\.]*)\.yimg\.com\/(.*)/){
  309. $out="OK store-id=http://yimg.squid.internal/" . $1;
  310. } elsif ($_ =~ m/^https?:\/\/(.*?)\/speedtest\/(.*\.(jpg|txt|png|swf|gif|xml|css))\??.*$/){
  311. $out="OK store-id=http://speedtest.squid.internal/" . $1;
  312. } elsif ($_ =~ m/^https?:\/\/([a-z0-9.]*)(\.doubleclick\.net|\.quantserve\.com|.exoclick\.com|interclick.\com|\.googlesyndication\.com|\.auditude\.com|.visiblemeasures\.com|yieldmanager|cpxinteractive)(.*)/){
  313. $out="OK store-id=http://ads.squid.internal/" . $1;
  314. } elsif ($_ =~ m/^https?:\/\/(.*?)\/(ads)\?(.*?)/){
  315. $out="OK store-id=http://ads.squid.internal/" . $1;
  316.  
  317. #} elsif ($_ =~ m/^https?:\/\/.*gemscool\.com\/.*\/([0-9]+\/(.*))/) {
  318. # $out="OK store-id=http://gemscool.squid.internal/" . $1;
  319. #} elsif ($_ =~ m/^https?:\/\/.*netmarble\.co\.id\/.*\/(Patch|ModooMarble)\/(.*)/) {
  320. # $out="OK store-id=http://netmarble.squid.internal/" . $1;
  321. #} elsif ($_ =~ m/^https?:\/\/.*lytogame\.com\/.*\/([a-zA-Z]+\/(.*))/) {
  322. # $out="OK store-id=http://lytogame.squid.internal/" . $1;
  323.  
  324. } elsif ($u=~ m/^https?\:\/\/.*youtube.*ptracking.*/){
  325. @video_id = m/[&?]video_id\=([^\&\s]*)/;
  326. @cpn = m/[&?]cpn\=([^\&\s]*)/;
  327. unless (-e "/tmp/@cpn"){
  328. open FILE, ">/tmp/@cpn";
  329. print FILE "@video_id";
  330. close FILE;
  331. }
  332. $out="ERR";
  333.  
  334. } elsif ($u=~ m/^https?\:\/\/.*youtube.*stream_204.*/){
  335. @docid = m/[&?]docid\=([^\&\s]*)/;
  336. @cpn = m/[&?]cpn\=([^\&\s]*)/;
  337. unless (-e "/tmp/@cpn"){
  338. open FILE, ">/tmp/@cpn";
  339. print FILE "@docid";
  340. close FILE;
  341. }
  342. $out="ERR";
  343.  
  344. } elsif ($u=~ m/^https?\:\/\/.*youtube.*player_204.*/){
  345. @v = m/[&?]v\=([^\&\s]*)/;
  346. @cpn = m/[&?]cpn\=([^\&\s]*)/;
  347. unless (-e "/tmp/@cpn"){
  348. open FILE, ">/tmp/@cpn";
  349. print FILE "@v";
  350. close FILE;
  351. }
  352. $out="ERR";
  353.  
  354. } elsif ($u=~ m/^https?\:\/\/.*(youtube|googlevideo).*videoplayback.*/){
  355. @itag = m/[&?](itag\=[0-9]*)/;
  356. @range = m/[&?](range\=[^\&\s]*)/;
  357. @cpn = m/[&?]cpn\=([^\&\s]*)/;
  358. @mime = m/[&?](mime\=[^\&\s]*)/;
  359. @id = m/[&?]id\=([^\&\s]*)/;
  360.  
  361. if (defined(@cpn[0])){
  362. if (-e "/tmp/@cpn"){
  363. open FILE, "/tmp/@cpn";
  364. @id = <FILE>;
  365. close FILE;}
  366. }
  367. $out="OK store-id=http://video-srv.squid.internal/id=@id@mime@range";
  368.  
  369. } else {
  370. $out="ERR";
  371. }
  372. print $logfh "$timenow"."out: $a $out\n" if ($debug>=1);
  373. print "$a $out\n";
  374. }
  375. close $logfh if ($debug);
  376.  
  377.  
  378. =======================================
  379. ||||||etc
  380. =======================================
  381.  
  382. mkdir /var/lib/squid &&
  383. chown -R nobody /var/lib/squid/ &&
  384. /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db &&
  385. chown -R proxy:proxy /var/lib/squid/ssl_db/ &&
  386. chmod -R 777 /var/lib/squid/ssl_db/
  387.  
  388. mkdir /etc/squid/ssl_cert
  389. cd /etc/squid/ssl_cert
  390.  
  391. openssl req -new -newkey rsa:2048 -days 3652 -nodes -x509 -keyout myCA.pem -subj "/C=ID/ST=Lampung/L=Kalianda/O=(C) 2015 SMK N1 CANDIPURO/OU=SMK NEGERI/CN=SMK N1 CANDIPURO/emailAddress=eko.hendratno@gmail.com" -out myCA.pem &&
  392. openssl x509 -in myCA.pem -outform DER -out myCA.der &&
  393.  
  394. chmod +x /etc/squid/store.pl
  395. chmod +x /etc/squid
  396. chown proxy:proxy /cache
  397. chmod 777 /cache
  398. squid -f /etc/squid/squid.conf -z
  399.  
  400. update-rc.d squid defaults
  401.  
  402. nano /etc/rc.local
  403.  
  404. #!/bin/sh -e
  405. #
  406. # rc.local
  407. #
  408. # This script is executed at the end of each multiuser runlevel.
  409. # Make sure that the script will "exit 0" on success or any other
  410. # value on error.
  411. #
  412. # In order to enable or disable this script just change the execution
  413. # bits.
  414. #
  415. # By default this script does nothing.
  416.  
  417. iptables -t mangle -F
  418. iptables -t mangle -X
  419.  
  420. iptables -t mangle -N DIVERT
  421. iptables -t mangle -A DIVERT -j MARK --set-mark 1
  422. iptables -t mangle -A DIVERT -j ACCEPT
  423. iptables -t mangle -A INPUT -j ACCEPT
  424. iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  425. iptables -t mangle -A PREROUTING ! -d 192.168.11.2/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3126
  426. iptables -t mangle -A PREROUTING ! -d 192.168.11.2/24 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
  427.  
  428. /sbin/ip rule add fwmark 1 lookup 100
  429. /sbin/ip route add local 0.0.0.0/0 dev lo table 100
  430.  
  431. echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
  432. echo 1 > /proc/sys/net/ipv4/ip_forward
  433. exit 0
  434.  
  435.  
  436. tail -f /tmp/access.log | ccze