SQUID3-HEAD + SSL + TPROXY

Discussion about Ubuntu Server, whether web server, database server, Samba server or other services, plus networking using the Ubuntu operating system.

SQUID3-HEAD + SSL + TPROXY

Postby DhananJaya » 29 May 2013, 22:35

Good evening gentlemen and fellow comrades-in-arms (ugh, sounds like a speech ^^).
Originally this question was only going to be a PM to mas SJW, to ask his opinion on the SSL_Bump issue with this Squid3-HEAD.
But on the advice of mas SJW and also mas Pragola-Pati, I finally got up the nerve to start a new thread.
Hopefully this newbie's question can be solved collectively in this forum.

Ok, straight to the case then,
Here I have tried using squid3-HEAD. After fiddling with all sorts of positions, or more precisely
configuration modes of the squid, I think I have got a clue about its SSL_bump. But since "yours truly" is only a newbie in the Ubuntu world
and Linux in general, from using "Windows" too much, I want to ask first whether this is right or not
  • Apparently, using SSL_Bump on the https protocol really has to be done in tproxy mode? Because when I tried NAT, the client side always asked for confirmation of the "certificate" that had already been planted there. And it always failed at confirmation on sites that are very sensitive about SSL etc., such as banking sites. Even though the browser was also set so that it looks for the rightful "certificate" itself. But with tproxy, everything seems smooth, or as they say in Palembang "everything seems work perfectly" (ugh...)
    So the question is... is it really like this? That tproxy, with its fully transparent nature, can accommodate squid's SSL_Bump? Or is this only on my network
  • Now this second one is really a beginner's question. What is the actual "security" status of our network when we implement SSL_Bump on the https protocol? More specifically, just for our local network
Asking everyone for guidance and direction

regards

### Update
As a supplement, I confirm here that all the network gear is crammed into a single CPU box running Ubuntu Server 12.04 LTS 64. So 1 Ubuntu for everything

###

Postby q_p » 29 May 2013, 23:19

If I may suggest, complete it (just edit your post above) with the HowTo. That is important as a second opinion (hopefully even a reference) for FUI members who are getting ready for 3HEAD.

Postby SyaifuddinJW » 30 May 2013, 14:11

May I see your squid config??? With the caveat, of course, that anything you consider secret should be changed first :3

Postby DhananJaya » 30 May 2013, 17:08

Oops... sorry guys, only just dropped by.
Haha, nothing secret, mas, this came from here anyway.

Oh yes, for Mas Pragola, the Squid3-HEAD HowTo I took from mas ucok's google-code.
https://code.google.com/p/tempat-sampah/source/browse/

And for the squid-conf I use this, mas


Code:

## SQUID 3.HEAD
# Testing Configuration
################

###################################
# ACCESS CONTROL LIST
# source: FPUI acl r25 and KIOS, with some edits here and there
####################################
acl blocked dstdomain "/etc/squid/blocked.acl"
deny_info http://www.google.com blocked
http_access deny blocked

acl localnet src 192.168.1.0/24
acl bethadmin src 192.168.1.112 192.168.1.122

# SAFE PORTs
##################
acl SSL_ports port 443 563 873          # https snews rsync
acl Safe_ports port 80 20 21 221 70 210 1025-65535 631 10000 901 280 488 591 777 873 110 995 25 587 995 2095 2096 2082 2083 18901-18909          # default
acl purge method PURGE
acl CONNECT method CONNECT

# TIME LIMITs
##################
acl pcngroup-blok_waktu src 192.168.1.113-192.168.1.121 192.168.1.123-192.168.1.254 192.168.1.2-192.168.1.4 192.168.1.6-192.168.1.111
acl pcntime-Denied time SMTWHFA 04:00-07:00

acl getmethod method GET

http_access allow manager localhost
http_access allow manager bethadmin
http_access allow purge localhost
http_access allow localnet
http_access allow localhost
http_access deny manager
http_access deny pcngroup-blok_waktu pcntime-Denied
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow CONNECT SSL_ports
http_access deny to_localhost getmethod
http_access deny all

#end of ACL
#################

# Store_ID for squid3.HEAD aka squid 3.4 <comment out if using an earlier version>
################
#store_id_program /etc/squid3/store-id.pl
#store_id_children 20 startup=5 idle=1 concurrency=20


# PORTs
##############
https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/share/ssl-cert/myCA.pem cert=/usr/share/ssl-cert/myCA.pem connection-auth=off
http_port 3129 tproxy
http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/usr/share/ssl-cert/myCA.pem cert=/usr/share/ssl-cert/myCA.pem connection-auth=off

always_direct allow all
ssl_bump server-first all

#ssl_bump allow all
##Or may be deny all according to your company policy
##sslproxy_cert_error deny all
#acl TrustedName url_regex -i "/etc/squid3/https.conf"
#sslproxy_cert_error allow TrustedName

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /lib/squid3/ssl_crtd3 -s /var/lib/ssl_db -M 8MB
sslcrtd_children 20

#########################
# MISc
#########################
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

#########################
# TUNES 3-HEAD
#########################
strip_query_terms off
cache_mem 16 MB
maximum_object_size_in_memory 13 KB
minimum_object_size 0 KB
maximum_object_size 64 MB
cache_swap_low 98
cache_swap_high 99
ipcache_size 10240
fqdncache_size 10240
positive_dns_ttl 8 hours
negative_dns_ttl 15 seconds
ipcache_low 97
ipcache_high 98
#log_fqdn off
log_icp_queries off
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
vary_ignore_expire on
#pipeline_prefetch on
reload_into_ims on
forwarded_for off
via on
buffered_logs on
client_db on
client_persistent_connections off
server_persistent_connections off
icp_hit_stale on
query_icmp on
memory_pools off
negative_ttl 30 seconds
max_filedescriptors 65536
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
uri_whitespace strip
shutdown_lifetime 10 seconds
logfile_rotate 1
tcp_outgoing_tos 0x30 localnet

# ZPH
###########################
qos_flows tos 0x30
#qos_flows mark 0x4
qos_flows local-hit=0x30

############################
# CACHE_DIR
# Measuring your cache_dir, with this formula :
# ((( x / y ) / 256 ) / 256 ) * 2 = L1
# while  256 = L2 ( Usually used, 256. but you can change it to 512 if you like)
#       x = your current HD size for cache_dir
#          y = average object (usually 13 kb)
# L1, L2 = your directory value
########################################
cache_dir aufs /cache3 8192 20 256

################
# PATHs
################
coredump_dir /var/spool/squid3
access_log stdio:/var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none

# REFRESH PATTERN
# Dhananjaya(c)2012
#--------
# 1 year = 525600 mins, 1 month = 43200, 1 week = 10080 mins, 1 day = 1440
#--------

max_stale 3 years

#refresh_pattern .*(get_video\?|videoplayback\?|videodownload\?|\.flv?) 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
#refresh_pattern .*(get_video\?|videoplayback\?(id.*)?|videoplayback.*id|videodownload\?|\.flv?) 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
#refresh_pattern .*\.youtube\.com\/(watch\?|get_video\?|videoplayback\?(id.*)?|videoplayback.*id|videodownload\?|\.flv?).*\.(flv|swf|mp3|mp4|webm|xml|txt|js|css)(.*)? 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale

#refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?).*\.((x\-)?flv|(x\-)?swf|mp(3|4)) 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
#refresh_pattern (get_video\?|videoplayback\?(id.*)?|videoplayback.*id|videodownload\?|\.flv?).*\.((x\-)?flv|(x\-)?swf|mp(3|4)) 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale

#refresh_pattern \.(ico|video\-stats)(.*)? 129600 99% 129600 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i \.speedtest\/.*\.(jpe?g|swf|png|gif|html|txt|xml|html|css|js|php) 64800 99% 64800 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
#refresh_pattern -i \/[a-z]\.speedtest\.net\/.*\.(jpe?g|swf|bmp|png|ico|css|js|gif|php) 64800 99% 64800 ignore-must-revalidate ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale

######################
# ads and cdn for bandwidth saving
######################
refresh_pattern -i ^http\:\/\/ssl\.gstatic\.com\/.*\.(jpe?g|swf|png|gif|bmp|js|css) 11520 99% 11520 ignore-reload reload-into-ims store-stale
refresh_pattern -i \.gstatic\.com\/.*\.(gif|jpe?g|bmp|png|swf|js|css)(.*)? 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/www\.google\.co(\.id|m)\/images\/.*\.(jpe?g|swf|png|gif|bmp|js|css) 11520 99% 525600 ignore-reload ignore-private reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/www\.google\.co(\.id|m)\/.*\.(jpe?g|swf|png|gif|bmp|js|css|html|gzip|zip|rar|tar|nar) 11520 99% 11520 ignore-reload ignore-private reload-into-ims store-stale
refresh_pattern -i .*(\.doubleclick\.net|\.quantserve\.com|\.googlesyndication\.com|yieldmanager|cpxinteractive).*\.(jpe?g|swf|bmp|png|ico|css|js|gif) 64800 99% 64800 ignore-must-revalidate ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/cdn(.*)?\.fastclick\.net\/.*\.(gif|jpe?g|bmp|png|swf|js|css)(.*)? 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale

######################
# popular Indonesian sites
######################
# kapanlagi
refresh_pattern -i ^http\:\/\/[a-z]\.kapanlaginetwork\.com\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js)(.*)? 64800 99% 64800 ignore-reload reload-into-ims override-expire override-lastmod store-stale
refresh_pattern -i http\:\/\/www\.kapanlagi\.com\/ 0 0% 0

# okezone
refresh_pattern -i http\:\/\/cdn\.okeinfo\.net\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js)(.*)? 64800 99% 64800 ignore-reload reload-into-ims store-stale
refresh_pattern -i http\:\/\/img\.okeinfo\.net\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js)(.*)? 64800 99% 64800 ignore-reload reload-into-ims store-stale
refresh_pattern -i http\:\/\/cdn\.okezone\.tv\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js)(.*)? 64800 99% 64800 ignore-reload reload-into-ims store-stale
refresh_pattern -i \.okezone\.com\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js)(.*)? 64800 99% 64800 ignore-reload reload-into-ims store-stale 
refresh_pattern -i ^http\:\/\/www\.okezone\.com\/ 0 0% 0

# kompas
refresh_pattern -i ^http\:\/\/stat\.k\.kidsklik\.com\/.*\.(gif|jpe?g|png|swf|js|css|ico|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/img\.ads\.kompas\.com\/.*\.(gif|jpe?g|png|swf|js|css|ico|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/ads.*\.kompasads\.com\/.*\.(gif|jpe?g|png|swf|js|css|ico|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/assets\.kompas\.com\/.*\.(gif|jpe?g|png|swf|js|css|ico|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/tv\.kompas\.com\/.*\.(gif|jpe?g|png|swf|js|css|ico|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/www\.kompas\.com\/ 0 0% 0

# detik
refresh_pattern -i ^http\:\/\/www\.detik\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/detik\.net\.id\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/images\.detik\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/openx\.detik\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i \.detik\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/www\.mytrans\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 43200 99% 43200 ignore-no-store ignore-must-revalidate ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/[a-z][a-z]{0,1}\.serving\-sys\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 43200 99% 43200 ignore-no-store ignore-must-revalidate ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/adsbox\.detik\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/pagead[1-9]\.googlesyndication\.com\/.*\.(gif|jpe?g|ico|png|swf|js|css|bmp) 1440 99% 1440 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/www\.detik\.com\/ 0 0% 0

# 4Shared
refresh_pattern -i ^http\:\/\/static\.4shared\.com\/.*\.(jpe?g|swf|png|ico|css|js|gif|wmv|avi|mp3|mp4|3gp|flv) 43200 99% 43200 ignore-reload reload-into-ims ignore-must-revalidate store-stale
refresh_pattern -i ^http\:\/\/www\.4shared\.com\/ 0 0% 0

# Bhinneka
refresh_pattern -i ^http\:\/\/www\.bhinneka\.com\/.*\.(jpe?g|png|bmp|ico|gif|swf|js|css) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/s[1-9]\.bmdstatic\.com\/.*\.(jpe?g|bmp|ico|gif|png|css|js|swf) 43200 99% 43200 ignore-no-store ignore-private ignore-reload override-expire override-lastmod reload-into-ims store-stale


######################
# MANGA and korean sites
######################
refresh_pattern -i ^http\:\/\/www\.epdrama\.com\/.*\.(gif|jpe?g|png|swf|js|css|bmp) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i (.*)?animeshippunden\.com\/.*\.(png|jpe?g|bmp|gif|txt|js|css) 43200 99% 129600 ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i (.*)?mangacanblog\.com\/.*\.(png|jpe?g|bmp|gif|txt|js|css) 43200 99% 129600 ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/i.*\.photobucket\.com\/.*\.(gif|bmp|jpe?g|png|swf|js|css) 43200 99% 43200 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i http\:\/\/i[1-9]\.ytimg\.com\/.*\.(png|jpe?g|bmp|giff?|swf|js|css) 43200 99% 129600 ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/\w{1}\.ytimg\.com\/.*\.(png|jpe?g|bmp|giff?|swf|js|css) 43200 99% 129600 ignore-private override-expire override-lastmod reload-into-ims store-stale
refresh_pattern -i ^http\:\/\/klimg\.com\/.*\.(jpe?g|swf|png|bmp|ico|gif|txt|css|js) 64800 99% 64800 ignore-reload reload-into-ims store-stale

######################
# All Files
######################
refresh_pattern -i \.(exe|bin|(n|t)ar|acv|(r|j)ar|t?gz|(g|b)z(ip)?2?|7?z(ip)?|patch|diff|vpu|inc|r(a|p)m|kom|iso|sys|dat|msi|cab|dvr-ms|ace|asx|qt|xt)$ 43200 99% 43200 ignore-no-store ignore-must-revalidate override-lastmod reload-into-ims store-stale
refresh_pattern -i \.(ico(.*)?|pn[pg]|css|(g|t)iff?|jpe?g(2|3|4)?|psd|c(d|b)r|cad|bmp)$ 43200 99% 43200 ignore-no-store ignore-must-revalidate override-lastmod reload-into-ims store-stale
refresh_pattern -i \.(webm|(x-)?swf|mp(eg)?(3|4)|mpe?g(av)?|(x-)?f(l|4)v|divx?|rmvb?|mov|trp|ts|avi|wmv|wmp|m4v|mkv|asf|dv|vob|3gp?2?)$ 43200 99% 43200 ignore-no-store ignore-must-revalidate override-lastmod reload-into-ims store-stale
refresh_pattern -i \.(m4a|aa?c3?|wm?av?|og(x|v|a|g)|ape|mka|au|aiff|flac|m4(b|r)|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|on2)$ 43200 99% 43200 ignore-no-store ignore-must-revalidate override-lastmod reload-into-ims store-stale
refresh_pattern -i \.(docx?|xlsx?|pptx?|rtf|pdf|tiff?|txt)$ 43200 99% 43200 ignore-no-store ignore-must-revalidate override-lastmod reload-into-ims store-stale
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(css|js)$ 1440 40% 43200
refresh_pattern -i \.htm$ 720 40% 1440
refresh_pattern -i \.html$ 720 40% 1440

# DONT MODIFY THESE LINES
refresh_pattern ^ftp:               1440   20%     10080
refresh_pattern ^gopher:            1440   0%      1440
refresh_pattern -i (/cgi-bin/|\?)    0        0%      0
refresh_pattern .                  0      20%     4320

# END OF REFRESH PATTERN
######################

# DNS
############
dns_nameservers 127.0.0.1
hosts_file /etc/hosts

# Administrative
############
cache_effective_user proxy
cache_effective_group proxy
cache_mgr Dhananjaya
cachemgr_passwd none all
visible_hostname Dhananjaya

### end of config




#Update>>>>>
Oh yes, I built squid with this configure line, mas (used on an AMD X2 240 proc.)

CHOST="x86_64-pc-linux-gnu" CFLAGS="-march=amdfam10 -O2 -pipe" CXXFLAGS="${CFLAGS}" ./configure --prefix=/usr --program-suffix=3 --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/squid3 --srcdir=. --with-filedescriptors=65536 --enable-ssl --enable-ssl-crtd --disable-auth --enable-delay-pools --enable-async-io=24 --with-aufs-threads=24 --with-pthreads --enable-gnuregex --with-large-files --enable-ltdl-convenience --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --build=x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man --with-cppunit-basedir=/usr --enable-inline --enable-cache-digests --enable-underscores --enable-referer-log --enable-icap-client --enable-follow-x-forwarded-for --enable-arp-acl --enable-esi --enable-zph-qos --enable-wccpv2 --disable-translation --with-logdir=/var/log/squid3 --with-pidfile=/var/run/squid3.pid --with-default-user=proxy --enable-linux-netfilter build_alias=x86_64-linux-gnu

###
Refresh_Pattern ended up as an attachment, haha. How do I make it like mas Pragola's... the kind that can be expanded, mas :hajarpc:
Last edited by DhananJaya on 27 Feb 2016, 22:06, edited 1 time in total.
Reason: you mean a spoiler?
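On the second question of the opening post (what the network's security status is once SSL_Bump is in place): the posted squid.conf pairs `sslproxy_cert_error allow all` with `sslproxy_flags DONT_VERIFY_PEER`, which means the proxy re-signs any origin certificate with the local CA, valid or not, and the client never sees the error. This added example (not from the thread or from the Squid project) is a small audit of those directives; the sample configs are constructed from the lines in this thread, and the hardened variant's `nobump` ACL file is hypothetical.

```python
from typing import List, Tuple

# Constructed sample: the ssl-bump related lines from the squid.conf posted in this thread.
SAMPLE_CONF = """
# PORTs
https_port 3127 tproxy ssl-bump generate-host-certificates=on key=/usr/share/ssl-cert/myCA.pem cert=/usr/share/ssl-cert/myCA.pem
http_port 3129 tproxy
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed, hypothetical hardened variant: exempt a list of sites from bumping and let
# certificate errors fail closed, so a bad origin certificate is not silently re-signed.
HARDENED_CONF = """
https_port 3127 tproxy ssl-bump generate-host-certificates=on key=/usr/share/ssl-cert/myCA.pem cert=/usr/share/ssl-cert/myCA.pem
acl nobump dstdomain "/etc/squid3/nobump.acl"   # hypothetical list: banks etc.
ssl_bump none nobump
ssl_bump server-first all
sslproxy_cert_error deny all
"""

Finding = Tuple[str, str]  # (severity, message)


def parse(conf: str) -> List[Tuple[str, List[str]]]:
    """Split squid.conf text into (directive, args) pairs; blank lines and # comments are dropped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def audit(conf: str) -> List[Finding]:
    """Report settings that weaken what clients behind a bumping proxy can still trust."""
    directives = parse(conf)
    findings: List[Finding] = []
    bumping = any(d in ("http_port", "https_port") and "ssl-bump" in a for d, a in directives)
    if not bumping:
        return findings  # nothing is decrypted, so the directives below are inert
    exempt = any(d == "ssl_bump" and a[:1] == ["none"] for d, a in directives)
    for d, a in directives:
        if d == "sslproxy_flags" and "DONT_VERIFY_PEER" in a:
            findings.append(("HIGH", "sslproxy_flags DONT_VERIFY_PEER: Squid does not validate origin "
                             "certificates at all, so a forged upstream is re-signed by our CA and "
                             "presented to clients as valid."))
        elif d == "sslproxy_cert_error" and a[:2] == ["allow", "all"]:
            findings.append(("HIGH", "sslproxy_cert_error allow all: expired, mismatched or untrusted "
                             "origin certificates are hidden from the client instead of failing."))
        elif d == "ssl_bump" and a[:1] in (["server-first"], ["client-first"]) \
                and a[-1:] == ["all"] and not exempt:
            findings.append(("MEDIUM", "ssl_bump %s all with no 'ssl_bump none <acl>' rule: every site "
                             "is decrypted, including ones that pin certificates and will break." % a[0]))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONF):
        print(f"[{sev}] {msg}")
```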

Postby q_p » 30 May 2013, 17:48

To use the tproxy feature, squid 3-HEAD no longer needs patching with balabit, right?

Postby DhananJaya » 30 May 2013, 17:57

Seems not, mas. Because that squid, once the build was finished, was run straight away with tproxy, and it worked.

Postby GongLang » 30 May 2013, 19:12

Wow ...
so we can start venturing into Squid Head 3 now :D

Thanks for the info, bro ...

Keep Alive this Thread ...

Gonna try it out first aGh ... :p

When I first learned, I actually went straight to squid3. Because I was confused, all the refresh patterns were hard to get running, so I ended up learning from the basics first. Squid head 2

Great info, bro ...

Oh yeah ... this newbie wants to ask first, can squid3 cache https ???
If so, it would be great if https could be cached, to save bandwidth. Since the average Facebook user already uses SECURE BROWSING (HTTPS). It's a headache when people are playing games. Especially heavy games that drain bandwidth. One of them being Facebook's "Empires and Allies"

CMIIW

________________________________________

After looking at the contents of the squid3 conf ...
Can it cache YouTube ???
Because I don't see any storeurl at work there ...
or my eyes are going blind

CMIIW

Postby DhananJaya » 30 May 2013, 19:52

@Mas Gonglang
In theory it can, and that's in the context of facebook and other social networks.
But the question now is whether our approach is actually right :confused:. Because I have run into a case where suddenly the facebook layout went all haywire, haha. And some very sensitive sites, banking for example, sometimes won't open at all, as if they refuse to accept our certificate. Especially after reading the WARNING from squid itself about the security issue, it makes you wonder again.

Decrypting HTTPS tunnels constitutes a man-in-the-middle attack from the overall network security point of view. Attack tools are an equivalent of an atomic bomb in real world: Make sure you understand what you are doing and that your decision makers have enough information to make wise choices

that's why I'm waiting for enlightenment from the elders here, mas.
Hopefully useful for everyone


###
About caching youtube, that was only for testing SSL Bump, mas. Because yesterday the reason I tried 3-Head was exactly the same as mas Gonglang's reason: Facebook and friends. For caching youtube I think I can still rely on Lusca_HEAD. Using the tips and tricks from FUI as well, from Mas Pragola's thread
Attachment: SSL_Bump.jpg

Postby q_p » 30 May 2013, 20:01

DhananJaya wrote:Seems not, mas. Because that squid, once the build was finished, was run straight away with tproxy, and it worked.

http://wiki.squid-cache.org/Features/Tp ... figuration
http://www.cyberciti.biz/files/linux-ke ... tproxy.txt
http://www.balabit.com/downloads/files/ ... README.txt

Postby DhananJaya » 30 May 2013, 20:13

Oh... For the kernel, maybe yes, mas Pragola. Because here I'm experimenting with a custom kernel so I can use reiser4 for squid's cache_dir (love its compression feature, hehe). And as it happens I was also idly patching xtables-addons-2.2 at the time. Maybe that's it

CMIIW

Postby GongLang » 30 May 2013, 20:17

DhananJaya wrote:###
About caching youtube, that was only for testing SSL Bump, mas. Because yesterday the reason I tried 3-Head was exactly the same as mas Gonglang's reason: Facebook and friends. For caching youtube I think I can still rely on Lusca_HEAD. Using the tips and tricks from FUI as well, from Mas Pragola's thread


Huh ???
so 1 CPU 2 Proxies or ...
2 CPUs 2 Proxies ???

Confused x_X


_____________________

Or playing with IP Tables rules ???

3127 <<< HTTPS
3128 <<< HTTP ???

CMIIW

Postby DhananJaya » 30 May 2013, 20:39

GongLang wrote:
DhananJaya wrote:###
About caching youtube, that was only for testing SSL Bump, mas. Because yesterday the reason I tried 3-Head was exactly the same as mas Gonglang's reason: Facebook and friends. For caching youtube I think I can still rely on Lusca_HEAD. Using the tips and tricks from FUI as well, from Mas Pragola's thread


Huh ???
so 1 CPU 2 Proxies or ...
2 CPUs 2 Proxies ???

Confused x_X


_____________________

Or playing with IP Tables rules ???

3127 <<< HTTPS
3128 <<< HTTP ???

CMIIW


:D No, mas, haven't gone that extreme yet. It happens there is one unused computer here for experiments, so that's what the trials are done on. The production squid still runs LUSCA.
But if https does end up running smoothly, I think the second option is worth studying too, mas (playing with the iptables) :blush:

Postby SyaifuddinJW » 30 May 2013, 21:01

@pragola, it already works for tproxy without having to patch

@dananjaya, may I see the iptables related to the HTTPS?? Did you follow the tutorial from intercept??

Postby DhananJaya » 30 May 2013, 21:11

SyaifuddinJW wrote:@pragola, it already works for tproxy without having to patch

@dananjaya, may I see the iptables related to the HTTPS?? Did you follow the tutorial from intercept??


@Mas SJW
Using mas SJW's tutorial from tempat-sampah, just tweaked a bit, "not knowing whether it's right or not"

Code:

# kernel modules for TPROXY, socket matching and NAT
modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_tproxy_core
modprobe xt_mark
modprobe nf_nat
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe nf_defrag_ipv4
modprobe ipt_REDIRECT
modprobe iptable_nat

# SSL BUmps or LB_Proxy
# DIVERT: packets that already belong to a local transparent socket get mark 1,
# so the ip rule below delivers them locally instead of forwarding them
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

# traffic addressed to the proxy box itself is left alone
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3127 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3129 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3130 -j ACCEPT
# everything else on 80/443 is diverted to squid's tproxy ports
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

# marked packets are routed to the local stack via policy routing table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# reverse-path filtering on lo would drop the spoofed-source packets; enable forwarding
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Please advise, mas

Postby SyaifuddinJW » 30 May 2013, 21:15

that's tproxy, what I asked about is the intercept. You said that with intercept the https wasn't as smooth as with tproxy

Postby DhananJaya » 30 May 2013, 21:34

ooh...
the NAT one, mas

Code:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3129
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
# HTTPS Test
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

Postby GongLang » 30 May 2013, 23:38

DhananJaya wrote:@Mas SJW
Using mas SJW's tutorial from tempat-sampah, just tweaked a bit, "not knowing whether it's right or not"

modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_tproxy_core
modprobe xt_mark
modprobe nf_nat
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe nf_defrag_ipv4
modprobe ipt_REDIRECT
modprobe iptable_nat

# SSL BUmps or LB_Proxy
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3127 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3129 -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.1.1/32 -p tcp --dport 3130 -j ACCEPT
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Please advise, mas


Where should the above be saved ???
or is it just run ???




DhananJaya wrote:ooh...
the NAT one, mas
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3129
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
# HTTPS Test
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127



So this is the IPTABLES rule for the NAT (Masquerade) of the client-to-Proxy and Proxy-to-Client system, right

CMIIW

Postby sipelaut » 31 May 2013, 07:04

I still don't get the "head" suffix at the end
I'm a squid 3.0 user, the original/default one from ubuntu 10.04.4 LTS
give me an explanation before I move on to the next question.. I have lots to ask
thanks in advance

Postby q_p » 31 May 2013, 12:50

@sipelaut
I'm a squid 3.0 user, the original/default one from Ubuntu 10.04.4 LTS
You mean Ubuntu 12.04 LTS :)
For squid-HEAD, I'll just quote from the official site.
Meant for Squid users who are already familiar with Squid. You should expect to find numerous bugs and problems. We do not recommend running a development release on your production cache. If you have any problems with a development release please write to our squid-bugs@squid-cache.org or squid-dev@squid-cache.org lists. DO NOT write to squid-users with code-related problems. (Refer to Development Versions)

@DhananJaya
Useful link =
http://wiki.squid-cache.org/ConfigExamples/Intercept

Postby DhananJaya » 31 May 2013, 14:06

@SiPelaut
As in the quote cited by mas Pragola above, or maybe in simpler terms (this is just my own take, meant to make this squid version easier to understand)
HEAD at the end of squid refers to the raw version of squid's own roadmap, before the STABLE version finally comes out. For example, with squid2: when squid launched the squid2 roadmap,
they announced the features that would eventually become flagship features, like storeurl_rewriter and whatever else. But those features were still not perfect even though they were already implemented and usable in the raw/early (HEAD) version.
It's this imperfection of the features (bugs) that keeps getting fixed until they are finally really implemented in the STABLE version.
During that bug-fixing process, squid keeps releasing other sub-versions that are refinements of the HEAD version, except for certain features they consider not really ready yet (storeurl_rewriter). For example squid-2.1, 2.2 and so on
Likewise with this squid3, which will probably become STABLE at squid-3.4

CMIIW

@bang Gonglang
yes bro, that's the proxy-client NAT-ing process.


@ masPragola
thanks for the link, mas. Only just realized (even though I've seen that text many times while running squid-3.HEAD debugging). After looking into it last night, oh yes..
Intercept and transparent proxy are one and the same. Transparent proxy is an intercept method too. Same with SSL_Bump, that's also one of the intercept methods.
"Interception Caching goes under many names - Interception Caching, Transparent Proxying, URL rewriting, SSL-Bump and Cache Redirection" -http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

But overall, inspired by mas SJW's question above (in which I sensed a hidden message: intercept can also do SSL_Bump ^^ thanks mas ucok)
last night I dug around while looking for information on Google, and finally concluded that NAT or TPROXY, both can be used with SSL_Bump.
Using the intercept mode above, and then also trying a simpler and more global NAT-ing method

Code:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.1:3129
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to 192.168.1.1:3127
the result runs smoothly.
Maybe in the beginning when I tried it the configuration/system or whatever was a mess. Because that's an experimental computer, I just freely ripped out and reinstalled squid and compiled all kinds of things there, so the result went haywire.

now maybe only the question about our security issue remains. Hopefully mas SJW and mas pragola can still give some pointers

### Addendum
Oh yes I forgot, mas, last night when trying this I happened to also have webhtb installed on that computer. Turns out webhtb showed up in the squid's access log :hajarpc:.
and so a new question came up: can these https HITs still be unlimited like the standard http protocol via webhtb??? Because last night I deliberately separated the qos tos and made a new mangle, and magically .... it refused to show up :crazy:
even though via tcpdump that tos value was flowing.
hopefully this problem can be solved through this thread too
Attachment: HTTPS_31Mei_Success2.jpg
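The thread tries the same `tproxy` ports first with the TPROXY mangle rules and then with plain DNAT. Squid documents a fixed pairing: TPROXY-diverted traffic goes to a port declared `tproxy`, NAT-redirected traffic (REDIRECT or DNAT) to a port declared `intercept`. This added example (not from the thread or from the Squid project) reads the `http_port`/`https_port` modes from the squid.conf posted earlier and the steering rules from both the TPROXY set and the NAT test above, and flags any rule whose target port is not in the mode that method requires; all sample inputs are constructed from lines in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the listening ports from the squid.conf posted earlier in this thread.
SQUID_CONF = """
https_port 3127 tproxy ssl-bump generate-host-certificates=on key=/usr/share/ssl-cert/myCA.pem cert=/usr/share/ssl-cert/myCA.pem
http_port 3129 tproxy
http_port 3130 ssl-bump generate-host-certificates=on
"""

# Constructed sample: the TPROXY ruleset from the thread (only the lines that steer traffic).
TPROXY_RULES = """
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.1.1/32 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
"""

# Constructed sample: the "simpler and more global" NAT test from the last post.
NAT_RULES = """
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.1:3129
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to 192.168.1.1:3127
"""

PORT_RE = re.compile(r"^(https?_port)\s+(?:\S*:)?(\d+)\b(.*)$")
TPROXY_RE = re.compile(r"-t\s+mangle\b.*--dport\s+(\d+)\b.*-j\s+TPROXY\b.*--on-port\s+(\d+)")
REDIRECT_RE = re.compile(r"-t\s+nat\b.*--dport\s+(\d+)\b.*-j\s+REDIRECT\b.*--to-ports?\s+(\d+)")
DNAT_RE = re.compile(r"-t\s+nat\b.*--dport\s+(\d+)\b.*-j\s+DNAT\b.*--to(?:-destination)?\s+\S+:(\d+)")

# Squid's documented pairing: TPROXY-diverted traffic needs a 'tproxy' port,
# NAT-redirected traffic (REDIRECT/DNAT) needs an 'intercept' port.
EXPECTED_MODE = {"tproxy": "tproxy", "nat": "intercept"}


def squid_port_modes(conf: str) -> Dict[int, str]:
    """Map each http_port/https_port to 'tproxy', 'intercept' or 'forward' (plain proxy port)."""
    modes: Dict[int, str] = {}
    for raw in conf.splitlines():
        m = PORT_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        port, opts = int(m.group(2)), m.group(3).split()
        if "tproxy" in opts:
            modes[port] = "tproxy"
        elif "intercept" in opts or "transparent" in opts:  # 'transparent' is the old spelling
            modes[port] = "intercept"
        else:
            modes[port] = "forward"
    return modes


def redirections(rules: str) -> List[Tuple[int, int, str]]:
    """Return (client_dport, squid_port, method) for each rule that steers traffic into Squid."""
    found = []
    for line in rules.splitlines():
        for rx, method in ((TPROXY_RE, "tproxy"), (REDIRECT_RE, "nat"), (DNAT_RE, "nat")):
            m = rx.search(line)
            if m:
                found.append((int(m.group(1)), int(m.group(2)), method))
                break
    return found


def check(conf: str, rules: str) -> List[str]:
    """One message per steering rule whose target port is not in the mode that method requires."""
    modes = squid_port_modes(conf)
    problems = []
    for dport, sport, method in redirections(rules):
        mode = modes.get(sport)
        want = EXPECTED_MODE[method]
        if mode is None:
            problems.append(f"dport {dport} -> {sport}: Squid has no listener on port {sport}")
        elif mode != want:
            problems.append(f"dport {dport} -> {sport}: {method} rule but the port is '{mode}', "
                            f"Squid expects '{want}'")
    return problems


if __name__ == "__main__":
    for name, rules in (("TPROXY rules", TPROXY_RULES), ("NAT rules", NAT_RULES)):
        print(name, check(SQUID_CONF, rules) or ["ok"])
```

Run against the thread's own lines, the TPROXY set passes cleanly while the NAT test sends 80 and 443 to ports declared `tproxy`, which is the mismatch worth reviewing before comparing the two setups.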
