SQUID3-HEAD + SSL + TPROXY

Discussion about Ubuntu Server, whether web server, database server, samba server or other services, and networking using the Ubuntu operating system.
q_p

Re: SQUID3-HEAD + SSL + TPROXY

Post 06 Jun 2014, 14:33

TIPS
Yes, it's much better, especially squid 3.4.5 :) For the Diladele case, so that it is not too aggressive and runs smoothly on start/restart:
  1. On the Policies tab, use only "Policies Default".
  2. On the Settings tab, do not use any of the "Adblock" options; they are too aggressive, and the Default policy already has an Adblock category.
  3. Preferably use the latest version; for an amd64 machine that is qlproxy-3.3.0.746A_amd64.deb.
  4. Use the certificate we generated when installing squid.
  5. Rename /etc/init.d/squid and /usr/sbin/squid to "squid3", and adjust the path and name inside that /etc/init.d/squid file as well, because diladele/qlproxy uses the "squid3" naming.
  6. Before that, when compiling squid3, apply the gadgets patch. You can download the patch here (https://raw.github.com/ra-at-diladele-c ... s.cc.patch) or copy the one below

    Code:

    --- gadgets.cc  2013-07-13 09:25:14.000000000 -0400
    +++ gadgets.cc.new  2013-11-26 03:25:25.461794704 -0500
    @@ -257,7 +257,7 @@
     mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert)
     {
         static int extensions[]= {
    -        NID_key_usage,
    +        //NID_key_usage,
             NID_ext_key_usage,
             NID_basic_constraints,
             0
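Review bot: the `-        NID_key_usage,` / `+        //NID_key_usage,` change in the `extensions[]` table leaves a commented-out entry with no explanation of why Key Usage is no longer mimicked from the origin certificate; either delete the entry outright or add a one-line comment stating the reason (the generated certificate's key is used differently from the origin's), so a future reader does not simply re-enable it.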
  7. To keep the certificates fresh whenever "squid3.x and qlproxy" start/restart, you can use this script

    Code:

    #!/bin/sh
    ## SQUID3.x refresh ssl_db ##
    ssl_db=/var/squid/ssl_db
    # restart the content filter first, then rebuild the dynamic certificate database
    service qlproxy restart
    rm -r "$ssl_db"
    mkdir -p "$ssl_db" && chown -R nobody "$ssl_db"
    /usr/lib/squid/ssl_crtd -c -s "$ssl_db/certs"
    # hand the database to the user squid runs as (cache_effective_user proxy)
    chown -R proxy. "$ssl_db"
    squid3 -k reconfigure
  8. Also use the one below to generate a new certificate:

    Code:

    #!/bin/bash
    # generate cert.der on squid3.x
    #
    domain=myCA
    commonname=www.warnet-ersa.net
    country=ID
    state="Jawa Tengah"
    locality=Pati
    organization=WarnetersaA
    organizationalunit="Kopi Paid"
    email=ngadimin@warnet-ersa.net
    ssl_db=/var/squid/ssl_db

    echo "GENERATE myCA"
    mkdir -p /etc/squid/ssl_cert
    # self-signed CA: private key and certificate go into the same PEM file that squid's cert= option points at
    openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout "/etc/squid/ssl_cert/$domain.pem" -out "/etc/squid/ssl_cert/$domain.pem" \
        -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
    # the PEM holds the CA private key: squid reads it as root at startup, nobody else needs it
    chmod 600 "/etc/squid/ssl_cert/$domain.pem"
    # DER copy of the public certificate for importing into client browsers
    openssl x509 -in "/etc/squid/ssl_cert/$domain.pem" -outform DER -out "/etc/squid/ssl_cert/$domain.der"
    # (re)initialise the dynamic certificate database and hand it to the squid user
    mkdir -p "$ssl_db" && chown -R nobody "$ssl_db"
    /usr/lib/squid/ssl_crtd -c -s "$ssl_db/certs"
    chown -R proxy. "$ssl_db"
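The CA generated by the script above is trusted by every client browser, so its key size and lifetime matter more than for an ordinary server certificate. The following is an added example, not code from the thread: a small set of checks that read the CA PEM with openssl and flag a key below 2048 bits, a certificate that expires within 30 days, and a missing CA:TRUE basic constraint. The thresholds, the `gen_test_ca` fixture helper and the file paths are assumptions; only the openssl calls are standard.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the SSL-bump CA that
# the generate-cert script above creates. Thresholds are assumptions.
set -u

MIN_KEY_BITS=2048      # assumption: policy minimum for a CA signing key
MIN_DAYS_LEFT=30       # assumption: warn when the CA expires within 30 days

# Print the RSA modulus size of the certificate in FILE (e.g. "2048").
ca_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate in FILE is still valid DAYS (default MIN_DAYS_LEFT) from now.
ca_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-$MIN_DAYS_LEFT} * 86400 )) >/dev/null 2>&1
}

# Return 0 if FILE carries basicConstraints CA:TRUE; browsers need that flag
# before they accept the mimicked server certificates it signs.
ca_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Run all checks on FILE, one finding per line; exit 0 only when every check passes.
check_ca_cert() {
    f=$1; rc=0
    bits=$(ca_key_bits "$f")
    if [ -z "$bits" ]; then
        echo "FAIL: cannot parse $f"
        return 2
    fi
    if [ "$bits" -lt "$MIN_KEY_BITS" ]; then
        echo "FAIL: key is ${bits}-bit (< $MIN_KEY_BITS)"; rc=1
    else
        echo "ok: key is ${bits}-bit"
    fi
    if ca_not_expiring "$f"; then
        echo "ok: valid for more than $MIN_DAYS_LEFT days"
    else
        echo "FAIL: expires within $MIN_DAYS_LEFT days"; rc=1
    fi
    if ca_is_ca "$f"; then
        echo "ok: basicConstraints CA:TRUE"
    else
        echo "WARN: no CA:TRUE basic constraint"
    fi
    return $rc
}

# Constructed test fixture: a throwaway self-signed CA with the given key size
# and lifetime, written to DIR/ca.pem (cert) and DIR/ca.key (private key).
gen_test_ca() {
    dir=$1; bits=$2; days=$3
    openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=test-ca" >/dev/null 2>&1
}

# Usage against the thread's path: check_ca_cert /etc/squid/ssl_cert/myCA.pem
```

Run against the thread's own script output (`check_ca_cert /etc/squid/ssl_cert/myCA.pem`) it reports the 1024-bit key as a failure; the checks are read-only, so they can be run from cron to catch the CA expiring before clients start seeing warnings.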


DhananJaya

Post 09 Jun 2014, 19:47

wow..thanks a lot, mas Pragola, for the tips and tricks. They will be very useful for all the friends here.

best regards


q_p

Post 10 Jun 2014, 01:31

DhananJaya wrote:wow..thanks a lot, mas Pragola, for the tips and tricks. They will be very useful for all the friends here.

best regards
Yes, you're welcome. Unfortunately Diladele is not free; we only get a free trial until November this year. Since HTTP/S filtering needs to be done at the local network level so that it can be customised (with Nawala DNS we cannot customise), I now use another alternative, "filtering by DNS" using PowerDNS (pdns-server and pdns-recursor) and MySQL, and I have dropped DILADELE.
  1. This is the result when we ping tube8.com from a client PC
    Image: http://s20.postimg.org/4zdbcwfot/untitled.png
  2. And this is the "error message" delivered to the client PC for accessing a site whose domain we block:
    Image: http://s20.postimg.org/nsz49wdwt/untitled1.png


nunuu

Post 13 Jun 2014, 10:58

Excuse me, mas,
Why does an error like this come out?

Image: http://i61.tinypic.com/2m3p5w6.jpg

edit: the image is too small >.<
here is the error message:

Code:

clientNegotiateSSL: Error negotiating SSL connection on FD 10:\
 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
Ubuntu server 12.04
Squid 3 v 3.4.2

Thanks in advance, mas..


yohanexz

Post 02 Jul 2014, 10:49

Om, I want to ask about this.
Does the certificate have to be imported into the browser, and do the proxy IP and the HTTP and HTTPS ports need to be set? I'm still confused.


thank you very much, om


q_p

Post 02 Jul 2014, 21:35

@nunuu
Try rebuilding the SSL certificate as described above (on this page)
@yohanexz
Importing the certificate into every browser is still required. Since the context of this thread is "tproxy or intercept", setting the proxy IP in every browser is no longer needed.


para_rosez

Post 07 Sep 2014, 18:06

bro, please help, I'm stuck and it still won't work,.?
forgive me, a total newbie,..
here is the result of squid -k parse,..
squid -z is already OK
squid -Nd1 is also OK
squid start is also OK
But why, when I tail -f /var/log/squid/access.log | ccze, does only HTTP show up while HTTPS won't show up,.??
Mozilla proxy setting 192.168.12.12:3128
even though I already imported the certificate into the browser too,.??
please help, bro,

2014/09/07 17:40:43| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2014/09/07 17:40:43| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2014/09/07 17:40:43| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2014/09/07 17:40:43| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2014/09/07 17:40:43| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2014/09/07 17:40:43| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2014/09/07 17:40:43| Processing: acl SSL_ports port 443
2014/09/07 17:40:43| Processing: acl Safe_ports port 80 # http
2014/09/07 17:40:43| Processing: acl Safe_ports port 21 # ftp
2014/09/07 17:40:43| Processing: acl Safe_ports port 443 # https
2014/09/07 17:40:43| Processing: acl Safe_ports port 70 # gopher
2014/09/07 17:40:43| Processing: acl Safe_ports port 210 # wais
2014/09/07 17:40:43| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2014/09/07 17:40:43| Processing: acl Safe_ports port 280 # http-mgmt
2014/09/07 17:40:43| Processing: acl Safe_ports port 488 # gss-http
2014/09/07 17:40:43| Processing: acl Safe_ports port 591 # filemaker
2014/09/07 17:40:43| Processing: acl Safe_ports port 777 # multiling http
2014/09/07 17:40:43| Processing: acl CONNECT method CONNECT
2014/09/07 17:40:43| Processing: acl QUERY urlpath_regex -i (begin|start)\=
2014/09/07 17:40:43| Processing: acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
2014/09/07 17:40:43| Processing: acl dontrewrite url_regex -i c\.youtube\.com\/.*(begin|start)\=.*
2014/09/07 17:40:43| Processing: acl dontrewrite url_regex redbot\.org
2014/09/07 17:40:43| Processing: acl getmethod method GET
2014/09/07 17:40:43| Processing: acl redir urlpath_regex -i &redirect_counter=1&cms_redirect=yes
2014/09/07 17:40:43| Processing: acl redir urlpath_regex -i &ir=1&rr=12
2014/09/07 17:40:43| Processing: acl yutub url_regex -i youtube\.com\/(generate_204|ptracking|stream_204|player_204|s|(.*(playback|watchtime|delayplay)))\?.*$
2014/09/07 17:40:43| Processing: acl yutub url_regex -i gstatic\.com\/csi\?.*$
2014/09/07 17:40:43| Processing: acl rewritedoms url_regex -i dl\.sourceforge\.net.*
2014/09/07 17:40:43| Processing: acl rewritedoms url_regex -i i[0-9]*\.ytimg\.com.*
2014/09/07 17:40:43| Processing: acl rewritedoms url_regex -i ak\.fbcdn\.net.*
2014/09/07 17:40:43| Processing: acl rewritedoms url_regex -i (youtube|google).*\/videoplayback\?.*
2014/09/07 17:40:43| Processing: http_access deny !Safe_ports
2014/09/07 17:40:43| Processing: http_access deny CONNECT !SSL_ports
2014/09/07 17:40:43| Processing: http_access allow localhost manager
2014/09/07 17:40:43| Processing: http_access deny manager
2014/09/07 17:40:43| Processing: http_access allow localnet
2014/09/07 17:40:43| Processing: http_access allow localhost
2014/09/07 17:40:43| Processing: http_access deny all
2014/09/07 17:40:43| Processing: http_port 192.168.12.12:3127 intercept
2014/09/07 17:40:43| Starting Authentication on port 192.168.12.12:3127
2014/09/07 17:40:43| Disabling Authentication on port 192.168.12.12:3127 (interception enabled)
2014/09/07 17:40:43| Processing: https_port 192.168.12.12:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
2014/09/07 17:40:43| Starting Authentication on port 192.168.12.12:3129
2014/09/07 17:40:43| Disabling Authentication on port 192.168.12.12:3129 (interception enabled)
2014/09/07 17:40:43| Processing: http_port 192.168.12.12:3128
2014/09/07 17:40:43| Processing: always_direct allow all
2014/09/07 17:40:43| Processing: ssl_bump server-first all
2014/09/07 17:40:43| Processing: sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/squid/ssl_db -M 4MB
2014/09/07 17:40:43| Processing: sslcrtd_children 5
2014/09/07 17:40:43| Processing: sslproxy_cert_error deny all
2014/09/07 17:40:43| Processing: hierarchy_stoplist cgi-bin ?
2014/09/07 17:40:43| Processing: cache allow rewritedoms
2014/09/07 17:40:43| Processing: cache deny QUERY
2014/09/07 17:40:43| Processing: cache deny redir
2014/09/07 17:40:43| Processing: memory_replacement_policy heap GDSF
2014/09/07 17:40:43| Processing: cache_replacement_policy heap LFUDA
2014/09/07 17:40:43| Processing: cache_mem 128 MB
2014/09/07 17:40:43| Processing: maximum_object_size_in_memory 8 KB
2014/09/07 17:40:43| Processing: minimum_object_size 1 KB
2014/09/07 17:40:43| Processing: maximum_object_size 1024 MB
2014/09/07 17:40:43| Processing: cache_swap_low 95
2014/09/07 17:40:43| Processing: cache_swap_high 99
2014/09/07 17:40:43| Processing: cache_dir aufs /cache 55000 16 256 max-size=128000
2014/09/07 17:40:43| Processing: coredump_dir /var/spool/squid
2014/09/07 17:40:43| Processing: access_log /var/log/squid/access.log
2014/09/07 17:40:43| Processing: cache_log /var/log/squid/cache.log
2014/09/07 17:40:43| Processing: cache_store_log none
2014/09/07 17:40:43| Processing: logfile_rotate 5
2014/09/07 17:40:43| Processing: log_icp_queries off
2014/09/07 17:40:43| Processing: store_id_program /etc/squid/store-id.pl
2014/09/07 17:40:43| Processing: store_id_children 20 startup=10 idle=5 concurrency=30
2014/09/07 17:40:43| Processing: store_id_access deny !getmethod
2014/09/07 17:40:43| Processing: store_id_access deny redir
2014/09/07 17:40:43| Processing: store_id_access deny dontrewrite
2014/09/07 17:40:43| Processing: store_id_access allow rewritedoms
2014/09/07 17:40:43| Processing: store_id_access deny all
2014/09/07 17:40:43| Processing: strip_query_terms off
2014/09/07 17:40:43| Processing: max_stale 1 week
2014/09/07 17:40:43| Processing: refresh_pattern .*(begin|start)\=[1-9][0-9].* 0 0% 0
2014/09/07 17:40:43| Processing: refresh_pattern -i (cgi-bin|mrtg|graph) 0 0% 0
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(php|lst|ui|ini|list)$ 0 0% 0
2014/09/07 17:40:43| Processing: refresh_pattern (update.ini|Update.ini|version.list|Version.list|update.1st|update.exe|autoup.exe) 0 0% 0
2014/09/07 17:40:43| Processing: refresh_pattern (hackshield|nprotect) 240 100% 420 override-expire override-lastmod reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(html|htm|css|js|png|jsp|asx|asp|aspx)$ 240 100% 420
2014/09/07 17:40:43| Processing: refresh_pattern -i \/speedtest\/.*\.(txt|jpg|png|swf) 0 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern .pixieimage\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern .blogspot\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern .multiply\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern .((pikawarnet\.com)|(blogspot\.com)|(pixieimage\.com)|(multiply\.com)).* 60 30% 240
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(sc-|dl-|ex-|mh-|dll|da-) 0 2% 50 reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(mst|Xtp|iop)$ 0 50% 1440 reload-into-ims
2014/09/07 17:40:43| Processing: refresh_pattern -i (index.php|autoup.exe|main.exe|xtrap.xt|autoupgrade.exe|update.exe|grandchase.exe|FSLauncher.exe|FreeStyle_Setup.exe|grandchase.exe|filelist.zip)$ 0 50% 1440
2014/09/07 17:40:43| Processing: refresh_pattern -i (wks_avira-win32-en-pecl.info.gz|wks_avira10-win32-en-pecl.info.gz|servers.def.vpx)$ 0 50% 1440
2014/09/07 17:40:43| Processing: refresh_pattern -i (setup.exe.gz|avscan.exe.gz|avguard.exe.gz|filelist.zip|AvaClient.exe) 0 50% 1440
2014/09/07 17:40:43| Processing: refresh_pattern -i (livescore.com|goal.com|bobet) 0 50% 60
2014/09/07 17:40:43| Processing: refresh_pattern \.facebook\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern \.facebook\.com.* 240 50% 480
2014/09/07 17:40:43| Processing: refresh_pattern \.fbcdn\.net.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private store-stale
2014/09/07 17:40:43| Processing: refresh_pattern \.gstatic\.com/images\? 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private ignore-must-revalidate
2014/09/07 17:40:43| Processing: refresh_pattern \.(akamaihd|edgecastcdn|spilcdn|zgncdn|(tw|y|yt)img)\.com.*\.(jp(e?g|e|2)|gif|png|swf|mp(3|4)) 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern (gstatic|diggstatic)\.com/.* 1440 99% 14400 override-expire ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern (photobucket|pbsrc|flickr|yimg|ytimg|twimg|gravatar)\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern (zynga|ninjasaga|mafiawars|cityville|farmville|crowdstar|spilcdn|agame|popcap)\.com/.* 1440 99% 14400 override-expire ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern ^http:\/\/images|image|img|pics|openx|thumbs[0-9]\. 1440 99% 14400 override-expire ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern ^.*safebrowsing.*google 1440 99% 14400 override-expire ignore-reload ignore-private ignore-auth ignore-must-revalidate
2014/09/07 17:40:43| Processing: refresh_pattern ^http://.*\.squid\.internal\/.* 10080 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth max-stale=10000 store-stale
2014/09/07 17:40:43| Processing: refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv\?|\.fid\?) 43200 99% 43200 override-expire ignore-reload ignore-must-revalidate ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern \.(ico|video-stats) 1440 99% 14400 override-expire ignore-reload ignore-private ignore-auth override-lastmod ignore-must-revalidate
2014/09/07 17:40:43| Processing: refresh_pattern ^http://((cbk|mt|khm|mlt|tbn)[0-9]?)\.google\.co(m|\.uk|\.id) 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private ignore-auth ignore-must-revalidate
2014/09/07 17:40:43| Processing: refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 1440 99% 14400 override-expire override-lastmod
2014/09/07 17:40:43| Processing: refresh_pattern galleries\.video(\?|sz) 1440 99% 14400 override-expire ignore-reload ignore-must-revalidate ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern \.wikimapia\.org\/? 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(7z|arj|bin|bz2|cab|dll|exe|gz|inc|iso|jar|lha|ms(i|p|u)|rar|rpm|tar|tgz|zip|rtp|rpz|nui|kom|stg|pak|sup|nzp|npz|iop)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(class|doc|docx|pdf|pps|ppt|ppsx|pptx|ps|rtx|txt|wpl|xls|xlsx)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
2014/09/07 17:40:43| Processing: refresh_pattern -i \.(3gp|ac4|agx|au|avi|axd|bmp|cbr|cbt|cbz|dat|divx|flv|gif|hqx|ico|jp(2|e|eg|g)|mid|mk(a|v)|mov|mp(1|2|3|4|e|eg|g)|og(a|g|v)|qt|ra|ram|rm|swf|tif|tiff|wa(v|x)|wm(a|v|x)|x-flv)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
2014/09/07 17:40:43| Processing: refresh_pattern -i .(html|htm|css|js)$ 1440 75% 40320
2014/09/07 17:40:43| Processing: refresh_pattern -i .index.(html|htm)$ 0 75% 10080
2014/09/07 17:40:43| Processing: refresh_pattern ^ftp: 1440 20% 10080
2014/09/07 17:40:43| Processing: refresh_pattern ^gopher: 1440 0% 1440
2014/09/07 17:40:43| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2014/09/07 17:40:43| Processing: refresh_pattern . 60 50% 14400 store-stale
2014/09/07 17:40:43| Processing: memory_pools off
2014/09/07 17:40:43| Processing: client_db off
2014/09/07 17:40:43| Processing: pipeline_prefetch 100
2014/09/07 17:40:43| Processing: offline_mode off
2014/09/07 17:40:43| Processing: cache_effective_user proxy
2014/09/07 17:40:43| Processing: cache_effective_group proxy
2014/09/07 17:40:43| Processing: request_header_access From deny all
2014/09/07 17:40:43| Processing: request_header_access Server deny all
2014/09/07 17:40:43| Processing: request_header_access WWW-Authenticate deny all
2014/09/07 17:40:43| Processing: request_header_access Link deny all
2014/09/07 17:40:43| Processing: request_header_access Cache-Control deny all
2014/09/07 17:40:43| Processing: request_header_access Proxy-Connection deny all
2014/09/07 17:40:43| Processing: request_header_access X-Cache deny all
2014/09/07 17:40:43| Processing: request_header_access X-Cache-Lookup deny all
2014/09/07 17:40:43| Processing: request_header_access Via deny all
2014/09/07 17:40:43| Processing: request_header_access Forwarded-For deny all
2014/09/07 17:40:43| Processing: request_header_access X-Forwarded-For deny all
2014/09/07 17:40:43| Processing: request_header_access Pragma deny all
2014/09/07 17:40:43| Processing: request_header_access Keep-Alive deny all
2014/09/07 17:40:43| Processing: vary_ignore_expire on
2014/09/07 17:40:43| Processing: qos_flows local-hit=0x30
2014/09/07 17:40:43| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'ignore-no-store' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'ignore-must-revalidate' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'ignore-private' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| WARNING: use of 'ignore-auth' in 'refresh_pattern' violates HTTP
2014/09/07 17:40:43| Initializing https proxy context
2014/09/07 17:40:43| Initializing https_port 192.168.12.12:3129 SSL context
2014/09/07 17:40:43| Using certificate in /etc/squid/ssl_cert/myCA.pem


f26net

Post 12 Sep 2014, 22:37

Sorry, om
Looking at that squid.conf, how many cache partitions are there, and what is the capacity of each?
Please enlighten me
Forgive me, a total newbiiiiiie


Bandi_Shippuden

Post 20 Sep 2014, 20:20

[ INFO ]
squidGuard can now be activated on squid 3.4.7
using this patch ...
http://bugs.squid-cache.org/show_bug.cgi?id=3978

I've tried it and it runs normally for now, don't know about later :v


q_p

Post 21 Sep 2014, 02:50

@Bandi_Shippuden
Thanks for the info, very helpful. Can it be used for HTTPS filtering, mas?


sipelaut

Post 21 Sep 2014, 07:47

just a suggestion, may I :wow:

if I may suggest, make a separate tutorial and then sticky it like this one,
so it's easier to find for total newbies like me.. :grin: :grin: :grin: :grin:
sorry, just a suggestion


Bandi_Shippuden

Post 22 Sep 2014, 04:39

q_p wrote:@Bandi_Shippuden
Thanks for the info, very helpful. Can it be used for HTTPS filtering, mas?
yes, mas, here is an example of the log ...
Image: http://i.imgur.com/uSw3wLQ.png


sipelaut

Post 23 Sep 2014, 16:07

where is the squid file at /etc/init.d/squid..
I searched and it isn't there


sr_aja

Post 24 Sep 2014, 04:23

@q_p;
can our proxy cache be copied to another machine, I wonder...
if I'm not mistaken, mas, you once posted about not deleting the cache too readily, because the cache the server has collected is precious.


LuckyDaf

Post 20 Oct 2014, 23:27

is it possible for the certificate to be installed into the browser automatically? because it's not feasible to tell hotspot users to install the certificate first before browsing, om... hhehehe.. thanks for your help..


adriano

Post 21 Oct 2014, 13:56

LuckyDaf wrote:is it possible for the certificate to be installed into the browser automatically? because it's not feasible to tell hotspot users to install the certificate first before browsing, om... hhehehe.. thanks for your help..
maybe with a paid certificate it can be done, om,,,,
but yeah.... the price is also quite expensive.... :)


otonk

Post 04 Nov 2014, 21:28

Bandi_Shippuden wrote:[ INFO ]
squidGuard can now be activated on squid 3.4.7
using this patch ...
http://bugs.squid-cache.org/show_bug.cgi?id=3978

I've tried it and it runs normally for now, don't know about later :v
bro, is there a tutorial for patching squidguard for squid3, thanks before


otonk

Post 04 Nov 2014, 21:50

q_p wrote:
DhananJaya wrote:wow..thanks a lot, mas Pragola, for the tips and tricks. They will be very useful for all the friends here.

best regards
Yes, you're welcome. Unfortunately Diladele is not free; we only get a free trial until November this year. Since HTTP/S filtering needs to be done at the local network level so that it can be customised (with Nawala DNS we cannot customise), I now use another alternative, "filtering by DNS" using PowerDNS (pdns-server and pdns-recursor) and MySQL, and I have dropped DILADELE.
  1. This is the result when we ping tube8.com from a client PC
    Image: http://s20.postimg.org/4zdbcwfot/untitled.png
  2. And this is the "error message" delivered to the client PC for accessing a site whose domain we block:
    Image: http://s20.postimg.org/nsz49wdwt/untitled1.png
I'm interested in this "filtering by DNS" tutorial; do you happen to have one, bro? I'd like to try it too....


dermovel

Post 14 Nov 2014, 17:20

para_rosez wrote:bro, please help, I'm stuck and it still won't work,.?
forgive me, a total newbie,..
here is the result of squid -k parse,..
squid -z is already OK
squid -Nd1 is also OK
squid start is also OK
But why, when I tail -f /var/log/squid/access.log | ccze, does only HTTP show up while HTTPS won't show up,.??
Mozilla proxy setting 192.168.12.12:3128
even though I already imported the certificate into the browser too,.??
please help, bro,
same fate here..... haven't found the answer until now... :(


adriano

Post 15 Nov 2014, 14:06

dermovel wrote:
para_rosez wrote:bro, please help, I'm stuck and it still won't work,.?
forgive me, a total newbie,..
here is the result of squid -k parse,..
squid -z is already OK
squid -Nd1 is also OK
squid start is also OK
But why, when I tail -f /var/log/squid/access.log | ccze, does only HTTP show up while HTTPS won't show up,.??
Mozilla proxy setting 192.168.12.12:3128
even though I already imported the certificate into the browser too,.??
please help, bro,
same fate here..... haven't found the answer until now... :(
so what exactly is the problem, om ..???


dermovel

Post 16 Nov 2014, 23:07

adriano wrote:
dermovel wrote:
para_rosez wrote:bro, please help, I'm stuck and it still won't work,.?
forgive me, a total newbie,..
here is the result of squid -k parse,..
squid -z is already OK
squid -Nd1 is also OK
squid start is also OK
But why, when I tail -f /var/log/squid/access.log | ccze, does only HTTP show up while HTTPS won't show up,.??
Mozilla proxy setting 192.168.12.12:3128
even though I already imported the certificate into the browser too,.??
please help, bro,
same fate here..... haven't found the answer until now... :(
so what exactly is the problem, om ..???
the problem is that with http on the standard port it runs smoothly, but youtube cannot be cached [I use the squid conf and store id from page 5]; but when I add
===========================================
http_port 172.16.197.1:3127 intercept
https_port 172.16.197.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 127.0.0.1:3128
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_error deny all
===================================
it refuses the connection instead, for both http and https

I use mozilla redirected to the ports and haven't tried the tproxy yet..
can anyone help??? :(


adriano

Post 17 Nov 2014, 01:14

for youtube, just try adding/editing with the word "googlevideo"

for the problem of adding the intercept rule (squid v2.xx = transparent),
check and re-check your iptables rules, and make sure the browser (Mozilla) option is not using a proxy; just set it to "no proxy".
btw, does this go through a MikroTik first, om ..???


dermovel

Post 17 Nov 2014, 09:57

adriano wrote:for youtube, just try adding/editing with the word "googlevideo"

for the problem of adding the intercept rule (squid v2.xx = transparent),
check and re-check your iptables rules, and make sure the browser (Mozilla) option is not using a proxy; just set it to "no proxy".
btw, does this go through a MikroTik first, om ..???
What do you mean, add "googlevideo" where, in the store id or in the squid conf?

For the rule, I have tried both intercept and tproxy, still connection refused

For now I'm not using MikroTik yet and still use the network option in Firefox; once it works, then I'll use MikroTik

Please give me a guide for the iptables hehehehe
Because with http_port 3128 without iptables (etc/rc.local) and without the ssl bump rule in squid.conf it already works

Does anyone know why the ssl bump rule in squid conf uses 3 ports


adriano

Post 18 Nov 2014, 14:27

dermovel wrote:
adriano wrote:for youtube, just try adding/editing with the word "googlevideo"

for the problem of adding the intercept rule (squid v2.xx = transparent),
check and re-check your iptables rules, and make sure the browser (Mozilla) option is not using a proxy; just set it to "no proxy".
btw, does this go through a MikroTik first, om ..???
What do you mean, add "googlevideo" where, in the store id or in the squid conf?

For the rule, I have tried both intercept and tproxy, still connection refused

For now I'm not using MikroTik yet and still use the network option in Firefox; once it works, then I'll use MikroTik

Please give me a guide for the iptables hehehehe
Because with http_port 3128 without iptables (etc/rc.local) and without the ssl bump rule in squid.conf it already works

Does anyone know why the ssl bump rule in squid conf uses 3 ports
try adding/editing in storeid and squid.conf => (youtube|googlevideo)

Code:

http_port 172.16.197.1:3127 intercept
https_port 172.16.197.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 127.0.0.1:3128
port 3127 and port 3129 are the ports that will actually be used to intercept HTTP and HTTPS traffic from the clients

whereas in your config => http_port 127.0.0.1:3128, port 3128 is actually the HTTP port the proxy itself uses to communicate with the client, for instance to deliver error messages from the proxy to the client
suggestion:
in the client's browser options, fill in the ports as http=3127 and ssl=3129.

if you want it fully transparent (without setting ports in the browser), you must add rules to your iptables so that HTTP port 80 traffic and HTTPS port 443 traffic are automatically diverted by the proxy to port 3127 and port 3129
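The iptables rules for the fully transparent setup just described, as an added example that is not part of this post or of any Squid documentation. An `intercept` port only accepts traffic the kernel has redirected to it; a browser that is pointed at it as an explicit proxy sends a plaintext CONNECT to the TLS port, which is exactly the `https proxy request` error quoted earlier in this thread, so clients stay on "no proxy" and the NAT rules do the diverting. The interface name and client subnet are assumptions; the 3127/3129 ports follow the thread's `http_port`/`https_port ... intercept` lines (REDIRECT, not the TPROXY target, which needs a different rule set).

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables NAT rules that divert LAN clients' port 80/443 traffic to Squid's
# "intercept" ports. LAN_IF and LAN_NET are assumptions; the 3127/3129 ports
# are the ones used in the thread's squid.conf.
set -u

LAN_IF=eth1                 # assumption: interface the clients sit behind
LAN_NET=192.168.12.0/24     # assumption: client subnet (the thread's proxy is 192.168.12.12)
HTTP_INTERCEPT=3127
HTTPS_INTERCEPT=3129

# Print the rule set for IFACE SUBNET HTTP_PORT HTTPS_PORT, one command per line.
# Only packets arriving on IFACE from SUBNET are redirected. The proxy's own
# outbound fetches are locally generated and never traverse PREROUTING, so they
# cannot loop back into the intercept ports. The trailing INPUT DROP keeps the
# intercept ports unreachable from anywhere else (nothing should talk to them
# directly, which is also what produces the "https proxy request" error).
intercept_rules() {
    ifc=$1; net=$2; hp=$3; sp=$4
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ifc -s $net -p tcp --dport 80 -j REDIRECT --to-ports $hp" \
      "iptables -t nat -A PREROUTING -i $ifc -s $net -p tcp --dport 443 -j REDIRECT --to-ports $sp" \
      "iptables -A INPUT -i $ifc -s $net -p tcp -m multiport --dports $hp,$sp -j ACCEPT" \
      "iptables -A INPUT -p tcp -m multiport --dports $hp,$sp -j DROP"
}

# Self-check helper: how many generated rules redirect to PORT (arguments as above, then PORT).
redirects_to() {
    intercept_rules "$1" "$2" "$3" "$4" | grep -c -- "--to-ports $5\$"
}

# Apply the rules with the defaults above. Refuses to run when not root and
# prints the rules instead, so a dry run on a workstation is harmless.
apply_intercept_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing rules only" >&2
        intercept_rules "$LAN_IF" "$LAN_NET" "$HTTP_INTERCEPT" "$HTTPS_INTERCEPT"
        return 1
    fi
    intercept_rules "$LAN_IF" "$LAN_NET" "$HTTP_INTERCEPT" "$HTTPS_INTERCEPT" | sh -e
}
```

To persist the rules, put the generated commands in /etc/rc.local (where dermovel keeps his) or an iptables-restore file; the explicit `http_port 127.0.0.1:3128` stays for Squid's own error pages and is not touched by these rules.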


dermovel

Post 19 Nov 2014, 16:49

try adding/editing in storeid and squid.conf => (youtube|googlevideo)
you mean add it on these lines??
squid.conf
acl QUERY urlpath_regex -i (begin|start)\=
acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl dontrewrite url_regex -i c\.youtube\.com\/.*(begin|start)\=.*
acl dontrewrite url_regex redbot\.org
acl getmethod method GET
acl redir urlpath_regex -i &redirect_counter=1&cms_redirect=yes
acl redir urlpath_regex -i &ir=1&rr=12
acl yutub url_regex -i youtube\.com\/(generate_204|ptracking|stream_204|player_204|s|(.*(playback|watchtime|delayplay)))\?.*$
acl yutub url_regex -i gstatic\.com\/csi\?.*$

acl rewritedoms url_regex -i dl\.sourceforge\.net.*
acl rewritedoms url_regex -i i[0-9]*\.ytimg\.com.*
acl rewritedoms url_regex -i ak\.fbcdn\.net.*
acl rewritedoms url_regex -i (youtube|googlevideo).*\/videoplayback\?.*
store-id.pl
#!/usr/bin/perl
# store-id.pl fragment as posted; the read loop, the variable reset and the
# final print were outside the quoted part and are added here so it runs.
$| = 1;

while (<STDIN>) {
    chomp;
    $x   = (split)[0];          # first field of a helper request is the URL
    $out = $x;                  # default: store-ID equals the original URL
    @cpn = @itag = @ids = @mime = @range = ();

    if ($x =~ m/^http(|s)\:\/\/.*youtube.*(ptracking|stream_204|player_204|gen_204).*(video_id|docid|v)\=([^\&\s]*).*/) {
        $vid = $4;
        @cpn = m/[&?]cpn\=([^\&\s]*)/;
        # cpn comes straight from the client's URL; only a safe token may become a file name
        @cpn = () unless defined $cpn[0] && $cpn[0] =~ /^[\w-]+$/;
        $fn  = "/var/log/squid/@cpn";
        unless (-e $fn) {
            open FH, ">" . $fn;
            print FH "$vid\n";
            close FH;
        }
        $out = $x;
    } elsif ($x =~ m/^http\:\/\/.*(youtube|googlevideo).*videoplayback.*/) {
        @itag = m/[&?](itag=[0-9]*)/;
        @ids  = m/[&?]id\=([^\&\s]*)/;
        @mime = m/[&?](mime\=[^\&\s]*)/;
        @cpn  = m/[&?]cpn\=([^\&\s]*)/;
        @cpn  = () unless defined $cpn[0] && $cpn[0] =~ /^[\w-]+$/;
        if (defined($cpn[0])) {
            $fn = "/var/log/squid/@cpn";
            if (-e $fn) {
                open FH, "<" . $fn;     # the post's 'open FH,";' lost this line to the forum markup
                $id = <FH>;
                chomp $id;
                close FH;
            } else {
                $id = $ids[0];
            }
        } else {
            $id = $ids[0];
        }
        @range = m/[&?](range=[^\&\s]*)/;
        $out = "http://video-srv.youtube.com.SQUIDINTERNAL/id=" . $id . "&@itag@range@mime";
    }
    print "$out\n";
}
I've tried that too, still can't get a HIT on youtube....

and for my squid that hung yesterday, it turned out the problem was at
The ssl_crtd helpers are crashing too rapidly, need help!

the solution was to upgrade to squid 3.4.9; the problem is solved for the HTTP cache (firefox redirected to 3128 and ssl redirected to 3129)
but the HTTPS one hangs and there's a problem at
kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

need help... :(
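The two cache.log messages in this post (and nunuu's identical `https proxy request` error earlier in the thread) are the usual signatures of a mis-wired SSL-bump setup, so they are worth counting rather than eyeballing. The following is an added example, not from the thread: a classifier over Squid cache.log lines with a constructed sample log modelled on the lines quoted here. The category names and the explanations are mine; the OpenSSL error strings are real.

```shell
#!/bin/sh
# Added example, not from the thread: classify Squid cache.log lines so the
# failures reported in this thread can be counted from a log file.
set -u

# Map one cache.log line to a category name. The most specific pattern comes
# first because the "https proxy request" line also contains the generic
# "Error negotiating SSL connection" text.
classify_line() {
    case "$1" in
        *"https proxy request"*)               echo plaintext_connect_on_https_port ;;
        *"Error negotiating SSL connection"*)  echo tls_handshake_failure ;;
        *"ssl_crtd helpers are crashing"*)     echo ssl_crtd_crash ;;
        *"violates HTTP"*)                     echo refresh_pattern_http_violation ;;
        *)                                     echo other ;;
    esac
}

# What each category means for the operator (defender's reading of the thread).
explain_category() {
    case "$1" in
        plaintext_connect_on_https_port)
            echo "a client sent a plaintext HTTP CONNECT to the https_port: a browser is using an intercept port as an explicit proxy; set the browser to 'no proxy' and divert 443 with iptables, or give explicit clients a non-intercept port" ;;
        tls_handshake_failure)
            echo "TLS handshake failed; an 'unknown ca' alert means the client does not trust the proxy CA certificate" ;;
        ssl_crtd_crash)
            echo "certificate helper cannot start; usually a missing, corrupted or wrongly-owned ssl_db (re-initialise with ssl_crtd -c and chown to the cache_effective_user)" ;;
        refresh_pattern_http_violation)
            echo "informational: refresh_pattern overrides cache headers the origin set" ;;
        *)  echo "no triage rule" ;;
    esac
}

# Print "count category" for every category present in FILE, most frequent first.
triage_cache_log() {
    while IFS= read -r line || [ -n "$line" ]; do
        classify_line "$line"
    done < "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of lines in FILE that fall into CATEGORY (0 if none).
count_category() {
    n=$(triage_cache_log "$1" | awk -v c="$2" '$2 == c {print $1}')
    echo "${n:-0}"
}

# Constructed sample, modelled on the lines quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
2014/11/19 16:00:01 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2014/11/19 16:00:02 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 18: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2014/11/19 16:00:03 kid1| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2014/11/19 16:00:04 kid1| The ssl_crtd helpers are crashing too rapidly, need help!
2014/11/19 16:00:05 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2014/11/19 16:00:06 kid1| Starting Squid Cache version 3.4.9 for x86_64-pc-linux-gnu...
EOF
}

# Usage on a live proxy: triage_cache_log /var/log/squid/cache.log
```

On the sample the plaintext-CONNECT category wins with two hits, which matches this post's setup (Firefox "ssl" proxy pointed at the intercept port 3129); the `unknown ca` line is what a client that has not imported myCA.der produces.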


adriano

Post 20 Nov 2014, 01:13

dermovel wrote:
try adding/editing in storeid and squid.conf => (youtube|googlevideo)
you mean add it on these lines??
squid.conf
acl QUERY urlpath_regex -i (begin|start)\=
acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl dontrewrite url_regex -i c\.youtube\.com\/.*(begin|start)\=.*
acl dontrewrite url_regex redbot\.org
acl getmethod method GET
acl redir urlpath_regex -i &redirect_counter=1&cms_redirect=yes
acl redir urlpath_regex -i &ir=1&rr=12
acl yutub url_regex -i youtube\.com\/(generate_204|ptracking|stream_204|player_204|s|(.*(playback|watchtime|delayplay)))\?.*$
acl yutub url_regex -i gstatic\.com\/csi\?.*$

acl rewritedoms url_regex -i dl\.sourceforge\.net.*
acl rewritedoms url_regex -i i[0-9]*\.ytimg\.com.*
acl rewritedoms url_regex -i ak\.fbcdn\.net.*
acl rewritedoms url_regex -i (youtube|googlevideo).*\/videoplayback\?.*
store-id.pl
if ($x =~ m/^http(|s)\:\/\/.*youtube.*(ptracking|stream_204|player_204|gen_204).*(video_id|docid|v)\=([^\&\s]*).*/){
$vid = $4 ;
@cpn = m/[&?]cpn\=([^\&\s]*)/;
$fn = "/var/log/squid/@cpn";
unless (-e $fn) {
open FH,">".$fn ;
print FH "$vid\n";
close FH;
}
$out = $x . "\n";

} elsif ($x =~ m/^http\:\/\/.*(youtube|googlevideo).*videoplayback.*/){
@itag = m/[&?](itag=[0-9]*)/;
@ids = m/[&?]id\=([^\&\s]*)/;
@mime = m/[&?](mime\=[^\&\s]*)/;
@cpn = m/[&?]cpn\=([^\&\s]*)/;
if (defined($cpn[0])) {
$fn = "/var/log/squid/@cpn";
if (-e $fn) {
open FH,";
chomp $id ;
close FH ;
} else {
$id = $ids[0] ;
}
} else {
$id = $ids[0] ;
}
@range = m/[&?](range=[^\&\s]*)/;
$out = "http://video-srv.youtube.com.SQUIDINTERNAL/id=" . $id . "&@itag@range@mime";
sudah saya coba juga ttp belon bisa hit si yutub....

dan untuk squid sy yang ngadat kemarin ternyata ada masalah di
The ssl_crtd helpers are crashing too rapidly, need help!

solusinya upgrade ke squid 3.4.9 masalah selesai untuk cache HTTP nya (firefox redirect ke 3128 dan ssl redirect ke 3129)
tapi yang HTTPS ngadat dan ada masalah di
kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

need help... :(
For YouTube, make sure it's accessed over http, bro. HTTPS isn't working yet, right ... :)
also make sure YouTube's auto resolution is turned off first.
For this error "The ssl_crtd helpers are crashing too rapidly, need help!"
try re-initialising the ssl db

Code:

/etc/init.d/squid3 stop
rm -rf /etc/squid3/ssl_db
/usr/lib/squid3/ssl_crtd -c -s /etc/squid3/ssl_db
chown -R proxy:proxy /etc/squid3/ssl_db
/etc/init.d/squid3 restart
*) adjust the squid directory to yours
check cache.log to see whether the error is still there or not ..


dermovel

Post 21 Nov 2014, 12:06

kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Only this error is left...... Still struggling and haven't found it yet


happiers07

Post 24 Nov 2014, 08:04

why is IDM getting limited to 3 connections? but if I pause and then resume/start again it goes back to 8 connections

where might the mistake be?
the squid conf looks like this

Code:

cache_mgr proxy
visible_hostname proxy

cache_mem 8 MB
cache_swap_low 98
cache_swap_high 99

maximum_object_size 1024 MB
maximum_object_size_in_memory 32 KB

ipcache_size 2048
ipcache_low 98
ipcache_high 99

memory_pools off
reload_into_ims on
vary_ignore_expire on

#adjust to the size of your cache disk
#====================================
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

cache_dir aufs /c1 25000 58 256
cache_dir aufs /c2 25000 58 256
cache_dir aufs /c3 25000 58 256

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

acl all src
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl reverbnation url_regex -i reverbnation.*(audio_player|ec_stream_song).*$
acl reverbnation url_regex -i \.c\.(reverbnation|c2lo)\.com\/(get_audio|audioplayback|audioplay).*$

acl youtube url_regex -i youtube.*(ptracking|stream_204|player_204|gen_204).*$
acl youtube url_regex -i (youtube|google).*\/videoplayback\?.*

acl dontrewrite url_regex redbot\.org
acl getmethod method GET

always_direct allow all
ssl_bump server-first all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all

http_port 3128 intercept
https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl_cert/tukang-comot-indonesia.com.private cert=/etc/squid/ssl_cert/tukang-comot-indonesia.com.cert

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db/certs/ -M 4MB
sslcrtd_children 32 startup=30 idle=1

ssl_unclean_shutdown on
sslproxy_version 1
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER 

acl QUERY urlpath_regex -i (begin|start)\=
acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl dontrewrite url_regex -i c\.youtube\.com\/.*(begin|start)\=.*
acl dontrewrite url_regex redbot\.org
acl getmethod method GET
acl redir urlpath_regex -i &redirect_counter=1&cms_redirect=yes
acl redir urlpath_regex -i &ir=1&rr=12
acl yutub url_regex -i youtube\.com\/(generate_204|ptracking|stream_204|player_204|s|(.*(playback|watchtime|delayplay)))\?.*$
acl yutub url_regex -i gstatic\.com\/csi\?.*$

acl rewritedoms url_regex -i dl\.sourceforge\.net.*
acl rewritedoms url_regex -i i[0-9]*\.ytimg\.com.*
acl rewritedoms url_regex -i ak\.fbcdn\.net.*
acl rewritedoms url_regex -i (youtube|google).*\/videoplayback\?.*

cache allow rewritedoms
cache deny QUERY
cache deny redir 

store_id_program /etc/squid/store-id.pl
store_id_children 20 startup=10 idle=5 concurrency=30
store_id_access deny !getmethod
store_id_access deny redir
store_id_access deny dontrewrite 
store_id_access allow rewritedoms
store_id_access allow youtube
store_id_access allow reverbnation
store_id_access deny all

strip_query_terms off

max_stale 1 week

refresh_pattern .*(begin|start)\=[1-9][0-9].*               0 0% 0
refresh_pattern -i (cgi-bin|mrtg|graph) 0 0% 0
refresh_pattern -i \.(php|lst|ui|ini|list)$ 0 0% 0 
refresh_pattern (update.ini|Update.ini|version.list|Version.list|update.1st|update.exe|autoup.exe) 0 0% 0
refresh_pattern (hackshield|nprotect) 240 100% 420 override-expire override-lastmod reload-into-ims
#refresh_pattern \.gemscool.com.*\.(exe|dll|cab|zip|iop|npz|swf)$ 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale
#refresh_pattern \.crossfire.web.id.*\.(cab|zip|exe|rar|dat|swf)$ 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale
#refresh_pattern \.cabalonline.co.id.*\.(cab|zip|exe|rar|dat|swf) 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale
#refresh_pattern \.megaxus.com.*\.(cab|zip|exe|rar|dat|swf) 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale
#refresh_pattern \.lytogame.com.*\.(cab|zip|exe|rar|dat|swf) 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale
#refresh_pattern ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9]{1,2})\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9]{1,2}).*\.(pak|exe|zip|kom|stg|npz|swf)$ 1440 100% 4320 override-expire override-lastmod reload-into-ims ignore-auth store-stale

#PATTERN REFRESH
refresh_pattern -i \.(html|htm|css|js|png|jsp|asx|asp|aspx)$ 240 100% 420
refresh_pattern -i \/speedtest\/.*\.(txt|jpg|png|swf)  0  99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims 
refresh_pattern .pixieimage\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3))  1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims 
refresh_pattern .blogspot\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3))  1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims 
refresh_pattern .multiply\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3))  1440 99% 14400 override-expire ignore-reload ignore-private ignore-reload override-lastmod reload-into-ims 
refresh_pattern .((pikawarnet\.com)|(blogspot\.com)|(pixieimage\.com)|(multiply\.com)).*  60  30% 240

#sensitive site
refresh_pattern -i \.(sc-|dl-|ex-|mh-|dll|da-) 0 2% 50 reload-into-ims
refresh_pattern -i \.(mst|Xtp|iop)$ 0 50% 1440 reload-into-ims
refresh_pattern -i (index.php|autoup.exe|main.exe|xtrap.xt|autoupgrade.exe|update.exe|grandchase.exe|FSLauncher.exe|FreeStyle_Setup.exe|grandchase.exe|filelist.zip)$ 0 50% 1440
#refresh_pattern -i (UpdaterModifier.exe|FreeStyle.exe|PBLauncher.exe|update.exe|NewLauncher.exe|NewAvalon.exe|hon.exe.zip|cabal.exe)$ 0 50% 1440 
#refresh_pattern -i (PointBlank.exe.zip|HSUpdate.exe.zip|PBConfig.exe.zip) 0 50% 1440
refresh_pattern -i (wks_avira-win32-en-pecl.info.gz|wks_avira10-win32-en-pecl.info.gz|servers.def.vpx)$ 0 50% 1440
refresh_pattern -i (setup.exe.gz|avscan.exe.gz|avguard.exe.gz|filelist.zip|AvaClient.exe) 0 50% 1440 
refresh_pattern -i (livescore.com|goal.com|bobet) 0 50% 60 

refresh_pattern ^http.*(youtube|googlevideo)\.*     43200 99% 242020 ignore-reload override-expire override-lastmod ignore-must-revalidate  ignore-private ignore-no-store ignore-auth store-stale
#FB
refresh_pattern \.facebook\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private
refresh_pattern \.facebook\.com.* 240 50% 480
refresh_pattern \.fbcdn\.net.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3))  1440 99% 14400 override-expire ignore-reload ignore-private store-stale
refresh_pattern \.gstatic\.com/images\? 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private ignore-must-revalidate
refresh_pattern \.(akamaihd|edgecastcdn|spilcdn|zgncdn|(tw|y|yt)img)\.com.*\.(jp(e?g|e|2)|gif|png|swf|mp(3|4)) 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private
refresh_pattern (gstatic|diggstatic)\.com/.* 1440 99% 14400 override-expire ignore-reload ignore-private
refresh_pattern (photobucket|pbsrc|flickr|yimg|ytimg|twimg|gravatar)\.com.*\.(jp(e?g|e|2)|gif|png|tiff?|bmp|swf|mp(4|3)) 1440 99% 14400 override-expire ignore-reload ignore-private
refresh_pattern (zynga|ninjasaga|mafiawars|cityville|farmville|crowdstar|spilcdn|agame|popcap)\.com/.* 1440 99% 14400 override-expire ignore-reload ignore-private
refresh_pattern ^http:\/\/images|image|img|pics|openx|thumbs[0-9]\. 1440 99% 14400 override-expire ignore-reload ignore-private
refresh_pattern ^.*safebrowsing.*google 1440 99% 14400 override-expire ignore-reload ignore-private ignore-auth ignore-must-revalidate
refresh_pattern ^http://.*\.squid\.internal\/.*  10080 100%  79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth max-stale=10000 store-stale
refresh_pattern -i reverbnation.com 1440 99% 14400 override-expire override-lastmod ignore-no-cache ignore-private ignore-must-revalidate ignore-reload store-stale
#refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv\?|\.fid\?) 43200 99% 43200 override-expire ignore-reload ignore-must-revalidate ignore-private

#ads
refresh_pattern ^.*(streamate.doublepimp.com.*\.js\?|utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 1440 99% 14400 ignore-private override-expire ignore-reload ignore-auth max-stale=1440
refresh_pattern \.(ico|video-stats) 1440 99% 14400 override-expire ignore-reload ignore-private ignore-auth override-lastmod ignore-must-revalidate
refresh_pattern ^http://((cbk|mt|khm|mlt|tbn)[0-9]?)\.google\.co(m|\.uk|\.id) 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private ignore-auth ignore-must-revalidate 
refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 1440 99% 14400 override-expire override-lastmod
refresh_pattern galleries\.video(\?|sz) 1440 99% 14400 override-expire ignore-reload ignore-must-revalidate ignore-private
refresh_pattern \.wikimapia\.org\/? 1440 99% 14400 override-expire override-lastmod ignore-reload ignore-private

#general
refresh_pattern -i \.(7z|arj|bin|bz2|cab|dll|exe|gz|inc|iso|jar|lha|ms(i|p|u)|rar|rpm|tar|tgz|zip|rtp|rpz|nui|kom|stg|pak|sup|nzp|npz|iop)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
refresh_pattern -i \.(class|doc|docx|pdf|pps|ppt|ppsx|pptx|ps|rtx|txt|wpl|xls|xlsx)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
refresh_pattern -i \.(3gp|ac4|agx|au|avi|axd|bmp|cbr|cbt|cbz|dat|divx|flv|gif|hqx|ico|jp(2|e|eg|g)|mid|mk(a|v)|mov|mp(1|2|3|4|e|eg|g)|og(a|g|v)|qt|ra|ram|rm|swf|tif|tiff|wa(v|x)|wm(a|v|x)|x-flv)$ 1440 99% 14400 override-expire override-lastmod ignore-private reload-into-ims ignore-must-revalidate ignore-reload store-stale
refresh_pattern -i .(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i .index.(html|htm)$ 0 75% 10080
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern . 60 50% 14400 store-stale


memory_pools off
client_db off
#reload_into_ims on
pipeline_prefetch on
offline_mode off
cache_effective_user proxy
cache_effective_group proxy

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
vary_ignore_expire on


# local
qos_flows local-hit=0x30
# sibling
# qos_flows sibling-hit=0x31
# parent
# qos_flows parent-hit=0x32
# preserve
# qos_flows disable-preserve-miss


sigaret

Post 11 Dec 2014, 13:50

I've gone back and forth through this forum room several times, pages 1-8
read the tutorials from Google too
it still fails, never works

squid -z

Code:

root@ubuntu:~# squid -z
2014/12/11 13:43:30| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2014/12/11 13:43:30| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2014/12/11 13:43:30| WARNING: You should probably remove '::/0' from the ACL named 'all'
2014/12/11 13:43:30| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2014/12/11 13:43:30| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2014/12/11 13:43:30| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2014/12/11 13:43:30| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2014/12/11 13:43:30| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2014/12/11 13:43:30| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2014/12/11 13:43:30| WARNING: (B) '192.168.1.0/24' is a subnetwork of (A) '192.168.1.0/24'
2014/12/11 13:43:30| WARNING: because of this '192.168.1.0/24' is ignored to keep splay tree searching predictable
2014/12/11 13:43:30| WARNING: You should probably remove '192.168.1.0/24' from the ACL named 'localnet'
2014/12/11 13:43:30| Squid is already running!  Process ID 1847

Code:

root@ubuntu:~# squid -Nd1
2014/12/11 13:43:39| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2014/12/11 13:43:39| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2014/12/11 13:43:39| WARNING: You should probably remove '::/0' from the ACL named 'all'
2014/12/11 13:43:39| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
2014/12/11 13:43:39| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2014/12/11 13:43:39| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2014/12/11 13:43:39| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
2014/12/11 13:43:39| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
2014/12/11 13:43:39| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
2014/12/11 13:43:39| WARNING: (B) '192.168.1.0/24' is a subnetwork of (A) '192.168.1.0/24'
2014/12/11 13:43:39| WARNING: because of this '192.168.1.0/24' is ignored to keep splay tree searching predictable
2014/12/11 13:43:39| WARNING: You should probably remove '192.168.1.0/24' from the ACL named 'localnet'
2014/12/11 13:43:39| Squid is already running!  Process ID 1847
I'm confused

do any of the gurus have a tutorial that explains it step by step and really works?

@Mas SJW
@Mas Pragola
@Mas DhananJaya

:(
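The messages quoted in this thread each point at a fairly specific misconfiguration: dermovel's `ssl_crtd helpers are crashing too rapidly` and `SSL23_GET_CLIENT_HELLO:https proxy request` above, and the `is a subnetwork of` and `Squid is already running` lines just posted. The following added example, not part of any post, classifies such cache.log lines and prints the usual cause for each category. The sample log is constructed from the lines quoted in the thread with made-up timestamps; the hint for `https proxy request` rests on OpenSSL raising that error when the bytes arriving on a TLS socket begin with a plaintext `CONNECT` request, which on an `https_port` means a client is talking plain HTTP proxy protocol to it. Function and category names are this example's own.

```python
"""Added example: classify cache.log lines from this thread and print the usual cause."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed from lines quoted in the thread; the timestamps are made up.
SAMPLE_LOG = """\
2014/11/19 10:00:01| The ssl_crtd helpers are crashing too rapidly, need help!
2014/11/19 10:00:02 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2014/12/11 13:43:30| WARNING: (B) '192.168.1.0/24' is a subnetwork of (A) '192.168.1.0/24'
2014/12/11 13:43:30| WARNING: because of this '192.168.1.0/24' is ignored to keep splay tree searching predictable
2014/12/11 13:43:30| WARNING: You should probably remove '192.168.1.0/24' from the ACL named 'localnet'
2014/12/11 13:43:30| Squid is already running!  Process ID 1847
"""

# (pattern, category, usual cause)
SIGNATURES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r'ssl_crtd helpers are crashing too rapidly'),
     'sslcrtd_crash',
     'ssl_crtd exits at startup: ssl_db missing, not owned by the cache user, or the -s path differs from the one used with ssl_crtd -c; re-initialise the db and fix ownership'),
    (re.compile(r'SSL23_GET_CLIENT_HELLO:https proxy request'),
     'plain_connect_on_tls_port',
     'a plaintext "CONNECT host:443" reached an https_port: a client uses that port as a manual HTTP proxy (point it at the http_port instead), or port-80 traffic is diverted to the TLS port'),
    (re.compile(r'SSL23_GET_CLIENT_HELLO:http request'),
     'plain_http_on_tls_port',
     'a plaintext GET/POST reached an https_port: check which port the redirect/TPROXY rule for dport 80 targets'),
    (re.compile(r"WARNING: \(B\) '(\S+)' is a subnetwork of \(A\) '\S+'"),
     'duplicate_acl_entry',
     'the same network is listed twice in one acl (a duplicated line, or a redefinition of an acl Squid already predefines); harmless, but remove the duplicate'),
    (re.compile(r'Squid is already running!\s+Process ID (\d+)'),
     'already_running',
     'the command ran while another squid held the PID file; stop that instance first (or use squid -k reconfigure)'),
]


def classify(line: str) -> Tuple[str, str]:
    """Return (category, usual cause) for one cache.log line."""
    for pattern, category, cause in SIGNATURES:
        if pattern.search(line):
            return category, cause
    return 'other', ''


def triage(log_text: str) -> Dict[str, int]:
    """Count lines per category (blank lines are skipped)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(line)[0]] += 1
    return dict(counts)


def report(log_text: str) -> List[str]:
    """One entry per recognised category: count, category, usual cause."""
    seen: Dict[str, Tuple[int, str]] = {}
    for line in log_text.splitlines():
        category, cause = classify(line)
        if category != 'other':
            count, _ = seen.get(category, (0, cause))
            seen[category] = (count + 1, cause)
    return [f'{n}x {cat}: {cause}' for cat, (n, cause) in seen.items()]


if __name__ == '__main__':
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Feed it a real file with `report(open('/var/log/squid/cache.log').read())`; lines it does not recognise are counted under `other` so the summary also shows how much of the log is still unexplained.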


cah_clacap

Post 08 Mar 2015, 09:26

bro, earlier you said:

ip proxy: 192.168.20.13


++++++++++++++++++++++++++++++++++++++++++++
### for the first-time config, run the following command "/usr/lib/squid3/ssl_crtd -c -s /etc/squid3/ssl_db"
#https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/myCA.pem
#http_port 3128
#http_port 3129 tproxy
http_port 172.16.197.1:3127 intercept
https_port 172.16.197.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 127.0.0.1:3128

!192.168.0.0/16 = ip range to bypass the internal network
192.168.1.0/24 = local / client ip range
=================

it doesn't match up with the squid.conf


cah_clacap

Post 08 Mar 2015, 09:28

I'm at my wits' end, friends ..... I've never got TPROXY to work ////

which of the settings in this forum are still missing???


cah_clacap

Post 08 Mar 2015, 09:30

Squid is running ..... but browsing etc. doesn't work yet


anbel

Post 11 Mar 2015, 21:51

@Mas Cah_Clacap
Wow, so you're still tinkering with squid3 Head; my advice is to just use the stable version, mine has been running smoothly for a year :like:
Attachment: squidversi.png


para_rosez

Post 09 Jul 2015, 18:17

:'( Help me,.. I've managed to install SQUID 3.4.2 + TPROXY + HTTPS SSL BUMP; with a manual proxy setting in the browser it works on port 3128 (only http shows up), and if I switch to port 3127 https works fine,. but with mikrotik there's no activity at all in tail -f,,???
these are the mikrotik settings:
/ip address
add address=192.168.12.1/24 interface=ether3

/ip firewall mangle
add action=mark-routing chain=prerouting comment="TPROXY ROUTING" disabled=no dst-port=80,443 in-interface=ether2 new-routing-mark=tproxy_rm passthrough=no \ protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-port=80,443 in-interface=ether3 new-connection-mark=tproxy_cm passthrough=yes protocol=tcp \ src-address=!192.168.12.12
add action=mark-routing chain=prerouting connection-mark=tproxy_cm disabled=yes in-interface=!ether3 new-routing-mark=tproxy_rm passthrough=no

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.12.12 routing-mark=tproxy_rm scope=30 target-scope=10

which one might be wrong,.???
proxy ip : 192.168.12.12
lan ip : 192.168.0.0/24

These are the rc.local settings:

modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_tproxy_core
modprobe xt_mark
modprobe nf_nat
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe nf_defrag_ipv4
modprobe ipt_REDIRECT
modprobe iptable_nat

iptables -t mangle -F
iptables -t mangle -X

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING ! -d 192.168.12.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.12.0/24 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

/sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route add local 0.0.0.0/0 dev lo table 100

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
ulimit -HSn 65535
/usr/sbin/squid -Nd1 &

exit 0

Which one might be the mistake,.?? or maybe something is still missing,.. please help,.??
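When TPROXY shows no activity at all, the first things to cross-check are that every `--on-port` in the mangle rules is a Squid port declared with the `tproxy` mode flag (not `intercept`), that the TPROXY mark, the DIVERT `--set-mark` and the `ip rule ... fwmark` all agree, and that the table named by that rule holds the `local 0.0.0.0/0 dev lo` route. The following added example, not code from the post, automates that comparison: the rc.local lines are the ones posted above, while the squid.conf port block is constructed (the post does not show one) with port 3127 deliberately declared as `intercept` so that the mismatch is caught. The certificate path is a placeholder and the function names are this example's own.

```python
"""Added example: cross-check iptables TPROXY rules against squid.conf ports.

Not code from the post. RC_LOCAL reuses the posted rules; SQUID_CONF is a
constructed port block (the post shows none) with 3127 wrongly declared
"intercept" on purpose.
"""
import re
from typing import Dict, List, Set, Tuple

RC_LOCAL = """\
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING ! -d 192.168.12.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.12.0/24 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
/sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route add local 0.0.0.0/0 dev lo table 100
"""

SQUID_CONF = """\
http_port 3128
http_port 3129 tproxy
https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/PLACEHOLDER.pem
"""

TPROXY_RE = re.compile(r'--dport (\d+) .*-j TPROXY --tproxy-mark (\S+?)/\S+ --on-port (\d+)')
SETMARK_RE = re.compile(r'-j MARK --set-mark (\S+)')
RULE_RE = re.compile(r'ip rule add fwmark (\S+) lookup (\d+)')
ROUTE_RE = re.compile(r'ip route add local 0\.0\.0\.0/0 dev lo table (\d+)')
PORT_RE = re.compile(r'^(https?_port)\s+(?:\S+:)?(\d+)\s*(.*)$')


def squid_ports(conf: str) -> Dict[int, Tuple[str, Set[str]]]:
    """port -> (directive, option words) for each http_port/https_port line."""
    ports = {}
    for line in conf.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(2))] = (m.group(1), set(m.group(3).split()))
    return ports


def check_tproxy(rc_local: str, conf: str) -> List[str]:
    """Return a list of mismatches between the TPROXY rules and squid.conf."""
    findings: List[str] = []
    ports = squid_ports(conf)
    tproxy_marks: Set[int] = set()
    set_marks: Set[int] = set()
    rule_tables: Dict[int, int] = {}          # fwmark -> routing table
    route_tables: Set[int] = set()            # tables holding the local/lo route
    for line in rc_local.splitlines():
        if m := TPROXY_RE.search(line):
            dport, mark, on_port = m.group(1), int(m.group(2), 0), int(m.group(3))
            tproxy_marks.add(mark)
            want = 'https_port' if dport == '443' else 'http_port'
            if on_port not in ports:
                findings.append(f'--on-port {on_port} (dport {dport}): no http_port/https_port {on_port} in squid.conf')
                continue
            directive, opts = ports[on_port]
            if directive != want:
                findings.append(f'--on-port {on_port} (dport {dport}): declared as {directive}, expected {want}')
            if 'tproxy' not in opts:
                found = ' '.join(sorted(opts)) or 'none'
                findings.append(f'--on-port {on_port} (dport {dport}): {directive} {on_port} lacks the tproxy mode flag (found: {found})')
        elif m := SETMARK_RE.search(line):
            set_marks.add(int(m.group(1), 0))
        elif m := RULE_RE.search(line):
            rule_tables[int(m.group(1), 0)] = int(m.group(2))
        elif m := ROUTE_RE.search(line):
            route_tables.add(int(m.group(1)))
    for mark in sorted(tproxy_marks):
        if mark not in rule_tables:
            findings.append(f'no "ip rule add fwmark {mark:#x} lookup <table>" for TPROXY mark {mark:#x}')
        elif rule_tables[mark] not in route_tables:
            findings.append(f'table {rule_tables[mark]} has no "local 0.0.0.0/0 dev lo" route')
        if set_marks and mark not in set_marks:
            findings.append(f'DIVERT --set-mark {sorted(set_marks)} differs from TPROXY mark {mark:#x}')
    return findings


if __name__ == '__main__':
    print('\n'.join(check_tproxy(RC_LOCAL, SQUID_CONF)) or 'no mismatch found')
```

The check only covers the Linux side; the MikroTik mangle and route entries still have to be read by hand (in particular whether each rule is enabled and on which interface the client traffic actually arrives), and `rp_filter` must be relaxed on every interface the marked packets traverse, not only on `lo`.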

