Squid Proxy

This document is a shell script that installs and configures a Squid 3.5 proxy on a Debian/Ubuntu system. It installs build dependencies with apt-get, downloads and compiles libecap, an eCAP adapter and Squid (with an unofficial patch), generates a self-signed CA for TLS interception (SSL bumping), and writes a squid.conf that listens on ports 3127 (ssl-bump) and 3128 (plain forward proxy), enables disk caching, eCAP response filtering and a Store-ID helper, restricts access to local networks and enables logging. Note that SSL bumping only works for clients that trust the generated CA and that, as written, the configuration disables verification of origin-server certificates.

Uploaded by

War Tzoe Net
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
258 views11 pages

Squid Proxy

The document provides instructions to install and configure Squid proxy and related software on a Linux system. It uses apt-get to install dependencies, downloads packages, compiles and installs them. It then generates SSL certificates, configures Squid to listen on ports 3127 and 3128, enables caching, SSL bumping and ecap filtering. The Squid configuration restricts access and enables logging.

Uploaded by

War Tzoe Net
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 11

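#!/usr/bin/env bash
#
# Build and install Squid 3.5 from source with TLS interception (ssl-bump),
# eCAP adaptation and a Store-ID helper, then generate the interception CA.
# Run as root on a Debian/Ubuntu host.
#
# Security notes for whoever runs this:
#   * Every archive and patch below is downloaded and built as root with no
#     checksum or signature verification, and the libecap/Squid URLs are plain
#     HTTP. Pin the sources (record SHA-256 sums or mirror them locally) before
#     using this outside a lab.
#   * The CA created here is trusted by every client that installs
#     warnet.der/.crt for *every* HTTPS site. warnet.pem holds the private
#     key: keep it on this host only and readable by Squid alone.
#   * squid_forgery.patch is an unofficial patch from a mailing-list post;
#     read it before applying.
set -euo pipefail

# Work in one directory for all downloads and builds (the original mixed the
# caller's cwd and $HOME).
workdir=${BUILD_DIR:-$HOME}
cd -- "$workdir"

apt-get update
# "libcap-dev" (the original had "libcapdev", which is not a package name).
# ca-certificates supplies the bundle Squid uses to verify origin servers.
apt-get install -y build-essential devscripts libcppunit-dev openssl \
  libssl-dev libcap-dev ccze pkg-config libkrb5-dev ca-certificates

# --- libecap ----------------------------------------------------------------
libecap=libecap-1.0.0
wget -O "${libecap}.tar.gz" "http://www.measurement-factory.com/tmp/ecap/${libecap}.tar.gz"
tar xzf "${libecap}.tar.gz"
( cd "$libecap" && ./configure && make && make install )
# libecap installs under /usr/local/lib; make the dynamic loader see it
# (idempotent so re-runs do not append duplicate lines).
grep -qxF '/usr/local/lib' /etc/ld.so.conf || echo '/usr/local/lib' >> /etc/ld.so.conf
ldconfig

# --- eCAP adapter (DSI) -----------------------------------------------------
# Dropbox serves an HTML preview page for "?dl=0"; "?dl=1" returns the file
# itself. This is a third-party archive of unknown provenance fetched from a
# personal share: inspect it before building and installing it as root.
wget -O ecap_adapter_DSI.tgz 'https://www.dropbox.com/s/z4levwr2frun3c9/ecap_adapter_DSI.tgz?dl=1'
tar xzf ecap_adapter_DSI.tgz
( cd ecap_adapter_sample-1.0.0 && ./configure && make && make install )

# --- Squid ------------------------------------------------------------------
# One name for download, extract and cd (the original used two spellings of
# the snapshot name, so the extract step could not find the download).
squid_src=squid-3.5.15-20160229-r13997
wget -O "${squid_src}.tar.gz" "http://www.squid-cache.org/Versions/v3/3.5/${squid_src}.tar.gz"
tar xzf "${squid_src}.tar.gz"
wget -O squid_forgery.patch 'http://www.squid-cache.org/mail-archive/squid-users/201404/att-0240/squid_forgery.patch.txt'
(
  cd "$squid_src"
  patch -p0 < ../squid_forgery.patch
  # --with-swap-dir only sets compiled-in defaults; the cache_dir line in
  # the squid.conf written later in this script is what actually applies.
  ./configure --prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --libexecdir=/usr/lib/squid \
    --sysconfdir=/etc/squid \
    --localstatedir=/var \
    --libdir=/usr/lib \
    --includedir=/usr/include \
    --datadir=/usr/share/squid \
    --mandir=/usr/share/man \
    --enable-storeio=ufs,aufs,diskd,rock \
    --enable-removal-policies=lru,heap \
    --enable-stacktrace \
    --enable-zph=qos \
    --enable-ssl-crtd \
    --enable-ecap \
    --enable-wccpv2 \
    --disable-ident-lookup \
    --disable-auth \
    --disable-auth-basic \
    --disable-auth-digest \
    --disable-auth-negotiate \
    --disable-auth-ntlm \
    --disable-url-rewriter-helpers \
    --disable-storeid-rewrite-helpers \
    --with-logdir=/var/log/squid \
    --with-pid-file=/var/run/squid.pid \
    --with-swap-dir=/cache-1 \
    --with-swap-dir=/cache-2 \
    --with-swap-dir=/cache-3 \
    --with-swap-dir=/cache-4 \
    --with-swap-dir=/cache-5 \
    --with-large-files \
    --with-openssl
  make -j"$(nproc)"
  make install
)

# --- Runtime directories ----------------------------------------------------
# Squid runs as "nobody" after start-up, so everything it writes must belong
# to that user. /cache (used by cache_dir in squid.conf) was never created by
# the original script.
mkdir -p /var/log/squid /cache
chown -R nobody /var/log/squid /cache

# --- Interception CA --------------------------------------------------------
ssl_dir=/etc/squid/ssl_cert
ca_pem=$ssl_dir/warnet.pem
mkdir -p "$ssl_dir"
# Do not regenerate on re-runs: a new CA invalidates the trust that every
# client already installed.
if [[ ! -s "$ca_pem" ]]; then
  (
    umask 077   # never let the key be world-readable, even briefly
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
      -keyout "$ca_pem" -out "$ca_pem" \
      -subj "/C=ID/ST=Jawa Barat/L=Cikarang/O=DSI/CN=Wartzoe.Net"
  )
fi
# warnet.pem = private key + certificate in one file: Squid's user only.
chown nobody "$ca_pem"
chmod 0600 "$ca_pem"
# Public certificate only (DER) for distribution to clients. Both files have
# identical content; some client tools expect the .crt extension.
openssl x509 -in "$ca_pem" -outform DER -out "$ssl_dir/warnet.der"
openssl x509 -in "$ca_pem" -outform DER -out "$ssl_dir/warnet.crt"
chmod 0644 "$ssl_dir/warnet.der" "$ssl_dir/warnet.crt"

# Database for the dynamically generated per-site certificates. ssl_crtd
# refuses to initialise an existing directory, so guard for re-runs.
if [[ ! -d /var/lib/ssl_db ]]; then
  /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
fi
chown -R nobody /var/lib/ssl_db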
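# squid.conf. Written with a quoted heredoc so nothing is expanded; the
# original used a single-quoted echo whose long lines had been wrapped by
# the document, leaving several directives split across two lines (which
# Squid rejects as unknown directives).
cat > /etc/squid/squid.conf <<'EOF'
#
# Squid 3.5: plain forward proxy on 3128, TLS-intercepting (ssl-bump)
# forward proxy on 3127, disk cache, eCAP response modification for
# YouTube and a Store-ID helper for YouTube video chunks.
#

# --- ACLs -------------------------------------------------------------------
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443

acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Name matches the http_access lines below (the original declared "PURGE"
# and referenced "purge").
acl purge method PURGE

# Destinations to tunnel (splice) instead of bump, e.g. certificate-pinned
# apps. Disabled in the original; enable together with the
# "ssl_bump splice bypass_ssl" line below.
# http://empire.goodgamestudios.com/
#acl bypass_ssl dst 37.48.88.132
# BBM - http://bgp.he.net/search?search%5Bsearch%5D=blackberry+messenger&commit=Search
#acl bypass_ssl dst 68.171.224.0/19 #BBM
#acl bypass_ssl dst 74.82.64.0/19 #BBM

# --- Access control ---------------------------------------------------------
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Stop clients from using the proxy to reach services bound to this host's
# loopback interface (recommended by the stock config; the original left it
# commented out).
http_access deny to_localhost
# PURGE only from the proxy host itself
http_access allow localhost purge
http_access deny purge
# Clients: internal networks and the proxy host itself; everything else is
# denied.
http_access allow localnet
http_access allow localhost
http_access deny all

# --- Listening ports --------------------------------------------------------
# Plain forward proxy
http_port 3128
# Forward proxy with TLS interception: CONNECT tunnels through this port are
# bumped and re-signed by the CA below, so clients must trust warnet.der/.crt.
http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

# Transparent interception (NAT REDIRECT); pair with the rules in /etc/rc.local.
# Note the https_port reuses 3127, which the http_port above already binds;
# change one of them if both are enabled.
#http_port 3129 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

# Transparent interception (TPROXY)
#http_port 3129 tproxy
#https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

# --- TLS interception (HTTPS caching) --------------------------------------
#ssl_bump splice bypass_ssl
ssl_bump peek step1 all
ssl_bump bump all

# Origin certificate validation. Bumped clients only ever see certificates
# minted by this proxy, so the proxy is the only party that can detect a
# forged, expired or mis-issued origin certificate; do not disable this.
# (The original had "sslproxy_cert_error allow all" and
# "sslproxy_flags DONT_VERIFY_PEER", which accepted any origin certificate.)
sslproxy_cert_error deny all
# Debian/Ubuntu CA bundle from the ca-certificates package; adjust if your
# distribution stores it elsewhere.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Requires squid-3.5.12-20151222-r13967 or newer
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

# The original list also contained "EECDH+aRSA+RC4", which the later "!RC4"
# removes again; it has been dropped here.
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# --- Cache ------------------------------------------------------------------
# Overrides the --with-swap-dir defaults given at configure time.
cache_dir aufs /cache 1000 16 256
cache_mem 16 MB

cache_swap_low 97
cache_swap_high 98
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

# Maximum object size
maximum_object_size 1024 MB
maximum_object_size_in_memory 1024 KB

# Partial content (206): pick one of the two if needed
#range_offset_limit 1 MB
#request_header_access Range deny all

# --- Administrative ---------------------------------------------------------
# The address below was redacted in the source document; set the real
# administrator contact.
cache_mgr [email protected]
visible_hostname s-proxy1-dsi

# Leave coredumps in the first cache dir
coredump_dir /var/log/squid

# --- Logging / debugging ----------------------------------------------------
# Keep query strings out of access.log: with HTTPS bumped, URLs carry session
# tokens and credentials in the clear. Set to "off" only while debugging the
# Store-ID helper (the original had it "off" permanently).
strip_query_terms on
#debug_options 11,2 22,3
logfile_rotate 1
#cache_store_log /var/log/squid/store.log

# --- eCAP response modification ---------------------------------------------
# yt_quality: tiny = 144px, small = 240px, medium = 360px, large = 480px, HD720 = Hd720px
acl youtube_240 dstdomain .youtube.com
request_header_access Accept-Encoding deny youtube_240
loadable_modules /usr/local/lib/ecap_adapter_modifying.so
ecap_enable on
ecap_service ecapModifier respmod_precache uri=ecap://dokter-squid.com/ecap yt_quality=small
adaptation_access ecapModifier allow youtube_240
adaptation_access ecapModifier deny all

# --- Store-ID (YouTube chunk de-duplication) -------------------------------
acl getmethod method GET
acl loop_302 http_status 302

acl youtube url_regex -i ^http.*\.googlevideo\.com\/videoplayback\?

send_hit deny loop_302

store_id_program /etc/squid/storeid.pl
store_id_children 50 startup=5 idle=2 concurrency=200
store_id_access deny !getmethod
store_id_access allow youtube
store_id_access deny all

# The helper reads the Referer as its first extra field.
store_id_extras "%{Referer}>h %>a/%>A %un %>rm myip=%la myport=%lp"

# --- refresh_pattern --------------------------------------------------------
# Synthetic Store-ID URLs produced by storeid.pl
refresh_pattern -i ^http.*\.internal 43200 0% 0 override-expire ignore-private

refresh_pattern -i \.(htm|html|xml|css|chm|txt|dll|dat)(\?.*)?$ 1440 100% 4320
refresh_pattern -i \.(3gp|7z|ace|asx|bin|deb|divx|dvr-ms|ram|rpm|exe|inc|cab|qt)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|zip|tar)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|ico|swf|ad)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.(avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|vob)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.((pp(t?x)|s|t)|pdf|rtf|wax|wm(a|v)|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|flv|x-flv)(\?.*)?$ 43200 100% 43200

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

qos_flows local-hit=0x30
EOF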

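# Store-ID helper for YouTube. Squid sends one request per line as
# "<channel-id> <url> <extras...>" (channel id because store_id_children
# uses concurrency=200; the first extra is the Referer per store_id_extras).
# Chunks of one video are fetched from many googlevideo.com hosts with
# per-session parameters; the helper maps them to one synthetic URL so the
# cache hits regardless of host or session. Written with a quoted heredoc so
# the Perl sigils are not expanded by the shell.
cat > /etc/squid/storeid.pl <<'EOF'
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # Squid waits for each reply line; do not buffer

while (my $line = <STDIN>) {
    my ($channel, $url, $referer) = split ' ', $line;
    $channel //= '';
    my $reply = 'ERR';

    if (defined $url
        && $url =~ m{^https?://.*(youtube|google).*videoplayback}) {
        # The video id comes from the Referer ("...?v=<id>"). It is reset for
        # every request: the original kept $id across iterations, so a
        # request without a usable Referer was keyed under the previous
        # request's video id.
        my $id = '';
        if (defined $referer && $referer =~ m{^https?://.*\?v=(.*)}) {
            $id = $1;
        }
        # Match against the URL only (the original matched the whole input
        # line, which also contains the Referer and other extras).
        my ($itag)  = $url =~ m/[&?](itag=[0-9]*)/;
        my ($mime)  = $url =~ m/[&?](mime=[^&\s]*)/;
        my ($range) = $url =~ m/[&?](range=[^&\s]*)/;
        $itag  //= '';
        $mime  //= '';
        $range //= '';
        $reply = "OK store-id=http://video.youtube.doktersquid.internal/videoid=$id&$itag&$mime&$range";
    }

    print "$channel $reply\n";
}
EOF
chmod 0755 /etc/squid/storeid.pl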
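# Create the cache_dir swap directories declared in squid.conf (-z), in the
# foreground (-N), then exit.
squid -zN

# Init script. This fetches a script from a personal gist and installs it as
# a root-run service; review its contents and pin it to a specific commit if
# you keep this step. Downloaded to a temporary file first so a failed
# download cannot leave an empty or partial /etc/init.d/squid behind.
# (The original passed --no-check-certificate, which turns the HTTPS
# download into an unauthenticated one; it is not needed for gist.)
tmp_init=$(mktemp) || exit 1
if ! wget -O "$tmp_init" 'https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh'; then
  printf 'failed to download the squid init script\n' >&2
  rm -f -- "$tmp_init"
  exit 1
fi
install -m 0755 -- "$tmp_init" /etc/init.d/squid
rm -f -- "$tmp_init"
update-rc.d squid defaults
service squid start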

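# /etc/rc.local: iptables rules for transparent interception, left disabled
# exactly as in the original (the matching intercept/tproxy ports in
# squid.conf are disabled too). Init executes this file directly, so it needs
# a shebang and the executable bit, which the original did not give it.
# Intercepting port 443 sends the client's TLS to the bumping port 3127, so
# every client on the intercepted network must trust the CA or it will see
# certificate errors.
cat > /etc/rc.local <<'EOF'
#!/bin/sh -e
# tproxy
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
#ip rule add fwmark 1 lookup 212
#ip route add local 0.0.0.0/0 dev lo table 212

# intercept (NAT REDIRECT). The option is "--to-ports"; the original had
# "--toports", which iptables rejects.
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

exit 0
EOF
chmod +x /etc/rc.local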


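# Follow the access log with colour. "tailf" has been removed from
# util-linux; "tail -f" prints the last lines and follows in the same way.
tail -f /var/log/squid/access.log | ccze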

Source: DSI