Selasa, 01 September 2015

Konfigurasi Squid Proxy Server Di CentOS 6.6

Konfigurasi Squid Proxy Server Di CentOS 6.6

 

Spesifikasi Server HP Proliant DL320
Prosessor : Intel Xeon E3-1220v2
RAM : 4GB DDR3-1600 UDIMM
VGA : Matrox G200
HDD : 2TB Sata
NIC : 2 x GbE NIC
OS : Centos 6.6 x86_64

1. Konfigurasi Jaringan
eth0 : (ke Internet)
IP = 192.168.188.254/26
Gateway = 192.168.188.193
DNS = 202.137.3.110, 202.137.3.111
eth1 : (ke LAN)
IP = 192.168.88.1/29
Topologi Jaringan
Proxy-Diagram


Setelah proses instal selesai masuk sebagai root
lihat apakah ethernet sudah aktif atau belum dengan perintah :
  1. ifconfig
jika belum aktif, aktifkan dengan perintah :
  1. ifconfig eth0 up
  2. ifconfig eth1 up
cek kembali dengan ifconfig
kemudian setting ip address di eth0
  1. nano /etc/sysconfig/network-scripts/ifcfg-eth0
Kemudian isikan dengan script sebagai berikut :
  1. DEVICE=eth0
  2. TYPE=Ethernet
  3. UUID=757e8f68-8179-471e-8423-a226f991f962
  4. ONBOOT=yes
  5. NM_CONTROLLED=yes
  6. BOOTPROTO=static
  7. HWADDR=A4:5D:36:C5:97:1C
  8. IPADDR=192.168.188.254
  9. PREFIX=26
  10. GATEWAY=192.168.188.193
  11. DNS1=202.137.3.110
  12. DNS2=202.137.3.111
  13. DEFROUTE=yes
  14. IPV4_FAILURE_FATAL=yes
  15. IPV6INIT=no
  16. NAME="INTERNET-eth0"
Tekan CTRL+O untuk menyimpan, dan keluar dengan CTRL+X
kemudian setting ip address di eth1
  1. nano /etc/sysconfig/network-scripts/ifcfg-eth1
Kemudian isikan dengan script sebagai berikut :
  1. DEVICE=eth1
  2. HWADDR=A4:5D:36:C5:97:1D
  3. TYPE=Ethernet
  4. UUID=6c614425-1e8e-4ce5-a2c3-d99926c1adbf
  5. ONBOOT=yes
  6. NM_CONTROLLED=yes
  7. BOOTPROTO=static
  8. IPADDR=192.168.88.1
  9. PREFIX=29
  10. DEFROUTE=yes
  11. IPV4_FAILURE_FATAL=yes
  12. IPV6INIT=no
  13. NAME="LAN-eth1"
Tekan CTRL+O untuk menyimpan, dan keluar dengan CTRL+X
Keterangan :
DEVICE=Nama ethernet yang terdeteksi, pada kasus ini yaitu eth0 dapat berubah menjadi eth1, eth2 dan sebagainya.
BOOTPROTO=Jenis Networknya, pada kasus ini dituliskan static karena kita memberikan ip address secara manual. Bila jenis networknya automatis/dhcp kita tuliskan dhcp.
ONBOOT=Adalah perintah apakah ethernet diaktifkan ketika start up atau dapat dikatakan auto start. Pada kasus ini kita berikan perintah yes. Bila kita berikan perintah no maka pada saat sistem operasi melakukan start up ethernet tidak akan aktif secara automatis.Cek kembali dengan menggunakan ifconfig dan lihat apakah ip sudah muncul, bila sudah muncul lakukan test ping ke DNS servernya, jika ip belum muncul tuliskan perintah ifup eth0 dan restart kembali service networknya.
2. Konfigurasi Firewall Dengan Iptables
buat file squidfw.sh dengan perintah
  1. nano /root/squidfw.sh
tambahkan konfigurasi firewall berikut (sesuaikan dengan konfigurasi ethernet yang digunakan)
  1. #!/bin/sh
  2. # squid server IP
  3. SQUID_SERVER="192.168.88.1"
  4. # Interface connected to Internet
  5. INTERNET="eth0"
  6. # Interface connected to LAN
  7. LAN_IN="eth1"
  8. # Squid port
  9. SQUID_PORT="3128"
  10. # DO NOT MODIFY BELOW
  11. # Clean old firewall
  12. iptables -F
  13. iptables -X
  14. iptables -t nat -F
  15. iptables -t nat -X
  16. iptables -t mangle -F
  17. iptables -t mangle -X
  18. # Load IPTABLES modules for NAT and IP conntrack support
  19. modprobe ip_conntrack
  20. modprobe ip_conntrack_ftp
  21. # For win xp ftp client
  22. #modprobe ip_nat_ftp
  23. echo 1 > /proc/sys/net/ipv4/ip_forward
  24. # Setting default filter policy
  25. iptables -P INPUT DROP
  26. iptables -P OUTPUT ACCEPT
  27. # Unlimited access to loop back
  28. iptables -A INPUT -i lo -j ACCEPT
  29. iptables -A OUTPUT -o lo -j ACCEPT
  30. # Allow UDP, DNS and Passive FTP
  31. iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
  32. # set this system as a router for Rest of LAN
  33. iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
  34. iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
  35. # unlimited access to LAN
  36. iptables -A INPUT -i $LAN_IN -j ACCEPT
  37. iptables -A OUTPUT -o $LAN_IN -j ACCEPT
  38. # REDIRECT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
  39. iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
  40. # if it is same system
  41. iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
  42. # Allow SSH
  43. iptables -A INPUT -i $INTERNET -p tcp -m tcp --dport 22 -j ACCEPT
  44. # DROP everything and Log it
  45. iptables -A INPUT -j LOG
  46. iptables -A INPUT -j DROP
jalankan dengan perintah
  1. sh /root/squidfw.sh
tambahkan perintah “sh /root/squidfw.sh” ke /etc/rc.local
  1. nano /etc/rc.local

3. Konfigurasi Proxy Squid 3.1
Update Centos 6.6
  1. yum update
Install aplikasi Development Tools
  1. yum groupinstall 'Development Tools'
Install squid
  1. yum -y install squid
Selanjutnya Edit seting squid.conf pada squid yang telah diinstall
  1. nano /etc/squid/squid.conf
Konfigurasi squid
  1. #
  2. # Recommended minimum configuration:
  3. #
  4. acl manager proto cache_object
  5. acl localhost src 127.0.0.1/32
  6. acl to_localhost dst 127.0.0.0/8
  7. #acl localhost src 127.0.0.1/32 ::1
  8. #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

  10. # Example rule allowing access from your local networks.
  11. # Adapt to list your (internal) IP networks from where browsing
  12. # should be allowed
  13. #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
  14. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  15. #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
  16. #acl localnet src fc00::/7 # RFC 4193 local private network range
  17. #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

  19. acl SSL_ports port 443
  20. acl Safe_ports port 80 # http
  21. acl Safe_ports port 21 # ftp
  22. acl Safe_ports port 443 # https
  23. acl Safe_ports port 70 # gopher
  24. acl Safe_ports port 210 # wais
  25. acl Safe_ports port 1025-65535 # unregistered ports
  26. acl Safe_ports port 280 # http-mgmt
  27. acl Safe_ports port 488 # gss-http
  28. acl Safe_ports port 591 # filemaker
  29. acl Safe_ports port 777 # multiling http
  30. acl CONNECT method CONNECT

  32. acl all src all

  34. acl client src 192.168.88.0/24
  35. http_access allow client

  37. http_access allow manager localhost
  38. http_access deny manager

  40. http_access deny !Safe_ports

  42. http_access deny CONNECT !SSL_ports

  44. # We strongly recommend the following be uncommented to protect innocent
  45. # web applications running on the proxy server who think the only
  46. # one who can access services on "localhost" is a local user
  47. #http_access deny to_localhost

  49. #
  50. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  51. #

  53. # Example rule allowing access from your local networks.
  54. # Adapt localnet in the ACL section to list your (internal) IP networks
  55. # from where browsing should be allowed
  56. #http_access allow localnet
  57. http_access allow localhost

  59. # And finally deny all other access to this proxy
  60. http_access deny all

  62. # NETWORK OPTION
  63. http_port 3128 intercept
  64. hierarchy_stoplist cgi-bin ?
  65. visible_hostname proxy.pipit-pmj.co.id

  67. # MEMORY CACHE OPTION
  68. cache_mem 6 MB
  69. maximum_object_size_in_memory 4 KB
  70. memory_replacement_policy heap GDSF

  72. # DISK CACHE OPTIONS
  73. minimum_object_size 0 KB
  74. maximum_object_size 512 MB
  75. cache_swap_low 97
  76. cache_swap_high 99
  77. cache_replacement_policy heap LFUDA
  78. cache_dir aufs /cache1/cache 40000 94 256
  79. cache_dir aufs /cache2/cache 40000 94 256
  80. cache_dir aufs /cache3/cache 40000 94 256
  81. cache_dir aufs /cache4/cache 40000 94 256


  84. # LOGFILE OPTIONS
  85. access_log /var/log/squid/access.log squid
  86. cache_log /var/log/squid/cache.log
  87. cache_store_log none
  88. cache_swap_log /var/spool/squid/swap.state
  89. logfile_rotate 5
  90. log_fqdn off
  91. log_icp_queries off
  92. buffered_logs off
  93. emulate_httpd_log off

  95. # OPTIONS FOR TUNING THE CACHE
  96. refresh_pattern -i \.swf$ 20160 80% 20160 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
  97. refresh_pattern -i \.gif$ 20160 80% 20160 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
  98. refresh_pattern -i \.jpg$ 20160 80% 20160 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
  99. refresh_pattern -i \.jpeg$ 20160 80% 20160 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
  100. refresh_pattern -i \.exe$ 20160 80% 20160 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth

  102. # 1 year = 525600 mins, 1 month = 20160 mins, 1 day = 1440
  103. refresh_pattern ^.*(utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 20160 20% 20160 ignore-no-cache ignore-private override-expire ignore-reload ignore-auth
  104. refresh_pattern ^.*safebrowsing.*google 20160 80% 20160 override-expire ignore-reload ignore-no-cache ignore-private ignore-auth
  105. refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?)\.google\.co(m|\.uk) 20160 80% 20160 override-expire ignore-reload ignore-private
  106. refresh_pattern ytimg\.com.*\.jpg 20160 80% 20160 override-expire ignore-reload
  107. refresh_pattern images\.friendster\.com.*\.(png|gif) 20160 80% 20160 override-expire ignore-reload
  108. refresh_pattern garena\.com 20160 80% 20160 override-expire reload-into-ims
  109. refresh_pattern photobucket.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 20160 80% 20160 override-expire ignore-reload
  110. refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 20160 80% 20160 ignore-no-cache override-expire override-lastmod
  111. refresh_pattern mediafire.com\/images.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 20160 80% 20160 reload-into-ims override-expire ignore-private
  112. refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\. 20160 80% 20160 reload-into-ims ignore-no-cache ignore-reload override-expire
  113. refresh_pattern ^http:\/\/www.onemanga.com.*\/ 20160 80% 20160 reload-into-ims ignore-no-cache ignore-reload override-expire
  114. refresh_pattern ^http://v\.okezone\.com/get_video\/([a-zA-Z0-9]) 20160 80% 20160 override-expire ignore-reload ignore-no-cache ignore-private ignore-auth override-lastmod

  116. #images facebook
  117. refresh_pattern -i \.facebook.com.*\.(jpg|png|gif) 20160 80% 20160 ignore-reload override-expire ignore-no-cache
  118. refresh_pattern -i \.fbcdn.net.*\.(jpg|gif|png|swf|mp3) 20160 80% 20160 ignore-reload override-expire ignore-no-cache
  119. refresh_pattern static\.ak\.fbcdn\.net*\.(jpg|gif|png) 20160 80% 20160 ignore-reload override-expire ignore-no-cache
  120. refresh_pattern ^http:\/\/profile\.ak\.fbcdn.net*\.(jpg|gif|png) 20160 80% 20160 ignore-reload override-expire ignore-no-cache

  122. #All File
  123. refresh_pattern -i \.(3gp|7z|ace|asx|bin|deb|divx|dvr-ms|ram|rpm|exe|inc|cab|qt) 20160 80% 20160 ignore-no-cache override-expire override-lastmod reload-into-ims
  124. refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|zip|tar) 20160 80% 20160 ignore-no-cache override-expire override-lastmod reload-into-ims
  125. refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|dat|ad|txt|dll) 20160 80% 20160 ignore-no-cache override-expire override-lastmod reload-into-ims
  126. refresh_pattern -i \.(avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|vob) 20160 80% 20160 ignore-no-cache override-expire override-lastmod reload-into-ims
  127. refresh_pattern -i \.(pp(t?x)|s|t)|pdf|rtf|wax|wm(a|v)|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|flv|x-flv) 20160 80% 20160 ignore-no-cache override-expire override-lastmod reload-into-ims
  128. refresh_pattern ^ftp: 1440 90% 201600 override-lastmod reload-into-ims
  129. refresh_pattern ^gopher: 1440 0% 1440 override-lastmod reload-into-ims
  130. refresh_pattern (cgi-bin|\?) 0 0% 0
  131. refresh_pattern . 0 80% 20160 override-lastmod reload-into-ims

  133. # SNMP OPTIONS
  134. #snmp_port 3401
  135. #acl snmppublic snmp_community public
  136. #snmp_access allow snmppublic all

  138. # OPTIMIZING
  139. memory_pools off
  140. client_db off
  141. coredump_dir /cache1/squid
  142. reload_into_ims on
  143. balance_on_multiple_ip on
  144. vary_ignore_expire on
  145. pipeline_prefetch on
  146. quick_abort_min 16 KB
  147. quick_abort_max 16 KB
  148. quick_abort_pct 95
  149. shutdown_lifetime 10 seconds
  150. half_closed_clients off
  151. cache_effective_user squid
  152. cache_effective_group squid
  153. dns_nameservers 202.137.3.110 202.137.3.111
  154. ipcache_size 2048
  155. ipcache_low 90
  156. ipcache_high 96

  158. # MARKING ZPH SQUID 3.1
Memberikan building/permission pada folder/partisi cache squid
  1. chown squid:squid /cache1 && chmod 755 /cache1
  2. chown squid:squid /cache2 && chmod 755 /cache2
  3. chown squid:squid /cache3 && chmod 755 /cache3
  4. chown squid:squid /cache4 && chmod 755 /cache4
  5. chown squid:squid /cache5 && chmod 755 /cache5
Membuat folder-folder swap/cache di dalam folder cache yang telah ditentukan dengan perintah:
  1. /usr/sbin/squid -z
Cek konfig squid, apakah ada yang error atau tidak
  1. /usr/sbin/squid -k parse
Apabila tidak ada error jalankan squid sebagai daemon
  1. /etc/squid/sbin/squid -NDd1 &
  2. service squid start





di Diposting oleh
Label: ,

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)
BREAKING NEWS :
Loading...