Monday, 27 February 2012

Setting up a Squid transparent proxy server with a bridge

Installing Squid 2.7 Stable 9 on Debian 6
Topology:
Router === Proxy === Switch === LAN
The proxy uses two NICs, eth0 and eth1, joined into a bridge.
  • Open a terminal/console
  • Enter the command #sudo su
  • Enter the root password
  • Install the required packages with #apt-get install iptables ebtables bridge-utils squid
  • Edit /etc/rc.local with #nano /etc/rc.local
  • enter the following script (it must stay above the final exit 0):
    • # Create the bridge and attach both NICs; the NICs themselves carry no IP address
      brctl addbr br0
      ifconfig eth0 0.0.0.0 promisc up
      ifconfig eth1 0.0.0.0 promisc up
      brctl addif br0 eth0
      brctl addif br0 eth1
      ip link set br0 up
      # The proxy's own (management) address lives on the bridge interface
      ip addr add 192.168.0.224/24 brd + dev br0
      route add default gw 192.168.0.1 dev br0
      # Transparently redirect HTTP (TCP/80) entering the bridge to Squid on port 3128
      iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
      exit 0
  • Save with Ctrl+O, then exit with Ctrl+X
  • First back up the old squid.conf with #mv /etc/squid/squid.conf /etc/squid/backup.squid.conf
  • Create a new squid.conf with #nano /etc/squid/squid.conf
  • Copy and paste the following:
    • # WELCOME TO SQUID 2.7.STABLE3
      # Author by : http://www.ubuntushell.com
      # .............
      #
      http_port 3128 transparent
      icp_port 3130
      udp_incoming_address 0.0.0.0
      udp_outgoing_address 255.255.255.255
      hierarchy_stoplist cgi-bin ?
      acl QUERY urlpath_regex cgi-bin \?
      no_cache deny QUERY
      cache_mem 1 GB
      cache_swap_low 90
      cache_swap_high 95
      connect_timeout 1 minute
      negative_ttl 5 minute
      read_timeout 15 minute
      request_timeout 5 minute
      persistent_request_timeout 1 minutes
      client_lifetime 5 day
      pconn_timeout 120 second
      shutdown_lifetime 30 second
      maximum_object_size 20480 KB
      minimum_object_size 0 KB
      maximum_object_size_in_memory 4096 KB
      ipcache_size 1024
      ipcache_low 90
      ipcache_high 95
      fqdncache_size 1024
      cache_replacement_policy lru
      memory_replacement_policy lru
      cache_dir ufs /var/spool/squid 100000 16 256 
      cache_access_log /var/log/squid/access.log
      cache_log /var/log/squid/cache.log
      cache_store_log /var/log/squid/store.log
      log_ip_on_direct on
      debug_options ALL,1
      client_netmask 255.255.255.255
      ftp_user Squid@
      ftp_list_width 32
      ftp_passive on
      ftp_sanitycheck on
      ftp_telnet_protocol on
      redirect_children 10
      auth_param basic children 10
      auth_param basic realm Squid proxy-caching web server
      auth_param basic credentialsttl 2 hours
      auth_param basic casesensitive off
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern . 0 20% 4320
      quick_abort_min 16 KB
      quick_abort_max 16 KB
      quick_abort_pct 95
      acl all src 0.0.0.0/0.0.0.0
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl SSL_ports port 443 563 6667 7000
      acl Safe_ports port 80 # http
      acl Safe_ports port 81
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 563 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 110 # multiling http, pop3
      acl Safe_ports port 4461
      acl Safe_ports port 5050
      acl CONNECT method CONNECT
      # LIST OF IP ADDRESS
      # ...........
      acl our_network src 192.168.0.0/24
      # POLICY ABOUT LAN
      # ..........-
      http_reply_access allow all
      icp_access allow all
      miss_access allow all
      cache_mgr localhost
      visible_hostname localhost
      logfile_rotate 10
      buffered_logs off
      snmp_port 3401
      snmp_access allow localhost
      snmp_access deny all
      coredump_dir /var/spool/squid
      ie_refresh on
      dns_nameservers 208.67.222.222 208.67.220.220
      store_avg_object_size 20 MB
      http_access deny manager
      http_access deny !Safe_ports
      http_access deny CONNECT !SSL_ports
      always_direct allow all
      http_access allow all # allow every client to access the internet
    • Add your own configuration by defining additional ACLs.
    • For easier management, install Webmin.
    • Make sure eth0 and eth1 really have no IP address of their own:
      edit the file with # nano /etc/network/interfaces
      so that it contains only this:
    • auto lo
      iface lo inet loopback
    • Restart the machine: #shutdown -r now
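The http_access rules in the squid.conf above are evaluated first-match, and the closing "http_access allow all" admits any source whose HTTP traffic reaches the proxy, even though the our_network ACL is defined and never used. The following Python script is an added example, not code from the original post: it parses the subset of Squid ACL syntax this configuration uses (acl types src, port, method and proto) and applies Squid's first-match http_access semantics, so the page's policy can be compared with a variant that only admits localhost and our_network. The request records, the outside address 203.0.113.5 and the HARDENED_POLICY variant are constructed for this example and are not from the page.

```python
import ipaddress

# Added example (not from the original post): evaluator for the subset of Squid
# ACL syntax used in the squid.conf above (acl types src, port, method, proto),
# applying Squid's first-match http_access semantics.

# The access-control part of the page's squid.conf (Safe_ports collapsed to one line).
PAGE_POLICY = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 6667 7000
acl Safe_ports port 80 81 21 443 563 70 210 1025-65535 280 488 591 777 110 4461 5050
acl CONNECT method CONNECT
acl our_network src 192.168.0.0/24
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

# Assumed hardening for comparison: same ACLs, but only localhost and the LAN
# (our_network, which the page defines and never uses) are admitted.
HARDENED_POLICY = PAGE_POLICY.replace(
    "http_access allow all",
    "http_access allow localhost\nhttp_access allow our_network\nhttp_access deny all",
)


def parse_policy(text):
    """Collect acl definitions (repeated acl lines merge) and http_access rules in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Does the named ACL match the request? Only the four acl types above are modelled."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                      # a single port or a lo-hi range
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("acl type not modelled here: " + kind)


def http_access(policy, req):
    """True if Squid would serve the request under this policy."""
    acls, rules = parse_policy(policy)
    for action, terms in rules:
        # A rule matches when every term matches; a leading '!' negates a term.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return rules[-1][0] != "allow"


def request(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}


# Constructed requests; 203.0.113.5 stands in for a host outside the LAN.
LAN_GET = request("192.168.0.10")
OUTSIDE_GET = request("203.0.113.5")
LAN_CONNECT = request("192.168.0.10", port=8080, method="CONNECT")
LAN_MANAGER = request("192.168.0.10", proto="cache_object")

if __name__ == "__main__":
    for label, req in [("LAN GET :80", LAN_GET), ("outside GET :80", OUTSIDE_GET),
                       ("LAN CONNECT :8080", LAN_CONNECT), ("LAN cache_object", LAN_MANAGER)]:
        print(f"{label:20s} page: {http_access(PAGE_POLICY, req)!s:5}  "
              f"hardened: {http_access(HARDENED_POLICY, req)}")
```

Under the page's policy the outside request is served just like the LAN one, because the only source-based rule is "allow all"; under the hardened variant it falls through to "deny all". The deny rules for the cache manager, for non-safe ports and for CONNECT to non-SSL ports behave identically in both, since they come first.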
    Note:

    • If the proxy server runs into trouble, plug the LAN cable that goes to the proxy directly into the router instead; note that all LAN users will then have internet access (bypassing the proxy).
    • If you have a web server behind Squid, change the iptables line in /etc/rc.local to
      iptables -t nat -I PREROUTING -i br0 -m tcp -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
      and then restart your proxy.
      The iptables rule for reaching a web server behind the proxy was contributed by mas Arief Yudhawarman:
      http://awarmanf.wordpress.com http://www.mail-archive.com/tanya-jawab@linux.or.id/msg70414.html
    Source 1: here
    Source 2: here
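Why the note above adds -s 192.168.0.0/24: the original PREROUTING rule matches every TCP/80 packet that enters br0, so an internet client's request for a LAN web server is redirected into Squid as well, whereas the refined rule only redirects connections that originate from the LAN. The following Python script is an added example, not part of the original post: it parses the match part of the two rule strings from this page (the "-t nat -A/-I PREROUTING" prefix is left off) and checks constructed packets against them. The packet records and the addresses 198.51.100.7 (an internet host) and 192.168.0.50 (a LAN web server) are constructed for illustration.

```python
import ipaddress

# Added example (not from the original post): a tiny matcher for the two
# PREROUTING rules shown on this page. Only the options those rules use
# (-i, -p, -s, --dport, -m, -j, --to-port/--to-ports) are understood.

ORIGINAL_RULE = "-i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128"
REFINED_RULE = ("-i br0 -m tcp -p tcp -s 192.168.0.0/24 --dport 80 "
                "-j REDIRECT --to-ports 3128")

# Constructed packets as they would enter the bridge: 198.51.100.7 stands in
# for an internet host, 192.168.0.50 for a LAN web server.
PACKETS = {
    "lan_client_to_internet":
        {"in": "br0", "proto": "tcp", "src": "192.168.0.10", "dst": "198.51.100.7", "dport": 80},
    "internet_to_lan_webserver":
        {"in": "br0", "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.0.50", "dport": 80},
    "lan_client_https":
        {"in": "br0", "proto": "tcp", "src": "192.168.0.10", "dst": "198.51.100.7", "dport": 443},
}


def parse_rule(spec):
    """Turn an iptables rule specification into match criteria plus a target."""
    rule = {}
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]   # every option used here takes one argument
        if opt == "-i":
            rule["in"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "-j":
            rule["target"] = arg
        elif opt in ("--to-port", "--to-ports"):
            rule["to_port"] = int(arg)
        elif opt == "-m":
            pass  # explicit match-extension load; "-p tcp" already implies the tcp match
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    return rule


def rule_matches(rule, pkt):
    """Every criterion present in the rule must match the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    return True


def redirect_port(spec, pkt):
    """Port the packet is redirected to, or None if the rule leaves it alone."""
    rule = parse_rule(spec)
    if rule.get("target") == "REDIRECT" and rule_matches(rule, pkt):
        return rule["to_port"]
    return None


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:28s} original -> {redirect_port(ORIGINAL_RULE, pkt)}  "
              f"refined -> {redirect_port(REFINED_RULE, pkt)}")
```

With the original rule both the LAN client's outbound request and the inbound request for the LAN web server land on Squid's port 3128; with the refined rule only the LAN-originated request does, and the inbound one passes through the bridge to the web server untouched. HTTPS is never redirected by either rule. On a bridge these nat rules only see the traffic at all when bridge netfilter passes bridged frames to iptables (net.bridge.bridge-nf-call-iptables), which is the default once the bridge module is loaded on Debian 6.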
