Vertical Network Solution: Proxy Squid

Configuring Mikrotik with an External Squid Proxy

Written By Vertical Network on Thursday, 27 February 2014 | 00.19



Equipment used:
- Speedy modem
- RB750 with ROS 4.6, or Mikrotik v5.xx
- Squid proxy running transparently on port 3128, with zph

Topology:
- Speedy 2M down and 512 up
- 1M download share for all clients, capped at 256kbps per client
- Unlimited access for a few specific IPs (here 192.168.2.16 and 192.168.2.17)
- Browsing is not limited
- QoS applied to outbound traffic, i.e. packets leaving through the Speedy modem

IP addresses used:
[MODEM]
Public IP Address = 192.168.1.2/24
[CLIENTS]
Client IP Address = 192.168.2.2-192.168.2.17 (other IPs do not get internet access)
[SQUID BOX]
Proxy IP Address = 192.168.3.2
squid.conf with zph:
http_port 3128 transparent
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
================Basic Configuration================
/interface ethernet
set 0 comment="Public Interface" name=Public
set 1 comment="Local Interface" name=Local
set 2 comment="Proxy Interface" name=Proxy

/ip address
add address=192.168.2.1/24 broadcast=192.168.2.2 comment="" disabled=no \
interface=Local network=192.168.2.0
add address=192.168.3.1/24 broadcast=192.168.3.2 comment="" disabled=no \
interface=Proxy network=192.168.3.0
add address=192.168.1.2/24 broadcast=192.168.1.3 comment="" disabled=no \
interface=Public network=192.168.1.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
max-udp-packet-size=512 servers="125.160.4.82,203.130.196.155"
(adjust to your ISP's DNS servers)

/ip route
add gateway=192.168.1.1 comment="" disabled=no

/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291

/system ntp client
set enabled=yes mode=unicast primary-ntp=152.118.24.8 secondary-ntp=\
202.169.224.16

/ip firewall address-list
add address=192.168.3.1/24 comment="" disabled=no list=ProxyNET
add address=192.168.2.2-192.168.2.17 comment="" disabled=no list=localNet
(I only let clients 2-17 connect to the internet)
=================end of basic configuration=================
For the firewall filter I only apply the most important rules.
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow Related connections" \
connection-state=related disabled=no
add action=accept chain=input comment="Allow ICMP from LOCAL Network" \
disabled=no protocol=icmp src-address-list=localNet
add action=accept chain=input comment="Allow ICMP from PROXY Network" \
disabled=no protocol=icmp src-address-list=ProxyNET
add action=accept chain=input comment="Allow Input from LOCAL Network" \
disabled=no src-address-list=localNet
add action=accept chain=input comment="Allow Input from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="Drop Invalid connections" \
connection-state=invalid disabled=no
add action=jump chain=forward comment="Bad packets filtering" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
protocol=icmp
add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 \
protocol=tcp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=\
3133 protocol=udp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop other icmp packets" disabled=no
add action=accept chain=forward comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Allow Forward from LOCAL Network" \
disabled=no src-address-list=localNet
add action=accept chain=forward comment="Allow Forward from PROXY Network" \
disabled=no src-address-list=ProxyNET
add action=drop chain=forward comment="Drop everything else" disabled=no
The NAT rules are as follows:
/ip firewall nat
add action=masquerade src-address-list=localNet chain=srcnat comment="NAT-LOCAL" disabled=no \
out-interface=Public
add action=masquerade src-address-list=ProxyNET chain=srcnat comment="NAT-PROXY" disabled=no \
out-interface=Public
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.2 to-ports=3128
(or the proxy redirect the way I actually have it, like this:)
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
src-address=192.168.2.2-192.168.2.17 dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.2 to-ports=3128
add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no \
dst-port=53 in-interface=Local protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Local protocol=tcp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Proxy protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
in-interface=Proxy protocol=tcp to-ports=53

Explanation:
- Transparent DNS, so that clients cannot use a name server other than the one configured on the Mikrotik
  (use it or not, as you prefer)
- Redirects client requests to ports 80, 8080 and 3128 to the external squid.
  I have given 2 redirect examples; pick whichever you like, both of them work.
  If there is another interface, for example a hotspot, just add a ! to the src-address-list or dst-address-list.
For the mangle rules, let me explain them one by one so there is no confusion:
/ip firewall mangle
add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \
dscp=12 new-packet-mark=proxy-hit passthrough=no

Marks proxy-hit packets coming from the external proxy; the queue rules later let these through without any limiting.
add action=change-dscp chain=postrouting comment=CRITICAL disabled=no \
new-dscp=1 protocol=icmp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=udp
add action=change-dscp chain=postrouting comment="" disabled=no dst-port=53 \
new-dscp=1 protocol=tcp
add action=mark-connection chain=postrouting comment="" disabled=no dscp=1 \
new-connection-mark=critical_conn passthrough=yes
add action=mark-packet chain=postrouting comment="" connection-mark=\
critical_conn disabled=no new-packet-mark=critical_pkt passthrough=no

Marks ICMP and DNS request packets, which are given the highest priority.
add action=mark-connection chain=prerouting comment=MARK-ALL-CONN disabled=no \
dst-address-list=!localNet in-interface=Local new-connection-mark=\
all.pre_conn passthrough=yes
add action=mark-connection chain=forward comment="" disabled=no \
new-connection-mark=all.post_conn out-interface=Local passthrough=yes \
src-address-list=!localNet
add action=mark-packet chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no new-packet-mark=all.pre_pkt passthrough=yes
add action=mark-packet chain=forward comment="" connection-mark=all.post_conn \
disabled=no new-packet-mark=all.post_pkt passthrough=yes

Marks ALL packets entering and leaving the Local interface, EXCEPT those addressed to the Local network.
add action=mark-connection chain=prerouting comment=GAMES connection-mark=\
all.pre_conn disabled=no dst-port=9339,843 new-connection-mark=games_conn \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=40000-40010 new-connection-mark=\
games_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="" connection-mark=games_conn \
disabled=no new-packet-mark=games_pkt passthrough=no

Marks GAMES packets, which are given the SECOND priority.
add action=mark-connection chain=prerouting comment=HTTP-CLIENT \
connection-mark=all.pre_conn disabled=no new-connection-mark=\
browsing_conn packet-size=0-64 passthrough=yes protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=80,443 new-connection-mark=\
browsing_conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=0-131072 \
connection-mark=browsing_conn disabled=no new-packet-mark=browsing_pkt \
passthrough=no protocol=tcp
add action=mark-connection chain=prerouting comment=HTTP-PROXY disabled=no \
dst-address-list=!localNet dst-port=80,443 new-connection-mark=proxy_conn \
passthrough=yes protocol=tcp src-address-list=ProxyNET
add action=mark-packet chain=forward comment="" connection-mark=proxy_conn \
disabled=no new-packet-mark=proxy_pkt passthrough=no

Marks browsing packets, INCLUDING HTTP requests from the external proxy, with conn-bytes=0-131072, plus small TCP packets (packet-size=0-64 tcp-flags=ack); these are given the THIRD priority.
add action=mark-connection chain=prerouting comment=REALTIME connection-mark=\
all.pre_conn disabled=no dst-port=22,179,110,161,8291 \
new-connection-mark=realtime_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" connection-mark=\
all.pre_conn disabled=no dst-port=123 new-connection-mark=realtime_conn \
passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="" connection-mark=realtime_conn \
disabled=no new-packet-mark=realtime_pkt passthrough=no

Marks REALTIME ACCESS packets, which are given the FOURTH priority.
add action=mark-connection chain=prerouting comment=FILETRANSFER \
connection-mark=all.pre_conn disabled=no dst-port=20,21,23 \
new-connection-mark=communication_conn passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="" connection-mark=\
communication_conn disabled=no new-packet-mark=communication_pkt \
passthrough=no

Marks FILETRANSFER packets, which are given the FIFTH priority.
add action=mark-connection chain=prerouting comment=NORMAL connection-mark=\
all.pre_conn disabled=no dst-address-list=!ProxyNET new-connection-mark=\
normal_conn passthrough=yes
add action=mark-packet chain=forward comment="" connection-mark=normal_conn \
disabled=no new-packet-mark=normal_pkt passthrough=no

Marks all remaining packets EXCEPT those destined for the Proxy, which are given the SIXTH priority.
add action=mark-packet chain=forward comment=DOWNLOAD connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.2 new-packet-mark=client1 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.3 new-packet-mark=client2 passthrough=no protocol=tcp
……………….. and so on, until the required number of clients is covered
add action=mark-packet chain=forward comment=DOWNLOAD-NO-LIMIT connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.16 new-packet-mark=client16 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 connection-mark=all.post_conn disabled=no dst-address=\
192.168.2.17 new-packet-mark=client17 passthrough=no protocol=tcp

Marks TCP packets forwarded to the clients, with conn-bytes=131072-4294967295, so that each client can be given its own download limit.
After that, create the queue types:
/queue type
add kind=pcq name=pcq_up pcq-classifier=src-address pcq-limit=200 pcq-rate=0 \
pcq-total-limit=8000
add kind=pcq name=pcq_down pcq-classifier=dst-address pcq-limit=200 pcq-rate=\
0 pcq-total-limit=8000
add kind=pfifo name=pfifo-critical pfifo-limit=10
add kind=pcq name=pcq_critical.up pcq-classifier=src-address,src-port \
pcq-limit=20 pcq-rate=0 pcq-total-limit=500
add kind=pcq name=pcq_critical.down pcq-classifier=dst-address,dst-port \
pcq-limit=20 pcq-rate=0 pcq-total-limit=500
next, add the queue tree…..
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. PROXY HIT" packet-mark=proxy-hit parent=Local \
priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. CRITICAL" packet-mark=critical_pkt parent=Public \
priority=1 queue=pfifo-critical

Unlimited, with first priority, for proxy hits and critical traffic

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="C. INBOUND" packet-mark=all.post_pkt parent=global-out \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="D. OUTBOUND" packet-mark=all.pre_pkt parent=Public \
priority=8

Creates the parents for inbound (traffic going to the clients) and outbound (traffic leaving via Public).
I split the INBOUND children into several priorities as follows:

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. GAMES" packet-mark=games_pkt parent="C. INBOUND" \
priority=2 queue=pcq_critical.down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="B. HTTP" packet-mark=browsing_pkt parent="C. INBOUND" \
priority=3 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="C. REALTIME" packet-mark=realtime_pkt parent=\
"C. INBOUND" priority=4 queue=pcq_critical.down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="D. FILETRANS" packet-mark=communication_pkt parent=\
"C. INBOUND" priority=5 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="E. NORMAL" packet-mark=normal_pkt parent=\
"C. INBOUND" priority=6 queue=pcq_down

next, the parents for per-client download:

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1024k name="F. DOWN 1M" parent="C. INBOUND" priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="G. DOWN 2M" parent="C. INBOUND" priority=8

creates 2 parents, for 1M and for 2M (i.e. unlimited)
After that, create the children that give each client its download limit

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=256k name=Client1 packet-mark=client1 parent=\
"F. DOWN 1M" priority=8 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=256k name=Client2 packet-mark=client2 parent=\
"F. DOWN 1M" priority=8 queue=pcq_down

………………….. and so on, until every required client is covered
Download limited to 1M for all clients together, and a maximum of 256k per client

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=Client16 packet-mark=client16 parent=\
"G. DOWN 2M" priority=8 queue=pcq_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=Client17 packet-mark=client17 parent=\
"G. DOWN 2M" priority=8 queue=pcq_down

No download limit for IPs 192.168.2.16 and 192.168.2.17
Then create the upload limits

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="A. GAMES UP" packet-mark=games_pkt parent="D. OUTBOUND" \
priority=2 queue=pcq_critical.up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=256k name="B. HTTP UP" packet-mark=proxy_pkt parent=\
"D. OUTBOUND" priority=3 queue=pcq_up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=32k \
max-limit=64k name="C. REALTIME UP" packet-mark=realtime_pkt parent=\
"D. OUTBOUND" priority=4 queue=pcq_critical.up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="D. FILETRANS UP" packet-mark=communication_pkt \
parent="D. OUTBOUND" priority=5 queue=pcq_up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=64k \
max-limit=128k name="E. NORMAL UP" packet-mark=normal_pkt parent=\
"D. OUTBOUND" priority=6 queue=pcq_up

Notes
- Please adjust the IP addresses, ethernet names, etc. to your own setup.
- The green, blue and red markings are deliberate, so that you do not mix things up if you have used other names (they must be adjusted to match).
- The orange and pink markings must be identical to what is in the address list (if you have renamed it).
- Copy the script I wrote and paste it into Notepad first (that is, strip out the explanations and keep one block per section so it is not confusing, hehe).

Ordered by outgoing packet priority: games, HTTP requests, realtime connections, file transfer and normal requests.

LUSCA Commands on ClearOS

Written By Vertical Network on Monday, 25 March 2013 | 22.01



These are some of the CLI commands for LUSCA; you may need them.
- To start Squid manually:
/usr/local/squid/sbin/squid -NDd1 &
- To reconfigure squid after editing squid.conf:
/usr/local/squid/sbin/squid -k reconfigure
- To watch user activity:
tail -f /cache1/access.log
- To see the HIT ratio percentage:
/usr/local/squid/bin/squidclient -p 3128 mgr:info|grep Hit
- To stop squid:
/usr/local/squid/sbin/squid -k shutdown
- To check squid.conf for configuration errors:
/usr/local/squid/sbin/squid -k parse
- To re-enable the content filter:
yum install adzapper app-dansguardian-av app-squid app-squid-acl dansguardian-av
Source: Beldin.Net
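As an added example (not from the post or from Beldin.Net), the Python below computes offline what the squidclient mgr:info command above reports live, from the same access.log that the tail -f command displays: request and byte hit ratios, per-client volume, and the largest uncached responses. The log lines are constructed samples in Squid's native log format.

```python
"""Hit ratio and per-client volume from a Squid/Lusca access.log.

Added example, not from the original post. SAMPLE_LOG holds constructed lines
in Squid's native format: time elapsed client status/code bytes method URL
ident hierarchy/peer content-type. Every *_HIT status counts as a hit;
TCP_DENIED lines are left out of the ratio because they were never cacheable."""
from collections import Counter

SAMPLE_LOG = """\
1393459200.123    215 192.168.2.5 TCP_MISS/200 48213 GET http://example.com/a.jpg - DIRECT/93.184.216.34 image/jpeg
1393459201.456      2 192.168.2.6 TCP_HIT/200 48213 GET http://example.com/a.jpg - NONE/- image/jpeg
1393459202.789      3 192.168.2.7 TCP_MEM_HIT/200 48213 GET http://example.com/a.jpg - NONE/- image/jpeg
1393459203.001    980 192.168.2.5 TCP_MISS/200 1048576 GET http://cdn.example.net/videoplayback?id=abc - DIRECT/203.0.113.9 video/x-flv
1393459204.002    120 192.168.2.8 TCP_REFRESH_HIT/304 412 GET http://example.com/logo.png - DIRECT/93.184.216.34 image/png
1393459205.003      1 192.168.2.9 TCP_DENIED/403 1473 GET http://example.com/x.html - NONE/- text/html
1393459206.004     50 192.168.2.5 TCP_MISS/200 9200 CONNECT mail.example.org:443 - DIRECT/198.51.100.4 -
"""


def parse_access_log(text):
    """Turn native-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or "/" not in f[3]:
            continue
        status, code = f[3].split("/", 1)
        entries.append({
            "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "status": status, "code": int(code), "bytes": int(f[4]),
            "method": f[5], "url": f[6],
        })
    return entries


def hit_ratio(entries):
    """Request and byte hit ratios over hits+misses, with denied requests counted separately."""
    hits = [e for e in entries if "HIT" in e["status"]]
    misses = [e for e in entries if "MISS" in e["status"]]
    denied = [e for e in entries if e["status"] == "TCP_DENIED"]
    hit_bytes = sum(e["bytes"] for e in hits)
    served = hit_bytes + sum(e["bytes"] for e in misses)
    counted = len(hits) + len(misses)
    return {
        "requests": len(entries), "hits": len(hits), "misses": len(misses),
        "denied": len(denied),
        "request_hit_pct": 100.0 * len(hits) / counted if counted else 0.0,
        "byte_hit_pct": 100.0 * hit_bytes / served if served else 0.0,
    }


def bytes_per_client(entries):
    """Bytes delivered to each client address, largest first (the tail -f view, summarised)."""
    totals = Counter()
    for e in entries:
        totals[e["client"]] += e["bytes"]
    return totals.most_common()


def top_misses(entries, n=3):
    """Largest uncached responses: candidates for a refresh_pattern or storeurl rule."""
    misses = sorted((e for e in entries if "MISS" in e["status"]),
                    key=lambda e: e["bytes"], reverse=True)
    return [(e["url"], e["bytes"]) for e in misses[:n]]
```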

Installing LUSCA on ClearOS 5.2



This tutorial has been tested on a ClearOS 5.2 server, in Gateway and Standalone (no firewall) modes.
Remember to save/back up your squid.conf before starting, because you may still need it for the delaypool settings.
The steps:
——————-
open putty:
——————-
yum install squid
yum remove squid          (answer: y)
yum remove squid          (on purpose… to make sure nothing is left behind)
yum install automake gcc glibc-devel e2fsprogs-devel sharutils                 (answer: y)
tar -zxvf LUSCA_HEAD-r14809.tar.gz
cd LUSCA_HEAD-r14809
ulimit -n 8192
./configure --prefix=/usr/local/squid --exec-prefix=/usr/local/squid --enable-delay-pools --enable-cache-digests --enable-poll --enable-linux-netfilter --enable-removal-policies --with-maxfd=8192 --enable-storeio=aufs --disable-wccp --enable-x-accelerator-vary --enable-kill-parent-hack --enable-async-io=30 --disable-ident-lookups
make all && make install
cd /usr/local/squid/etc/
(note: if tunning.conf fails to download, you can copy all of its contents from here, paste them into Notepad, save as tunning.conf, then copy it to /usr/local/squid/etc/ using WinSCP)
———————-
open winscp:
———————-
go to the folder/directory: /usr/local/squid/etc/
rename the file storeurl.pl.conf to storeurl.pl (right-click, rename)
delete the file squid.conf (or rename it to something else)
rename the file squid.conf.1 to squid.conf
open squid.conf for editing.
put a # in front of the line offline_mode on (result: #offline_mode on)
to adjust the IP, find the following line:
acl localnet src 10.0.2.0/24 # RFC1918 possible internal network
and replace it with our LAN IP, e.g. replace 10.0.2.0/24 with 192.168.2.0/24)
also replace the 10.0.2.0/24 in the delaypool group (scroll all the way to the bottom)
with our LAN IP from above.
——————————–
back again to…… PUTTY:
——————————–
cd /usr/local/squid/etc/
rm -rf /cache1/
mkdir /cache1
chown squid:squid /cache1
chmod 777 squid.conf tunning.conf storeurl.pl
/usr/local/squid/sbin/squid -k parse
/usr/local/squid/sbin/squid -z
/usr/local/squid/sbin/squid -NDd1 &
if you see the text: Finished rebuilding storage from disk. etc…
down to the text: storeLateRelease: released 0 objects.
it means LUSCA has been installed successfully on your server.
press Ctrl + C to return to the prompt
——————————————–
back again to… WINSCP:
—————————————————–
  • go to the directory /etc/rc.d
  • open the file: rc.local
  • delete everything and replace it with the script below:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/usr/local/squid/sbin/squid -NDd1 &
# This file is executed by the firewall on stop/start/restart.
  • Save and close.
———————–
then (next):
———————–
  • Go to the folder: /etc
  • Open the file: firewall
  • Find the following lines:
# Squid configuration
#————————–
SQUID_TRANSPARENT="" ( change to ) SQUID_TRANSPARENT="on"
SQUID_FILTER_PORT="" ( change to ) SQUID_FILTER_PORT="3128"
  • Save and close.
NB: If it still fails after following the tutorial above, try editing these lines in squid.conf:
storeurl_rewrite_children 0 change to 1
storeurl_rewrite_concurrency 0 change to 75
adjust the numbers…
because it turns out different machines give different results

Squid.Conf



#============================================================================================================================#
#=========================================================#  START  #========================================================#
#============================================================================================================================#
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl localnet src 192.168.3.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
cache_dir aufs /cache1/ 10000 16 256
cache_dir aufs /cache1/ 14000 32 256
cache_mem 8 MB
maximum_object_size_in_memory 128 MB
minimum_object_size 1 bytes
maximum_object_size 393216 KB
cache_swap_low 98
cache_swap_high 99
access_log /cache1/access.log
cache_log /cache1/cache.log
cache_store_log /cache1/store.log
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user squid
cache_effective_group squid
#=================================================================================================================================#
#=========================================================#  REGEX URL  #=========================================================#
#=================================================================================================================================#
coredump_dir /cache1/
###############################################################################
#acl PHP77 url_regex forum.php forumdisplay.php showthread.php showthreads.php
#acl PHP77 url_regex download.php downloads.php classifieds.php classified.php
#acl PHP77 url_regex forum
#no_cache deny PHP77
#hierarchy_stoplist cgi-bin ? localhost
#acl QUERY22 urlpath_regex cgi-bin \? localhost
#no_cache deny QUERY22
################################################################################
#acl store_rewrite_list urlpath_regex \/(get_video|videoplayback\?id|videoplayback.*id) \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv|wmv|3gp|mp(4|3)|exe|msi|zip|on2|mar|swf)
#acl store_rewrite_list_domain url_regex ^http:\/\/([a-zA-Z-]+[0-9-]+)\.[A-Za-z]*\.[A-Za-z]*
#acl store_rewrite_list_domain url_regex (([a-z]{1,2}[0-9]{1,3})|([0-9]{1,3}[a-z]{1,2}))\.[a-z]*[0-9]?\.[a-z]{3}
#acl store_rewrite_list_path urlpath_regex \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv|avc|zip|mp3|3gp|rar|on2|mar|exe)$
#acl store_rewrite_list_domain_CDN url_regex \.rapidshare\.com.*\/[0-9]*\/.*\/[^\/]* ^http:\/\/(www\.ziddu\.com.*\.[^\/]{3,4})\/(.*) \.doubleclick\.net.* yieldmanager cpxinteractive ^http:\/\/[.a-z0-9]*\.photobucket\.com.*\.[a-z]{3}$ quantserve\.com
emulate_httpd_log off
server_http11 on
redirector_bypass on
acl video urlpath_regex                   \/(get_video|videoplayback\?id|videoplayback.*id)
acl speedtest urlpath_regex               \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv|wmv|3gp|mp(4|3)|exe|msi|zip|on2|mar|txt)\?
acl angka1 url_regex                      ^http:\/\/([a-zA-Z-]+[0-9-]+)\.[A-Za-z]*\.[A-Za-z]*
acl angka2 url_regex                      (([a-z]{1,2}[0-9]{1,3})|([0-9]{1,3}[a-z]{1,2}))\.[a-z]*[0-9]?\.[a-z]{3}
acl gambar urlpath_regex                  \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|flv|avc|zip|mp3|3gp|rar|on2|mar|exe)$
acl rapidshare url_regex                  \.rapidshare\.com.*\/[0-9]*\/.*\/[^\/]* ^http:\/\/(www\.ziddu\.com.*\.[^\/]{3,4})\/(.*) \.doubleclick\.net.*
acl photobucket url_regex                 ^http:\/\/[.a-z0-9]*\.photobuc
ket\.com.*\.[a-z]{3}$ quantserve\.com
acl google url_regex                      ^http:\/\/[a-z]+[0-9]\.google\.co(m|\.id)
# indowebster: the stray "\." right after "//" could never match a real host name, so it is removed
acl indowebster url_regex                 ^http:\/\/www[0-9][0-9]\.indowebster\.com\/(.*)(rar|zip|flv|wm(a|v)|3gp|mp(4|3)|exe|msi|avi|(mp(e?g|a|e|1|2|3|4))|cab|exe)
acl getmethod method GET
storeurl_access allow video
storeurl_access allow speedtest
storeurl_access allow gambar
storeurl_access allow rapidshare
storeurl_access allow photobucket
storeurl_access allow indowebster
storeurl_access deny all
storeurl_rewrite_program /usr/local/squid/etc/storeurl.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 100
#storeurl_rewrite_children 15 #7
#storeurl_rewrite_concurrency 10 #60
#=======================================================================================================================================#
#=========================================================#  REFRESH PATTERN  #=========================================================#
#=======================================================================================================================================#
# VIDEO CACHE
refresh_pattern ^http://(.*?)/get_video\? 10080 90% 432000 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://(.*?)/videoplayback\? 10080 90% 432000 override-expire ignore-no-cache ignore-private
refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id) 161280 50000% 525948 override-expire ignore-reload
# facebook
refresh_pattern ((facebook.com)|(85.131.151.39)).*\.(jpg|png|gif) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale
refresh_pattern ((tagged.com)|(96.17.109.27)).*\.(jpg|png|gif) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale
# fbcdn/edgecast: "net*" only matched "ne" followed by any number of "t", and "cdn.\net" escaped the wrong character; ".*" and "\.net" are intended
refresh_pattern static\.ak\.fbcdn\.net.*\.(jpg|gif|png) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale
refresh_pattern ^http:\/\/profile\.ak\.fbcdn\.net.*\.(jpg|gif|png) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale
refresh_pattern edgecastcdn\.net.*\.swf? 129600 100% 129600 override-expire ignore-reload store-stale
refresh_pattern \.(jp(e?g|e|2)|tiff?|bmp|gif|png)($|&) 129600 100% 129600 ignore-no-cache ignore-no-store reload-into-ims override-expire store-stale
refresh_pattern .zynga.net.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .zynga.com.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .farmville.net.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .farmville.com.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .ninjasaga.com.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .apps.facebook.com.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .frontierville.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
refresh_pattern .tagged.*\.(jpg|gif|png|swf|mp3)($|&) 129600 100% 129600 store-stale
#ads
refresh_pattern ^.*(utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 129600 20% 129600 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth store-stale negative-ttl=40320 max-stale=1440
#specific sites
refresh_pattern ^.*safebrowsing.*google 129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth negative-ttl=10080 store-stale
refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?) 129600 99100% 129600 override-expire ignore-reload store-stale
refresh_pattern \.(ico|video-stats) 129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod negative-ttl=10080 store-stale
# pictures & images
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico|swf)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private store-stale
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico|swf)\? 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private store-stale
# website
#refresh_pattern -i \.(xml|html|htm|js|jsp|txt|css|php|asp)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth store-stale
refresh_pattern -i \.(xml|js|jsp|txt|css)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth store-stale
refresh_pattern -i \.(xml|js|jsp|txt|css)\? 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth store-stale
#sound, video multimedia
refresh_pattern -i \.(flv|x-flv|mov|avi|qt|mpg|mpeg|wmv)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache store-stale
refresh_pattern -i \.(wav|mp3|mp4|au|mid)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private store-stale
# files
refresh_pattern -i \.(iso|deb|rpm|zip|tar|tgz|ram|rar|bin|ppt|doc)$ 10080 90% 43200 ignore-no-cache ignore-auth store-stale
refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth store-stale
refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth ignore-reload ignore-no-cache store-stale
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth store-stale
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 100% 43200 override-expire ignore-no-cache ignore-auth store-stale
#IIX DOWNLOAD
refresh_pattern ^http:\/\/\.www[0-9][0-9]\.indowebster\.com\/(.*)(mp3|rar|zip|flv|wmv|3gp|mp(4|3)|exe|msi|zip) 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-auth
#default option
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 1 0% 2
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320 store-stale
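Squid evaluates refresh_pattern rules top to bottom and applies the first regex that matches the URL, so the order of the block above decides which freshness values and override options a response gets. The script below is an added audit helper, not part of this config or of Squid: it replays that first-match logic over a constructed subset of the rules above (the ad-network rule shortened to a few hosts) and reports which matched options make a shared cache keep responses the origin marked private, authenticated or non-storable.

```python
import re

# Constructed subset of the refresh_pattern lines from the config above; the
# ad-network rule is cut down to a few hosts so it fits on one line.
REFRESH_PATTERNS = r"""
refresh_pattern ^http://(.*?)/get_video\? 10080 90% 432000 override-expire ignore-no-cache ignore-private
refresh_pattern ^.*(utm\.gif|ads\?|doubleclick\.net|\.googlesyndication\.com).* 129600 20% 129600 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth store-stale
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico|swf)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private store-stale
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico|swf)\? 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private store-stale
refresh_pattern -i (/cgi-bin/|\?) 1 0% 2
refresh_pattern . 0 20% 4320 store-stale
"""

# Options that make Squid keep a response the origin marked as private,
# authenticated, or not storable; a shared cache then serves it to other users.
RISKY = {"ignore-private", "ignore-auth", "ignore-no-store"}


def parse_refresh_patterns(text):
    """Return [(compiled_regex, min_minutes, percent, max_minutes, options)]."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":          # case-insensitive regex
            flags, parts = re.IGNORECASE, parts[1:]
        regex = re.compile(parts[0], flags)
        mn, pct, mx = int(parts[1]), int(parts[2].rstrip("%")), int(parts[3])
        rules.append((regex, mn, pct, mx, set(parts[4:])))
    return rules


def match_url(rules, url):
    """Squid applies the first refresh_pattern whose regex matches the URL."""
    for idx, (regex, mn, pct, mx, opts) in enumerate(rules):
        if regex.search(url):
            return {"rule": idx, "min": mn, "percent": pct, "max": mx,
                    "risky": sorted(opts & RISKY)}
    return None


RULES = parse_refresh_patterns(REFRESH_PATTERNS)

if __name__ == "__main__":
    # Constructed sample URLs; intranet.example is a placeholder host.
    for url in ("http://www.youtube.com/get_video?video_id=abc",
                "http://ad.doubleclick.net/adj/site;sz=300x250",
                "http://intranet.example/avatar.png?uid=7",
                "http://intranet.example/cgi-bin/account?user=a"):
        print(url, "->", match_url(RULES, url))
```

Note that a per-user image fetched with a query string (avatar.png?uid=7) is caught by the `\.(...)\?` image rule with ignore-private and ignore-auth before the generic `\?` rule can exempt it.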
#=============================================================================================================================#
#=========================================================#  TOOLS  #=========================================================#
#=============================================================================================================================#
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
negative_ttl 2 minutes
half_closed_clients off
connect_timeout 1 minute
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 2 minutes
half_closed_clients on
shutdown_lifetime 30 seconds
icp_port 0
prefer_direct off
ipcache_size 5120
ipcache_low 98
ipcache_high 99
fqdncache_size 5120
memory_pools off
log_icp_queries off
icp_hit_stale on
query_icmp on
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on
header_access X-Forwarded-For deny all
client_persistent_connections on
server_persistent_connections off
half_closed_clients off
strip_query_terms off
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
vary_ignore_expire on
reload_into_ims on
pipeline_prefetch on
negative_ttl 30 seconds
positive_dns_ttl 6 hours
negative_dns_ttl 60 seconds
pconn_timeout 15 seconds
request_timeout 1 minute
log_icp_queries off
ipcache_size 8192
ipcache_low 98
ipcache_high 99
log_fqdn off
fqdncache_size 8192
memory_pools off
forwarded_for on
prefer_direct on
persistent_connection_after_error on
balance_on_multiple_ip on
store_avg_object_size 50 KB
n_aiops_threads 24
load_check_stopen on
load_check_stcreate on
download_fastest_client_speed on
#=============================================================================================================================#
#===================================================#     DELAY POOLS     #===================================================#
#=============================================================================================================================#
acl bypas url_regex -i 192.168.0.1/
acl admin src 192.168.0.2
acl warnet src 192.168.0.3-192.168.0.13
acl  magic_words1 url_regex -i 192.168.2.0/24
acl  magic_words1 url_regex -i 192.168.3.0/24
acl  file-file url_regex -i ftp \.ppt \.tar.gz \.tar.bz \.tar.bz2 \.gz \.rpm \.zip \.gzip \.bin \.rar \.qt \.iso \.raw \.tar \.doc \.z \.arj \.lzh \.vqf \.exe
acl  audio-audio url_regex -i \.mp3 \.mp2 \.aac \.wav \.mid \.wmv \.wma \.ogg
acl  striming url_regex -i \.mov \.avi \.mpeg \.mpe \.mpg \.ram \.rm \.flv \.flv-x \.mp4 \.3gp \.mkv
acl  striming url_regex -i get_video? video_id? videodownload? videoplayback? .c.youtube.com
acl  speedtt url_regex -i  \.jpg?
delay_pools 4
delay_class 1 2
delay_access 1 allow magic_words1
delay_parameters 1 -1/-1 -1/-1
delay_access 1 deny bypas
delay_class 2 1
delay_access 2 allow file-file
delay_parameters 2 25600/25600
delay_class 3 1
delay_access 3 allow audio-audio
delay_parameters 3 25600/25600
delay_class 4 1
delay_access 4 allow striming
delay_parameters 4 51200/51200
#delay_class 5 2
#delay_access 5 allow speedtt
#delay_parameters 5 -1/-1 32785/3278500