LUSCA

Posted on 21-Aug-2014


UBUNTU 10.10 64 BIT + LUSCA_HEAD + DNS UNBOUND

Required packages:
for lusca r14809: http://untuk-kitasemua.googlecode.com/files/SQUID%202%20LUSCA.zip
for lusca FMI: http://untuk-kita-semua.googlecode.com/files/SQUID-CONF.zip
Download link for Ubuntu 10.10 64 bit: http://ubuntu.pesat.net.id/releases/rver-amd64.iso

Requirements:
- Ubuntu 10.10 64 bit
- Proxy IP 192.168.2.2
- Gateway 192.168.2.1
- MikroTik IP facing the proxy 192.168.2.1/24
- RAM 2 GB
- 320 GB SATA HDD

1. Partition the HDD
The 320 GB hard disk is divided into primary partitions as follows:
256 MB   ext4   /boot   (boot flag; if the boot flag still shows off after you select on, just IGNORE it)
16 GB    ext4   /
2.0 GB   swap   swap    (match this to the physical RAM of your machine)
the rest ext4   btrfs   /cache

2. Install packages
Optimize the btrfs partition:
# lsmod | grep -i btrfs
# nano /etc/fstab
/cache btrfs noatime,compress,noacl 0 2

Also optimize the kernel. The default file-descriptor limit is 1024; check it in the console with:
# ulimit -n
To change it:
# ulimit -HSn 65536
# echo root soft nofile 65536 >> /etc/security/limits.conf
# echo root hard nofile 65536 >> /etc/security/limits.conf
# nano /etc/pam.d/common-session
session required pam_limits.so
# modprobe ip_conntrack
Then add ip_conntrack to /etc/modules:
# nano /etc/modules
Add the following line:
ip_conntrack

DNS Unbound High Performance
apt-get install unbound
cd /etc/unbound
wget ftp://FTP.INTERNIC.NET/domain/named.cache
unbound-control-setup
chown unbound:root unbound_*
chmod 440 unbound_*
Adjust the configuration in /etc/unbound/unbound.conf; any other DNS service (bind, dnsmasq, etc.) must be stopped so it does not conflict with unbound.
# nano /etc/unbound/unbound.conf

server:
    verbosity: 1
    statistics-interval: 120
    statistics-cumulative: yes
    num-threads: 1
    interface: 0.0.0.0
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 16m
    rrset-cache-size: 32m
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    infra-cache-numhosts: 10000
    infra-cache-lame-size: 10k
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    #access-control: 0.0.0.0/0 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    chroot: /etc/unbound
    username: unbound
    directory: /etc/unbound
    #logfile: /etc/unbound/unbound.log
    #use-syslog: yes
    logfile: ""
    use-syslog: no
    pidfile: /etc/unbound/unbound.pid
    root-hints: /etc/unbound/named.cache
    identity: "DNS"
    version: "1.4"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-not-query-address: 127.0.0.1/8
    do-not-query-localhost: yes
    module-config: "iterator"

    # zone localhost
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"

    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

    # zone zoky.net
    local-zone: "zoky.net." static
    local-data: "zoky.net. 86400 IN NS ns1.zoky.net."
    local-data: "zoky.net. 86400 IN SOA zoky.net. hostmaster.zoky.net. 3 3600 1200 604800 86400"
    local-data: "zoky.net. 86400 IN A 192.168.2.2"
    local-data: "www.zoky.net. 86400 IN A 192.168.2.2"
    local-data: "ns1.zoky.net. 86400 IN A 192.168.2.2"
    local-data: "mail.zoky.net. 86400 IN A 192.168.2.2"
    local-data: "zoky.net. 86400 IN MX 10 mail.zoky.net."
    local-data: 'zoky.net. 86400 IN TXT "v=spf1 a mx ~all"'
    local-zone: "2.168.192.in-addr.arpa." static
    local-data: "2.168.192.in-addr.arpa. 10800 IN NS zoky.net."
    local-data: "2.168.192.in-addr.arpa. 10800 IN SOA zoky.net. hostmaster.zoky.net. 4 3600 1200 604800 864000"
    local-data: "2.2.168.192.in-addr.arpa. 10800 IN PTR zoky.net."

forward-zone:
    name: "."
    forward-addr: 192.168.2.1
    forward-addr: 116.254.99.254
    forward-addr: 202.134.0.155
    forward-addr: 203.130.196.5
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /etc/unbound/unbound_server.key
    server-cert-file: /etc/unbound/unbound_server.pem
    control-key-file: /etc/unbound/unbound_control.key
    control-cert-file: /etc/unbound/unbound_control.pem

Then save it as /etc/unbound/unbound.conf. In forward-zone, use the DNS servers of your own ISP.
Check the unbound configuration:
# unbound-checkconf /etc/unbound/unbound.conf
Edit /etc/resolv.conf:
# nano /etc/resolv.conf
nameserver 127.0.0.1
Edit /etc/network/interfaces:
# nano /etc/network/interfaces
iface eth0 inet static
address 192.168.2.2

netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 127.0.0.1

To check that it is running:
# /etc/init.d/unbound restart
# nslookup 192.168.2.2
Server:         127.0.0.1
Address:        127.0.0.1#53

2.2.168.192.in-addr.arpa        name = zoky.net

# nslookup zoky.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   zoky.net
Address: 192.168.2.2

To monitor:
# unbound-control stats
# sudo unbound-control stats | tail -16

# sudo apt-get update
# sudo apt-get install squid
# nano /etc/default/squid
SQUID_MAXFD=8192
# sudo apt-get install squid squidclient squid-cgi
# sudo apt-get install gcc
# grep -E '#define\W+__FD_SETSIZE' /usr/include/*.h /usr/include/*/*.h
# nano /usr/include/linux/posix_types.h
#define __FD_SETSIZE 65536
# nano /usr/include/bits/typesizes.h
#define __FD_SETSIZE 65536
# nano /etc/pam.d/login
session required /lib/security/pam_limits.so
# sudo apt-get install build-essential
# sudo apt-get install sharutils
# sudo apt-get install ccze
# sudo apt-get install libzip-dev
# sudo apt-get install automake1.9

3. Download Lusca
Download lusca r14809 from the Ubuntu terminal with:
# wget http://untuk-kita-semua.googlecode.com/files/LUSCA_HEAD-r14809.tar.gz
Download lusca FMI from the Ubuntu terminal with:
# wget http://untuk-kita-semua.googlecode.com/files/LUSCA_FMI.tar.gz
Then extract it:
if using lusca r14809:
# tar xzvf LUSCA_HEAD-r14809.tar.gz
if using lusca FMI:
# tar xzvf LUSCA_FMI.tar.gz
If using lusca r14809, copy the file imr.diff to /home/proxyku using WinSCP.
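The access-control lines in the unbound.conf above are what stop this resolver from answering the whole Internet while it listens on 0.0.0.0: only RFC1918 and loopback ranges are allowed and everything else is refused. The following is an added example, not part of the original guide: a POSIX shell audit that reads an unbound.conf and reports every `allow` entry for a non-private network and a missing catch-all `refuse`. The configuration text inside it is constructed to mirror the guide's ACLs.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an unbound.conf for
# open-resolver exposure. Reports "allow" entries whose network is not
# RFC1918/loopback, and whether a final "0.0.0.0/0 refuse" exists.

# Constructed sample mirroring the guide's access-control block.
SAMPLE_CONF='server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
'

# is_private NETWORK -> exit 0 when NETWORK lies inside an RFC1918 or
# loopback range (prefix-string check, good enough for /8, /12, /16 and
# anything more specific inside them).
is_private() {
    case "$1" in
        10.*|192.168.*|127.*)                  return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                      return 1 ;;
    esac
}

# audit_acl CONF_TEXT -> prints "OK", or one token per problem found:
#   public-allow:<net>     an allow rule reachable from the Internet
#   no-catch-all-refuse    no "0.0.0.0/0 refuse" closing the list
audit_acl() {
    conf="$1"
    problems=""
    refuse_all=0
    # Read from a here-document so the loop runs in this shell and the
    # variables survive (a pipe would run it in a subshell).
    while read -r key net action; do
        [ "$key" = "access-control:" ] || continue
        if [ "$action" = "allow" ] && ! is_private "$net"; then
            problems="${problems}public-allow:${net} "
        fi
        if [ "$net" = "0.0.0.0/0" ] && [ "$action" = "refuse" ]; then
            refuse_all=1
        fi
    done <<EOF
$conf
EOF
    [ "$refuse_all" -eq 1 ] || problems="${problems}no-catch-all-refuse "
    if [ -z "$problems" ]; then
        echo OK
    else
        printf '%s\n' "$problems"
    fi
}

# Stand-alone usage: the guide's ACLs pass; an "allow everything" list fails.
audit_acl "$SAMPLE_CONF"
audit_acl 'access-control: 0.0.0.0/0 allow'
```

Run it against the live file with `audit_acl "$(cat /etc/unbound/unbound.conf)"` after `unbound-checkconf` passes. The check is deliberately conservative: a resolver that forwards for the whole LAN but is also reachable on a public interface is the classic open-resolver pattern, so anything that is not a private allow gets flagged for a human to look at.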

WinSCP can be downloaded from: 4shared.com/file/KlAfa3dQ/winscp428.html
Then copy it using PuTTY; PuTTY can be downloaded from: 4shared.com/file/16tJyvlq/putty.html
# sudo cp /home/proxyku/imr.diff /home/proxyku/LUSCA_HEAD-r14809
Go into the folder:
if using lusca r14809:
# cd LUSCA_HEAD-r14809/
First apply the revalidate patch with:
# patch -p0 < imr.diff
if using lusca FMI:
# cd LUSCA_FMI/
If using lusca FMI on 64-bit Ubuntu, run this command inside the lusca FMI folder before compiling:
# make distclean

OK, now the compile stage begins.
# cat /proc/cpuinfo
shows the CPU information of the proxy; match the flags to the processor you use. Links for finding the right CHOST and CFLAGS:
# for AMD
http://en.gentoo-wiki.com/wiki/Safe_Cflags/AMD
# for Intel
http://en.gentoo-wiki.com/wiki/Safe_Cflags/Intel
As an example, I use an AMD X2 7750 BE:

CHOST="x86_64-pc-linux-gnu" \
CFLAGS="-march=amdfam10 -msse3 -O2 -pipe" \
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid \
  --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io=24 --with-aufs-threads=24 --with-pthreads --enable-storeio=aufs \
  --enable-linux-netfilter --enable-arp-acl --enable-epoll --enable-removal-policies=heap --with-aio --with-dl --enable-snmp \
  --enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd --enable-large-cache-files --with-large-files \
  --enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536

Next, type the following commands in the Ubuntu terminal:
# make
# sudo make install

Edit squid.conf so that the command "sudo /etc/init.d/squid stop" works on Ubuntu 10.10.
# copy the squid init script you downloaded earlier to /etc/init.d/
# sudo cp /home/proxyku/squid /etc/init.d/
# don't forget to:
# sudo chmod +x /etc/init.d/squid
# stop squid first:
sudo /etc/init.d/squid stop
# copy the squid.conf and storeurl.pl you downloaded earlier into /etc/squid -> edit them to suit your network
sudo cp /home/proxyku/squid.conf /etc/squid
sudo cp /home/proxyku/storeurl.pl /etc/squid

4. Next steps
# Give permissions on the cache folder
chown proxy:proxy /cache
chmod 777 /cache
chown proxy:proxy /etc/squid/storeurl.pl
chmod 777 /etc/squid/storeurl.pl
# Create the swap/cache directories inside the cache folder defined in the config:
squid -f /etc/squid/squid.conf -z
# Restart squid
sudo /etc/init.d/squid restart
# nano /etc/sysctl.conf
fs.file-max=65536
vm.drop_caches = 3
vm.swappiness = 3
net.netfilter.nf_conntrack_acct= 1
net.ipv4.netfilter.ip_conntrack_max = 16777216
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_sack = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.ip_local_port_range = 16384 65535
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

After saving, apply it with sysctl -p.
Note: for 512 MB of RAM, just halve the *mem parameters in the second and third columns; leave the first column alone.
Reboot the machine.

Extra: to calculate the memory currently used by applications on Linux:
# wget http://www.pixelbeat.org/scripts/ps_mem.py
# chmod +x ps_mem.py
# ./ps_mem.py

Install Squidmon:
# wget http://squidmon.googlecode.com/svn/trunk/squidmon.py
# chmod +x squidmon.py
To monitor squid:
# cat /var/log/squid/access.log | ./squidmon.py
# cat /var/log/squid/access.log | python squidmon.py

SETTING UP SQUIDSTATS
1. apt-get install librrds-perl libsnmp-session-perl snmpd rrdtool snmp apache2 -y
2. perl -MCPAN -e 'install Config::IniFiles'
3. wget http://jaringanwarnet.com/downloads/squidstats-r54.tar
4. tar -xvf squidstats-r54.tar
5. cd squidstats-r54

6. cp mib.txt /etc/squid/
7. cp snmpd.conf /etc/snmp/
8. add the following to squid.conf:
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic all
9. make && make install
10. snmpwalk -v 1 -c public localhost
11. squidstats.pl createdb
12. squidstats.pl gather
13. crontab -e (then paste the rule below)
*/5 * * * * /usr/local/bin/squidstats.pl gather >/dev/null
14. cp squidstats.conf /etc/apache2/conf.d
15. reboot
16. check the result at http://<proxy-ip>/squidstats/graph-summary.cgi

To make it reachable from outside, create a rule like this on the MikroTik:
/ip firewall nat add action=dst-nat chain=dstnat comment=redir-squidtasq disabled=no \
    dst-address=xxx.xxx.xxx.xxx dst-port=8080 protocol=tcp to-addresses=192.168.2.2 to-ports=80

To monitor SQUID:
sudo /etc/init.d/squid stop
sudo /etc/init.d/squid restart
/etc/init.d/unbound restart
unbound-control stats
sudo unbound-control stats | tail -16
squidclient mgr:info
squidclient mgr:client_list
tail -f /var/log/squid/access.log
tail -f /var/log/squid/cache.log
tail -n 80 /var/log/squid/cache.log
squidclient mgr:storedir
cat /var/log/squid/access.log | ./squidmon.py
cat /var/log/squid/access.log | python squidmon.py
http://192.168.2.2/squidstats/graph-summary.cgi
./ps_mem.py

credit to teukurizal http://forummikrotik.com
Posted by Putra Jaya Komputer (PJK) at 14:47
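The monitoring commands above feed access.log through squidmon.py. As an added example, not from the guide and not squidmon's code, here is a small POSIX shell/awk summary of squid's native access.log format: hit and miss counts, the hit ratio, and the clients accumulating TCP_DENIED responses, which is the line a defender watches to spot clients repeatedly tripping the proxy's ACLs. The log lines are constructed; clients sit on the guide's 192.168.2.0/24 LAN.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise a squid native-format
# access.log. Fields are:
#   time elapsed client result/status bytes method URL ident hierarchy/peer type

# Constructed sample log (not captured from a real proxy).
SAMPLE_LOG='1408627200.001    245 192.168.2.10 TCP_MISS/200 51234 GET http://www.example.net/a.jpg - DIRECT/203.0.113.20 image/jpeg
1408627201.002     12 192.168.2.11 TCP_HIT/200 51234 GET http://www.example.net/a.jpg - NONE/- image/jpeg
1408627202.003      3 192.168.2.12 TCP_MEM_HIT/200 51234 GET http://www.example.net/a.jpg - NONE/- image/jpeg
1408627203.004    410 192.168.2.10 TCP_MISS/200 8821 GET http://www.example.net/index.html - DIRECT/203.0.113.20 text/html
1408627204.005      9 192.168.2.13 TCP_REFRESH_HIT/200 8821 GET http://www.example.net/index.html - NONE/- text/html
1408627205.006      1 192.168.2.50 TCP_DENIED/403 1456 CONNECT 203.0.113.9:25 - NONE/- text/html
1408627206.007      1 192.168.2.50 TCP_DENIED/403 1456 CONNECT 203.0.113.9:25 - NONE/- text/html'

# hit_summary  (log on stdin)
#   -> "requests=N hits=N misses=N denied=N hit_ratio_pct=P"
# Any *_HIT/ result counts as a hit, any *_MISS/ as a miss; TCP_DENIED is
# counted separately and excluded from the ratio because nothing was served.
hit_summary() {
    awk '
        $4 ~ /_HIT\//        { hits++ }
        $4 ~ /_MISS\//       { misses++ }
        $4 ~ /^TCP_DENIED\// { denied++ }
        END {
            served = hits + misses
            ratio = (served > 0) ? int(hits * 100 / served) : 0
            printf "requests=%d hits=%d misses=%d denied=%d hit_ratio_pct=%d\n",
                   NR, hits, misses, denied, ratio
        }'
}

# denied_clients  (log on stdin) -> "client count" lines, most denied first.
# A client with a long tail of TCP_DENIED is either misconfigured or testing
# what the proxy ACLs let through; both are worth a look.
denied_clients() {
    awk '$4 ~ /^TCP_DENIED\// { c[$3]++ } END { for (ip in c) print ip, c[ip] }' \
        | sort -k2,2nr
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | hit_summary
printf '%s\n' "$SAMPLE_LOG" | denied_clients
```

On the proxy itself, `tail -n 5000 /var/log/squid/access.log | hit_summary` gives a quick cache-effectiveness number without SNMP, and `denied_clients` over the same window is a cheap daily check to pair with the squidstats graphs.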

Caching Dynamic Content

After reading the manual's section on caching dynamic content in squid, I will now try to share how caching dynamic content works. As an example we will build a video cache for YouTube. Reading about it at squid-cache.org, we find an example configuration. The default handling of dynamic content in the squid configuration is this pair of lines:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?

cache deny QUERY

To change the policy, the QUERY ACL and its cache deny are removed and replaced by the refresh_pattern lines below:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Now we try caching YouTube video. Put the configuration below into your squid configuration:
# REMOVE these lines from squid.conf
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
quick_abort_min -1 KB
maximum_object_size 4 GB
acl youtube dstdomain .youtube.com
cache allow youtube
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 0% 4320

Then open a video on YouTube and you will see that the video is cached under this configuration.

Note: the default squid configuration prevents caching of dynamic content and of YouTube content, and this applies specifically to several features of the Flash video format. For more detail, read the article at the source: squid-cache.org
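The order of the refresh_pattern lines above matters because squid stops at the first regex that matches the URL. The following is an added example, not from the post and not squid's own code: a POSIX shell emulation of that first-match lookup over the post's three rules, run against constructed URLs. It shows the case that trips people up: a .flv URL carrying a query string never reaches the `\.flv$` rule, because `$` anchors at the end of the whole URL, so it falls through to the `(/cgi-bin/|\?)` rule and is not cached. Normalising such URLs is the job of store-URL rewriting (the storeurl.pl copied into /etc/squid in the main guide); that mechanism is outside what this example models.

```shell
#!/bin/sh
# Added example (not from the original post): emulate squid's refresh_pattern
# selection. Patterns are tried in configuration order and the FIRST regex that
# matches the URL supplies min/percent/max. Rules are the post's; URLs are
# constructed.

# One rule per line: [-i] <regex> <min> <percent> <max> [options...]
RULES='-i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
-i (/cgi-bin/|\?) 0 0% 0
. 0 0% 4320'

# match_rule URL -> prints the first matching rule line, or "none"
match_rule() {
    url="$1"
    # Here-document keeps the loop in this shell so "return" works.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            "-i "*) flags="-Eiq"; rest="${line#-i }" ;;   # -i = case-insensitive
            *)      flags="-Eq";  rest="$line" ;;
        esac
        regex="${rest%% *}"                               # regex is the first word
        if printf '%s\n' "$url" | grep "$flags" -- "$regex"; then
            printf '%s\n' "$line"
            return 0
        fi
    done <<EOF
$RULES
EOF
    echo none
}

# max_age URL -> the <max> value (minutes) of the winning rule, or "none".
# A max of 0 together with min 0 means the object is effectively not cached.
max_age() {
    rule="$(match_rule "$1")"
    if [ "$rule" = none ]; then
        echo none
        return 0
    fi
    printf '%s\n' "$rule" | awk '{ if ($1 == "-i") print $5; else print $4 }'
}

# Stand-alone usage: note that the query-string .flv URL does NOT win the
# .flv rule, while the case-insensitive rule does catch ".FLV".
for u in 'http://v.youtube.com/get_video.flv?id=abc' \
         'http://cdn.example.net/clip.FLV' \
         'http://www.example.net/page.html'; do
    printf '%-46s -> max=%s  rule: %s\n' "$u" "$(max_age "$u")" "$(match_rule "$u")"
done
```

Two practitioner notes on the post's rules. First, `ignore-no-cache override-expire ignore-private` tell squid to disregard the origin's Cache-Control and Expires headers, so keep the regex as narrow as the `\.flv$` example; widening it to a whole domain risks storing responses the origin marked private and serving them to other clients on the LAN. Second, because the catch-all `.` rule sits last, any new pattern must be inserted above it or it will never be reached.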