Netgate Discussion Forum

Squid

Indonesian
    grage95
    last edited by Nov 11, 2009, 1:48 PM

    @ipoelnet:

    3 days, bro, heh heh. The thing is, yesterday I went to Lusca 1.4 and then --enable-arp-acl didn't work and I couldn't figure out how to reconfigure it, so I deleted the whole old cache and started from the beginning again... the hotspot users are up in arms... just look at http://daruttaqwa.org/hotspot2 or http://hotspot.daruttaqwa.org, the kids are at war there because I keep shutting it down... heh heh

    Why did you have to delete it? If you migrate and the Squid filesystem stays the same (aufs to aufs / diskd to diskd) there's no need to delete the cache, just run squid -z. ARP ACL support isn't enabled through the config; Squid has to be rebuilt.

    Download the vanilla Lusca build that already supports arp-acl here:

    fetch http://shakau.googlepages.com/vanila-arp-lusca-1.4.tbz

      ipoelnet
      last edited by Nov 11, 2009, 2:34 PM

      Wow... thanks bro... there's always something from bro grage95.
      Earlier I lowered cache_mem to 64 and the max file in memory to 64 KB, and after 15 minutes...
      it turns out........

      Cache information for squid:
      Request Hit Ratios: 5min: 25.2%, 60min: 28.2%
      Byte Hit Ratios: 5min: 21.7%, 60min: 22.4%
      Request Memory Hit Ratios: 5min: 1.8%, 60min: 1.7%
      Request Disk Hit Ratios: 5min: 77.2%, 60min: 57.8%
      Storage Swap size: 800112 KB
      Storage Mem size: 6820 KB
      Mean Object Size: 9.84 KB
      Requests given to unlinkd: 0

      wow... thanks soooooo much...
      turns out Squid really is "doable, as long as it follows the rules" (in projeckpo's tone) ha ha
      OK... going to test the one that supports ARP... long life to bro grage95.

      It can be done, bro, as long as it follows the rules | Learn like a fool

        111ichael
        last edited by Nov 11, 2009, 11:16 PM Nov 11, 2009, 11:13 PM

        @grage95:

        For the cache_dir setup on your system, if the cache is on its own partition,
        add the cache1-cache3 entries to /etc/fstab with the noatime option (e.g. /dev/ad0s1g  /cache   ufs     rw,noatime      2       2)
        warning: if you only have one hard disk, use just 1 cache_dir, unless you have 3 physical disks; the disk becomes sluggish if a single disk is used for more than 1 cache_dir

        For tuning, change these options:

        in the Squid config
        in the web config:
        cache_mem 256 MB to cache_mem 32 MB

        in squid.inc
        hierarchy_stoplist cgi-bin ? .js .jsp to hierarchy_stoplist cgi-bin ?

        in tunning.conf
        range_offset_limit -1 to range_offset_limit 0
        download_fastest_client_speed off to download_fastest_client_speed on
        n_aiops_threads -1 to n_aiops_threads 16

        The byte hit ratio is calculated a little differently from the request hit ratio. Squid counts the number of bytes read from the network on the server side, and the number of bytes written to the client side. The byte hit ratio is calculated as:

        Byte Hit Ratios = (client_bytes - server_bytes) / client_bytes

        If server_bytes is greater than client_bytes, the byte hit value ends up negative.

        server_bytes may be larger than client_bytes for a few reasons:

        1. Cache Digests and other internally generated requests. Cache digest messages are fairly large and are counted in server_bytes, but because they are consumed internally on the server side, they don't count in client_bytes.
        2. User-aborted requests. Adjust the quick_abort* values.
        3. Some requests can consume more bandwidth on the server side than on the client side. In range requests, the client asks for only some parts of the object. Squid may decide to fetch the whole object so it can be used later. This means downloading more from the server than is delivered to the client. You can influence this behaviour by setting the range_offset_limit option to 0.

        OK. I'll give it a try....
        Thanks for the enlightenment....
        Regards....

        btw... I only have 1 hdd, can I raise the cache dir to 20GB or more? Does that affect performance?

          grage95
          last edited by Nov 12, 2009, 12:07 AM

          OK. I'll give it a try....
          Thanks for the enlightenment....
          Regards....

          btw... I only have 1 hdd, can I raise the cache dir to 20GB or more? Does that affect performance?

          Yes you can. With 1 GB of RAM just estimate what you need; raise cache_dir to 40 GB. It's best for cache_dir to use no more than 50% of the physical partition, e.g. with an 80 GB physical partition the maximum cache_dir is 40 GB. If cache_dir takes more than 50% of the physical partition, the disk's parallel spindle threads switch from optimizing for time to optimizing for space (syslog will print a message about it). Other recommendations say 80%, but in practice, if the average request rate is above 100 hits/s and the cache_dir is already full, the disk gets sluggish at read/write/delete; the advice from Adrian Chadd (Squid developer) is to use a cache_dir of no more than 50% of the physical partition.

            ipoelnet
            last edited by Nov 13, 2009, 5:30 PM Nov 13, 2009, 5:24 PM

            Bro... after I used http://shakau.googlepages.com/vanila-arp-lusca-1.4.tbz, file downloads keep breaking up, the delay pool doesn't work, the max download limit gets exceeded, and for the max upload file size, if it's set to 256 kb I can't submit data... requesting a homepage is fine, only POST data errors, with a warning that the data is too large... Sorry for asking all the time, heh heh, I'm being a bother.

              grage95
              last edited by Nov 13, 2009, 7:18 PM

              What do you mean the delay pool doesn't work? Is there an error?

              For the POST data error, is the upload larger than 256kb (the max upload size limit)?

              Try pasting the output of this here:

              $ squidclient -p 80 cache_object://localhost/ mgr:config >/tmp/config

                ipoelnet
                last edited by Nov 16, 2009, 9:35 AM

                Oh... no, bro grage95, after I restarted it turned out to be normal.
                Now, how do I split the cache file storage by size, bro?

                I have 2 80GB hard disks, the plan is:
                HD 1 = System
                          /cache1 = cache files of 5-10 MB and up

                HD 2 = /cache2 = size 512-1 MB
                          /cache3 = size 0-512 MB

                Please help, brothers....  ???

                  grage95
                  last edited by Nov 16, 2009, 10:04 AM

                  @ipoelnet:

                  Oh... no, bro grage95, after I restarted it turned out to be normal.
                  Now, how do I split the cache file storage by size, bro?

                  I have 2 80GB hard disks, the plan is:
                  HD 1 = System
                            /cache1 = cache files of 5-10 MB and up

                  HD 2 = /cache2 = size 512-1 MB
                            /cache3 = size 0-512 MB

                  Please help, brothers....  ???

                  How much RAM do you have?

                    ipoelnet
                    last edited by Nov 16, 2009, 10:48 AM

                    3 GB bro... Dual-core 2.2 processor

                      grage95
                      last edited by Nov 16, 2009, 11:27 AM

                      @ipoelnet:

                      3 GB bro... Dual-core 2.2 processor

                      physical partition cache1 = 70 GB
                      physical partition cache2 = 80 GB

                      add the rw,noatime option in fstab

                      cache_dir aufs /cache1 32768 64 256 min-size=65535
                      cache_dir aufs /cache2 40960 64 256 max-size=65535
                      store_dir_select_algorithm round-robin

                      or you can use coss for small files, it's just a bit more of a hassle to set up :D

                        ipoelnet
                        last edited by Nov 16, 2009, 12:19 PM Nov 16, 2009, 12:15 PM

                        After I added

                        rw,noatime -> why doesn't the partition I added that parameter to show up, bro?
                        And about this option:

                        32768 64 256 min-size/max-size=65535 -> what's the bold text, bro?

                        because usually it's:

                        32768 16 256

                        I'd love the one with Coss if possible... to make it even faster, heh heh

                          grage95
                          last edited by Nov 17, 2009, 1:22 AM Nov 17, 2009, 1:04 AM

                          @ipoelnet:

                          After I added

                          rw,noatime -> why doesn't the partition I added that parameter to show up, bro?
                          And about this option:

                          32768 64 256 min-size/max-size=65535 -> what's the bold text, bro?

                          because usually it's:

                          32768 16 256

                          I'd love the one with Coss if possible... to make it even faster, heh heh

                          edit /etc/fstab

                          example:

                          proxy# cat /etc/fstab
                          # Device                Mountpoint      FStype  Options         Dump    Pass#
                          /dev/ad0s1g             /cache            ufs     rw,noatime      2       2

                          for it to take effect, reboot, or umount /cache and then mount /cache again

                          to check, type
                          mount
                          and the output will include a line like:
                          /dev/ad0s1g on /cache (ufs, local, noatime, soft-updates)

                          max-size = maximum object size allowed in the cache (in bytes)
                          min-size = minimum object size allowed in the cache (in bytes)

                          cache_dir aufs Directory-Name Mbytes L1 L2 [options]

                          L2 is recommended to be 256
                          L1 is adjusted to the partition size

                          from Henrik:
                          simplified formula:

                          L2 = 256
                          L1 = cache_dir size / 500, rounded upwards on small numbers..

                          If L2 is changed or you have a significantly different object size
                          distribution then use the equation above. This simplified formula is
                          only valid for L2 = 256 and average object size of about 13KB.

                          Regards
                          Henrik

                          complete reference for the coss filesystem
                          http://wiki.squid-cache.org/Features/CyclicObjectStorageSystem

                            ipoelnet
                            last edited by Nov 17, 2009, 1:41 AM

                            Wow... wow... wow... thanks for the explanation, bro grage95. I'll need to tinker with a new PC for testing first... test it first, and if it works then update the existing server right away.  ;D

                              ipoelnet
                              last edited by Nov 20, 2009, 10:40 AM

                              Why is this?

                              2009/11/20 17:12:15| WARNING: All dnsserver processes are busy.
                              2009/11/20 17:12:15| WARNING: up to 10 pending requests queued
                              2009/11/20 17:13:09| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
                              2009/11/20 17:13:09| httpReadReply: Request not yet fully sent "POST http://83.170.102.41/update.php"
                              2009/11/20 17:13:09| httpReadReply: Request not yet fully sent "POST http://83.170.102.41/update.php"
                              2009/11/20 17:14:48| httpReadReply: Request not yet fully sent "POST http://83.170.102.41/update.php"
                              2009/11/20 17:14:48| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
                              2009/11/20 17:14:50| httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
                              2009/11/20 17:15:13| httpReadReply: Request not yet fully sent "POST http://83.170.102.41/update.php"
                              2009/11/20 17:15:20| httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
                              2009/11/20 17:15:23| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
                              2009/11/20 17:15:40| httpReadReply: Request not yet fully sent "POST http://apps.facebook.com/fbml/fbjs_ajax_proxy.php"
                              2009/11/20 17:15:55| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
                              2009/11/20 17:16:17| httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
                              2009/11/20 17:17:01| httpReadReply: Request not yet fully sent "POST http://apps.facebook.com/fbml/fbjs_ajax_proxy.php"
                              2009/11/20 17:17:13| parseHttpRequest: Unsupported method 'NICK'
                              2009/11/20 17:17:13| clientReadRequest: FD 74 (192.168.254.222:2550) Invalid Request
                              2009/11/20 17:17:43| parseHttpRequest: Unsupported method 'NICK'
                              2009/11/20 17:17:43| clientReadRequest: FD 51 (192.168.254.222:2560) Invalid Request
                              2009/11/20 17:17:49| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
                              2009/11/20 17:17:50| httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
                              2009/11/20 17:18:16| parseHttpRequest: Unsupported method 'NICK'
                              2009/11/20 17:18:16| clientReadRequest: FD 57 (192.168.254.222:2568) Invalid Request
                              2009/11/20 17:18:49| parseHttpRequest: Unsupported method 'NICK'
                              2009/11/20 17:18:49| clientReadRequest: FD 66 (192.168.254.222:2577) Invalid Request
                              2009/11/20 17:18:53| clientProcessHit: Vary object loop!
                              2009/11/20 17:18:54| clientProcessHit: Vary object loop!
                              2009/11/20 17:18:54| clientProcessHit: Vary object loop!
                              2009/11/20 17:18:54| clientProcessHit: Vary object loop!
                              2009/11/20 17:18:55| clientProcessHit: Vary object loop!

                              Is something wrong?

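As an added example (not part of the thread), a small Python triage of cache.log lines like the ones pasted above: it counts resolver saturation warnings, repeated POSTs to bare-IP hosts (the update.php lines), non-HTTP verbs such as NICK reaching the proxy port together with the client address from the following "Invalid Request" line, and Vary object loop errors. The sample lines are constructed from the patterns in the post; the repeat threshold and the verb-to-protocol table are assumptions of this example, not Squid settings.

```python
"""Triage Squid cache.log lines (added example; constructed sample input)."""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed from the line patterns in the post above.
SAMPLE_LOG = """\
2009/11/20 17:12:15| WARNING: All dnsserver processes are busy.
2009/11/20 17:12:15| WARNING: up to 10 pending requests queued
2009/11/20 17:13:09| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
2009/11/20 17:13:09| httpReadReply: Request not yet fully sent "POST http://83.170.102.41/update.php"
2009/11/20 17:14:48| httpReadReply: Request not yet fully sent "POST http://89.248.172.86/update.php"
2009/11/20 17:15:40| httpReadReply: Request not yet fully sent "POST http://apps.facebook.com/fbml/fbjs_ajax_proxy.php"
2009/11/20 17:17:13| parseHttpRequest: Unsupported method 'NICK'
2009/11/20 17:17:13| clientReadRequest: FD 74 (192.168.254.222:2550) Invalid Request
2009/11/20 17:17:43| parseHttpRequest: Unsupported method 'NICK'
2009/11/20 17:17:43| clientReadRequest: FD 51 (192.168.254.222:2560) Invalid Request
2009/11/20 17:18:53| clientProcessHit: Vary object loop!
"""

LINE_RE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| (.*)$")
NOT_SENT_RE = re.compile(r'Request not yet fully sent "([A-Z]+) (\S+)"')
UNSUPPORTED_RE = re.compile(r"Unsupported method '([^']+)'")
INVALID_RE = re.compile(r"clientReadRequest: FD \d+ \(([\d.]+):\d+\) Invalid Request")

# Verbs of other protocols that show up when a client aims a non-HTTP program
# at the proxy port (assumed labelling table; NICK is the IRC nickname command).
FOREIGN_VERBS = {"NICK": "IRC", "USER": "IRC/FTP", "PASS": "IRC/FTP"}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Count the noteworthy events in a cache.log excerpt."""
    report = {
        "dns_busy": 0,                          # resolver helper saturation
        "vary_loops": 0,                        # 'Vary object loop!' store errors
        "ip_post_hosts": Counter(),             # bare-IP host -> number of POSTs
        "foreign_verbs": defaultdict(Counter),  # client IP -> non-HTTP verb -> count
    }
    pending_verb = None  # 'Unsupported method' line waiting for its client line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if "All dnsserver processes are busy" in msg:
            report["dns_busy"] += 1
        elif "Vary object loop" in msg:
            report["vary_loops"] += 1
        elif (ns := NOT_SENT_RE.search(msg)):
            method, url = ns.groups()
            host = urlsplit(url).hostname or ""
            if method == "POST" and is_ip_literal(host):
                report["ip_post_hosts"][host] += 1
        elif (u := UNSUPPORTED_RE.search(msg)):
            pending_verb = u.group(1)
        elif (inv := INVALID_RE.search(msg)) and pending_verb:
            # Squid logs the client address on the 'Invalid Request' line that
            # follows the unsupported-method line, so the two are paired here.
            report["foreign_verbs"][inv.group(1)][pending_verb] += 1
            pending_verb = None
    return report


def findings(report, repeat_threshold=2):
    """Turn the counts into one-line findings (threshold is an assumption)."""
    out = []
    if report["dns_busy"]:
        out.append(f"resolver helpers saturated {report['dns_busy']}x: "
                   "raise dns_children or move to a dedicated resolver")
    for host, n in report["ip_post_hosts"].most_common():
        if n >= repeat_threshold:
            out.append(f"{n} repeated POSTs to bare-IP host {host}: "
                       "find the client sending them and scan it for malware")
    for client, verbs in report["foreign_verbs"].items():
        for verb, n in verbs.items():
            proto = FOREIGN_VERBS.get(verb, "unknown protocol")
            out.append(f"client {client} sent {proto} verb {verb!r} "
                       f"to the proxy port {n}x")
    if report["vary_loops"]:
        out.append(f"{report['vary_loops']} Vary object loop errors: "
                   "a Squid store problem, not client traffic")
    return out


if __name__ == "__main__":
    for finding in findings(triage(SAMPLE_LOG)):
        print("-", finding)
```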
                                grage95
                                last edited by Nov 20, 2009, 10:45 AM

                                All dnsserver processes are busy.

                                comment out / delete this in squid.inc:

                                #dns_children 32

                                then edit sysctl.conf and loader.conf

                                /boot/loader.conf

                                kern.ipc.maxsockbufs="2097152"
                                kern.ipc.msgmnb="8192"
                                kern.ipc.msgssz="64"
                                kern.ipc.msgtql="2048"
                                kern.ipc.shmseg="16"
                                kern.ipc.somaxconn="32768"
                                kern.ipc.nmbclusters="131072"
                                kern.ipc.maxsockets="65536"

                                kern.maxfiles="262144"
                                kern.maxfilesperproc="65536"
                                net.inet.tcp.tcbhashsize="4096"

                                /etc/sysctl.conf

                                net.inet.ip.fastforwarding=1
                                net.inet.ip.portrange.last=65535
                                net.inet.ip.portrange.first=1024
                                net.inet.icmp.icmplim=0
                                net.inet.icmp.icmplim_output=0
                                net.inet.tcp.msl=3000
                                net.inet.tcp.hostcache.expire=1
                                net.inet.tcp.inflight.enable=0
                                net.inet.tcp.sendspace=65535
                                net.inet.tcp.recvspace=65535
                                kern.ipc.maxsockbufs=2097152
                                kern.ipc.maxsockets=65536
                                kern.ipc.somaxconn=32768
                                kern.ipc.nmbclusters=131072
                                kern.maxfiles=262144
                                kern.maxfilesperproc=65536
                                net.inet.tcp.delayed_ack=0
                                net.inet.udp.recvspace=65535
                                net.inet.udp.maxdgram=57344
                                net.local.stream.recvspace=65535
                                net.local.stream.sendspace=65535
                                kern.dirdelay=6
                                kern.metadelay=5
                                kern.filedelay=7

                                reboot the server

                                  ipoelnet
                                  last edited by Nov 20, 2009, 11:30 AM

                                  OK bro... great... thanks.  ;D

                                    grage95
                                    last edited by Nov 20, 2009, 12:29 PM

                                    httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
                                    httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"

                                    one of the clients has a virus, hihihi

                                      ipoelnet
                                      last edited by Nov 20, 2009, 9:17 PM Nov 20, 2009, 2:44 PM

                                      That belongs to a hotspot client, bro, no idea whose laptop it is. In the rules and the Squid blacklist I've already blocked the ports I consider dangerous and the virus names I know of:

                                      Firewall: Rules

                                      Proto   Source   Port   Destination   Port   Gateway   Schedule   Description  
                                      TCP LAN net * * 65506 *   Drop PhatBot, Agobot, Gaobot  
                                      TCP LAN net * * 3128 *   Proxy  
                                      TCP LAN net * * 8080 *   Proxy  
                                      TCP LAN net * * 8000 *   Proxy  
                                      TCP LAN net * * 47624 *   -----  
                                      TCP LAN net * * 8181 *   -----
                                      TCP LAN net * * 27374 *   Drop SubSeven  
                                      TCP LAN net * * 17300 *   Drop Kuang2  
                                      TCP LAN net * * 12345 *   Drop NetBus  
                                      TCP LAN net * * 10080 *   Drop MyDoom.B  
                                      TCP LAN net * * 9898 *   Drop Beagle.A-B  
                                      TCP LAN net * * 8866 *   Drop Beagle.B  
                                      TCP LAN net * * 5554 *   Drop Sasser  
                                      TCP/UDP LAN net * * 4444 *   Worm  
                                      TCP LAN net * * 3410 *   Drop Backdoor OptixPro  
                                      TCP LAN net * * 3127 *   Drop MyDoom  
                                      TCP LAN net * * 2745 *   Drop Beagle.C-K  
                                      TCP LAN net * * 2535 *   Drop Beagle  
                                      TCP LAN net * * 2283 *   Drop Dumaru.Y  
                                      TCP LAN net * * 2745 *   Bagle Virus  
                                      TCP LAN net * * 1377 *   cichlid  
                                      TCP LAN net * * 1373 *   hromgrafx  
                                      TCP LAN net * * 1368 *   screen cast  
                                      TCP LAN net * * 1363 - 1364 *   ndm requester & ndm Server  
                                      TCP LAN net * * 1214 *   ________  
                                      TCP LAN net * * 1080 *   Drop MyDoom  
                                      TCP LAN net * * 1024 - 1030 *   ________  
                                      TCP LAN net * * 593 *   ________  
                                      TCP/UDP LAN net * * 445 (MS DS) *   Drop Blaster Worm  
                                      TCP LAN net * * 1433 - 1434 *   Worm  
                                      TCP/UDP LAN net * * 135 - 139 *   Drop Messenger Worm  
                                      ICMP LAN net * * * *   ICMP  
                                      TCP LAN net * * 6667 - 6669 *   IRC  
                                      TCP LAN net * * 5222 *   GTALK  
                                      TCP LAN net * * 5050 *    
                                      TCP LAN net * * 5000 - 5010 *    
                                      TCP LAN net * * 3000 - 3129 *   3000-3129  
                                      TCP LAN net * * 3131 - 4000 *   3131-4000

                                      Maybe you have something to add, bro?
                                      How do I block the virus, bro? Rule/NAT?

                                      $ pfctl -sn
                                      nat-anchor "pftpx/" all
                                      nat-anchor "natearly/*" all
                                      nat-anchor "natrules/" all
                                      nat on fxp0 inet from 192.168.254.0/24 port = isakmp to any port = isakmp -> (fxp0) port 500 round-robin
                                      nat on fxp0 inet from 192.168.254.0/24 port = 5060 to any port = 5060 -> (fxp0) port 5060 round-robin
                                      nat on fxp0 inet from 192.168.254.0/24 to any -> (fxp0) port 1024:65535 round-robin
                                      rdr-anchor "pftpx/*" all
                                      rdr-anchor "slb" all
                                      no rdr on re0 inet proto tcp from any to 192.168.0.0/16 port = http
                                      no rdr on re0 inet proto tcp from any to 172.16.0.0/12 port = http
                                      no rdr on re0 inet proto tcp from any to 10.0.0.0/8 port = http
                                      rdr on re0 inet proto tcp from any to ! (re0) port = http -> 127.0.0.1 port 80
                                      rdr-anchor "imspector" all
                                      rdr-anchor "miniupnpd" all

                                      mgr info
                                      Select loop called: 849129 times, 15.683 ms avg
                                      loop called, does that have an effect, bro?

                                      This is still showing up...
                                      2009/11/20 22:40:01| WARNING: All dnsserver processes are busy.
                                      2009/11/20 22:40:01| WARNING: up to 10 pending requests queued
                                      2009/11/20 22:42:35| WARNING: All dnsserver processes are busy.
                                      2009/11/20 22:42:35| WARNING: up to 5 pending requests queued
                                      2009/11/20 22:42:35| Consider increasing the number of dnsserver processes to at least 10 in your config file.
                                      2009/11/20 22:42:38| dnsSubmit: queue overload, rejecting img132.imageshack.us
                                      2009/11/20 22:43:41| WARNING: All dnsserver processes are busy.
                                      2009/11/20 22:43:41| WARNING: up to 10 pending requests queued
                                      2009/11/20 22:43:41| Consider increasing the number of dnsserver processes to at least 15 in your config file.

                                      Oops... :-X :-X :-X After I looked more carefully... there's a client using Ultrasurf http://ultrareach.net/... this program for bypassing proxies is really powerful, can't it be blocked, bro?

                                      Ultrasurf uses a local proxy on 127.0.0.1 port 9666. I tried downloading and using it... it really does get through the proxy. I blocked port 9666 but it had no effect; it only uses port 9666 locally, so what now?

                                      The IPs are sometimes 65.49.14.10, 65.49.2.17 and many more...... I asked Google, and it turns out Ultrasurf uses the https port (443), so I blocked port 443. The result: Yahoo and Gmail mail and sites that use https can't be opened either... Thank God, everything is blocked. The solution?

                                        grage95
                                        last edited by Nov 21, 2009, 5:34 AM

                                        All dnsserver processes are busy

                                        The core of the problem is DNS; it can be a network bottleneck or the DNS server not responding quickly enough to client DNS queries.
                                        solution:
                                        1. try squid -v

                                        check whether the --disable-internal-dns option is present; if it is, upgrade Squid and use the internal DNS instead, it's better

                                        2. try nslookup abc.com from a client and see whether the server responds quickly,
                                        if you use dnsmasq, add cache-size=10000 (10Mb) or raise it gradually, in line with physical RAM; if it still stays busy, set up a DNS cache other than dnsmasq right away. dnsmasq is only for small networks; the solution is a dedicated DNS server (not on the pfSense box), recommended bind or djbdns

                                        if using bind, add the options datasize 12M; max-cache-size 10M; raise them gradually; with +/- 2000 clients a value of 256M is already very responsive

                                        3. add half_closed_clients off to squid.inc

                                        There are many ways to block Ultrasurf tunneling to port 443, via the firewall or via Squid

                                        1. via Squid

                                        add to squid.inc

                                        acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
                                        http_access deny CONNECT numeric_IPs all

                                        the downside is you can't open websites that use an IP address, only domains;
                                        for example Skype, when making a call, uses random numeric IPs rather than domains, so it can't connect hehehe  ;D

                                        2. via the firewall: block the Ultrasurf IPs, see the attachment, there are a lot of them hehehe

                                        for the virus: if a client runs an infected application that carries a trojan / browser hijacker, the only solution is to remove the virus on the client; no firewall however sophisticated can do anything about it, the trojan's destination IP and port are random, that's the hard part

                                        ip_ultrasurf.txt

                                          ipoelnet
                                          last edited by Nov 21, 2009, 5:06 PM Nov 21, 2009, 10:51 AM

                                          Oh yes, bro, for Skype I copied from

                                          http://www1.cs.columbia.edu/~salman/skype/BlockingSkype_corp.pdf
                                          the gist:

                                          Your acl definitions

                                          acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
                                          acl connect method CONNECT

                                          Apply your acls

                                          http_access deny connect numeric_IPs all
                                          and
                                          http://www.riccardoriva.com/archives/275
                                          contents:
                                          This post will explain a quick and dirt method to block Skype for some user, but avoid to block access to https urls not defined as FQDN.

                                          This post assume that your client have non direct Internet access and must pass trough your Squid Proxy Server to have an external connection.
                                          This Post assume your local network is 192.168.1.0/24
                                          This post assume you want to give SKYPE access to IPs from 192.168.1.100 to 192.168.1.200 and you want to give internet access to all your network.

                                          Obviously you MUST change the IPs based on your REAL network configuration.

                                          In the following configuration, I'm going to create some ACLs to define my networks, the Skype connection method and Skype connection destinations, and create a sort of WhiteList that I could fill in with some exceptions to avoid https connection problems.

                                          The WhiteList file is /etc/squid/https_url_allowed and you can fill it in with a single IP address per line, for example:

                                          proxy:~ # cat /etc/squid/https_url_allowed

                                          aaa.bbb.ccc.ddd
                                          eee.fff.ggg.hhh
                                          iii.jjj.kkk.lll
                                          mmm.nnn.ooo.ppp
                                          qqq.rrr.sss.ttt
                                          uuu.vvv.www.xxx

                                          proxy:~ #

                                          All the following lines are in the main Squid proxy configuration file, usually /etc/squid/squid.conf

                                          # Declare an ACL to catch ALL
                                          acl all src 0.0.0.0/0.0.0.0
                                          # Define an ACL to define my local network
                                          acl mynetworks src 192.168.1.0/24
                                          # Define an ACL to have some IPs that can connect to SKYPE
                                          acl skype_users src 192.168.1.100-192.168.1.200
                                          # Define a CONNECT acl for the CONNECT method
                                          acl CONNECT method CONNECT

                                          # Define an ACL for the URLs composed only of numbers, not FQDN
                                          # (the dots are escaped so that "." matches a literal dot, not any character)
                                          acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

                                          # Define an ACL for the numeric https destinations that everybody may reach,
                                          # read one regex per line from the WhiteList file
                                          acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"

                                          # Allow SKYPE access for the group "skype_users"
                                          http_access allow CONNECT skype_url skype_users

                                          # Allow https access for IP Addresses defined in "/etc/squid/https_url_allowed"
                                          http_access allow CONNECT https_url_allowed

                                          # Deny Access to SKYPE and all other
                                          http_access deny CONNECT skype_url

                                          # Allow Internet access to all "mynetworks"
                                          http_access allow mynetworks

                                          # And finally deny all other access from this proxy
                                          http_access deny all

                                          At this point you can restart squid and check if all works with:

                                          /etc/init.d/squid restart

                                          Hope this helps

                                          Bye
                                          Riccardo

                                          Ultrasurf, let that be for now,

                                          It can be done, as long as it follows the rules | Learn like a fool

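The rule set quoted above only does what Riccardo describes because of two things Squid does that the post does not spell out: every ACL named on one http_access line must match for that line to fire, and the first line that fires decides (when no line fires, Squid's documented default is the opposite of the last line's action). The following Python script is an added example, not code from this thread or from Riccardo's blog: it re-implements that evaluation order for exactly the ACLs and http_access lines in the post, so you can check what a given client and destination would get before touching a live proxy. The whitelist contents, the `Request` class and all function names are constructed for this example; the whitelist regexes and the `skype_url` regex have their dots escaped, and `bare_vs_escaped` shows what the bare-dot version as posted would additionally match.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the contents of /etc/squid/https_url_allowed.
# Squid reads each line as a regular expression, so the dots are escaped
# here; a bare "10.1.2.3" would also match a host named "10x1x2x3".
HTTPS_URL_ALLOWED = [r"10\.1\.2\.3", r"203\.0\.113\.7"]

# The post's skype_url regex with the dots escaped, so only real dotted
# quads match. BARE_DOT_RE is the regex exactly as it appears in the post.
SKYPE_URL_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
BARE_DOT_RE = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+")

MYNETWORKS = ipaddress.ip_network("192.168.1.0/24")
SKYPE_USERS_LO = ipaddress.ip_address("192.168.1.100")
SKYPE_USERS_HI = ipaddress.ip_address("192.168.1.200")


@dataclass(frozen=True)
class Request:
    src: str      # client address as seen by the proxy
    method: str   # "CONNECT" or "GET"
    url: str      # for CONNECT, Squid tests url_regex against "host:port"


def acl_match(name: str, req: Request) -> bool:
    """Evaluate one of the post's named ACLs against a request."""
    src = ipaddress.ip_address(req.src)
    if name == "all":
        return True
    if name == "mynetworks":
        return src in MYNETWORKS
    if name == "skype_users":
        return SKYPE_USERS_LO <= src <= SKYPE_USERS_HI
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "skype_url":
        return SKYPE_URL_RE.search(req.url) is not None
    if name == "https_url_allowed":  # "-i" in the post: case-insensitive
        return any(re.search(p, req.url, re.IGNORECASE) for p in HTTPS_URL_ALLOWED)
    raise KeyError(f"unknown acl {name}")


# The post's http_access lines, in order. A line fires only when every
# ACL on it matches, and the first line that fires decides the request.
HTTP_ACCESS = [
    ("allow", ["CONNECT", "skype_url", "skype_users"]),
    ("allow", ["CONNECT", "https_url_allowed"]),
    ("deny",  ["CONNECT", "skype_url"]),
    ("allow", ["mynetworks"]),
    ("deny",  ["all"]),
]


def decide(req: Request) -> str:
    for action, acls in HTTP_ACCESS:
        if all(acl_match(a, req) for a in acls):
            return action
    # Squid's default when nothing matches: the opposite of the last line.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


def bare_vs_escaped(url: str) -> tuple:
    """(posted bare-dot regex matches, escaped regex matches) for one URL."""
    return (BARE_DOT_RE.search(url) is not None,
            SKYPE_URL_RE.search(url) is not None)


if __name__ == "__main__":
    samples = [
        Request("192.168.1.150", "CONNECT", "10.9.8.7:443"),        # skype user
        Request("192.168.1.50", "CONNECT", "10.9.8.7:443"),         # other user
        Request("192.168.1.50", "CONNECT", "10.1.2.3:443"),         # whitelisted IP
        Request("192.168.1.50", "CONNECT", "bank.example:443"),     # FQDN https
        Request("10.0.0.5", "GET", "http://example.com/"),          # outside LAN
    ]
    for req in samples:
        print(f"{req.src:14} {req.method:8} {req.url:22} -> {decide(req)}")
    # A host name starting with seven digits slips past the bare-dot regex
    print(bare_vs_escaped("1234567.example.com:443"))  # (True, False)
```

Run it as-is to see the decision for each constructed request; to model your own network, change `MYNETWORKS`, the `skype_users` bounds and the whitelist list. Note that the whitelist entries are regexes in Squid too, so the same escaping applies to the real file.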
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.