Category Archives: Squid Proxy

ACL


Option Name: acl
Replaces:
Requires:
Default Value: acl all src all
Suggested Config:
 
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Defining an Access List

Every access list definition must begin with an aclname and acltype,
followed by either type-specific arguments or a quoted filename that
they are read from.

acl aclname acltype argument ...
acl aclname acltype "file" ...

When using "file", the file should contain one item per line.

By default, regular expressions are CASE-SENSITIVE.
To make them case-insensitive, use the -i option. To return case-sensitive
use the +i option between patterns, or make a new ACL line without -i.

Some acl types require suspending the current request in order
to access some external data source.
Those which do are marked with the tag [slow], those which
don't are marked as [fast].
See http://wiki.squid-cache.org/SquidFaq/SquidAcl
for further information

***** ACL TYPES AVAILABLE *****

acl aclname src ip-address/netmask ... # clients IP address [fast]
acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
acl aclname myip ip-address/netmask ... # local socket IP address [fast]

acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# The arp ACL requires the special configure option --enable-arp-acl.
# Furthermore, the ARP ACL code is not portable to all operating systems.
# It works on Linux, Solaris, Windows, FreeBSD, and some
# other *BSD variants.
# [fast]
#
# NOTE: Squid can only determine the MAC address for clients that are on
# the same subnet. If the client is on a different subnet,
# then Squid cannot find out its MAC address.

acl aclname srcdomain .foo.com ...
# reverse lookup, from client IP [slow]
acl aclname dstdomain .foo.com ...
# Destination server from URL [fast]
acl aclname srcdom_regex [-i] \.foo\.com ...
# regex matching client name [slow]
acl aclname dstdom_regex [-i] \.foo\.com ...
# regex matching server [fast]
#
# For dstdomain and dstdom_regex a reverse lookup is tried if an IP-based
# URL is used and no match is found. The name "none" is used
# if the reverse lookup fails.

acl aclname src_as number ...
acl aclname dst_as number ...
# [fast]
# Except for access control, AS numbers can be used for
# routing of requests to specific caches. Here's an
# example for routing all requests for AS#1241 and only
# those to mycache.mydomain.net:
# acl asexample dst_as 1241
# cache_peer_access mycache.mydomain.net allow asexample
# cache_peer_access mycache.mydomain.net deny all

acl aclname peername myPeer ...
# [fast]
# match against a named cache_peer entry
# set unique name= on cache_peer lines for reliable use.

acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# [fast]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2

acl aclname url_regex [-i] ^http:// ...
# regex matching on whole URL [fast]
acl aclname urlpath_regex [-i] \.gif$ ...
# regex matching on URL path [fast]

acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# ranges are allowed
acl aclname myport 3128 ... # local socket TCP port [fast]
acl aclname myportname 3128 ... # http(s)_port name [fast]

acl aclname proto HTTP FTP ... # request protocol [fast]

acl aclname method GET POST ... # HTTP request method [fast]

acl aclname http_status 200 301 500- 400-403 ...
# status code in reply [fast]

acl aclname browser [-i] regexp ...
# pattern match on User-Agent header (see also req_header below) [fast]

acl aclname referer_regex [-i] regexp ...
# pattern match on Referer header [fast]
# Referer is highly unreliable, so use with care

acl aclname ident username ...
acl aclname ident_regex [-i] pattern ...
# string match on ident output [slow]
# use REQUIRED to accept any non-null ident.

acl aclname proxy_auth [-i] username ...
acl aclname proxy_auth_regex [-i] pattern ...
# perform http authentication challenge to the client and match against
# supplied credentials [slow]
#
# takes a list of allowed usernames.
# use REQUIRED to accept any valid username.
#
# Will use proxy authentication in forward-proxy scenarios, and plain
# http authentication in reverse-proxy scenarios
#
# NOTE: when a Proxy-Authentication header is sent but it is not
# needed during ACL checking the username is NOT logged
# in access.log.
#
# NOTE: proxy_auth requires an EXTERNAL authentication program
# to check username/password combinations (see
# auth_param directive).
#
# NOTE: proxy_auth can't be used in a transparent/intercepting proxy
# as the browser needs to be configured for using a proxy in order
# to respond to proxy authentication.

acl aclname snmp_community string ...
# A community string to limit access to your SNMP Agent [fast]
# Example:
#
# acl snmppublic snmp_community public

acl aclname maxconn number
# This will be matched when the client's IP address has
# more than <number> TCP connections established. [fast]
# NOTE: This only measures direct TCP links so X-Forwarded-For
# indirect clients are not counted.

acl aclname max_user_ip [-s] number
# This will be matched when the user attempts to log in from more
# than <number> different IP addresses. The authenticate_ip_ttl
# parameter controls the timeout on the IP entries. [fast]
# If -s is specified the limit is strict, denying browsing
# from any further IP addresses until the ttl has expired. Without
# -s Squid will just annoy the user by "randomly" denying requests.
# (the counter is reset each time the limit is reached and a
# request is denied)
# NOTE: in acceleration mode or where there is mesh of child proxies,
# clients may appear to come from multiple addresses if they are
# going through proxy farms, so a limit of 1 may cause user problems.

acl aclname req_mime_type [-i] mime-type ...
# regex match against the mime type of the request generated
# by the client. Can be used to detect file upload or some
# types HTTP tunneling requests [fast]
# NOTE: This does NOT match the reply. You cannot use this
# to match the returned file type.

acl aclname req_header header-name [-i] any\.regex\.here
# regex match against any of the known request headers. May be
# thought of as a superset of "browser", "referer" and "mime-type"
# ACL [fast]

acl aclname rep_mime_type [-i] mime-type ...
# regex match against the mime type of the reply received by
# squid. Can be used to detect file download or some
# types HTTP tunneling requests. [fast]
# NOTE: This has no effect in http_access rules. It only has
# effect in rules that affect the reply data stream such as
# http_reply_access.

acl aclname rep_header header-name [-i] any\.regex\.here
# regex match against any of the known reply headers. May be
# thought of as a superset of "browser", "referer" and "mime-type"
# ACLs [fast]

acl aclname external class_name [arguments...]
# external ACL lookup via a helper class defined by the
# external_acl_type directive [slow]

acl aclname user_cert attribute values...
# match against attributes in a user SSL certificate
# attribute is one of DN/C/O/CN/L/ST [fast]

acl aclname ca_cert attribute values...
# match against attributes of the CA SSL certificate that issued the user's certificate
# attribute is one of DN/C/O/CN/L/ST [fast]

acl aclname ext_user username ...
acl aclname ext_user_regex [-i] pattern ...
# string match on username returned by external acl helper [slow]
# use REQUIRED to accept any non-null user name.

acl aclname tag tagvalue ...
# string match on tag returned by external acl helper [slow]

Examples:
acl macaddress arp 09:00:2b:23:45:67
acl myexample dst_as 1241
acl password proxy_auth REQUIRED
acl fileupload req_mime_type -i ^multipart/form-data$
acl javascript rep_mime_type -i ^application/x-javascript$ 
 
Source: http://www.blogger.com/blogger.g?blogID=4178251841297857100#editor/target=post;postID=4640298480786995324

IGOS Nusantara and compiling the Squid proxy server


Squid can be optimised further by compiling it from the Squid source.

1. Server Specification

The Squid build below was done for the following specification:

  1. Operating system: IGOS Nusantara 2010 (minimal install)
  2. Processor: Intel(R) Xeon(TM) CPU 3.00GHz
  3. RAM 1 GB (yes, memory is still small; it should be upgraded to 4 GB)
  4. Hard disk 2 x 80 GB SCSI
    • Harddisk1: /dev/sda (holds the operating system)
    • Harddisk2: /dev/sdb (holds the Squid cache)


2. Prerequisites for Squid optimisation

Before compiling Squid, the following must already be configured and working properly:

  1. Know the network layout, see: http://igos-nusantara.or.id/wiki/Skema_Jaringan
  2. Install IGOS Nusantara as a server, using the minimal/console option, see: http://igos-nusantara.or.id/wiki/Instal_IGOS_Nusantara_minimal-konsol
  3. Format the second hard disk, see: http://igos-nusantara.or.id/wiki/Memformat_harddisk_kedua
  4. Tune the file system, see: http://igos-nusantara.or.id/wiki/Tuning_file_sistem


3. Compiling Squid


Install the packages needed to compile Squid

# yum -y install gcc 
# yum -y install gcc-c++
# yum -y install libxml2-devel libcap-devel

Or install everything with a single command:

# yum -y install gcc gcc-c++ libxml2-devel libcap-devel


Download squid-3.1.10.tar.bz2

# mkdir /root/sumber
# cd /root/sumber
# wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.10.tar.bz2


Create the group and user

The group and user that will run Squid are created with:

# useradd squid -c "Squid Proxy" -M -d /cache/proxy1 -s /bin/false


Compiler optimisation

For an optimal build, use the options or FLAGS that match the processor. Information about the processor is in /proc/cpuinfo

# cat /proc/cpuinfo
# cat /proc/cpuinfo | grep family
cpu family : 15
cpu family : 15
# cat /proc/cpuinfo | grep model
model : 4
model name : Intel(R) Xeon(TM) CPU 3.00GHz

The information from /proc/cpuinfo is then matched against the compile flags listed on the Gentoo Wiki[1], which gives:

CHOST="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"


Compile parameters

The parameters used for compilation are partly taken from the squid.spec in the squid-*-.src.rpm of Fedora 13 (F13). Note: F13 is the base of IGOS Nusantara 2010. Below is an explanation of some of the parameters used during compilation:

  • --enable-async-io enables asynchronous I/O for reading from and writing to the hard disk. Use 16 with a single hard disk of the older kind (only a 2 MB buffer). With a newer hard disk that has an 8 MB, 16 MB or 32 MB buffer, 32 can be used.
  • --enable-useragent-log makes Squid record the user agent in log entries
  • --enable-snmp enables SNMP, for example to collect Squid statistics and display them as graphs.
  • --enable-cache-digests must be enabled when using cache peers.
  • --enable-storeio="aufs" selects the storage I/O method. AUFS is asynchronous and gives optimal performance on Linux.
  • --enable-removal-policies="heap,lru" selects the available removal policies
  • --with-maxfd=8192
  • --enable-poll
  • --disable-ident-lookups stops Squid from performing an ident lookup on every connection; this also helps prevent DDoS attacks (opening thousands of connections) that could bring down the Squid server
  • --enable-truncate tells Squid to always use truncate() rather than unlink() when removing cache files.
  • --enable-delay-pools


Start compiling

# cd /root/sumber
# tar xjvf squid-3.1.10.tar.bz2
# cd squid-3.1.10
# CHOST="i686-pc-linux-gnu" \
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer" \
CXXFLAGS="${CFLAGS}" \
./configure \
--bindir=/usr/bin \
--datadir=/usr/share \
--exec-prefix=/usr \
--includedir=/usr/include \
--infodir=/usr/share/info \
--libexecdir=/usr/libexec \
--localstatedir=/var \
--mandir=/usr/share/man \
--prefix=/usr \
--program-prefix= \
--sbindir=/usr/sbin \
--sharedstatedir=/var/lib \
--sysconfdir=/etc/squid \
--disable-auth \
--disable-basic-auth-helpers \
--disable-dependency-tracking \
--disable-digest-auth-helpers \
--disable-epoll \
--disable-external-acl-helpers \
--disable-hostname-checks \
--disable-htcp \
--disable-ident-lookups \
--disable-ipv6 \
--disable-linux-tproxy \
--disable-negotiate-auth-helpers \
--disable-ntlm-auth-helpers \
--disable-snmp \
--disable-translation \
--disable-wccp \
--disable-wccpv2 \
--enable-arp-acl \
--enable-auth=basic,digest \
--enable-async-io=32 \
--enable-cache-digests \
--enable-cachemgr-hostname=localhost \
--enable-default-err-languages=English \
--enable-delay-pools \
--enable-err-languages=English \
--enable-follow-x-forwarded-for \
--enable-gnuregex \
--enable-icmp \
--enable-linux-transparent \
--enable-linux-netfilter \
--enable-removal-policies=heap,lru \
--enable-storeio=aufs \
--enable-underscores \
--enable-useragent-log \
--enable-zph-qos \
--with-aufs-threads=32 \
--with-default-user=squid \
--with-dl \
--with-filedescriptors=32768 \
--with-large-files \
--with-logdir=/var/log/squid \
--with-maxfd=32768 \
--with-pidfile=/var/run/squid.pid \
--with-pthreads

Next, type

# make

Continue with

# make install

Type the command

# ls -l /usr/sbin/squid
-rwxr-xr-x 1 root root 2521209 Jan 29 13:30 /usr/sbin/squid
# strip /usr/sbin/squid
# ls -l /usr/sbin/squid
-rwxr-xr-x 1 root root 2121976 Jan 29 13:31 /usr/sbin/squid


4. Configuration


Configure squid.conf

# localhost
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Local networks that may access the proxy
#acl ip-admin src 192.168.228.10/32
#acl localnet src 10.0.0.0/8
#acl localnet src 172.16.0.0/12
acl localnet src 192.168.228.0/24

acl SSL_ports port 443 563 # https, snews
acl Safe_ports port 80 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 10000 # webmin
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

# cachemgr access only from localhost
# http_access allow manager ip-admin
http_access allow manager localhost
http_access deny manager

# Deny requests to ports not in Safe_ports
http_access deny !Safe_ports

# Deny CONNECT to anything but SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost

# Finally: deny everything else access to the proxy
http_access deny all

http_port 3128 transparent
icp_port 3130

max_filedescriptors 32768
dns_nameservers 127.0.0.1

hierarchy_stoplist cgi-bin ? .js .jsp .awt
acl QUERY urlpath_regex cgi-bin \? localhost
no_cache deny QUERY

cache_mgr admin
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy

memory_replacement_policy heap LFUDA
cache_replacement_policy heap GDSF

# 50GB cache_dir (example using a SCSI hard disk)
# cache_dir aufs /cache/proxy1 50000 102 256
cache_dir aufs /cache/proxy1 7500 16 256

# cache_mem 256 MB
cache_mem 128 MB

minimum_object_size 0 KB
maximum_object_size 128 MB
maximum_object_size_in_memory 64 KB

cache_swap_low 98
cache_swap_high 99

#high_response_time_warning 2000
#high_page_fault_warning 2
#high_memory_warning 1900 MB

mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
# coredump_dir /cache/proxy1/
coredump_dir none

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

#access_log none
#cache_log /dev/null
#cache_store_log none

emulate_httpd_log off
logfile_rotate 2
log_fqdn off
buffered_logs off
client_netmask 255.255.255.255
strip_query_terms off

refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|psf) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern ^ftp: 20160 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
negative_ttl 2 minutes
positive_dns_ttl 60 seconds
negative_dns_ttl 30 seconds
store_avg_object_size 16 KB
vary_ignore_expire on
client_lifetime 2 hours
half_closed_clients off
shutdown_lifetime 4 seconds
log_icp_queries off
icp_hit_stale on
query_icmp on
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
memory_pools off
forwarded_for off
reload_into_ims on
pipeline_prefetch on
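The ACL types documented in the first post and the http_access rules in the squid.conf above only make sense together, so here is an added example (not part of the original posts and not Squid's own code) that parses the acl lines of the types it supports (src, dst, port, method) and the http_access lines, then evaluates sample requests the way Squid does: every ACL on a line must match, `!` negates one ACL, the first matching line decides, and when nothing matches the opposite of the last line's action applies. The Request class, the `decide` helper and the sample addresses (198.51.100.0/24 is a documentation range) are constructed for this example.

```python
"""Evaluate Squid http_access rules against sample requests.

Semantics implemented (from the ACL documentation above):
  - several `acl` lines with the same name are OR-ed together;
  - `http_access allow|deny a [!b ...]`: every listed ACL must match (AND),
    and `!` negates one ACL;
  - lines are tried top to bottom and the first matching line decides;
  - if no line matches, the opposite of the last line's action applies.
"""
import ipaddress
from dataclasses import dataclass

# Constructed for this example from the squid.conf above (only the acl
# types handled here: src, dst, port, method).
CONFIG = """
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.228.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 81 21 443 563 70 210 1025-65535 280 488 591
acl Safe_ports port 631 10000 777 873 901
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    src: str       # client IP address
    dst: str       # IP address the URL host resolves to
    port: int      # destination TCP port
    method: str    # HTTP request method


def _port_matches(spec, port):
    """A `port` value is a single port or a low-high range."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _ip_in(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def parse_config(text):
    """Return (acls, rules): {name: [(type, values)]} and [(action, [(negated, name)])]."""
    acls = {"all": [("src", ["0.0.0.0/0"])]}    # Squid's built-in `acl all src all`
    rules = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """An ACL matches when any value on any of its lines matches the request."""
    for acl_type, values in acls[name]:
        if acl_type == "src" and _ip_in(req.src, values):
            return True
        if acl_type == "dst" and _ip_in(req.dst, values):
            return True
        if acl_type == "port" and any(_port_matches(v, req.port) for v in values):
            return True
        if acl_type == "method" and req.method.upper() in (v.upper() for v in values):
            return True
        if acl_type not in ("src", "dst", "port", "method"):
            raise ValueError(f"acl type {acl_type} not supported in this example")
    return False


def http_access(acls, rules, req):
    """Apply the http_access lines in order; the first matching line decides."""
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(src, dst, port, method="GET", config=CONFIG):
    acls, rules = parse_config(config)
    return http_access(acls, rules, Request(src, dst, port, method))


if __name__ == "__main__":
    for req in [("192.168.228.10", "198.51.100.7", 80, "GET"),        # allow (localnet)
                ("192.168.228.10", "198.51.100.7", 22, "GET"),        # deny  (!Safe_ports)
                ("192.168.228.10", "198.51.100.7", 8080, "CONNECT"),  # deny  (CONNECT !SSL_ports)
                ("192.168.228.10", "127.0.0.1", 80, "GET"),           # deny  (to_localhost)
                ("10.0.0.5", "198.51.100.7", 80, "GET")]:             # deny  (deny all)
        print(req, "->", decide(*req))
```

The order matters: because `deny !Safe_ports` and `deny CONNECT !SSL_ports` come before `allow localnet`, a LAN client is refused a CONNECT to port 8080 even though its address is trusted; swapping those lines would let the allow line win first. The final `deny all` also removes any reliance on the "opposite of the last line" default.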


Prepare the directories for Squid

mkdir -p /var/log/squid
touch /var/log/squid/access.log
chmod 770 /var/log/squid
chown -R squid:root /var/log/squid

touch /var/run/squid.pid
mkdir -p /cache/proxy1
chown -R squid:squid /cache/proxy1


Check the configuration

The squid.conf that was created can be checked with:

# squid -k parse
2011/01/28 02:43:07| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2011/01/28 02:43:07| Starting Authentication on port [::]:3128
2011/01/28 02:43:07| Disabling Authentication on port [::]:3128 (interception enabled)
2011/01/28 02:43:07| Disabling IPv6 on port [::]:3128 (interception enabled)
2011/01/28 02:43:07| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
2011/01/28 02:43:07| WARNING: use of 'override-lastmod' in 'refresh_pattern' violates HTTP
2011/01/28 02:43:07| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2011/01/28 02:43:07| WARNING: use of 'ignore-reload' in 'refresh_pattern' violates HTTP
2011/01/28 02:43:07| WARNING: use of 'ignore-no-cache' in 'refresh_pattern' violates HTTP
2011/01/28 02:43:07| WARNING: use of 'ignore-private' in 'refresh_pattern' violates HTTP

Ignore the warnings that appear: the refresh_pattern rules above are deliberately set to ignore some HTTP caching settings.
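To show where those warnings come from and how the refresh_pattern lines above are applied, here is an added example (not from the original post and not Squid's own code). It parses the five refresh_pattern lines from the squid.conf above, finds the first rule whose regex matches a URL, lists which of its options `squid -k parse` warns about, and applies a simplified version of Squid's min/percent/max freshness check for replies without an Expires header. The `is_fresh` function, its argument names and the sample URLs are assumptions constructed for this example.

```python
"""Match URLs against Squid refresh_pattern rules and flag the options that
`squid -k parse` warns about."""
import re
from dataclasses import dataclass

# The six options that the parse output above warns "violate HTTP".
HTTP_VIOLATING = {"override-expire", "override-lastmod", "reload-into-ims",
                  "ignore-reload", "ignore-no-cache", "ignore-private"}

# Sample input: the refresh_pattern lines of the squid.conf above
# (min and max are in minutes).
CONFIG = r"""
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|psf) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern ^ftp: 20160 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
"""


@dataclass
class RefreshRule:
    regex: re.Pattern
    min_minutes: int
    percent: int
    max_minutes: int
    options: frozenset

    def violations(self):
        """Options on this rule that make Squid ignore HTTP cache semantics."""
        return sorted(self.options & HTTP_VIOLATING)


def parse_refresh_patterns(text):
    """Parse `refresh_pattern [-i] regex min percent max [options...]` lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":          # -i makes the regex case-insensitive
            flags, parts = re.IGNORECASE, parts[1:]
        regex, min_m, pct, max_m, *options = parts
        rules.append(RefreshRule(re.compile(regex, flags), int(min_m),
                                 int(pct.rstrip("%")), int(max_m), frozenset(options)))
    return rules


def match_url(rules, url):
    """Squid applies the first refresh_pattern whose regex matches the URL."""
    for rule in rules:
        if rule.regex.search(url):
            return rule
    return None


def is_fresh(rule, age_minutes, lm_age_minutes=None):
    """Simplified Squid freshness test for a reply without an Expires header.

    age_minutes    : time the object has spent in the cache.
    lm_age_minutes : Date minus Last-Modified at fetch time, or None if the
                     reply carried no Last-Modified header.
    """
    if age_minutes <= rule.min_minutes:
        return True                      # younger than min: fresh
    if age_minutes > rule.max_minutes:
        return False                     # older than max: stale
    if lm_age_minutes is None:
        return False                     # nothing to base the percentage on
    return age_minutes <= lm_age_minutes * rule.percent / 100


if __name__ == "__main__":
    rules = parse_refresh_patterns(CONFIG)
    for url in ("http://download.windowsupdate.com/x/update.cab",
                "ftp://mirror.example.org/pub/file.tar.gz",
                "http://www.example.com/index.html"):
        rule = match_url(rules, url)
        print(url, "->", rule.regex.pattern, rule.min_minutes, rule.percent,
              rule.max_minutes, "warns about:", rule.violations())
    catch_all = rules[-1]
    print(is_fresh(catch_all, 100), is_fresh(catch_all, 1000, 2000), is_fresh(catch_all, 1000, 500))
```

Each of the six options a rule carries produces one WARNING line in `squid -k parse`, which is why the output above lists exactly those six. The catch-all `.` rule is where care is needed: its 180-minute minimum and override-lastmod apply to every URL no earlier rule matched, including dynamic pages, so anything that must never be served stale needs its own rule before it.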

Create /etc/init.d/squid

The beginning of the /etc/init.d/squid script must use "ulimit -n 32768"

# wget http://repo.informatika.lipi.go.id/panduan/wiki/squid -O /etc/init.d/squid
# chmod 700 /etc/init.d/squid

Create the symbolic links for squid

# chkconfig --add squid

So that Squid starts automatically when the server is switched on, enable the squid service with chkconfig

# chkconfig --level 345 squid on


Adding squid to rc.local

# echo "# Squid Proxy" >> /etc/rc.local
# echo "/etc/init.d/squid start" >> /etc/rc.local


5. Create the swap directories

After squid.conf has been configured, it is time to run Squid. Type the command so that Squid creates its swap (cache) directories

# /usr/sbin/squid -z


6. Run Squid

The first time Squid is started it is best to enable the debug parameter, so that any errors can be seen. Start it with:

# /usr/sbin/squid -Nd1

Open a second terminal and check whether Squid is running or has failed with the command

# netstat -pln | grep squid

If output like the one below appears, Squid is running

tcp        0      0 0.0.0.0:3128    0.0.0.0:*    LISTEN   13109/(squid)
udp        0      0 0.0.0.0:6628    0.0.0.0:*             13109/(squid)
udp        0      0 :::41063        :::*                  13109/(squid)
udp        0      0 :::3401         :::*                  13109/(squid)
udp        0      0 :::3130         :::*                  13109/(squid)

Once Squid is running, access a few sites from a client PC. If Squid works, stop it with Ctrl+C, then run Squid as a daemon:

# /etc/init.d/squid start


7. Check the log

It is in /var/log/squid/access.log

# tail -f /var/log/squid/access.log

Compact log view

# tail -f /var/log/squid/access.log | awk '{print$3 " " $8 " " $7}'


8. Reboot the server

Reboot, then start Squid.

References

 
Source: http://igos-nusantara.or.id/wiki/IGOS_Nusantara_dan_proxy_server_squid_kompilasi 

Squid result codes


The TCP_ codes refer to requests on the HTTP port (usually 3128). The UDP_ codes refer to requests on the ICP port (usually 3130). If ICP logging was disabled using the log_icp_queries option, no ICP replies will be logged.
The following result codes were taken from a Squid-2, compare with the log_type enum in src/enums.h:
TCP_HIT A valid copy of the requested object was in the cache.
TCP_MISS The requested object was not in the cache.

TCP_REFRESH_HIT The requested object was cached but STALE. The IMS query for the object resulted in “304 not modified”.
TCP_REFRESH_FAIL_HIT The requested object was cached but STALE. The IMS query failed and the stale object was delivered.
TCP_REFRESH_MISS The requested object was cached but STALE. The IMS query returned the new content.
TCP_CLIENT_REFRESH_MISS The client issued a “no-cache” pragma, or some analogous cache control command along with the request. Thus, the cache has to refetch the object.
TCP_IMS_HIT The client issued an IMS request for an object which was in the cache and fresh.
TCP_SWAPFAIL_MISS The object was believed to be in the cache, but could not be accessed.
TCP_NEGATIVE_HIT Request for a negatively cached object, e.g. “404 not found”, which the cache believes it knows to be inaccessible. Also refer to the explanations for negative_ttl in your squid.conf file.
TCP_MEM_HIT A valid copy of the requested object was in the cache and it was in memory, thus avoiding disk accesses.
TCP_DENIED Access was denied for this request.
TCP_OFFLINE_HIT The requested object was retrieved from the cache during offline mode. The offline mode never validates any object, see offline_mode in squid.conf file.
TCP_STALE_HIT The object was cached and served stale. This is usually caused by stale-while-revalidate or stale-if-error.
TCP_ASYNC_HIT A background request (e.g., one started by stale-while-revalidate) resulted in a refresh hit.
TCP_ASYNC_MISS A background request (e.g., one started by stale-while-revalidate) resulted in a miss; i.e., the cached object (if any) was updated.
UDP_HIT A valid copy of the requested object was in the cache.
UDP_MISS The requested object is not in this cache.
UDP_DENIED Access was denied for this request.
UDP_INVALID An invalid request was received.
UDP_MISS_NOFETCH During “-Y” startup, or during frequent failures, a cache in hit only mode will return either UDP_HIT or this code. Neighbours will thus only fetch hits.
NONE Seen with cachemgr requests and errors, usually when the transaction fails before being classified into one of the above outcomes.
The following code suffixes are specific to Squid3:
_ABORTED suffix means that the connection with HTTP client was closed or otherwise failed prematurely. This includes half-closed client sockets when half_closed_clients in squid.conf is off.
_TIMEDOUT suffix means that the transaction timed out while writing the response to the HTTP client (i.e., the client was not reading or stopped reading Squid’s response).
The following codes are no longer available in Squid-2:
ERR_* Errors are now contained in the status code.
TCP_CLIENT_REFRESH See: TCP_CLIENT_REFRESH_MISS.
TCP_SWAPFAIL See: TCP_SWAPFAIL_MISS.
TCP_IMS_MISS Deleted, now replaced with TCP_IMS_HIT.
UDP_HIT_OBJ Refers to an old version that would send cache hits in ICP replies. No longer implemented.
UDP_RELOADING See: UDP_MISS_NOFETCH. 
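To put these result codes to work on the access.log shown in the compile post above, here is an added example (not part of the original page and not Squid's own code) that parses Squid's native access.log format, separates a Squid-3 _ABORTED or _TIMEDOUT suffix from the base code, tallies the codes, computes a TCP hit ratio and lists the TCP_DENIED requests, which is what to review after changing the http_access rules. The log lines are constructed samples in the native format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); the function names are the example's own.

```python
"""Parse Squid native access.log lines, tally result codes and list denials."""
from collections import Counter
from dataclasses import dataclass

SQUID3_SUFFIXES = ("_ABORTED", "_TIMEDOUT")

# Constructed sample lines in Squid's native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1296180000.123    45 192.168.228.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1296180001.456     2 192.168.228.10 TCP_MEM_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1296180002.789     0 192.168.228.11 TCP_DENIED/403 1782 CONNECT mail.example.net:25 - NONE/- text/html
1296180003.012   310 192.168.228.12 TCP_REFRESH_MISS/200 40960 GET http://download.example.org/tool.exe - DIRECT/198.51.100.8 application/octet-stream
1296180004.345  1200 192.168.228.12 TCP_MISS_ABORTED/000 0 GET http://slow.example.org/big.iso - DIRECT/198.51.100.9 -
1296180005.678     1 192.168.228.13 UDP_HIT/000 74 ICP_QUERY http://www.example.com/logo.png - NONE/- -
"""


@dataclass
class LogEntry:
    timestamp: float
    client: str
    result: str      # base result code, e.g. TCP_MISS
    suffix: str      # "", "ABORTED" or "TIMEDOUT" (Squid-3 suffixes)
    status: int      # HTTP status sent to the client (000 = none)
    method: str
    url: str


def parse_line(line):
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"unexpected field count in {line!r}")
    code, status = fields[3].split("/", 1)
    suffix = ""
    for s in SQUID3_SUFFIXES:
        if code.endswith(s):
            code, suffix = code[:-len(s)], s[1:]
    return LogEntry(float(fields[0]), fields[2], code, suffix, int(status),
                    fields[5], fields[6])


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries):
    """Per-code counts and the TCP hit ratio (codes ending in _HIT vs _MISS)."""
    counts = Counter(e.result for e in entries)
    hits = sum(n for c, n in counts.items() if c.startswith("TCP_") and c.endswith("_HIT"))
    misses = sum(n for c, n in counts.items() if c.startswith("TCP_") and c.endswith("_MISS"))
    ratio = hits / (hits + misses) if hits + misses else 0.0
    return {"counts": dict(counts), "tcp_hit_ratio": ratio}


def denied(entries):
    """Requests the http_access rules refused."""
    return [(e.client, e.method, e.url) for e in entries if e.result == "TCP_DENIED"]


def aborted(entries):
    """Transfers the client dropped before completion (Squid-3 _ABORTED suffix)."""
    return [(e.client, e.url) for e in entries if e.suffix == "ABORTED"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(summarize(log))
    print("denied:", denied(log))
    print("aborted:", aborted(log))
```

Splitting the suffix off first matters for the tallies: TCP_MISS_ABORTED is still a miss for hit-ratio purposes, and TCP_DENIED entries stay out of both columns. In the sample, the denied CONNECT to port 25 is exactly the `http_access deny CONNECT !SSL_ports` rule from the configuration doing its job.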

Upgrading Squid on ClearOS 5.2 to version 3.1


This time I tried upgrading the default Squid of ClearOS 5.2 to version 3.1.3 (tutorial by Andi Micro), using a separate partition (/cache) as the proxy's storage, created with LVM during the ClearOS installation. Since the RAM I use is relatively small, I set aside 15 GB for the /cache partition, of which only about 12 GB will be used to store what Squid caches.

Assumption: ClearOS has just been installed and squid.conf has not been customised, i.e. it is still untouched.

OK, let's go through it step by step. (Make sure the server is connected to the internet.)

1: Remove the old Squid (2.6) setup

% service squid stop
% yum remove squid app-squid

2: Update and install some supporting modules. This step can be skipped if it is considered unnecessary.

% yum update
% yum groupinstall "Development Tools"
% yum install automake gcc glibc-devel e2fsprogs-devel sharutils
% yum install patch

3: Install Squid 3.1

% mkdir /tmp/squid
% cd /tmp/squid
% wget http://download.clearfoundation.com/community/timb80/repo/clearos/5.2/testing/squid-3.1.3-2.clearos.i686.rpm
% rpm -U squid-3.1.3-2.clearos.i686.rpm
% cp /etc/squid/squid.conf /etc/squid/squid.conf.backup
% cp /etc/squid/squid.conf.rpmnew /etc/squid/squid.conf

4: Change the owner so that the /cache partition can be controlled by Squid.

% chown squid:squid /cache

5: Change the write mode of the /cache directory

% chmod 0777 /cache

6: Find and edit the squid.conf line:

# cache_dir ufs /var/spool/squid 100 16 256

and change it to

# cache_dir aufs /cache 12288 16 256

Note: with the parameter "cache_dir aufs /cache 12288 16 256" Squid will use 30% of the total 512MB of RAM to serve Squid clients.

7: Create the swap directories and start Squid

% squid -z
% service squid start

8: Integrate with webconfig

% yum install adzapper app-dansguardian-av app-squid app-squid-acl dansguardian-av

9: Open the file /etc/rc.d/rc.firewall.local using winscp (or whatever you prefer) and add this at the end:

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 
Note: eth1 is the interface facing the LAN; if you have 2 LANs, add another line below it. Adjust to your network.

10: Restart the firewall

% service firewall restart

11: Log in to webconfig > Gateway > Proxy and Filtering > Web Proxy: click To Auto so that Squid starts when ClearOS boots

Done. Squid 3.1.3 is now running on my ClearOS server.

FIX:
If your Squid has fatal problems after the upgrade, try the following downgrade:
% yum remove squid app-squid
% yum install squid app-squid

