tutor install squid 3.5.xxx di ubuntu

apt-get update
apt-get install build-essential devscripts libcppunit-dev openssl libssl-dev libcap-dev libsasl2-dev ccze pkg-config libkrb5-dev apache2 php5 -y
### install pake ecap seperti http://pastebin.com/G8sUCy6h
cd
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.20-20160724-r14069.tar.gz
tar xzvf squid-3.5.20-20160724-r14069.tar.gz
wget -O squid_forgery.patch http://www.squid-cache.org/mail-archive/squid-users/201404/att-0240/squid_forgery.patch.txt
cd squid-3.5.20-20160724-r14069
patch -p0 <../squid_forgery.patch
### configure squid http://pastebin.com/YJxDf02h
make
make install
chown -R nobody /var/log/squid
chown -R nobody /cache
mkdir -p /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout /etc/squid/ssl_cert/warnet.pem -out /etc/squid/ssl_cert/warnet.pem -subj "/C=ID/ST=Jawa Tengah/L=Semarang/O=TSI/CN=Terapi Squid Indonesia"
openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.der
openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.crt
/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R nobody /var/lib/ssl_db

### awal squid.conf, jangan ditulis ###
# Recommended minimum configuration:
# sesuaikan ukuran cache
# sesuaikan ip address
# script squid.conf untuk non-range 360p

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
dns_v4_first on
reply_header_access Alternate-Protocol deny all
reply_header_access Alt-Svc deny all

#cache_dir aufs /cache 700000 16 256
cache_dir aufs /cache 360000 1 1
cache_mem 8 MB
coredump_dir /var/log/squid

cache_swap_low 80
cache_swap_high 85
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

maximum_object_size 4096000 KB
maximum_object_size_in_memory 0 KB
request_body_max_size 0 KB
refresh_all_ims on
reload_into_ims on

cache_mgr cespun@gmail.com
visible_hostname cespun-proxy
strip_query_terms off
httpd_suppress_version_string on
log_mime_hdrs off
forwarded_for off
via off

request_header_access X-Forwarded-For deny all
reply_header_access X-Forwarded-For deny all
request_header_access Via deny all
reply_header_access Via deny all
max_filedescriptors 65536

cache_swap_high 98
cache_swap_low 95
fqdncache_size 4096
ipcache_size 4096
dns_nameservers 208.67.222.222 208.67.220.220

http_port 3128
#http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem
#http_port 3129 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem
http_port 3129 tproxy
https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

qos_flows local-hit=0x30

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 182     # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#acl sslserver ssl::server_name_regex -i "/etc/squid/bypass.txt"
#acl iphone browser -i regexp (iPhone|iPad)
#acl BB browser -i regexp (BlackBerry|PlayBook)
#acl Winphone browser -i regexp (Windows.*Phone|Trident|IEMobile)
#acl Android browser -i regexp Android
acl yt-modif url_regex -i ^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)
acl youtube url_regex -i ^http.*(youtube|googlevideo|videoplayback|videogoodput)
acl versipatch url_regex -i ^http.*(update|patch).*versi
acl versipatch url_regex -i ^http.*versi.*(update|patch)
acl versipatch url_regex -i ^http.*(antihack|xigncode|gameguard)
#acl patchpartial url_regex -i ^http.*(garena|gemscool|netmarble|valve|dota|winnerinter|lytogame|megaxus).*patch
#acl patchpartial url_regex -i ^http.*patch.*(garena|gemscool|netmarble|valve|dota|winnerinter|lytogame|megaxus)
acl patchpartial url_regex -i ^http.*patch.*garena
acl patchpartial url_regex -i ^http.*garena.*patch
acl httptomiss http_status 302
acl mimehtml rep_mime_type -i mime-type ^text/html
acl mimeplain rep_mime_type -i mime-type ^text/plain
acl tostoreid url_regex -i ^http.*(youtube|googlevideo|videoplayback|videogoodput)
acl tostoreid url_regex -i ^http.*(fbcdn|akamaihd)
acl tostoreid url_regex -i ^http.*c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/.*\?
acl tostoreid url_regex -i ^http.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/.*\/.*\?
acl tostoreid url_regex -i ^http.*datafilehost.*\/get\.php.*file\=.*
acl tostoreid url_regex -i ^http.*\.filehippo\.com\/.*\?
acl tostoreid url_regex -i ^http.*\.4shared\.com\/.*\/.*\/.*\/dlink.*preview.mp3
acl tostoreid url_regex -i ^http.*\.4shared\.com\/download\/.*\/.*\?tsid
acl tostoreid url_regex -i ^http.*steam(powered|content)
acl tostoreid url_regex -i ^http.*savefile\.co\:182\/.*\/.*\.(mp4|flv|3gp)
acl tostoreid url_regex -i ^http.*video\-http\.media\-imdb\.com\/.*\.mp4\?
acl tostoreid url_regex -i ^http.*\.dl\.sourceforge\.net
#acl tostoreid url_regex -i ^http.*(speedtest|espeed).*\/.*\.(jpg|txt)
acl speedtest url_regex -i ^http.*(speedtest|espeed).*\/(latency|upload|random.*)\.(jpg|txt|php)
acl CONNECT method CONNECT
acl getmethod method GET

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

request_header_access Range deny !patchpartial
#range_offset_limit 128 KB !patchpartial
range_offset_limit none patchpartial
quick_abort_min 1 KB
quick_abort_max 1 KB
quick_abort_pct 95

#request_header_access User-Agent deny yt-modif !iphone !BB !Winphone !Android
### flash
#request_header_replace User-Agent Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
### flash
#request_header_replace User-Agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
###html5
#request_header_replace User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
###html5
#request_header_replace user_Agent Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
#request_header_replace Mozilla/6.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:2.0.0.0) Gecko/20061028 Firefox/3.0

cache deny versipatch
cache deny localhost
ssl_bump splice localhost
#ssl_bump splice sslserver
ssl_bump peek step1 all
ssl_bump bump step2 all
ssl_bump splice step3 all


sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 2000 startup=30 idle=1
sslproxy_capath /etc/squid/ssl_cert
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_flags NO_SESSION_REUSE
ssl_unclean_shutdown on
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE #Jika menggunakan versi setelah squid-3.5.12-20151222-r13967
#sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

#debug_options 11,2 22,3
logfile_rotate 1
#logformat referer %ts.%03tu %>a %{Referer}>h %ru
#logformat referer %ts.%03tu %>a %ru %{Referer}>h
#logformat referer %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %{Referer}>h %{User-Agent}>h
#access_log /var/log/squid/access.log !CONNECT
#access_log /var/log/squid/connect.log CONNECT
#cache_store_log /var/log/squid/store.log
access_log stdio:/var/log/squid/access.log
netdb_filename none


#ecap
#yt_quality: tiny = 144px small = 240px medium = 360px large = 480px HD720 = Hd720px
loadable_modules /usr/local/lib/ecap_adapter_modifying.so
ecap_enable on
request_header_access Accept-Encoding deny yt-modif
ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="dash":"0","vq":"medium","enablejsapi"
#ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="dash":"1","vq":"tiny","enablejsapi"
#ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="vq":"small","enablejsapi"
adaptation_access modif allow yt-modif
adaptation_access modif deny all

cache deny speedtest
url_rewrite_access allow speedtest
url_rewrite_access deny all
url_rewrite_program /etc/squid/speedtest.pl
redirector_bypass on
cache_peer 10.212.212.212 parent 8033 0 no-digest no-tproxy
dead_peer_timeout 5 seconds
cache_peer_access 10.212.212.212 allow speedtest
cache_peer_access 10.212.212.212 deny all
always_direct deny speedtest
never_direct allow speedtest
url_rewrite_children 2000 startup=30 idle=1

store_id_bypass off
store_id_extras "%{Referer}>h"
store_id_program /etc/squid/storeid.pl
store_id_children 2000 startup=30 idle=1
store_id_access deny !getmethod
store_id_access allow tostoreid
store_id_access deny all

store_miss deny youtube httptomiss
send_hit deny youtube httptomiss
store_miss deny youtube mimeplain
send_hit deny youtube mimeplain
store_miss deny mimehtml
send_hit deny mimehtml
store_miss deny versipatch
send_hit deny versipatch

refresh_pattern -i . 432000 100% 432000 override-expire override-lastmod reload-into-ims refresh-ims ignore-no-store ignore-must-revalidate ignore-private ignore-auth store-stale
max_stale 1 day
### akhir squid.conf, jangan ditulis ###

### awal storeid.pl , jangan ditulis ###
#!/usr/bin/perl
#
# storeid.pl with debug opt - based on storeurl.pl
# @ http://www2.fh-lausitz.de/launic/comp/misc/squid/projekt_youtube/
# referensi dan terimakasih khususnya pada Mr. Syaifudin JW aka Ucok Karnadi

use IO::File;
$|=1;
STDOUT->autoflush(1);
$debug=1;			## recommended:0
$bypassallrules=0;		## recommended:0
$sucks="";			## unused
$sucks="sucks" if ($debug>=1);
$timenow="";
$printtimenow=1;  		## print timenow: 0|1
my $logfile = '/var/log/squid/storeid.log';

open my $logfh, '>>', $logfile
    or die "Couldn't open $logfile for appending: $!\n" if $debug;
$logfh->autoflush(1) if $debug;

while (<>) {
$timenow=time()." " if ($printtimenow);
print $logfh "$timenow"."in : input=$_" if ($debug>=1);

@X = split;
if ($X[0] =~ m/^http.*/) {
	$url		= $X[0];
	$referer	= $X[1];
	$urlreferer	= $X[0] ." ". $X[1];
} else {
	$chanel		= $X[0];
	$url		= $X[1];
	$referer	= $X[2];
	$urlreferer	= $X[1] ." ". $X[2];
}


if ($bypassallrules){
 $out="$url"; ## map 1:1

#youtube googlevideo
} elsif ($url =~ m/^https?\:\/\/.*google.*video(playback|goodput).*/){
	@cpn	= m/[=%&?\/]cpn[=%&?\/]([^\&\s]*)/;
	@id	= m/[=%&?\/]id[=%&?\/]([^\&\s]*)/;
	@itag	= m/[=%&?\/]itag[=%&?\/]([\d]*)/;
	@range	= m/[=%&?\/]range[=%&?\/]([\d]*-[\d]*)/;
	@mime	= m/[=%&?\/]mime[=%&?\/]([^\&\s]*)/;
	if ($referer =~ m/^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)[=%&?\/]([^\&\s\?]*)/){
		@id	= $2;
	} else {
		if (defined(@cpn[0])){
			if (-e "/tmp/@cpn"){
				open FILE, "/tmp/@cpn";
				@id = <FILE>;
				close FILE;
			}
		}
	}
	$out="OK store-id=http://squid/google/video/id=@id/itag=@itag/mime=@mime/range=@range";

#youtube parameter
} elsif (
	($url =~ m/^https?\:\/\/.*youtube.*(stream_204|watchtime|qoe|atr|csi_204|playback).*[=%&?\/]docid[=%&?\/]([^\&\s]*)/) ||
	($url =~ m/^https?\:\/\/.*youtube.*(ptracking|set_awesome).*[=%&?\/]video_id[=%&?\/]([^\&\s]*)/) ||
	($url =~ m/^https?\:\/\/.*youtube.*(player_204).*[=%&?\/]v[=%&?\/]([^\&\s]*)/)
	){
	@id	= $2;
	@cpn    = m/[=%&?\/]cpn[=%&?\/]([^\&\s]*)/;
	if ($referer !~ m/^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)[=%&?\/]([^\&\s\?]*)/){
		unless (-e "/tmp/@cpn"){
			open FILE, ">/tmp/@cpn";
			print FILE @id;
			close FILE;
		}
	}
	$out = "ERR";

#utmgif
} elsif ($url =~ m/^https?\:\/\/www\.google-analytics\.com\/__utm\.gif\?.*/) {
	$out="OK store-id=http://squid/google-analytics/__utm.gif";

#fbcdn.net or akamaihd.net video range
} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/([\w-]+\.[\w]{2,4}).*(bytestart[=%&?\/][\d]+[&\/]byteend[=%&?\/][\d]+)/) {
	$out="OK store-id=http://squid/$1/$2/$3";

#fbcdn.net or akamaihd.net with size
} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/([a-zA-Z][\d]+[x][\d]+\/[\w-]+\.[\w]{2,4})($|\?)/) {
	$out="OK store-id=http://squid/$1/$2";

#fbcdn.net or akamaihd.net safe_image.php
} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/safe_image\.php\?(.*)/) {
	$out="OK store-id=http://squid/$1/$2";

#reverbnation
} elsif ($url =~ m/^https?\:\/\/c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/(.*)\?.*/) {
	$out="OK store-id=http://squid/reverbnation/$1";

#playstore
} elsif ($url =~ m/^https?\:\/\/.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/(.*\/.*)\?.*/) {
	$out="OK store-id=http://squid/android/market/$1";


#filehost
} elsif ($url =~ m/^https?\:\/\/.*datafilehost.*\/get\.php.*file\=(.*)/) {
	$out="OK store-id=http://squid/datafilehost/$1";


#speedtest
} elsif ($url =~ m/^https?\:\/\/.*(speedtest|espeed).*\/(.*\.(txt|jpg)).*/) {
	$out="OK store-id=http://squid/speedtest/$2";


#filehippo
} elsif ($url =~ m/^https?\:\/\/.*\.filehippo\.com\/.*\/([\w-]+\.[\w]{2,4})\?.*/) {
	$out="OK store-id=http://squid/filehippo/$1";


#4shared preview.mp3
} elsif ($url =~ m/^https?\:\/\/.*\.4shared\.com\/.*\/(.*\/.*)\/dlink.*preview.mp3/) {
	$out="OK store-id=http://squid/4shared/preview/$1";

#4shared
} elsif ($url =~ m/^https?\:\/\/.*\.4shared\.com\/download\/(.*\/.*)\?tsid.*/) {
	$out="OK store-id=http://squid/4shared/download/$1";

#savefile-animeindo.tv
} elsif ($url =~ m/^https?:\/\/www\.savefile\.co\:182\/.*\/(.*\.(mp4|flv|3gp)).*/) {
	$out="OK store-id=http://squid/savefile:182/$1";

#imdb
} elsif ($url =~ m/^https?\:\/\/video\-http\.media\-imdb\.com\/(.*\.mp4)\?.*/) {
	$out="OK store-id=http://squid/imdb/$1";

#sourceforge
} elsif ($url =~ m/^https?\:\/\/.*\.dl\.sourceforge\.net\/([\w-]+\.[\w]{2,3})/) {
	$out="OK store-id=http://squid/sourceforge/$1";


#steampowered dota 2
#} elsif ($url =~ m/^https?\:\/\/.*(steam(powered|content).*\/(client|depot)\/[\d]+\/(chunk|manifest)\/[^\?\s]*).*/) {
#	$out="OK store-id=http://squid/$1";

#steampowered dota 2
} elsif ($url =~ m/^https?\:\/\/.*steam(powered|content).*\/((client|depot)\/[\d]+\/(chunk|manifest)\/[^\?\s]*).*/) {
	$out="OK store-id=http://squid/steam/content-powered/$2";

} else {
	$out="ERR";
}

if ($X[0] =~ m/^http.*/) {
	print $logfh "$timenow"."in : url=$urlreferer\n" if ($debug>=1);
	print $logfh "$timenow"."out: $out\n" if ($debug>=1);
	print $logfh "\n" if ($debug>=1);
	print "$out\n";
} else {
	print $logfh "$timenow"."in : chanel=$chanel url=$urlreferer\n" if ($debug>=1);
	print $logfh "$timenow"."out: chanel=$chanel $out\n" if ($debug>=1);
	print $logfh "\n" if ($debug>=1);
	print "$chanel $out\n";
}
}
close $logfh if ($debug);
#### akhir script storeid.pl, jangan ditulis ###

### awal speedtest.pl, jangan ditulis ###
#!/usr/bin/perl

$|=1;
while (<>) {
@X = split;
if ($X[0] =~ m/^http.*/) {
    $url        = $X[0];
    $referer    = $X[1];
    $urlreferer = $X[0] ." ". $X[1];
} else {
    $chanel     = $X[0];
    $url        = $X[1];
    $referer    = $X[2];
    $urlreferer = $X[1] ." ". $X[2];
}

if ($url=~ m/^https?\:\/\/.*(speedtest|espeed).*\/((latency|upload|random.*)\.(jpg|txt|php))/) {
    $out="OK rewrite-url=http://10.212.212.212:8033/speedtest/$2";
} else {
$out="ERR";
}

if ($X[0] =~ m/^http.*/) {
    print "$out\n";
} else {
    print "$chanel $out\n";
}
}
### akhir speedtest.pl, jangan ditulis ###

chmod +x /etc/squid/squid.conf
chmod +x /etc/squid/storeid.pl
chmod +x /etc/squid/speedtest.pl
squid -zN
wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid
update-rc.d squid defaults
service squid start
### edit isi /etc/rc.local, tambahkan baris berikut :
### awal penambahan di rc.local, jangan ditulis ###
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 8777 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 182 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 5050 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
ip rule add fwmark 1 lookup 212
ip route add local 0.0.0.0/0 dev lo table 212

#intercept
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
### akhir penambahan rc.local, jangan ditulis ###

reboot