#manual for debian7 ubuntu12/14

after finish your installing of ubuntu / debian

# change or replace /etc/apt/sources.list with  a local repository  

debian 7 indonesia= 

deb http://kambing.ui.ac.id/debian/ wheezy main contrib non-free

deb http://kambing.ui.ac.id/debian/ wheezy-updates main contrib non-free

deb http://kambing.ui.ac.id/debian-security/ wheezy/updates main contrib non-free

for debian error key= 

aptitude install debian-keyring debian-archive-keyring

apt-key update

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553

apt-get update && apt-get upgrade -y 

key input (q)

#edit tuning limits.conf at /security/limits.conf

add /etc/security/limits.conf

=============================================================

*         soft        nofile          65536

*         hard        nofile          65536

root      soft        nofile          65536

root      hard        nofile          65536

proxy     soft        nofile          65536

proxy     hard        nofile          65536

================================================================

#edit kernel @ .. /etc/sysctl.conf

=================================================================

#remove all contents and replace with config below

################################################################

<< .....................................................................................

kernel.panic = 30

kernel.panic_on_oops = 30

kernel.sysrq = 0

kernel.core_uses_pid = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

fs.file-max = 65536

vm.swappiness = 5

vm.vfs_cache_pressure=50

vm.mmap_min_addr = 4096

vm.overcommit_ratio = 0

vm.overcommit_memory = 0

kernel.shmmax = 268435456

kernel.shmall = 268435456

vm.min_free_kbytes = 65536

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_syn_retries = 5

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_max_syn_backlog = 4096

net.ipv4.ip_forward = 1

net.ipv4.conf.all.forwarding = 1

net.ipv4.conf.default.forwarding = 1

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.eth0.rp_filter = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.default.log_martians = 0

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_keepalive_time = 300

net.ipv4.tcp_keepalive_probes = 5

net.ipv4.tcp_keepalive_intvl = 15

net.ipv4.conf.all.bootp_relay = 0

net.ipv4.conf.all.proxy_arp = 0

net.ipv4.tcp_dsack = 1

net.ipv4.tcp_sack = 1

net.ipv4.tcp_fack = 1

net.ipv4.tcp_timestamps = 1

net.ipv4.icmp_echo_ignore_all = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.ip_local_port_range = 1024 65535

net.ipv4.tcp_rfc1337 = 1

net.ipv4.tcp_congestion_control = cubic

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_mem = 65536 131072 262144

net.ipv4.udp_mem = 65536 131072 262144

net.ipv4.tcp_rmem = 8192 87380 16777216

net.ipv4.udp_rmem_min = 16384

net.core.rmem_default = 87380

net.core.rmem_max = 16777216

net.ipv4.tcp_wmem = 8192 65536 16777216

net.ipv4.udp_wmem_min = 16384

net.core.wmem_default = 65536

net.core.wmem_max = 16777216

net.core.somaxconn = 32768

net.core.netdev_max_backlog = 4096

net.core.dev_weight = 64

net.core.optmem_max = 65536

net.ipv4.tcp_max_tw_buckets = 1440000

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_max_orphans = 16384

net.ipv4.tcp_orphan_retries = 0

net.ipv4.ipfrag_high_thresh = 512000

net.ipv4.ipfrag_low_thresh = 446464

net.ipv4.tcp_no_metrics_save = 1

net.ipv4.tcp_moderate_rcvbuf = 1

net.unix.max_dgram_qlen = 50

net.ipv4.neigh.default.gc_thresh3 = 2048

net.ipv4.neigh.default.gc_thresh2 = 1024

net.ipv4.neigh.default.gc_thresh1 = 32

net.ipv4.neigh.default.gc_interval = 30

net.ipv4.neigh.default.proxy_qlen = 96

net.ipv4.neigh.default.unres_qlen = 6

net.ipv4.tcp_ecn = 1

net.ipv4.tcp_reordering = 3

net.ipv4.tcp_retries2 = 15

net.ipv4.tcp_retries1 = 3

<<<...........................................................................................................

==============================================================================================================

# install web server 

apt-get install apache2 php5 php5-mysql mysql-server phpmyadmin -y

edit apache2.conf @/etc/apache2/apache2.conf

# Include the virtual host configurations:

Include sites-enabled/

ServerName localhost <<<< adding 

# install dns server can bind or unbound 

I used to wear when unbound, user friendly installation 

apt-get install unbound

/etc/init.d/unbound stop 

cd /etc/unbound

wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/named.cache

edit unbound.conf= <<<my unbound.conf.... http://pastebin.com/2gTnMNAV

edit dns-nameservers in /etc/netwwork/interfaces replace with localhost ip 

# for mikrotik router 

<<<.. adding my mikrotik nat dns-server unbound resolver= http://pastebin.com/190MZmtz

unbound-control-setup

chown unbound:root unbound_* && chmod 440 unbound_* 

/etc/init.d/unbound restart

flush cache unbound= /etc/init.d/unbound reload or unbound control-reload

#mulai konfigurasi squid proxy

# install packet

apt-get install devscripts build-essential openssl libssl-dev fakeroot libcppunit-dev libsasl2-dev cdbs ebtables bridge-utils libcap2 libcap-dev libcap2-dev sysv-rc-conf iproute kernel-package libncurses5-dev fakeroot wget bzip2 debhelper linuxdoc-tools libselinux1-dev htop iftop dnstop perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python ccze pastebinit checkinstall libssl-dev htop iftop iptraf mtr-tiny bwm-ng ccze sysv-rc-conf -y

#libecap

download libecap= http://www.4shared.com/archive/uMVmB3ADce/libecap-100tar.html

download DSI_ecap_youtube.so=  http://www.4shared.com/file/rYJcJqyVce/DSI_ecap_youtube.html

tar -xzf libecap-1.0.0.tar.gz

cd libecap-1.0.0/

./configure && make && make install

echo "/usr/local/lib" >> /etc/ld.so.conf

ldconfig

#ecap_adapter

apt-get install pkg-config 

wget http://www.measurement-factory.com/tmp/ecap/ecap_adapter_sample-1.0.0.tar.gz

tar -xzf ecap_adapter_sample-1.0.0.tar.gz

cd ecap_adapter_sample-1.0.0

# download patch ecap_adapter in mikrotik squid indonesia group / thanks to Mikrotike N SquidLovers

https://www.facebook.com/download/989568241123182/patch_ecap_adapter_sample.patch

<<< move patch_ecap_adapter_sample.patch > #to directory= /ecap_adapter_sample-1.0.0

<<< and then input the scripts below >>>

eksekusi >> patch -p1 < patch_ecap_adapter_sample.patch

./configure && make && make install

#squid installation

wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.12.tar.gz

tar -xzvf squid-3.5.12.tar.gz

cd squid-3*

./configure \

CHOST="x86_64-pc-linux-gnu" \

CFLAGS="-march=core2 -O2 -pipe" \

CXXFLAGS="${CFLAGS}" \

--build=x86_64-linux-gnu \

--prefix=/usr \

--exec-prefix=/usr \

--bindir=/usr/bin \

--sbindir=/usr/sbin \

--libdir=/usr/lib \

--sharedstatedir=/usr/com \

--includedir=/usr/include \

--localstatedir=/var \

--libexecdir=/usr/lib/squid \

--srcdir=. \

--datadir=/usr/share/squid \

--sysconfdir=/etc/squid \

--infodir=/usr/share/info \

--mandir=/usr/share/man \

--x-includes=/usr/include \

--x-libraries=/usr/lib \

--with-default-user=proxy \

--with-logdir=/var/log/squid \

--with-swapdir=/cache/cache \

--with-pidfile=/var/run/squid.pid \

--enable-err-languages=English \

--enable-default-err-language=English \

--enable-storeio=ufs,aufs,diskd \

--enable-linux-netfilter \

--enable-removal-policies=lru,heap \

--enable-gnuregex \

--enable-follow-x-forwarded-for \

--enable-x-accelerator-vary \

--enable-zph-qos \

--enable-delay-pools \

--enable-snmp \

--enable-underscores \

--with-openssl \

--enable-ssl-crtd \

--enable-http-violations \

--enable-async-io=24 \

--enable-storeid-rewrite-helpers \

--with-large-files \

--with-libcap \

--with-libnetfilter-conntrack \

--with-included-ltdl \

--with-maxfd=65536 \

--with-filedescriptors=65536 \

--with-pthreads \

--without-gnutls \

--without-mit-krb5 \

--without-heimdal-krb5 \

--without-gnugss \

--disable-icap-client \

--disable-wccp \

--disable-wccpv2 \

--disable-dependency-tracking \

--disable-auth --disable-epoll \

--disable-ident-lookups \

--disable-icmp \

--enable-ecap \

PKG_CONFIG_PATH=/usr/local/lib/pkgconfig

make && make install

chown -R proxy:proxy /cache/cache/

chmod -R 777 /cache/cache/

cd /etc/squid

mkdir ssl_certs

cd ssl_certs

openssl genrsa -out squid.key 2048

openssl req -new -key squid.key -out squid.csr -nodes

#input  data for certificate squid#

openssl x509 -req -days 3652 -in squid.csr -signkey squid.key -out squid.crt

/usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl_db

#edit squid.conf 

my squid.conf for tproxy= http://pastebin.com/18Rb3nD0

my squid.conf non tproxy only virtualbox= http://pastebin.com/uvtLinw8

my store-id.pl= http://pastebin.com/pLK4Jk81

chown -R nobody /etc/squid/

chown -R proxy:proxy /etc/squid/

chmod -R 777 /etc/squid/

/usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl_db

cd /var/log/squid/

touch access.log

touch cache.log

cd ...

chown -R proxy:proxy /var/log/squid/access.log

chown -R proxy:proxy /var/log/squid/cache.log

chmod -R 777 /var/log/squid/access.log

chmod -R 777 /var/log/squid/cache.log

cd /etc/init.d/

touch squid >> add scripts 

/etc/init.d/squid= http://pastebin.com/W8xQAD0d

edit line 64 squid file @/etc/init.d/squid >>line 64= #cache_dir=`find_cache_dir cache_dir /cache/cache`

chmod +x /etc/init.d/squid

update-rc.d squid defaults

/etc/init.d/squid stop

<<< chown -R nobody /etc/squid/ssl_db/

<<< chown -R proxy:proxy /etc/squid/ssl_db/

<<< chmod -R 777 /etc/squid/ssl_db/

# edit /etc/rc.local

config rc.local>>>.... http://pastebin.com/3z3s1Hpy

squid -z

reboot

###################################################################################

# your mikrotik 

add your ip proxy @ ip firewall address list 

<<and this is mikrotik simple config for tproxy access

>>> http://pastebin.com/9uyMpMac

#####################################################################################

#back to proxy and login

input= 

/etc/init.d/squid restart

#ssl_cert import

download ssl_cert your squid directory

using winscp >> download ssl_certs on directory /etc/squid/ >> to your computer windows/....

#setting non tproxy manual browser input

#add setting your browser mozilla / chrome or etc.... 

# google chrome= setting >>> add https/ssl >> manage certificates >> click trusted root certification 

click buttin import >>> and import your squid.crt -on directory /ssl_cets

# mozilla/firefox 

click tools >> advanced >> certificates >> clieck button view certifictes >> import your squid.crt -on directory /ssl_cets

=======================================================================================================

# if you install dns-crypt and unbound>>  

script auto start dns-crypt=

<<<... /usr/local/sbin/dnscrypt-proxy -a 127.0.0.1:40 -d -R d0wn-sg-ns1 -e 4096 -p /run/dnscrypt-proxy.pid

========================================================================================================