apt-get update

apt-get install build-essential devscripts libcppunit-dev openssl libssl-dev libcap-dev libsasl2-dev ccze pkg-config libkrb5-dev apache2 php5 -y

### install pake ecap seperti http://pastebin.com/G8sUCy6h

cd

wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.20-20160724-r14069.tar.gz

tar xzvf squid-3.5.20-20160724-r14069.tar.gz

wget -O squid_forgery.patch http://www.squid-cache.org/mail-archive/squid-users/201404/att-0240/squid_forgery.patch.txt

cd squid-3.5.20-20160724-r14069

patch -p0 <../squid_forgery.patch

### configure squid http://pastebin.com/YJxDf02h

make 

make install

chown -R nobody /var/log/squid

chown -R nobody /cache

mkdir -p /etc/squid/ssl_cert

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout /etc/squid/ssl_cert/warnet.pem -out /etc/squid/ssl_cert/warnet.pem -subj "/C=ID/ST=Jawa Tengah/L=Semarang/O=TSI/CN=Terapi Squid Indonesia"

openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.der

openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.crt

/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

chown -R nobody /var/lib/ssl_db

### awal squid.conf, jangan ditulis ###

# Recommended minimum configuration:

# sesuaikan ukuran cache

# sesuaikan ip address

# script squid.conf untuk non-range 360p

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

dns_v4_first on

reply_header_access Alternate-Protocol deny all

reply_header_access Alt-Svc deny all

#cache_dir aufs /cache 700000 16 256

cache_dir aufs /cache 360000 1 1

cache_mem 8 MB

coredump_dir /var/log/squid

cache_swap_low 80

cache_swap_high 85

cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

maximum_object_size 4096000 KB

maximum_object_size_in_memory 0 KB

request_body_max_size 0 KB

refresh_all_ims on

reload_into_ims on

cache_mgr cespun@gmail.com

visible_hostname cespun-proxy

strip_query_terms off

httpd_suppress_version_string on

log_mime_hdrs off

forwarded_for off

via off

request_header_access X-Forwarded-For deny all

reply_header_access X-Forwarded-For deny all

request_header_access Via deny all

reply_header_access Via deny all

max_filedescriptors 65536

cache_swap_high 98

cache_swap_low 95

fqdncache_size 4096

ipcache_size 4096

dns_nameservers 208.67.222.222 208.67.220.220

http_port 3128

#http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

#http_port 3129 intercept

#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

http_port 3129 tproxy

https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

qos_flows local-hit=0x30

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80      # http

acl Safe_ports port 182     # http

acl Safe_ports port 21      # ftp

acl Safe_ports port 443     # https

acl Safe_ports port 70      # gopher

acl Safe_ports port 210     # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280     # http-mgmt

acl Safe_ports port 488     # gss-http

acl Safe_ports port 591     # filemaker

acl Safe_ports port 777     # multiling http

acl step1 at_step SslBump1

acl step2 at_step SslBump2

acl step3 at_step SslBump3

#acl sslserver ssl::server_name_regex -i "/etc/squid/bypass.txt"

#acl iphone browser -i regexp (iPhone|iPad)

#acl BB browser -i regexp (BlackBerry|PlayBook)

#acl Winphone browser -i regexp (Windows.*Phone|Trident|IEMobile)

#acl Android browser -i regexp Android

acl yt-modif url_regex -i ^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)

acl youtube url_regex -i ^http.*(youtube|googlevideo|videoplayback|videogoodput)

acl versipatch url_regex -i ^http.*(update|patch).*versi

acl versipatch url_regex -i ^http.*versi.*(update|patch)

acl versipatch url_regex -i ^http.*(antihack|xigncode|gameguard)

#acl patchpartial url_regex -i ^http.*(garena|gemscool|netmarble|valve|dota|winnerinter|lytogame|megaxus).*patch

#acl patchpartial url_regex -i ^http.*patch.*(garena|gemscool|netmarble|valve|dota|winnerinter|lytogame|megaxus)

acl patchpartial url_regex -i ^http.*patch.*garena

acl patchpartial url_regex -i ^http.*garena.*patch

acl httptomiss http_status 302

acl mimehtml rep_mime_type -i mime-type ^text/html

acl mimeplain rep_mime_type -i mime-type ^text/plain

acl tostoreid url_regex -i ^http.*(youtube|googlevideo|videoplayback|videogoodput)

acl tostoreid url_regex -i ^http.*(fbcdn|akamaihd)

acl tostoreid url_regex -i ^http.*c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/.*\?

acl tostoreid url_regex -i ^http.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/.*\/.*\?

acl tostoreid url_regex -i ^http.*datafilehost.*\/get\.php.*file\=.*

acl tostoreid url_regex -i ^http.*\.filehippo\.com\/.*\?

acl tostoreid url_regex -i ^http.*\.4shared\.com\/.*\/.*\/.*\/dlink.*preview.mp3

acl tostoreid url_regex -i ^http.*\.4shared\.com\/download\/.*\/.*\?tsid

acl tostoreid url_regex -i ^http.*steam(powered|content)

acl tostoreid url_regex -i ^http.*savefile\.co\:182\/.*\/.*\.(mp4|flv|3gp)

acl tostoreid url_regex -i ^http.*video\-http\.media\-imdb\.com\/.*\.mp4\?

acl tostoreid url_regex -i ^http.*\.dl\.sourceforge\.net

#acl tostoreid url_regex -i ^http.*(speedtest|espeed).*\/.*\.(jpg|txt)

acl speedtest url_regex -i ^http.*(speedtest|espeed).*\/(latency|upload|random.*)\.(jpg|txt|php)

acl CONNECT method CONNECT

acl getmethod method GET

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access allow localnet

http_access allow localhost

http_access deny all

request_header_access Range deny !patchpartial

#range_offset_limit 128 KB !patchpartial

range_offset_limit none patchpartial

quick_abort_min 1 KB

quick_abort_max 1 KB

quick_abort_pct 95

#request_header_access User-Agent deny yt-modif !iphone !BB !Winphone !Android

### flash

#request_header_replace User-Agent Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14

### flash

#request_header_replace User-Agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14

###html5

#request_header_replace User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

###html5

#request_header_replace user_Agent Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0

#request_header_replace Mozilla/6.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:2.0.0.0) Gecko/20061028 Firefox/3.0

cache deny versipatch

cache deny localhost

ssl_bump splice localhost

#ssl_bump splice sslserver

ssl_bump peek step1 all

ssl_bump bump step2 all

ssl_bump splice step3 all

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 2000 startup=30 idle=1

sslproxy_capath /etc/squid/ssl_cert

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

sslproxy_flags NO_SESSION_REUSE

ssl_unclean_shutdown on

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE #Jika menggunakan versi setelah squid-3.5.12-20151222-r13967

#sslproxy_options NO_SSLv2,NO_SSLv3

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

#debug_options 11,2 22,3

logfile_rotate 1

#logformat referer %ts.%03tu %>a %{Referer}>h %ru

#logformat referer %ts.%03tu %>a %ru %{Referer}>h

#logformat referer %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %{Referer}>h %{User-Agent}>h

#access_log /var/log/squid/access.log !CONNECT

#access_log /var/log/squid/connect.log CONNECT

#cache_store_log /var/log/squid/store.log

access_log stdio:/var/log/squid/access.log

netdb_filename none

#ecap

#yt_quality: tiny = 144px small = 240px medium = 360px large = 480px HD720 = Hd720px

loadable_modules /usr/local/lib/ecap_adapter_modifying.so

ecap_enable on

request_header_access Accept-Encoding deny yt-modif

ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="dash":"0","vq":"medium","enablejsapi"

#ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="dash":"1","vq":"tiny","enablejsapi"

#ecap_service modif respmod_precache uri=ecap://e-cap.org/ecap/services/sample/modifying victim="enablejsapi" replacement="vq":"small","enablejsapi"

adaptation_access modif allow yt-modif

adaptation_access modif deny all

cache deny speedtest

url_rewrite_access allow speedtest

url_rewrite_access deny all

url_rewrite_program /etc/squid/speedtest.pl

redirector_bypass on

cache_peer 10.212.212.212 parent 8033 0 no-digest no-tproxy

dead_peer_timeout 5 seconds

cache_peer_access 10.212.212.212 allow speedtest

cache_peer_access 10.212.212.212 deny all

always_direct deny speedtest

never_direct allow speedtest

url_rewrite_children 2000 startup=30 idle=1

store_id_bypass off

store_id_extras "%{Referer}>h"

store_id_program /etc/squid/storeid.pl

store_id_children 2000 startup=30 idle=1

store_id_access deny !getmethod

store_id_access allow tostoreid

store_id_access deny all

store_miss deny youtube httptomiss

send_hit deny youtube httptomiss

store_miss deny youtube mimeplain

send_hit deny youtube mimeplain

store_miss deny mimehtml

send_hit deny mimehtml

store_miss deny versipatch

send_hit deny versipatch

refresh_pattern -i . 432000 100% 432000 override-expire override-lastmod reload-into-ims refresh-ims ignore-no-store ignore-must-revalidate ignore-private ignore-auth store-stale

max_stale 1 day

### akhir squid.conf, jangan ditulis ###

### awal storeid.pl , jangan ditulis ###

#!/usr/bin/perl

#

# storeid.pl with debug opt - based on storeurl.pl

# @ http://www2.fh-lausitz.de/launic/comp/misc/squid/projekt_youtube/

# referensi dan terimakasih khususnya pada Mr. Syaifudin JW aka Ucok Karnadi

use IO::File;

$|=1;

STDOUT->autoflush(1);

$debug=1;			## recommended:0

$bypassallrules=0;		## recommended:0

$sucks="";			## unused

$sucks="sucks" if ($debug>=1);

$timenow="";

$printtimenow=1;  		## print timenow: 0|1

my $logfile = '/var/log/squid/storeid.log';

open my $logfh, '>>', $logfile

    or die "Couldn't open $logfile for appending: $!\n" if $debug;

$logfh->autoflush(1) if $debug;

while (<>) {

$timenow=time()." " if ($printtimenow);

print $logfh "$timenow"."in : input=$_" if ($debug>=1);

@X = split;

if ($X[0] =~ m/^http.*/) {

	$url		= $X[0];

	$referer	= $X[1];

	$urlreferer	= $X[0] ." ". $X[1];	

} else { 

	$chanel		= $X[0];

	$url		= $X[1];

	$referer	= $X[2];

	$urlreferer	= $X[1] ." ". $X[2];

}

if ($bypassallrules){

 $out="$url"; ## map 1:1

#youtube googlevideo

} elsif ($url =~ m/^https?\:\/\/.*google.*video(playback|goodput).*/){

	@cpn	= m/[=%&?\/]cpn[=%&?\/]([^\&\s]*)/;

	@id	= m/[=%&?\/]id[=%&?\/]([^\&\s]*)/;

	@itag	= m/[=%&?\/]itag[=%&?\/]([\d]*)/;

	@range	= m/[=%&?\/]range[=%&?\/]([\d]*-[\d]*)/;

	@mime	= m/[=%&?\/]mime[=%&?\/]([^\&\s]*)/;

	if ($referer =~ m/^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)[=%&?\/]([^\&\s\?]*)/){

		@id	= $2;

	} else {

		if (defined(@cpn[0])){

			if (-e "/tmp/@cpn"){

				open FILE, "/tmp/@cpn";

				@id = <FILE>;

				close FILE;

			}

		}

	}

	$out="OK store-id=http://squid/google/video/id=@id/itag=@itag/mime=@mime/range=@range";

#youtube parameter

} elsif (

	($url =~ m/^https?\:\/\/.*youtube.*(stream_204|watchtime|qoe|atr|csi_204|playback).*[=%&?\/]docid[=%&?\/]([^\&\s]*)/) ||

	($url =~ m/^https?\:\/\/.*youtube.*(ptracking|set_awesome).*[=%&?\/]video_id[=%&?\/]([^\&\s]*)/) ||

	($url =~ m/^https?\:\/\/.*youtube.*(player_204).*[=%&?\/]v[=%&?\/]([^\&\s]*)/)

	){

	@id	= $2;

	@cpn    = m/[=%&?\/]cpn[=%&?\/]([^\&\s]*)/;

	if ($referer !~ m/^https?\:\/\/www\.youtube\.com\/(watch\?v|embed|v)[=%&?\/]([^\&\s\?]*)/){

		unless (-e "/tmp/@cpn"){

			open FILE, ">/tmp/@cpn";

			print FILE @id;

			close FILE;

		}

	}

	$out = "ERR";

#utmgif

} elsif ($url =~ m/^https?\:\/\/www\.google-analytics\.com\/__utm\.gif\?.*/) {

	$out="OK store-id=http://squid/google-analytics/__utm.gif";

#fbcdn.net or akamaihd.net video range

} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/([\w-]+\.[\w]{2,4}).*(bytestart[=%&?\/][\d]+[&\/]byteend[=%&?\/][\d]+)/) {

	$out="OK store-id=http://squid/$1/$2/$3";

#fbcdn.net or akamaihd.net with size

} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/([a-zA-Z][\d]+[x][\d]+\/[\w-]+\.[\w]{2,4})($|\?)/) {

	$out="OK store-id=http://squid/$1/$2";

#fbcdn.net or akamaihd.net safe_image.php

} elsif ($url =~ m/^https?\:\/\/.*(fbcdn\.net|akamaihd\.net).*\/safe_image\.php\?(.*)/) {

	$out="OK store-id=http://squid/$1/$2";

#reverbnation

} elsif ($url =~ m/^https?\:\/\/c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/(.*)\?.*/) {

	$out="OK store-id=http://squid/reverbnation/$1";

#playstore

} elsif ($url =~ m/^https?\:\/\/.*\.c\.android\.clients\.google\.com\/market\/GetBinary\/GetBinary\/(.*\/.*)\?.*/) {

	$out="OK store-id=http://squid/android/market/$1";

#filehost

} elsif ($url =~ m/^https?\:\/\/.*datafilehost.*\/get\.php.*file\=(.*)/) {

	$out="OK store-id=http://squid/datafilehost/$1";

#speedtest

} elsif ($url =~ m/^https?\:\/\/.*(speedtest|espeed).*\/(.*\.(txt|jpg)).*/) {

	$out="OK store-id=http://squid/speedtest/$2";

#filehippo

} elsif ($url =~ m/^https?\:\/\/.*\.filehippo\.com\/.*\/([\w-]+\.[\w]{2,4})\?.*/) {

	$out="OK store-id=http://squid/filehippo/$1";

#4shared preview.mp3

} elsif ($url =~ m/^https?\:\/\/.*\.4shared\.com\/.*\/(.*\/.*)\/dlink.*preview.mp3/) {

	$out="OK store-id=http://squid/4shared/preview/$1";

#4shared

} elsif ($url =~ m/^https?\:\/\/.*\.4shared\.com\/download\/(.*\/.*)\?tsid.*/) {

	$out="OK store-id=http://squid/4shared/download/$1";

#savefile-animeindo.tv

} elsif ($url =~ m/^https?:\/\/www\.savefile\.co\:182\/.*\/(.*\.(mp4|flv|3gp)).*/) {

	$out="OK store-id=http://squid/savefile:182/$1";

#imdb

} elsif ($url =~ m/^https?\:\/\/video\-http\.media\-imdb\.com\/(.*\.mp4)\?.*/) {

	$out="OK store-id=http://squid/imdb/$1";

#sourceforge

} elsif ($url =~ m/^https?\:\/\/.*\.dl\.sourceforge\.net\/([\w-]+\.[\w]{2,3})/) {

	$out="OK store-id=http://squid/sourceforge/$1";

#steampowered dota 2

#} elsif ($url =~ m/^https?\:\/\/.*(steam(powered|content).*\/(client|depot)\/[\d]+\/(chunk|manifest)\/[^\?\s]*).*/) {

#	$out="OK store-id=http://squid/$1";

#steampowered dota 2

} elsif ($url =~ m/^https?\:\/\/.*steam(powered|content).*\/((client|depot)\/[\d]+\/(chunk|manifest)\/[^\?\s]*).*/) {

	$out="OK store-id=http://squid/steam/content-powered/$2";

} else {

	$out="ERR";

}

if ($X[0] =~ m/^http.*/) {

	print $logfh "$timenow"."in : url=$urlreferer\n" if ($debug>=1);

	print $logfh "$timenow"."out: $out\n" if ($debug>=1);

	print $logfh "\n" if ($debug>=1);

	print "$out\n";

} else {

	print $logfh "$timenow"."in : chanel=$chanel url=$urlreferer\n" if ($debug>=1);

	print $logfh "$timenow"."out: chanel=$chanel $out\n" if ($debug>=1);

	print $logfh "\n" if ($debug>=1);

	print "$chanel $out\n";

}

}

close $logfh if ($debug);

#### akhir script storeid.pl, jangan ditulis ###

### awal speedtest.pl, jangan ditulis ###

#!/usr/bin/perl

$|=1;

while (<>) {

@X = split;

if ($X[0] =~ m/^http.*/) {

    $url        = $X[0];

    $referer    = $X[1];

    $urlreferer = $X[0] ." ". $X[1];   

} else {

    $chanel     = $X[0];

    $url        = $X[1];

    $referer    = $X[2];

    $urlreferer = $X[1] ." ". $X[2];

}

if ($url=~ m/^https?\:\/\/.*(speedtest|espeed).*\/((latency|upload|random.*)\.(jpg|txt|php))/) {

    $out="OK rewrite-url=http://10.212.212.212:8033/speedtest/$2";

} else {

$out="ERR";

}

if ($X[0] =~ m/^http.*/) {

    print "$out\n";

} else {

    print "$chanel $out\n";

}

}

### akhir speedtest.pl, jangan ditulis ###

chmod +x /etc/squid/squid.conf

chmod +x /etc/squid/storeid.pl

chmod +x /etc/squid/speedtest.pl

squid -zN

wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh

chmod +x /etc/init.d/squid

update-rc.d squid defaults

service squid start

### edit isi /etc/rc.local, tambahkan baris berikut :

### awal penambahan di rc.local, jangan ditulis ###

iptables -t mangle -N DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1

iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -t mangle -A PREROUTING -p tcp --dport 8777 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -t mangle -A PREROUTING -p tcp --dport 182 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -t mangle -A PREROUTING -p tcp --dport 5050 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

ip rule add fwmark 1 lookup 212

ip route add local 0.0.0.0/0 dev lo table 212

#intercept

#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129

#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

### akhir penambahan rc.local, jangan ditulis ###

reboot