SQUID 3 mode intercept HTTP&HTTPS
PROXY SQUID
squid-3.5.0.2-20141121-r13666.tar.gz
(beta version)
INTERCEPT MODE
SUPPORT WITH HTTP AND HTTPS
By:
Muhammad Fahmy Hadziqy S.T
not impossible caching even HTTPS by Muhammad Fahmy Hadziqy S.T
SMK BAKTI ILHAM RANCAEKEK
2014
Prerequisite: the operating system must already be installed. In this write-up the operating system used is Debian 6.0; production testing on an RT/RW net (neighbourhood network) with Ubuntu Server LTS 14.04.1 also ran without any problems.
What is intercept mode? Quoting Squid's official site: intercept - Support for IP-Layer interception of outgoing requests without browser settings.
So intercept mode means support for IP-layer interception of outgoing requests, both HTTP and HTTPS, without configuring the browser. In other words, the router can forcibly divert packets destined for port 80 (HTTP) and 443 (HTTPS) to the proxy machine/port. Those of you who used Squid 2.x probably already know this by the name "transparent".
Let's get right to it, but don't forget to update the package index first:
# apt-get update
Install the supporting packages:
# apt-get install -y devscripts build-essential openssl libssl-dev fakeroot libcppunit-dev libsasl2-dev cdbs ccze libfile-readbackwards-perl libcap2 libcap-dev libcap2-dev sysv-rc-conf
Download the Squid tarball:
# wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.0.2-20141121-r13666.tar.gz
Extract the downloaded file:
# tar -xzvf squid-3.5.0.2-20141121-r13666.tar.gz
Enter the directory that was just extracted:
# cd squid-3.5.0.2-20141121-r13666
Compile with the options below; feel free to adjust them to your own needs. These options already support the use of external helpers (the supporting-package step covered that too); the external helper will later be used to rewrite dynamic URLs into static ones so that Squid can cache them :D
Configure & compile:
# ./configure --prefix=/usr --bindir=/usr/bin \
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid \
--sysconfdir=/etc/squid --localstatedir=/var \
--includedir=/usr/include --datadir=/usr/share/squid \
--infodir=/usr/share/info --mandir=/usr/share/man \
--srcdir=. --disable-dependency-tracking \
--disable-strict-error-checking --enable-storeio=ufs,aufs,diskd \
--enable-removal-policies=lru,heap --disable-ipv6 \
--disable-wccp --disable-wccpv2 --enable-kill-parent-hack \
--enable-snmp --enable-cachemgr-hostname=proxy \
--enable-cache-digests --disable-select \
--enable-http-violations --enable-linux-netfilter \
--enable-follow-x-forwarded-for --disable-ident-lookups \
--disable-auth-basic --enable-x-accelerator-vary \
--enable-zph-qos --enable-ssl --enable-ssl-crtd --with-openssl --without-gnutls --with-default-user=proxy --with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid --with-swapdir=/var/spool/squid \
--with-aufs-threads=32 --with-dl --with-large-files --enable-ltdl-convenience \
--with-filedescriptors=65536
Build the binaries from the compile step and install them into the operating system:
# make && make install
It takes a while, so just wait; have a smoke and a coffee first, hehe.
[screenshot: output of make]
[screenshot: output of make install]
Check whether the squid service file showed up:
# ls /etc/init.d/
Whoa, it's not there, bro.
Relax, just PM me later to avoid anything unwanted :D
First create the cache directories, their permissions and the user+group ownership:
# mkdir /cache1 && mkdir /cache2
# chmod 777 /cache1 && chmod 777 /cache2
# chown proxy:proxy /cache1 && chown proxy:proxy /cache2
Adjust these to your own needs.
Now create the hand... oops, wrong, I mean the SSL certificate :D
# cd /etc/squid
# mkdir ssl_cert
# openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout ssl_cert/myCA.pem -out ssl_cert/myCA.pem
# openssl x509 -in ssl_cert/myCA.pem -outform DER -out ssl_cert/myCA.der
Source: http://wiki.squid-cache.org/Features/DynamicSslCert
Create the directory that will later hold the certificates the proxy generates when bumping SSL from servers:
# mkdir /etc/squid/ssl_db
Prepare the ssl_crtd certificate database so the generated certificates can be cached:
# /usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl_db/certs
Afterwards, don't forget to give the squid user write access; here simply changing the owner to nobody is enough:
# chown -R nobody /etc/squid/ssl_db
==============================
add the following to squid.conf
==============================
cache_dir /cache1 aufs 100 16 256
cache_dir /cache2 aufs 100 16 256
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/squid/ssl_db/certs/ -M 4MB
sslcrtd_children 32 startup=30 idle=1
ssl_unclean_shutdown on
sslproxy_version 1
always_direct allow all
## for servers you don't want bumped, use 'ssl_bump none <acl>'; e.g. for bank servers, don't forget to create an acl for the bank servers first
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
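The bank exemption that the comment above describes, as an added example that is not part of the original document: a constructed squid.conf fragment with a `banks` ACL (the ACL name and its domains are placeholders) plus a small POSIX sh check that every `ssl_bump none` rule is listed before the catch-all rule, since Squid applies the first matching ssl_bump rule.

```shell
#!/bin/sh
# Added example, not from the original document. Squid evaluates ssl_bump rules
# in order and uses the first match, so an exemption such as "ssl_bump none banks"
# only takes effect if it is listed before "ssl_bump server-first all". Because
# "sslproxy_cert_error allow all" and "sslproxy_flags DONT_VERIFY_PEER" disable
# upstream certificate validation for every bumped site, this exemption list is
# what keeps sensitive sites out of the bump.

# Constructed fragment; the ACL name "banks" and the domains are placeholders.
write_fragment() {
    cat > "$1" <<'EOF'
acl banks dstdomain .bank.example .otherbank.example
ssl_bump none localhost
ssl_bump none banks
ssl_bump server-first all
EOF
}

# Return 0 when every "ssl_bump none ..." rule precedes the first catch-all
# "ssl_bump server-first|client-first|bump all"; otherwise report each shadowed
# rule on stdout and return 1.
check_bump_order() {
    awk '
        BEGIN { bad = 0; catchall = 0 }
        /^[[:space:]]*ssl_bump[[:space:]]+(server-first|client-first|bump)[[:space:]]+all[[:space:]]*$/ {
            if (!catchall) catchall = NR
            next
        }
        /^[[:space:]]*ssl_bump[[:space:]]+none/ && catchall {
            printf("line %d is never reached: catch-all ssl_bump on line %d wins\n", NR, catchall)
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Usage: sh this-script.sh --demo   (writes the fragment to /tmp and checks it)
if [ "${1:-}" = "--demo" ]; then
    demo=/tmp/squid-bump-fragment.conf
    write_fragment "$demo" && check_bump_order "$demo" && echo "ssl_bump order OK: $demo"
fi
```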
==============================
in the refresh_pattern section, add this so that Google image search results can be cached
==============================
refresh_pattern -i \.gstatic.com\/images?.* 525600 100% 525600 override-expire ignore-auth
==============================
permissions for the squid log file directory
==============================
# chmod 777 /var/log/squid -R
# chown proxy:proxy /var/log/squid -R
==============================
create the swap directories inside the cache folders
==============================
# squid -z
==============================
restart the squid service
==============================
# service squid restart
check that there are no errors:
# squid -k parse
Divert port 80 & 443 packets to the proxy ports; set up NAT first:
In /etc/sysctl.conf, enable IPv4 forwarding (net.ipv4.ip_forward = 1) :D
iptables -t nat -A POSTROUTING -s ip-network-client -j MASQUERADE
iptables -t nat -A PREROUTING -s ip-network-client -p tcp --dport 80 -j REDIRECT --to-port port-http-proxy
iptables -t nat -A PREROUTING -s ip-network-client -p tcp --dport 443 -j REDIRECT --to-port port-https-proxy
Copy the certificate file with the .der extension and import it into the browser.
Google Chrome: Settings, Advanced, HTTPS/SSL, Trusted Root Certification Authorities, Import, choose the file myCA.der, OK. Done!
http://wiki.squid-cache.org/
http://www.squid-cache.org/
http://www.squid-cache.org/Doc/config/http_port/
http://wiki.squid-cache.org/Features/DynamicSslCert