Public domain
cd /usr/src
wget -c http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.15.tar.gz
tar xf squid-3.1.15.tar.gz
cd squid-3.1.15
ulimit -HSn 16384
ulimit -HSd unlimited
./configure \
--prefix=/usr/local/squid \
--enable-forward-log \
--enable-follow-x-forwarded-for \
--enable-snmp \
--enable-linux-netfilter \
--enable-http-violations \
--enable-delay-pools \
--enable-storeio=diskd,aufs,ufs \
--with-large-files \
--enable-large-cache-files \
--with-filedescriptors=16384 \
--enable-async-io=128 \
--enable-removal-policies=lru,heap \
--enable-useragent-log \
--enable-referer-log \
--enable-err-languages=English \
--enable-default-err-language=English \
--enable-zph-qos \
--enable-icap-client \
&& make && make install
cp /usr/local/squid/etc/squid.conf{,.bak}
# Minimum ACL configuration
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Protect innocent web applications running on the
# proxy server who think the only one who can access
# services on "localhost" is a local user
http_access deny to_localhost
# Clients access rules
acl localnet src 192.168.123.240/28 192.168.84.0/28
http_access allow localnet
http_access allow localhost
# Finally deny all other access to this proxy
http_access deny all
# Deny all ICP requests to this proxy
icp_access deny all
# Deny all HTCP requests to this proxy
htcp_access deny all
# Squid normall listener
#http_port 3128
http_port 3128 tcpkeepalive=60,10,6
# TPROXY spoof listener
#http_port 3129 tproxy
http_port 3129 tproxy tcpkeepalive=60,10,6 disable-pmtu-discovery=transparent
# Override /etc/resolv.conf
#dns_nameservers 8.8.8.8
# Protect dynamic content
hierarchy_stoplist cgi-bin ? dll aspx
# Cache memory should be at most half of RAM size in MB
cache_mem 11264 MB
# These objects should be kept in memory
maximum_object_size_in_memory 40 KB
# Which objects are replaced when memory space is needed
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
# Disk swap directories
cache_dir aufs /cache/1 122880 512 2048
cache_dir aufs /cache/2 122880 512 2048
cache_dir aufs /cache/3 122880 512 2048
cache_dir aufs /cache/4 122880 512 2048
# These objects should be kept on hard disk
maximum_object_size 65536 KB
# Water marks for cache object replacement
cache_swap_high 95
cache_swap_low 93
# Logfile format
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# Access log address
access_log /usr/local/squid/var/logs/access.log squid
# Number of old logfiles
logfile_rotate 0
# Watchdog configs
#acl watchdog src 192.168.0.17
#log_access deny watchdog
# Leave coredumps in the first cache dir
coredump_dir /cache/1
# Continues downloading abort
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 98
# Time-to-Live for failed requests
negative_ttl 3 minutes
# How log shuold cache positive DNS responses
positive_dns_ttl 1 hours
# Maximum size for HTTP headers
request_header_max_size 100 KB
# Shutdown pending time
shutdown_lifetime 15 seconds
# Administrator
cache_mgr Pejman_Moghadam@yahoo.com
# Hostname
visible_hostname CacheServer
# Don't show version in error pages
httpd_suppress_version_string on
# Costume error pages
#error_directory /usr/local/squid/share/errors/mine/
# SNMP settings for MRTG access
acl mrtg src 127.0.0.1 # 192.168.0.17
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401
# Inter Cache Communication Protocol
icp_port 0
# Hyper Text Caching Protocol discovery
htcp_port 0
# Water marks for the IP cache
ipcache_size 40960
ipcache_high 95
ipcache_low 90
# Parallel requests from a pipeline.
pipeline_prefetch on
# Close immediately half-closed connections
half_closed_clients off
# Transparent Headers
forwarded_for transparent
via off
# Mark HIT packets
qos_flows local-hit=0x30
# Purge: squidclient -m PURGE http://www.google.com
acl purge method PURGE
http_access allow purge localhost
http_access deny purge
# Web Services workaround
ignore_expect_100 on
# Maximum connection limit of single client IP
#client_ip_max_connections -1
# eCAP Gzip (UNSTABLE)
#ecap_enable on
#ecap_service gzip_service respmod_precache 0 ecap://www.vigos.com/ecap_gzip
#loadable_modules /usr/local/lib/ecap_adapter_gzip.so
#acl GZIP_HTTP_STATUS http_status 200
#adaptation_access gzip_service allow GZIP_HTTP_STATUS
wccp2_router 172.16.106.233
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
# Refresh patterns (refresh-ims)
# Image files
refresh_pattern -i \.png$ 10080 90% 43200
refresh_pattern -i \.gif$ 10080 90% 43200
refresh_pattern -i \.jpg$ 10080 90% 43200
refresh_pattern -i \.jpeg$ 10080 90% 43200
refresh_pattern -i \.bmp$ 10080 90% 43200
refresh_pattern -i \.tif$ 10080 90% 43200
refresh_pattern -i \.tiff$ 10080 90% 43200
# Compressed files
refresh_pattern -i \.zip$ 10080 90% 43200
refresh_pattern -i \.rar$ 10080 90% 43200
refresh_pattern -i \.tar$ 10080 90% 43200
refresh_pattern -i \.gz$ 10080 90% 43200
refresh_pattern -i \.tgz$ 10080 90% 43200
refresh_pattern -i \.z$ 10080 90% 43200
refresh_pattern -i \.arj$ 10080 90% 43200
refresh_pattern -i \.lha$ 10080 90% 43200
refresh_pattern -i \.lzh$ 10080 90% 43200
# Binary files
refresh_pattern -i \.exe$ 10080 90% 43200
refresh_pattern -i \.msi$ 10080 90% 43200
# Multimedia files
refresh_pattern -i \.mp3$ 10080 90% 43200
refresh_pattern -i \.wav$ 10080 90% 43200
refresh_pattern -i \.mid$ 10080 90% 43200
refresh_pattern -i \.midi$ 10080 90% 43200
refresh_pattern -i \.ram$ 10080 90% 43200
refresh_pattern -i \.ra$ 10080 90% 43200
refresh_pattern -i \.mov$ 10080 90% 43200
refresh_pattern -i \.avi$ 10080 90% 43200
refresh_pattern -i \.wmv$ 10080 90% 43200
refresh_pattern -i \.mpg$ 10080 90% 43200
refresh_pattern -i \.mpeg$ 10080 90% 43200
refresh_pattern -i \.swf$ 10080 90% 43200
# Document files
refresh_pattern -i \.pdf$ 10080 90% 43200
refresh_pattern -i \.ps$ 10080 90% 43200
refresh_pattern -i \.doc$ 10080 90% 43200
refresh_pattern -i \.ppt$ 10080 90% 43200
refresh_pattern -i \.pps$ 10080 90% 43200
# Default patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#!/bin/bash
#
# /etc/rc.d/rc.squid
#
PIDFILE="/usr/local/squid/var/run/squid.pid"
TIMEOUT=60
start()
{
echo -n 'Starting TPROXY Squid . . . '
PROCESS=$(ps -A | egrep ' squid$')
if [ "$PROCESS" == "" ]; then
if [ -f ${PIDFILE} ] ; then
rm ${PIDFILE}
fi
fi
ulimit -HSn 16384
ulimit -HSd unlimited
/usr/local/squid/sbin/squid
echo "Ok"
}
stop()
{
echo 'Stoping TPROXY Squid'
/usr/local/squid/sbin/squid -k shutdown
TIME=0
while [ "$TIME" != "$TIMEOUT" ] ; do
TIME=$(( $TIME + 1 ))
echo -n $TIME
if [ "$(pgrep '^squid$')" == "" ]; then
if [ -f ${PIDFILE} ] ; then
rm ${PIDFILE}
fi
break
else
echo -n "."
fi
sleep 1
done
killall squid &> /dev/null
killall squid &> /dev/null
killall squid &> /dev/null
echo ".Ok"
}
case "$1" in
'start')
start
;;
'stop')
stop
;;
'restart')
stop
start
;;
'rotate')
echo -n 'Rotating TPROXY Squid log files . . . '
/usr/local/squid/sbin/squid -k rotate
echo "Ok"
;;
*)
echo "usage $0 start|stop|restart|rotate"
;;
esac
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
# vlan config
ifconfig eth0 0.0.0.0 up
vconfig add eth0 976
ifconfig eth0.976 172.16.106.234 netmask 255.255.255.248
route add default gw 172.16.106.233
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
# Load NAT and GRE Modules
#for MOD in $(/usr/bin/find /lib/modules/$(uname -r)/kernel/net -name "*nat*"); do
# /usr/bin/echo Loading $(/usr/bin/basename $MOD .ko)
# /sbin/modprobe $(/usr/bin/basename $MOD .ko)
#done
#for MOD in $(/usr/bin/find /lib/modules/$(uname -r)/kernel/net -name "*_gre.ko"); do
# /usr/bin/echo Loading $(/usr/bin/basename $MOD .ko)
# /sbin/modprobe $(/usr/bin/basename $MOD .ko)
#done
# Make GRE Tunnel between cache and router
ROUTER=172.16.106.233
CACHE=172.16.106.234
modprobe ip_gre
ip link set eth0.976 mtu 1476
ip tunnel add wccp0 mode gre remote $ROUTER local $CACHE dev eth0.976
ip addr add $CACHE dev wccp0
ip link set wccp0 up
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
/root/scripts/vlan.sh
/root/scripts/gre-tunnel.sh
# use less swap memory
echo 50 > /proc/sys/vm/swappiness
# tcp keep alive tuning
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
echo 65000 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 33554432 > /proc/sys/net/core/rmem_max
echo 33554432 > /proc/sys/net/core/wmem_max
echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_rmem
echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_wmem
echo 1 > /proc/sys/net/ipv4/tcp_no_metrics_save
echo 3000 > /proc/sys/net/core/netdev_max_backlog
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/wmem_default
echo 524288 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
/etc/rc.d/rc.squid start
fi
# TPROXY Divert
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
# TPROXY Route
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
#!/bin/bash
# Stop TPROXY Squid Cache server:
if [ -x /etc/rc.d/rc.squid ]; then
/etc/rc.d/rc.squid stop
fi
/usr/local/squid/var/logs/access.log {
daily
rotate 186
start 1
copytruncate
compress
compresscmd /usr/bin/bzip2
compressext .bz2
compressoptions -sq9
dateext
notifempty
missingok
}
/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
daily
rotate 31
start 1
copytruncate
compress
compresscmd /usr/bin/bzip2
compressext .bz2
compressoptions -sq9
dateext
notifempty
missingok
sharedscripts
postrotate
/usr/local/squid/sbin/squid -k rotate
endscript
}
# cat /etc/fstab
/dev/cciss/c0d0p1 swap swap defaults 0 0
/dev/cciss/c0d0p2 / reiserfs defaults 1 1
/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
/dev/cciss/c0d0p5 /cache/1 reiserfs noatime,notail 1 2
/dev/cciss/c0d0p6 /cache/2 reiserfs noatime,notail 1 2
/dev/cciss/c0d0p7 /cache/3 reiserfs noatime,notail 1 2
/dev/cciss/c0d0p8 /cache/4 reiserfs noatime,notail 1 2
# df -h
Filesystem Type Size Used Avail Use% Mounted on
/dev/root reiserfs 21G 4.9G 16G 25% /
tmpfs tmpfs 32G 0 32G 0% /dev/shm
/dev/cciss/c0d0p5 reiserfs 182G 200M 182G 1% /cache/1
/dev/cciss/c0d0p6 reiserfs 182G 200M 182G 1% /cache/2
/dev/cciss/c0d0p7 reiserfs 182G 200M 182G 1% /cache/3
/dev/cciss/c0d0p8 reiserfs 191G 200M 190G 1% /cache/4
# free -m
total used free shared buffers cached
Mem: 64448 345 64102 0 20 122
-/+ buffers/cache: 201 64246
Swap: 65538 0 65538
mkdir /usr/local/squid/var/cache
mkdir -p /cache/{1,2,3,4}
chown -R nobody:nobody /cache
chown -R nobody:nobody /usr/local/squid/var/logs
chmod +x /etc/rc.d/rc.local_shutdown
chmod +x /root/scripts/vlan.sh
chmod +x /root/scripts/gre-tunnel.sh
chmod +x /etc/rc.d/rc.squid
/usr/local/squid/sbin/squid -z
/etc/rc.d/rc.squid start
# telnet 172.16.106.233
Trying 172.16.106.233...
Connected to 172.16.106.233.
Escape character is '^]'.
User Access Verification
Password:
router3845>enable
Password:
router3845#show version
Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 21:00 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T15, RELEASE SOFTWARE (fc1)
router3845 uptime is 19 hours, 17 minutes
System returned to ROM by power-on
System image file is "flash:c3845-spservicesk9-mz.150-1.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 3845 (revision 1.0) with 487423K/36864K bytes of memory.
Processor board ID FHK1504F0MJ
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
447K bytes of NVRAM.
126976K bytes of ATA System CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO3845-MB FOC14512NFP
Configuration register is 0x2142 (will be 0x2102 at next reload)
router3845#dir flash:
Directory of flash:/
1 -rw- 56307576 Jan 21 2011 09:39:36 +00:00 c3845-spservicesk9-mz.150-1.M4.bin
2 -rw- 2903 Jan 21 2011 09:49:14 +00:00 cpconfig-38xx.cfg
3 -rw- 2938880 Jan 21 2011 09:49:26 +00:00 cpexpress.tar
4 -rw- 1038 Jan 21 2011 09:49:32 +00:00 home.shtml
5 -rw- 122880 Jan 21 2011 09:49:40 +00:00 home.tar
6 -rw- 793739 Jan 21 2011 09:49:48 +00:00 256MB.sdf
7 -rw- 1697952 Jan 21 2011 09:50:02 +00:00 securedesktop-ios-3.1.1.45-k9.pkg
8 -rw- 415956 Jan 21 2011 09:50:14 +00:00 sslclient-win-1.1.4.176.pkg
129748992 bytes total (67457024 bytes free)
router3845#sh run
Building configuration...
Current configuration : 1975 bytes
!
! Last configuration change at 23:08:10 UTC Wed Sep 21 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router3845
!
boot-start-marker
boot-end-marker
!
enable secret **********
enable password **********
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip wccp web-cache
ip wccp 80 redirect-list 100
ip wccp 90 redirect-list 100
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC14512NFP
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description to ne80(801)
no ip address
duplex full
speed auto
media-type sfp
no negotiation auto
no mop enabled
!
interface GigabitEthernet0/0.998
description to cisco
encapsulation dot1Q 998
ip address 172.16.106.226 255.255.255.252
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.975
description Clients-Network
encapsulation dot1Q 975
ip address 10.92.107.6 255.255.255.252
ip wccp 80 redirect in
ip wccp 90 redirect out
!
interface GigabitEthernet0/1.976
description Squid-Tproxy-WCCP
encapsulation dot1Q 976
ip address 172.16.106.233 255.255.255.248
ip wccp redirect exclude in
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.106.225
ip route 192.168.123.240 255.255.255.240 10.92.107.5
ip route 192.168.84.0 255.255.255.240 10.92.107.5
!
access-list 100 permit ip 192.168.123.240 0.0.0.15 any
access-list 100 permit ip any 192.168.123.240 0.0.0.15
access-list 100 permit ip 192.168.84.0 0.0.0.15 any
access-list 100 permit ip any 192.168.84.0 0.0.0.15
access-list 100 deny ip any any
dialer-list 1 protocol ip permit
!
snmp-server community ******** RO
!
!
control-plane
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password **********
login
!
scheduler allocate 20000 1000
end
router3845#exit
Connection closed by foreign host.
http://devel.squid-cache.org/cgi-bin/test
http://onlamp.com/pub/a/onlamp/2005/11/17/tcp_tuning.html?page=2
http://fasterdata.es.net/TCP-tuning//linux.html
http://fasterdata.es.net/TCP-tuning//TCP-tuning.html
BY: Pejman Moghadam
TAG: squid, tproxy, wccp, cisco3845
DATE: 2011-09-22 02:44:55