Create one link for ftp user
ftp://username:password@ip server/folder or filename
Tuesday, March 24, 2015
Tuesday, March 17, 2015
delay pool and limit files
Setting delay pool and limit download files
acl admin src "/etc/squid/admin"
#acl management src "/etc/squid/management"
acl staff src 192.168.130.0/24
#
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
#delay_access 1 allow admin management
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 -1/-1 256000/4000000
delay_access 2 allow staff
delay_access 2 deny all
reply_body_max_size 2 GB admin
reply_body_max_size 10 MB staff
acl admin src "/etc/squid/admin"
#acl management src "/etc/squid/management"
acl staff src 192.168.130.0/24
#
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
#delay_access 1 allow admin management
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 -1/-1 256000/4000000
delay_access 2 allow staff
delay_access 2 deny all
reply_body_max_size 2 GB admin
reply_body_max_size 10 MB staff
Thursday, March 12, 2015
Limit download squid
Vi squid.conf
acl t1 src 192.168.254.200
acl t2 src 192.168.254.0/24
http_access allow t1
http_access allow t2
reply_body_max_size 0 allow t1
reply_body_max_size 10 MB allow t2
acl t1 src 192.168.254.200
acl t2 src 192.168.254.0/24
http_access allow t1
http_access allow t2
reply_body_max_size 0 allow t1
reply_body_max_size 10 MB allow t2
Monday, March 9, 2015
Konfigurasi squid with ssl filtering
#
# Recommended minimum configuration:
#
via on
#pid filename /var/run/squid.pid
acl query urlpath_regex cgi \?
no_cache deny query
forwarded_for transparent
#forwarded_for truncate
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
visible_hostname proxy-sunter1
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
dns_nameservers 202.145.0.1
dns_nameservers 202.145.0.2
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 8001
http_port 8002 intercept
https_port 8003 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/log/squid/squid_ssldb -M 4MB
sslcrtd_children 20 startup=5 idle=1
#always_direct allow broken_sites
sslproxy_capath /etc/pki/tls/certs
#sslproxy_capath /certificate/
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
#sslproxy_cafile /certificate/ipeka.org.private
#acl broken_sites dstdomain "/etc/squid/broken_sites"
acl broken_sites dstdom_regex -i "/etc/squid/broken_sites"
acl open src "/etc/squid/open-ssl"
always_direct allow broken_sites
ssl_bump none localhost
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump server-first all
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
#acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 allow qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
ssl_bump none broken_sites qlproxy_icap_edomains
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache allow all
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/access.log
#max_filedesc 4096
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#cache_effective_user squid
#cache_effective_group squid
cache_mem 10 MB
memory_replacement_policy heap LRU
cache_replacement_policy heap LRU
minimum_object_size 0 KB
maximum_object_size_in_memory 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
#cache_dir ufs /var/spool/squid 1000 16 256
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Recommended minimum configuration:
#
via on
#pid filename /var/run/squid.pid
acl query urlpath_regex cgi \?
no_cache deny query
forwarded_for transparent
#forwarded_for truncate
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
visible_hostname proxy-sunter1
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
dns_nameservers 202.145.0.1
dns_nameservers 202.145.0.2
# And finally deny all other access to this proxy
#http_access deny all
# Squid normally listens to port 3128
http_port 8001
http_port 8002 intercept
https_port 8003 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/log/squid/squid_ssldb -M 4MB
sslcrtd_children 20 startup=5 idle=1
#always_direct allow broken_sites
sslproxy_capath /etc/pki/tls/certs
#sslproxy_capath /certificate/
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
#sslproxy_cafile /certificate/ipeka.org.private
#acl broken_sites dstdomain "/etc/squid/broken_sites"
acl broken_sites dstdom_regex -i "/etc/squid/broken_sites"
acl open src "/etc/squid/open-ssl"
always_direct allow broken_sites
ssl_bump none localhost
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump server-first all
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
#acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 allow qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
ssl_bump none broken_sites qlproxy_icap_edomains
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache allow all
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/access.log
#max_filedesc 4096
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#cache_effective_user squid
#cache_effective_group squid
cache_mem 10 MB
memory_replacement_policy heap LRU
cache_replacement_policy heap LRU
minimum_object_size 0 KB
maximum_object_size_in_memory 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
#cache_dir ufs /var/spool/squid 1000 16 256
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Linux Enable IP Forwarding
Open /etc/sysctl.conf file using a text editor, enter:
Set net.ipv4.ip_forward to 1, enter:
# vi /etc/sysctl.confSet net.ipv4.ip_forward to 1, enter:
net.ipv4.ip_forward = 1Save and close the file. Reload the changes by typing the following command:
# sysctl -p
Subscribe to:
Posts (Atom)