
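#!/bin/bash
# Builds a caching Squid 3.5 proxy with SSL bump (HTTPS interception) and the
# DSI eCAP adapter on a Debian/Ubuntu host. Must run as root: every step
# installs into system paths and writes /etc/squid and /etc/rc.local.
#
# Review notes for the whole script:
#  - Everything below is downloaded from the Internet and then compiled,
#    installed and executed as root. Where a server offers TLS it is used
#    with certificate verification ON; for the plain-HTTP sources there is
#    nothing to verify in transit, so pin a SHA-256 via the *_SHA256
#    variables once you have checked an archive, and a re-run will refuse a
#    replaced file instead of silently installing it.
#  - Fail fast: a half-finished build must not leave a proxy running with a
#    half-written configuration.
set -euo pipefail

apt-get update
# ca-certificates lets wget (and later Squid's own upstream checks) validate
# server certificates. The package is "libcap-dev" (the original page had the
# hyphen stripped).
apt-get install -y build-essential devscripts libcppunit-dev openssl libssl-dev \
  libcap-dev ccze pkg-config libkrb5-dev ca-certificates

# libecap 1.0 -- the adapter API Squid is built against below.
# measurement-factory.com serves this over plain HTTP; pin a known-good hash.
LIBECAP_URL='http://www.measurement-factory.com/tmp/ecap/libecap-1.0.0.tar.gz'
LIBECAP_SHA256="${LIBECAP_SHA256:-}"
wget -O libecap-1.0.0.tar.gz "$LIBECAP_URL"
if [[ -n "$LIBECAP_SHA256" ]]; then
  printf '%s  libecap-1.0.0.tar.gz\n' "$LIBECAP_SHA256" | sha256sum -c -
else
  printf 'WARNING: libecap archive not checksum-verified (set LIBECAP_SHA256)\n' >&2
fi
tar xzvf libecap-1.0.0.tar.gz
cd libecap-1.0.0
./configure && make && make install \
  || { printf 'ERROR: building libecap failed\n' >&2; exit 1; }
# libecap installs into /usr/local/lib, which must be on the loader path for
# Squid and the adapter at run time; add it once (idempotent on re-runs).
grep -qxF '/usr/local/lib' /etc/ld.so.conf || echo '/usr/local/lib' >> /etc/ld.so.conf
ldconfig
cd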
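# DSI eCAP "modifying" adapter (provides /usr/local/lib/ecap_adapter_modifying.so,
# loaded by squid.conf below). It comes from a personal Dropbox share, i.e.
# unreviewed third-party code that will be compiled and loaded into the proxy
# process as root, so:
#  - keep TLS verification on (the original --no-check-certificate defeated
#    the only integrity check the download had);
#  - use dl=1: with dl=0 Dropbox serves an HTML preview page, not the archive;
#  - pin the archive hash once you have inspected its contents.
ECAP_ADAPTER_URL='https://www.dropbox.com/s/z4levwr2frun3c9/ecap_adapter_DSI.tgz?dl=1'
ECAP_ADAPTER_SHA256="${ECAP_ADAPTER_SHA256:-}"
wget -O ecap_adapter_DSI.tgz "$ECAP_ADAPTER_URL" || exit 1
if [[ -n "$ECAP_ADAPTER_SHA256" ]]; then
  printf '%s  ecap_adapter_DSI.tgz\n' "$ECAP_ADAPTER_SHA256" | sha256sum -c - || exit 1
else
  printf 'WARNING: eCAP adapter archive not checksum-verified (set ECAP_ADAPTER_SHA256)\n' >&2
fi
tar xzvf ecap_adapter_DSI.tgz || exit 1
cd ecap_adapter_sample-1.0.0 || exit 1
./configure && make && make install \
  || { printf 'ERROR: building the eCAP adapter failed\n' >&2; exit 1; }
cd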
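# Squid 3.5.15 daily snapshot. The original fetched "...20160229r13997" but
# unpacked and cd'd into "...20160229-r13997"; the hyphenated form is the one
# used for the directory, so it is used consistently here. squid-cache.org
# serves snapshots over plain HTTP and they are not signed: pin a hash.
SQUID_VER='squid-3.5.15-20160229-r13997'
SQUID_URL="http://www.squid-cache.org/Versions/v3/3.5/${SQUID_VER}.tar.gz"
SQUID_SHA256="${SQUID_SHA256:-}"
wget -O "${SQUID_VER}.tar.gz" "$SQUID_URL" || exit 1
if [[ -n "$SQUID_SHA256" ]]; then
  printf '%s  %s.tar.gz\n' "$SQUID_SHA256" "$SQUID_VER" | sha256sum -c - || exit 1
else
  printf 'WARNING: squid archive not checksum-verified (set SQUID_SHA256)\n' >&2
fi
tar xzvf "${SQUID_VER}.tar.gz" || exit 1

# Patch posted to the squid-users list (the list is "squid-users"; the
# original page had the hyphen stripped). Its name suggests it changes
# Squid's Host-header forgery detection -- the check that stops a client on
# an intercepted port from poisoning the cache with a forged Host: header.
# Read the patch before applying it; it is fetched over plain HTTP, so pin
# its hash as well.
SQUID_PATCH_URL='http://www.squid-cache.org/mail-archive/squid-users/201404/att-0240/squid_forgery.patch.txt'
SQUID_PATCH_SHA256="${SQUID_PATCH_SHA256:-}"
wget -O squid_forgery.patch "$SQUID_PATCH_URL" || exit 1
if [[ -n "$SQUID_PATCH_SHA256" ]]; then
  printf '%s  squid_forgery.patch\n' "$SQUID_PATCH_SHA256" | sha256sum -c - || exit 1
else
  printf 'WARNING: squid_forgery.patch not checksum-verified (set SQUID_PATCH_SHA256)\n' >&2
fi

cd "$SQUID_VER" || exit 1
patch -p0 < ../squid_forgery.patch || exit 1

# Build options as in the original. Note: --with-swap-dir is given several
# times; it only sets the compiled-in default cache directory, and the
# cache_dir directive in squid.conf below overrides it anyway. The original
# page also had a stray blank line inside this continuation, which would
# have ended the command early.
./configure --prefix=/usr \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --libexecdir=/usr/lib/squid \
  --sysconfdir=/etc/squid \
  --localstatedir=/var \
  --libdir=/usr/lib \
  --includedir=/usr/include \
  --datadir=/usr/share/squid \
  --mandir=/usr/share/man \
  --enable-storeio=ufs,aufs,diskd,rock \
  --enable-removal-policies=lru,heap \
  --enable-stacktrace \
  --enable-zph=qos \
  --enable-ssl-crtd \
  --enable-ecap \
  --enable-wccpv2 \
  --disable-ident-lookup \
  --disable-auth \
  --disable-auth-basic \
  --disable-auth-digest \
  --disable-auth-negotiate \
  --disable-auth-ntlm \
  --disable-url-rewriter-helpers \
  --disable-storeid-rewrite-helpers \
  --with-logdir=/var/log/squid \
  --with-pid-file=/var/run/squid.pid \
  --with-swap-dir=/cache-1 \
  --with-swap-dir=/cache-2 \
  --with-swap-dir=/cache-3 \
  --with-swap-dir=/cache-4 \
  --with-swap-dir=/cache-5 \
  --with-large-files \
  --with-openssl || exit 1

make -j"$(nproc)" || exit 1
make install || exit 1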
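# Runtime directories. Squid drops to cache_effective_user (default "nobody")
# and must own its log, cache and cert-db directories. /cache is the
# cache_dir configured in squid.conf below; it did not exist yet at this
# point in the original script, so that chown failed and the error was lost.
mkdir -p /var/log/squid /cache
chown -R nobody /var/log/squid /cache

# Self-signed CA used to mint a certificate for every HTTPS site clients
# visit. warnet.pem holds BOTH the CA certificate and its private key:
# anyone who obtains it can impersonate every HTTPS site to every client
# that trusts this CA, so it is created root-only and never copied to
# clients. The .der/.crt exports contain only the certificate and are what
# gets imported into client browsers.
# (OpenSSL appends when -keyout and -out name the same file, which is why a
# single PEM ends up with key + cert.)
mkdir -p /etc/squid/ssl_cert
(umask 077 && openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
  -keyout /etc/squid/ssl_cert/warnet.pem -out /etc/squid/ssl_cert/warnet.pem \
  -subj "/C=ID/ST=Jawa Barat/L=Cikarang/O=DSI/CN=Wartzoe.Net") || exit 1
# Squid reads the bumping cert while still privileged; if your build loads
# it only after dropping to "nobody", relax this to a group-readable mode
# rather than making the key world-readable.
chmod 600 /etc/squid/ssl_cert/warnet.pem
openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.der
openssl x509 -in /etc/squid/ssl_cert/warnet.pem -outform DER -out /etc/squid/ssl_cert/warnet.crt

# Initialise the on-disk store of generated certificates for the ssl_crtd
# helper; the helper runs as nobody and needs to own it.
/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db || exit 1
chown -R nobody /var/lib/ssl_db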
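# Write squid.conf. A quoted heredoc is used so nothing in the config is
# expanded by the shell (regexes contain '$', '\' and '?').
# Changes from the original, beyond joining the lines the page wrapped
# (several of them had become parse errors: the continuation text of a
# commented http(s)_port line, of sslproxy_cipher, of ecap_service and of
# several refresh_pattern lines was left as a directive of its own):
#  - upstream certificate validation is ON. The original had
#    "sslproxy_cert_error allow all" + "sslproxy_flags DONT_VERIFY_PEER",
#    which made the proxy accept any certificate from any origin while
#    handing clients a freshly minted, trusted one -- every client behind it
#    lost the ability to detect a forged site;
#  - "http_access deny to_localhost" is enabled, as the config's own comment
#    recommends, so LAN clients cannot use the proxy to reach services bound
#    to 127.0.0.1 on this host.
# Remember that with "ssl_bump bump all" and "strip_query_terms off" the
# access log contains decrypted HTTPS URLs including query strings (session
# tokens, search terms); restrict access to /var/log/squid accordingly.
cat > /etc/squid/squid.conf <<'EOF'
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443

acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl PURGE method PURGE

#http://empire.goodgamestudios.com/
#acl bypass_ssl dst 37.48.88.132

#BBM-http://bgp.he.net/search?search%5Bsearch%5D=blackberry+messenger&commit=Search
#acl bypass_ssl dst 68.171.224.0/19 #BBM
#acl bypass_ssl dst 74.82.64.0/19 #BBM

#
# Recommended minimum Access Permission configuration:
#

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Protect web applications running on the proxy server that think the only
# one who can access services on "localhost" is a local user. Enabled: the
# clients of this proxy are an untrusted LAN.
http_access deny to_localhost

http_access allow localhost purge
http_access deny purge

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128 (forward proxy)
http_port 3128

#SSL Tunnel
http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

#transparent proxy intercept
#http_port 3129 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

#transparent proxy tproxy
#http_port 3129 tproxy
#https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/warnet.pem

#caching konten https
#ssl_bump splice bypass_ssl
ssl_bump peek step1 all
ssl_bump bump all

#opsi caching konten https

# Origin-server certificate validation. Every HTTPS connection is bumped, so
# the browser only ever sees a certificate minted by warnet.pem and cannot
# judge the origin certificate itself; this proxy is the only place that
# check can happen. Do NOT revert to "sslproxy_cert_error allow all" or
# "sslproxy_flags DONT_VERIFY_PEER": that lets anyone between this proxy and
# the origin impersonate any site to every client. If a site you must reach
# has a broken certificate, allow that one host explicitly instead.
# /etc/ssl/certs is the trust store installed by the ca-certificates package
# on Debian/Ubuntu; adjust if your distribution keeps it elsewhere.
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error deny all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE #Jika menggunakan versi setelah squid-3.5.12-20151222-r13967

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /cache 1000 16 256
cache_mem 16 MB

cache_swap_low 97
cache_swap_high 98
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#Maximum Object Size
maximum_object_size 1024 MB
maximum_object_size_in_memory 1024 KB

#partial 206
#range_offset_limit 1 MB
#atau (pilih salah satu)
#request_header_access Range deny all

#Administrative
cache_mgr admin_squid@dokter-squid.com
visible_hostname s-proxy1-dsi

# Leave coredumps in the first cache dir
coredump_dir /var/log/squid

#debugging
# NOTE: with strip_query_terms off, full query strings of (decrypted) HTTPS
# requests -- including session tokens -- are written to access.log.
strip_query_terms off
#debug_options 11,2 22,3
logfile_rotate 1
#cache_store_log /var/log/squid/store.log

#ecap
#yt_quality: tiny = 144px small = 240px medium = 360px large = 480px HD720 = Hd720px
acl youtube_240 dstdomain .youtube.com
request_header_access Accept-Encoding deny youtube_240
loadable_modules /usr/local/lib/ecap_adapter_modifying.so
ecap_enable on
ecap_service ecapModifier respmod_precache uri=ecap://dokter-squid.com/ecap yt_quality=small
adaptation_access ecapModifier allow youtube_240
adaptation_access ecapModifier deny all

#storeid
acl getmethod method GET
acl loop_302 http_status 302

acl youtube url_regex -i ^http.*\.googlevideo\.com\/videoplayback\?

send_hit deny loop_302

store_id_program /etc/squid/storeid.pl
store_id_children 50 startup=5 idle=2 concurrency=200
store_id_access deny !getmethod
store_id_access allow youtube
store_id_access deny all

store_id_extras "%{Referer}>h %>a/%>A %un %>rm myip=%la myport=%lp"

refresh_pattern -i ^http.*\.internal 43200 0% 0 override-expire ignore-private

refresh_pattern -i \.(htm|html|xml|css|chm|txt|dll|dat)(\?.*)?$ 1440 100% 4320

refresh_pattern -i \.(3gp|7z|ace|asx|bin|deb|divx|dvr-ms|ram|rpm|exe|inc|cab|qt)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|zip|tar)(\?.*)?$ 4320 100% 43200
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|ico|swf|ad)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.(avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|vob)(\?.*)?$ 43200 100% 43200
refresh_pattern -i \.((pp(t?x)|s|t)|pdf|rtf|wax|wm(a|v)|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|flv|x-flv)(\?.*)?$ 43200 100% 43200

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

qos_flows local-hit=0x30
EOF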

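# store_id helper. Fixes over the original:
#  - $id was never reset between requests: a videoplayback URL whose Referer
#    carried no "v=" silently reused the id of the PREVIOUS request and was
#    stored under that video's key, i.e. the cache could serve one video's
#    chunks for another. Such requests now get "ERR" (no rewrite) instead;
#  - the id capture stops at '&', so "?v=ID&list=..." no longer leaks the
#    playlist into the key;
#  - itag/mime/range are taken from the URL field, not from the whole input
#    line (which also contains the Referer and the extras).
cat > /etc/squid/storeid.pl <<'EOF'
#!/usr/bin/perl
# Squid store_id helper, concurrent protocol (store_id_children ... concurrency=N).
# Maps YouTube "videoplayback" URLs -- which carry per-session parameters and
# are served from many googlevideo hosts -- onto one cache key per
# (video id, itag, mime, range), so the same chunk is a cache hit next time.
# Input line (see store_id_extras): "<channel> <url> <referer> <extras...>".
# Output: "<channel> OK store-id=<key>" or "<channel> ERR".
use strict;
use warnings;
$| = 1;

while (my $line = <STDIN>) {
    chomp $line;
    my ($channel, $url, $referer) = split ' ', $line;
    next unless defined $channel;
    $url     = '' unless defined $url;
    $referer = '' unless defined $referer;

    my $id;
    if ($url =~ m{^https?://.*(youtube|google).*videoplayback}) {
        # The video id lives in the Referer (the watch page), not in the
        # videoplayback URL. Stop at '&' so trailing parameters stay out.
        if ($referer =~ m{^https?://.*[?&]v=([^&\s]*)}) {
            $id = $1;
        }
    }

    if (defined $id && length $id) {
        my ($itag)  = $url =~ m/[&?](itag=[0-9]*)/;
        my ($mime)  = $url =~ m/[&?](mime=[^&\s]*)/;
        my ($range) = $url =~ m/[&?](range=[^&\s]*)/;
        for my $part ($itag, $mime, $range) {
            $part = '' unless defined $part;
        }
        print "$channel OK store-id=http://video.youtube.doktersquid.internal/videoid=$id&$itag&$mime&$range\n";
    } else {
        # Not a videoplayback URL, or no video id: without the id the key
        # would be itag/mime/range only and chunks of different videos would
        # share one cache object. Leave the URL untouched.
        print "$channel ERR\n";
    }
}
EOF
chmod +x /etc/squid/storeid.pl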
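# Create the cache_dir structure (-z) in the foreground (-N) before the
# first start.
squid -zN || exit 1

# Init script taken from a GitHub gist: unreviewed third-party shell that
# will run as root at every boot. The original fetched it with
# --no-check-certificate, which threw away the only integrity check it had.
# Keep TLS verification on, pin the hash once you have read the script
# (the "raw" URL without a revision id always resolves to the gist's latest
# version, so the content can change under you), and only then enable it.
SQUID_INIT_URL='https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh'
SQUID_INIT_SHA256="${SQUID_INIT_SHA256:-}"
wget -O /etc/init.d/squid "$SQUID_INIT_URL" || exit 1
if [[ -n "$SQUID_INIT_SHA256" ]]; then
  printf '%s  /etc/init.d/squid\n' "$SQUID_INIT_SHA256" | sha256sum -c - || exit 1
else
  printf 'WARNING: /etc/init.d/squid not checksum-verified (set SQUID_INIT_SHA256)\n' >&2
fi
chmod 755 /etc/init.d/squid
update-rc.d squid defaults
service squid start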

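# /etc/rc.local: firewall rules for transparent interception, all left
# commented out as in the original. Before enabling any of them:
#  - Port 3127 is defined in squid.conf above as a plain "http_port ...
#    ssl-bump" listener; the intercept/tproxy https_port lines for 3127 are
#    the commented ones. Swap them first, or redirected TLS traffic arrives
#    on a forward-proxy port.
#  - Limit the REDIRECT/TPROXY rules to the client LAN (e.g. add
#    "-s 192.168.0.0/16"); as written they intercept any traffic that is
#    routed through this box on eth0.
#  - The original had "--toports"; the iptables option is "--to-ports".
#  - The page had wrapped two of the iptables lines; they are one line each.
# This overwrites any existing /etc/rc.local. A shebang is added so the file
# can be executed directly by the init system.
cat > /etc/rc.local <<'EOF'
#!/bin/sh -e
#tproxy
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
#ip rule add fwmark 1 lookup 212
#ip route add local 0.0.0.0/0 dev lo table 212

#intercept
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

exit 0
EOF
chmod 755 /etc/rc.local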


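# Follow the access log in colour. "tailf" was removed from util-linux;
# tail -F also keeps following after logfile_rotate renames the file.
tail -F /var/log/squid/access.log | ccze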

SUMUR: DSI
