IGOS Nusantara and compiling the Squid proxy server
Squid can be optimised further by compiling it from source. The build below was done for this specification:
- Operating system: IGOS Nusantara 2010 (minimal install)
- Processor: Intel(R) Xeon(TM) CPU 3.00GHz
- RAM: 1 GB (yes, the memory is still small; it should be upgraded to 4 GB)
- Hard disks: 2 x 80 GB SCSI
- Disk 1: /dev/sda (holds the operating system)
- Disk 2: /dev/sdb (holds the squid cache)
1. Install IGOS Nusantara 2010 for a server
The operating system for a server should NOT be installed from the IGN2010 LiveCD; the LiveCD version is meant for desktop use. A server should carry only a minimal set of programs/applications. A minimal installation is done as follows:
- Use the IGN2010 DVD Installer edition
- Boot from the IGN2010 DVD
- When the installation menu appears, choose "Instal IGOS Nusantara Minimal (konsol)" (Install IGOS Nusantara Minimal, console) [1]
2. Format the second hard disk
The disks in use are listed at the top of this page. The second disk (where the cache directory will live) is still empty and will be formatted with reiserfs. The second disk's partition is /dev/sdb1.
Install reiserfs-utils
# yum -y install reiserfs-utils
If /dev/sdb1 is mounted, unmount it first:
# umount /dev/sdb1
Format the partition as reiserfs
Formatting /dev/sdb1 destroys any existing data on it. Make sure you do NOT mistype the device name.
# mkfs.reiserfs /dev/sdb1
mkfs.reiserfs 3.6.21 (2009 www.namesys.com)
A pair of credits:
Jeremy Fitzhardinge wrote the teahash.c code for V3. Colin Plumb also contributed to that.
Hans Reiser was the project initiator, source of all funding for the first 5.5 years. He is the architect and official maintainer.
Guessing about desired format.. Kernel 2.6.35.6-37.ign5.i686.PAE is running.
Format 3.6 with standard journal
Count of blocks on the device: 17921280
Number of blocks consumed by mkreiserfs formatting process: 8758
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: <no libuuid installed>
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
        ALL DATA WILL BE LOST ON '/dev/sdb1'!
Continue (y/n):
Confirm by typing "y" and pressing ENTER
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/sdb1.
Edit /etc/fstab
Add this line:
/dev/sdb1 /cache reiserfs defaults,notail,noatime 1 2
/cache is the directory that will hold the cache.
Mount /cache
mkdir -p /cache
mount -a
3. Filesystem tuning
When users access the Squid proxy, Squid processes their requests and stores objects in its cache; this involves a large amount of file access. [pf]
Immediate tuning (takes effect now, lost at reboot)
TCP tuning: you can increase the number of local system ports available by running this command:
# echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
File tuning: you can increase the number of file descriptors by running this command:
# echo "64000" > /proc/sys/fs/file-max
Edit /etc/sysctl.conf
Add the following lines at the end of /etc/sysctl.conf
fs.file-max = 64000
net.core.rmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.wmem_max = 262144
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 65536 8388608
net.ipv4.tcp_mem = 4096 4096 4096
net.ipv4.tcp_low_latency = 1
net.core.netdev_max_backlog = 4000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 16384
Add entries to /etc/security/limits.conf
* - nofile 32768
* soft nofile 32768
* hard nofile 32768
proxy soft nofile 32768
proxy hard nofile 32768
Edit /etc/profile
# echo "ulimit -n 8192" >> /etc/profile
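As an added check (example script, not part of the original page): Squid cannot open more descriptors than the lowest limit among the layers tuned above, so fs.file-max in /etc/sysctl.conf, the ulimit line in the init script and max_filedescriptors in squid.conf should agree. The function below reads those three files and reports which layer sets the effective ceiling; the files it runs against are constructed samples, and it assumes /etc/security/limits.conf permits the ulimit the init script requests.

```shell
#!/bin/sh
# Added example (not from the page): find the effective file-descriptor
# ceiling across the layers tuned in this section. Squid can never use more
# descriptors than the smallest of fs.file-max (kernel), the ulimit -n set in
# the init script (per process) and max_filedescriptors in squid.conf; the
# --with-maxfd value the binary was built with is a further cap not read here.
# Assumes /etc/security/limits.conf permits the ulimit the init script requests.

# Usage: fd_effective_limit SYSCTL_CONF INIT_SCRIPT SQUID_CONF
# Prints "effective=<n> limited_by=<layer>". A value missing from sysctl.conf
# or the init script is read as 0 and skipped; squid.conf is assumed to set
# max_filedescriptors.
fd_effective_limit() {
    kern=$(awk -F'[ =\t]+' '$1 == "fs.file-max" { v = $2 } END { print v + 0 }' "$1")
    ulim=$(awk '$1 == "ulimit" { v = $NF } END { print v + 0 }' "$2")
    conf=$(awk '$1 == "max_filedescriptors" { v = $2 } END { print v + 0 }' "$3")
    eff=$conf; by="squid.conf"
    if [ "$ulim" -gt 0 ] && [ "$ulim" -lt "$eff" ]; then eff=$ulim; by="ulimit"; fi
    if [ "$kern" -gt 0 ] && [ "$kern" -lt "$eff" ]; then eff=$kern; by="fs.file-max"; fi
    echo "effective=$eff limited_by=$by"
}

# Constructed sample files mirroring this page's values: sysctl.conf sets
# fs.file-max = 64000 and squid.conf asks for 32768, but the init script only
# raises the ulimit to 8192 (the value section 7 adds), so 8192 is what Squid gets.
tmp=$(mktemp -d)
printf 'fs.file-max = 64000\nnet.ipv4.ip_local_port_range = 1024 65000\n' > "$tmp/sysctl.conf"
printf '#!/bin/sh\nulimit -HSn 8192\nexec /usr/sbin/squid "$@"\n' > "$tmp/squid.init"
printf 'max_filedescriptors 32768\nhttp_port 3128 transparent\n' > "$tmp/squid.conf"
fd_effective_limit "$tmp/sysctl.conf" "$tmp/squid.init" "$tmp/squid.conf"
# -> effective=8192 limited_by=ulimit
rm -rf "$tmp"
```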
4. Compile Squid
Install the packages needed to compile Squid
# yum -y install gcc
# yum -y install gcc-c++
# yum -y install libxml2-devel libcap-devel
Or install them all with one command:
# yum -y install gcc gcc-c++ libxml2-devel libcap-devel
Download squid-3.1.10.tar.bz2
# mkdir /root/sumber
# cd /root/sumber
# wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.10.tar.bz2
Create the group and user
The group and user that Squid will run as are created with:
# groupadd squid
# useradd squid -c "Squid Proxy" -d /dev/null -s /bin/false -g squid
Compiler optimisation
For an optimal build, use compiler options (FLAGS) that match the processor. Processor information is in /proc/cpuinfo
# cat /proc/cpuinfo
# cat /proc/cpuinfo | grep family
cpu family      : 15
cpu family      : 15
[root@intra ~]# cat /proc/cpuinfo | grep model
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.00GHz
The information from /proc/cpuinfo is then matched against the compile flags listed on the Gentoo Wiki[1], which gives:
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
Configure options
--prefix=/usr \
--includedir=/usr/include \
--datadir=/usr/share \
--bindir=/usr/sbin \
--libexecdir=/usr/lib/squid \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--enable-gnuregex \
--enable-async-io=32 \
--with-maxfd=32768 \
--with-aufs-threads=32 \
--with-pthreads \
--with-aio \
--with-dl \
--enable-storeio=aufs \
--enable-removal-policies=heap,lru \
--enable-icmp \
--enable-delay-pools \
--disable-wccp \
--disable-wccpv2 \
--enable-snmp \
--enable-cache-digests \
--enable-default-err-languages=English \
--enable-err-languages=English \
--enable-linux-netfilter \
--disable-ident-lookups \
--disable-hostname-checks \
--enable-underscores
Parameter descriptions
- --enable-async-io enables asynchronous I/O for reading from and writing to disk. Use 16 with a single older disk (2 MB buffer). With a newer disk that has an 8 MB, 16 MB or 32 MB buffer you can use 32.
- --enable-useragent-log makes Squid record the user agent in its log entries
- --enable-snmp enables SNMP, for example to collect Squid statistics and display them as graphs.
- --enable-cache-digests must be enabled if you use cache peers.
- --enable-storeio="aufs" selects the storage I/O method. AUFS is asynchronous and gives the best performance on Linux.
- --enable-removal-policies="heap,lru" selects the available removal policies
- --with-maxfd=8192
- --enable-poll
- --disable-ident-lookups stops Squid from doing an ident lookup on every connection; it also helps against DDoS attacks (thousands of opened connections) that could take the Squid server down
- --enable-truncate tells Squid to always use truncate() rather than unlink() when removing cache files.
- --enable-delay-pools
Start compiling
# cd /root/sumber
# tar xjvf squid-3.1.10.tar.bz2
# cd squid-3.1.10
# CHOST="i686-pc-linux-gnu" \
  CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer" \
  CXXFLAGS="${CFLAGS}" \
  ./configure \
  --prefix=/usr \
  --includedir=/usr/include \
  --datadir=/usr/share \
  --bindir=/usr/sbin \
  --libexecdir=/usr/lib/squid \
  --localstatedir=/var \
  --sysconfdir=/etc/squid \
  --enable-gnuregex \
  --enable-async-io=32 \
  --with-maxfd=32768 \
  --with-aufs-threads=32 \
  --with-pthreads \
  --with-aio \
  --with-dl \
  --enable-storeio=aufs \
  --enable-removal-policies=heap,lru \
  --enable-icmp \
  --enable-delay-pools \
  --disable-wccp \
  --disable-wccpv2 \
  --enable-snmp \
  --enable-cache-digests \
  --enable-default-err-languages=English \
  --enable-err-languages=English \
  --enable-linux-netfilter \
  --disable-ident-lookups \
  --disable-hostname-checks \
  --enable-underscores
Then run
# make
Continue with
# make install
Then run
# strip /usr/sbin/squid /usr/lib/squid/*
5. Configuration
Set up logging
mkdir -p /var/log/squid
touch /var/log/squid/access.log
chmod 770 /var/log/squid
chown -R squid:root /var/log/squid
touch /var/run/squid.pid
chown -R squid:squid /cache/
chown squid:squid /var/run/squid.pid
Create /etc/init.d/squid
The top of the /etc/init.d/squid script must contain "ulimit -n 32768"
# wget http://repo.informatika.lipi.go.id/panduan/wiki/squid -O /etc/init.d/squid
# chmod 700 /etc/init.d/squid
Create the symbolic rc.d links for Squid with the command:
# chkconfig --add squid
By default the squid script will not automatically start the proxy server on Red Hat Linux when you reboot the server. You can change its default by executing the following command:
# chkconfig --level 345 squid on
Start your new Squid Proxy Server manually with the following command:
# /etc/rc.d/init.d/squid start
Configure squid.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
max_filedescriptors 32768
http_port 3128 transparent
hierarchy_stoplist cgi-bin ? .js .jsp .awt localhost
acl QUERY urlpath_regex cgi-bin \? localhost
no_cache deny QUERY
#acl diblok arp "/etc/squid/diblok.acl"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563     # https, snews
acl Safe_ports port 80 81      # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70         # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 631        # cups
acl Safe_ports port 10000      # webmin
acl Safe_ports port 777        # multiling http
acl Safe_ports port 873        # rsync
acl Safe_ports port 901        # SWAT
acl CONNECT method CONNECT
acl snmppublic snmp_community public
http_access allow manager localhost
http_access deny manager
#http_access deny diblok
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl porno url_regex -i "/etc/squid/xxx.txt"
#http_access deny porno
acl p2i src 192.168.228.0/24
http_access allow p2i
http_access deny all
icp_access allow p2i
icp_access deny all
miss_access allow all
miss_access deny all
cache_mem 256 MB
minimum_object_size 0 KB
maximum_object_size 128 MB
maximum_object_size_in_memory 64 KB
cache_swap_low 98
cache_swap_high 99
memory_replacement_policy heap LFUDA
cache_replacement_policy heap GDSF
cache_dir aufs /cache/squid1 50000 102 256
access_log /var/log/squid/access.log
cache_log /dev/null
cache_store_log none
logfile_rotate 2
emulate_httpd_log off
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
coredump_dir /var/spool/squid/
#coredump_dir none
log_fqdn off
client_netmask 255.255.255.255
strip_query_terms off
buffered_logs off
# extensions are alternatives in the regex: (cab|exe|dll)
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|psf) 259200 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern ^ftp: 20160 95% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
negative_ttl 2 minutes
positive_dns_ttl 60 seconds
negative_dns_ttl 30 seconds
store_avg_object_size 15 KB
vary_ignore_expire on
client_lifetime 2 hours
half_closed_clients off
shutdown_lifetime 5 seconds
cache_mgr admin
# must match the user and group created for Squid in section 4
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access deny all
icp_port 3130
log_icp_queries off
icp_hit_stale on
query_icmp on
dns_nameservers 192.168.0.1
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
memory_pools off
forwarded_for off
reload_into_ims on
pipeline_prefetch on
high_response_time_warning 2000
high_page_fault_warning 2
high_memory_warning 1900 MB
6. Create the cache (swap) directories
After squid.conf is configured, it is time to run Squid. First run this command so that Squid creates its cache (swap) directories:
# /usr/sbin/squid -z
7. Run Squid
# nano /etc/init.d/squid
Add the following line at the top of the script:
ulimit -HSn 8192
# /etc/init.d/squid start
or
# /usr/sbin/squid start
Check whether Squid is running with
# netstat -pln | grep squid
If output like the following appears, Squid is running
tcp   0  0 0.0.0.0:3128  0.0.0.0:*  LISTEN  13109/(squid)
udp   0  0 0.0.0.0:6628  0.0.0.0:*          13109/(squid)
udp   0  0 :::41063      :::*               13109/(squid)
udp   0  0 :::3401       :::*               13109/(squid)
udp   0  0 :::3130       :::*               13109/(squid)
8. Check the log
It is in /var/log/squid/access.log
# tail -f /var/log/squid/access.log
Condensed log view (client address, user, URL)
# tail -f /var/log/squid/access.log | awk '{print $3 " " $8 " " $7}'
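As an added example (not from the original page), a small script that summarises the same native-format access.log as the tail/awk above: cache hit ratio, the requests the http_access rules refused, and the busiest clients. The log lines it runs on are constructed, and it assumes Squid's default native log field order (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type).

```shell
#!/bin/sh
# Added example (not from the page): summarise a Squid native-format access.log.
# Field order per line (whitespace separated): time elapsed client code/status
# bytes method URL user hierarchy/peer type. The sample lines are constructed.
# Note: with strip_query_terms off (as in the squid.conf above) the URL field
# carries full query strings, so the log itself may hold sensitive parameters.
SAMPLE_LOG='1296000000.123    120 192.168.228.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.20 text/html
1296000001.456     15 192.168.228.10 TCP_HIT/200 4096 GET http://www.example.com/logo.png - NONE/- image/png
1296000002.007      3 192.168.228.10 TCP_MEM_HIT/200 2048 GET http://www.example.com/style.css - NONE/- text/css
1296000002.789      2 10.0.0.5 TCP_DENIED/403 1480 GET http://www.example.com/ - NONE/- text/html
1296000003.001    300 192.168.228.11 TCP_MISS/200 65536 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1296000004.222      1 192.168.228.11 TCP_DENIED/403 1500 CONNECT 203.0.113.9:25 - NONE/- text/html'

# Percentage of requests answered from cache (any TCP_*HIT* result code), as an integer.
squid_hit_pct() {
    printf '%s\n' "$1" | awk '
        { total++; split($4, c, "/"); if (c[1] ~ /HIT/) hits++ }
        END { if (total == 0) print 0; else printf "%d\n", hits * 100 / total }'
}

# Requests the http_access rules refused: "client method url", one per line.
# The CONNECT to port 25 in the sample is what "deny CONNECT !SSL_ports" stops;
# the request from 10.0.0.5 falls outside the p2i network and hits "deny all".
squid_denied() {
    printf '%s\n' "$1" | awk '$4 ~ /^TCP_DENIED/ { print $3, $6, $7 }'
}

# Clients ranked by request count: "count client".
squid_top_clients() {
    printf '%s\n' "$1" | awk '{ n[$3]++ } END { for (c in n) print n[c], c }' | sort -rn
}

echo "hit ratio: $(squid_hit_pct "$SAMPLE_LOG")%"   # hit ratio: 33%
echo "denied:"; squid_denied "$SAMPLE_LOG"
echo "top clients:"; squid_top_clients "$SAMPLE_LOG"
```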
9. Reboot the server
Reboot, then start Squid.
References
- [1] http://forum.linux.or.id/viewtopic.php?f=40&t=20030#p117128
- [x] http://www.scribd.com/doc/47172020/Cara-Instal-dan-Optimasi-Squid-Proxy-Server
- [x] http://en.gentoo-wiki.com/wiki/Safe_Cflags/Intel
- [pf] http://directory.fedoraproject.org/wiki/Performance_Tuning
- [fd] http://www.cyberciti.biz/faq/squid-proxy-server-running-out-filedescriptors/
- http://www.linuxinfo.com.br/squid_tproxy.htm
- https://wiki.archlinux.org/index.php/Reiser4FShowto