!Free-BSD で squid の時のメモ

  /usr/ports/www/squid で make install
  /etc/rc.conf に
  squid_enable="YES"
  を追加。
  
  /usr/local/etc/squid/squid.conf
  に
 # 
  acl localnet src 192.168.12.0/24
  acl localhost src 192.168.12.0/24
 #
 # cache_dir ufs /var/squid/cache/squid 2000 16 256
  cache_dir diskd /home/squid/spool/squid 1024 64 256
 #
  pid_filename /var/run/squid/squid.pid
 #
  を追加
 
  キャシュディレクトリの作成
  chown -R squid:squid /var/squid
  mkdir -p /home/squid/spool/squid
  chown -R /home/squid/
  /usr/local/sbin/squid -z
 
 /usr/local/etc/rc.d/squid start
  

! ログのローテーション
  % squid -k rotate
  % crontab -l 
  0 3 * * * /usr/local/sbin/squid -k rotate
  ( 月１の場合）
  0 3 1 * * /usr/local/sbin/squid -k rotate

! command option
 /usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf -k check
 /usr/local/sbin/squid -k reconfigure

! 緊急停止
 pkill -f 'squid'

! 動作確認
 http_proxy=http://uuu:ppp@192.xx.yy.zz:8080 https_proxy=http://uuu:ppp@192.xx.yy.zz:8080 wget -d http://wx.qq.com
 uuu // proxy_username
 ppp // proxy_password

! free-bsd sysctl 
https://calomel.org/freebsd_network_tuning.html

! WindowsXPで、WindowsUpdateができない

 WindowsXPにSP2を適用以後、WindowsUpdateができなくなる場合があります。
 これは、SP2にて WindowsUpdateが使っている転送プログラム（BITS）が更新され、
 これがIEで指定されているプロキシの情報を使っていないために、直接、
 インターネットにアクセスしようとするために発生します。
 BITSにプロキシを認識させるためには、IEの設定を引き継ぐために
 C:\>proxycfg -u
 とするか、または直接設定として
 C:\>proxycfg -d -p PTOXY-SERVER1:PORT BYPASS-ADDRESS
 （例、proxycfg -d -p proxy.robata.org:8080 127.0.0.1,*.robata.org)を実行すると良いでしょう。

! 参考
http://squid.robata.org/build_hierarchy.html

!squid のcache のリロード
 /usr/local/sbin/squidclient -p 3128 -rs http://foo.bar.domain.xx/hoge.html
 --helpにて help

!squid のcache の削除
 /usr/local/sbin/squidclient -p 3128 -m PURGE -h 127.0.0.1 http://foo.bar.domain.xx/hoge.html

 grep SWAP /home/squid/logs/access.log | awk '{print $7}' | sort | uniq -c | sort -nr

!squidclient
 squidclient -h localhost -p 3128 mgr:60min
 squidclient -h localhost -p 3128 mgr:5min
 squidclient -h localhost -p 3128 mgr:info
 squidclient -h localhost -p 3128 mgr:mem
 ##
 # squidclient -h 127.0.0.1 -p 8080 mgr:info

!cache dir build
 #!/bin/sh
 
 /usr/local/etc/rc.d/squid status
 /usr/local/etc/rc.d/squid stop
 sync
 sleep 10
 # /usr/local/sbin/squid -Z
 /usr/local/sbin/squid -z
 
 sync
 sleep 10
 /usr/local/etc/rc.d/squid start
 
 /usr/local/etc/rc.d/squid status
----
!squid.conf 

 ## https のセッション を稼ぐ
 client_persistent_connections off
 server_persistent_connections off
 ## IPv4 を優先
 dns_v4_first on
 #
 request_body_max_size 0 KB
 # dns_nameservers 127.0.0.1
 #


!参考
https://www.l2tp.org/archives/165

! log のパラメータを追加

 logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %tl

https://www.robata.org/docs/squid/faq_6.html

----
!cache のパラメータ サンプル
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
 refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 ignore-expire ignore-no-cache ignore-no-store ignore-private
 refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 ignore-expire ignore-no-cache ignore-no-store ignore-private
 refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 ignore-expire ignore-no-cache ignore-no-store ignore-private 
 refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
 refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
 refresh_pattern . 0 40% 40320
ネタ元
http://www.itmedia.co.jp/enterprise/articles/0812/01/news024.html
 squid3
 # 1 year = 525600 mins, 1 month = 43800 mins
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
 refresh_pattern \.(ico|video-stats)$ 129600 100% 129600 override-expire ignore reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod ignore-must-revalidate
 refresh_pattern imeem.*\.flv$ 0 0% 0 override-lastmod override-expire
 refresh_pattern \.rapidshare.*\/[0-9]*\/.*\/[^\/]* 161280 90% 161280 ignore-reload
 refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
 refresh_pattern (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
 refresh_pattern ^.*(utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 129600 20% 129600 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth ignore-must-revalidate
 refresh_pattern ^.*safebrowsing.*google 129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-private ignore-auth ignore-must-revalidate
 refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?)\.google\.co(m|\.uk) 129600 100% 129600 override-expire ignore-reload ignore-private
 refresh_pattern ytimg\.com.*\.jpg 129600 100% 129600 override-expire ignore-reload
 refresh_pattern images\.friendster\.com.*\.(png|gif) 129600 100% 129600 override-expire ignore-reload
 refresh_pattern garena\.com 129600 100% 129600 override-expire reload-into-ims
 refresh_pattern photobucket.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 129600 100% 129600 override-expire ignore-reload
 refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 129600 100% 129600 ignore-no-cache override-expire override-lastmod
 refresh_pattern mediafire.com\/images.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 129600 100% 129600 reload-into-ims override-expire ignore-private
 refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\. 129600 100% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire
 refresh_pattern ^http:\/\/www.onemanga.com.*\/ 129600 100% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire
 # ANTI VIRUS
 refresh_pattern guru.avg.com/.*\.(bin) 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern (avgate|avira).*(idx|gz)$ 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern kaspersky.*\.avc$ 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern kaspersky 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern update.nai.com/.*\.(gem|zip|mcs) 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip) 43200 100% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern update.microsoft.com/.*\.(cab|exe) 43200 100% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
 #images facebook
 refresh_pattern ((facebook.com)|(85.131.151.39)).*\.(jpg|png|gif) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern -i \.fbcdn.net.*\.(jpg|gif|png|swf|mp3) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern static\.ak\.fbcdn\.net*\.(jpg|gif|png) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern ^http:\/\/profile\.ak\.fbcdn.net*\.(jpg|gif|png) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
 #banner IIX
 refresh_pattern ^http:\/\/openx.*\.(jp(e?g|e|2)|gif|pn[pg]|swf|ico|css|tiff?) 129600 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern ^http:\/\/ads(1|2|3).kompas.com.*\/ 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern ^http:\/\/img.ads.kompas.com.*\/ 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern .kompasimages.com.*\.(jpg|gif|png|swf) 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern ^http:\/\/openx.kompas.com.*\/ 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern kaskus.\us.*\.(jp(e?g|e|2)|gif|png|swf) 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 refresh_pattern ^http:\/\/img.kaskus.us.*\.(jpg|gif|png|swf) 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
 #IIX DOWNLOAD
 refresh_pattern ^http:\/\/\.www[0-9][0-9]\.indowebster\.com\/(.*)(mp3|rar|zip|flv|wmv|3gp|mp(4|3)|exe|msi|zip) 43200 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store ignore-auth
 refresh_pattern -i ^http://(khm?)([^/]*?)\.google\.(de|com) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
 refresh_pattern -i ^http://ecn\.t\d\.tiles\.virtualearth\.net/tiles/\w*\.jpeg 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

!freebsdのsysctl
 # /etc/sysctl.conf
 kern.maxfiles=16384
 kern.maxfilesperproc=14745
 kern.ipc.somaxconn=4096
 kern.ipc.maxsockbuf=1048576
 # net.inet.tcp.msl=5000
 net.inet.tcp.msl=10000 
 
 net.inet.tcp.sendspace=524280
 net.inet.tcp.recvspace=524280
 net.inet.udp.recvspace=524280
 # # scale factor of 16 [65535*2^4  1048560]
 # # scale factor of  8 [65535*2^3   524280]
 # # scale factor of  4 [65535*2^2   262140]
 # # scale factor of  2 [65535*2^1   131070]
 # # scale factor of  0 [65535]
 #
 ###################################
 # TIME_WAIT = 10sec
 # net.inet.tcp.msl=5000
 ###################################
 #
 ###################################
 # net.inet.tcp.rfc1323=1
 # net.inet.tcp.delayed_ack=0
 # net.local.stream.recvspace=65535
 # net.local.stream.sendspace=65535
 net.inet.tcp.rfc1323=1
 net.inet.tcp.delayed_ack=0
 net.local.stream.recvspace=131070
 net.local.stream.sendspace=131070
 ###################################
 kern.ipc.nmbclusters=262144
 kern.ipc.maxsockets=204800
 #
 net.inet.icmp.icmplim=350
 ###################################
         kern.ipc.msgmnb=8192
         kern.ipc.msgssz=64
         kern.ipc.msgtql=2048
 ###################################
         net.graph.maxdata=65536
         net.graph.maxalloc=65536
 ###################################


 ** FreeBSD で は、スロースタートフライトサイズを net.inet.tcp.slowstart_flightsize sysctl で増やすことの方が、遅延確認応答をオフにするより、利益があるでしょ う。
 net.inet.tcp.inflight.enable sysctl は、すべての TCP コネクションに対し、 バンド幅と遅延の積による制限を適用します。システムは、各コネクションに対 してバンド幅と遅延の積を計算し
https://kaworu.jpn.org/doc/FreeBSD/jman/man7/tuning.7.php

! SSL bump
https://help.kaspersky.com/KWTS/6.0/ja-JP/166244.htm

https://help.kaspersky.com/KWTS/6.0/ja-JP/166244.htm

https://www.websense.com/content/support/library/web/v773/wcg_help/squid.aspx

https://qiita.com/tosier/items/30297afb6ffbd4567eb5

https://www.websense.com/content/support/library/web/v773/wcg_help/squid.aspx

https://calomel.org/freebsd_network_tuning.html


! sysctl check
 # squidclient mgr:info | grep 'file descri'
        Maximum number of file descriptors:   350271
        Available number of file descriptors: 350171
        Reserved number of file descriptors:   100

!trafic_server
*https://trafficserver.apache.org/