Friday, 31 August 2007

Bandwidth management using HTB-tools

You have probably often heard of bandwidth limiting with the HTB (Hierarchical Token Bucket) method, but questions about how to actually apply a bandwidth limiter still come up all the time.
Here I try the ready-made HTB-tools.
I use the CentOS distribution (Red Hat family) and it runs fine :)
Before installing, make sure the server provides:
- a GNU/Linux distribution;
- the GCC compiler;
- iproute2 (the latest version is recommended, from here);
- Linux kernel 2.4.32 or 2.6.15.1 (www.kernel.org);
- dialog, for HTB-tools beta 4 (the latest version, from here);
- Apache and PHP for the web q_show and the web HTB-tools config file generator;
- flex version 2.5.4a.

Installation steps:
Download HTB-tools from
http://htb-tools.arny.ro/download.php --> pick the package that matches your distribution.
Then extract the archive and install it. I downloaded HTB-tools version 0.2.7a:
# tar xzvf HTB-tools-0.2.7a.tar.gz
Change into the HTB-tools directory:
# cd HTB-tools-0.2.7a
# make
# make full
# make install

Then follow the instructions printed during the installation.
On Red Hat, all the HTB-tools programs are installed in the /etc/ directory.
Once it finishes without errors, all that remains is to configure HTB:
# mcedit /etc/htb/eth1-qos.cfg -->> to configure the downstream
################
# eth1-qos.cfg #
################
# for how to configure and use see docs/HowTo/

class class_1 {
    bandwidth 160;
    limit 670;
    burst 2;
    priority 1;

    client group_1 {
        bandwidth 16;
        limit 64;
        burst 2;
        priority 1;
        dst {
            192.168.100.2/32;
            192.168.100.40/32;
        };
    };

    client group_2 {
        bandwidth 45;
        limit 200;
        burst 2;
        priority 1;
        dst {
            192.168.100.11/32;
            192.168.100.12/32;
            192.168.100.13/32;
            192.168.100.14/32;
            192.168.100.15/32;
        };
    };

    client group_3 {
        bandwidth 45;
        limit 200;
        burst 2;
        priority 1;
        dst {
            192.168.100.16/32;
            192.168.100.17/32;
            192.168.100.18/32;
            192.168.100.19/32;
            192.168.100.20/32;
        };
    };

    client group_4 {
        bandwidth 45;
        limit 200;
        burst 2;
        priority 1;
        dst {
            192.168.100.21/32;
            192.168.100.22/32;
            192.168.100.23/32;
            192.168.100.24/32;
            192.168.100.25/32;
            192.168.100.26/32;
        };
    };

};

class default { bandwidth 200; };
In the example above I split the clients into groups. Each group has 5 clients, and each group is given 45 kbps when traffic is busy and 200 kbps when bandwidth is otherwise unused.
Quite easy, isn't it...
compared with writing a tc script like the example below:
#!/bin/sh
# script written by robby
# this script creates the qdiscs and classes required for shaping and the
# u32 filters that steer each host into its class

rc_done=" done"
rc_failed=" failed"
return=$rc_done
# interface to shape
interface='eth1'

TC='/sbin/tc'
tc_reset ()
{
$TC qdisc del dev $interface root 2> /dev/null > /dev/null
}
###################
# script settings #
###################
tcclass="$TC class add dev $interface parent"
tcqdisc="$TC qdisc add dev $interface parent"
tcfilter="$TC filter add dev $interface protocol ip parent 1:0 prio"
tcfilteru32ip="$TC filter add dev $interface parent 1:0 protocol ip prio 25 u32 match ip dst"

tc_status ()
{
echo "[qdisc - $interface]"
$TC -s qdisc show dev $interface
echo "------------------------"
echo
echo "[class - $interface]"
$TC -s class show dev $interface
}
tc_showfilter ()
{
echo "[filter - $interface]"
$TC -s filter show dev $interface
}
case "$1" in
start )
echo -n "wait....Starting traffic shaping"
tc_reset

# configure interface

# add root qdisc; unclassified traffic falls into class 1:100
$TC qdisc add dev $interface root handle 1: htb default 100 r2q 2
# add master class
$tcclass 1: classid 1:1 htb rate 1024kbit

# default class; the filter below also sends ICMP (ip protocol 1) here
$tcclass 1:1 classid 1:100 htb rate 1024kbit ceil 1024kbit burst 200k
$tcqdisc 1:100 handle 100: sfq perturb 10
$tcfilter 10 u32 match ip protocol 1 0xff flowid 1:100

# class for TCP ACKs, the target of the filter at the end of this block; the
# original script sent ACKs to 1:2 without ever creating it (the rate here is
# an assumed value, adjust it to the real link)
$tcclass 1:1 classid 1:2 htb rate 64kbit ceil 1024kbit burst 1k prio 0
$tcqdisc 1:2 handle 2: sfq perturb 10

# operator
$tcclass 1:1 classid 1:101 htb rate 20kbit ceil 56kbit burst 1k prio 1
$tcqdisc 1:101 handle 101: sfq perturb 10
$tcfilteru32ip 192.168.100.2/32 flowid 1:101

# group WS1-WS5 (the original attached this class to parent 1:2, which did not
# exist, so the class add failed; it is attached to 1:1 like the operator class)
$tcclass 1:1 classid 1:102 htb rate 64kbit ceil 256kbit burst 1k prio 1
$tcqdisc 1:102 handle 102: sfq perturb 10
$tcfilteru32ip 192.168.100.3/32 flowid 1:102
$tcfilteru32ip 192.168.100.4/32 flowid 1:102
$tcfilteru32ip 192.168.100.5/32 flowid 1:102
$tcfilteru32ip 192.168.100.6/32 flowid 1:102
$tcfilteru32ip 192.168.100.7/32 flowid 1:102

# group WS6-WS10 (same parent fix as above)
$tcclass 1:1 classid 1:103 htb rate 40kbit ceil 200kbit burst 1k prio 1
$tcqdisc 1:103 handle 103: sfq perturb 10
$tcfilteru32ip 192.168.100.8/32 flowid 1:103
$tcfilteru32ip 192.168.100.9/32 flowid 1:103
$tcfilteru32ip 192.168.100.10/32 flowid 1:103
$tcfilteru32ip 192.168.100.11/32 flowid 1:103
$tcfilteru32ip 192.168.100.12/32 flowid 1:103

# filter for pure TCP ACKs: IP header length 5, total length below 64 bytes,
# TCP flags byte equal to ACK only; they go to the small class 1:2
$TC filter add dev $interface protocol ip parent 1: prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:2

#--------------------------------------------------------------
#end
echo -e "$return"
tc_status
;;
stop)
echo -n "Stopping traffic shaper"
tc_reset || return=$rc_failed
echo -e "$return"
;;
restart|reload)
$0 stop && $0 start || return=$rc_failed
;;
stats|status)
tc_status
;;
filter)
tc_showfilter
;;
*)
echo "Usage: $0 {start|stop|restart|stats|filter}"
exit 1
esac
test "$return" = "$rc_done" || exit 1
#-------------------------------------------------------------
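To make the relationship between the two forms concrete, here is an added example (not part of the original post and not HTB-tools' own code) that parses the eth1-qos.cfg syntax shown above and emits tc commands in the style of the hand-written script. The bandwidth->rate and limit->ceil (kbit) mapping, the classid numbering and the cut-down sample configuration are this example's assumptions.

```python
import re

# Constructed sample in the eth1-qos.cfg syntax the post uses (cut down from its file).
SAMPLE_CFG = """class class_1 { bandwidth 160; limit 670; burst 2; priority 1;
  client group_1 { bandwidth 16; limit 64; burst 2; priority 1;
    dst { 192.168.100.2/32; 192.168.100.40/32; }; };
};
class default { bandwidth 200; };"""

def parse_block(tokens, i):
    """Parse '{ ... }' at tokens[i]; return (node, index just past the closing '};')."""
    node, i = {"attrs": {}, "blocks": [], "items": []}, i + 1
    while tokens[i] != "}":
        t = tokens[i]
        if tokens[i + 1] == "{":                 # unnamed block:  dst { ... };
            sub, i = parse_block(tokens, i + 1)
            node["blocks"].append(dict(sub, kind=t, name=t))
        elif tokens[i + 2] == "{":               # named block:  client NAME { ... };
            sub, j = parse_block(tokens, i + 2)
            node["blocks"].append(dict(sub, kind=t, name=tokens[i + 1])); i = j
        elif tokens[i + 1] == ";":               # bare item inside dst:  192.168.100.2/32;
            node["items"].append(t); i += 2
        else:                                    # scalar setting:  bandwidth 160;
            node["attrs"][t] = int(tokens[i + 1]); i += 3
    return node, i + 2                           # step over '}' and its ';'

def parse_qos(text):
    """Parse the top-level 'class NAME { ... };' list into a tree."""
    tokens, classes, i = re.findall(r"[{};]|[^\s{};]+", text), [], 0
    while i < len(tokens):                       # tokens[i] == 'class', tokens[i+1] == NAME
        node, j = parse_block(tokens, i + 2)
        classes.append(dict(node, name=tokens[i + 1])); i = j
    return classes

def to_tc(classes, dev="eth1"):
    """Emit tc commands in the style of the post's script. The mapping (bandwidth->rate, limit->ceil,
    kbit, classid numbering) is this example's assumption, not HTB-tools' real output; burst is skipped."""
    minor = {cl["name"]: f"{n}0" for n, cl in enumerate(classes, 1)}   # class_1 -> 10, default -> 20
    out = [f"tc qdisc add dev {dev} root handle 1: htb default {minor['default']}"]
    for cl in classes:
        a, cid = cl["attrs"], f"1:{minor[cl['name']]}"
        out.append(f"tc class add dev {dev} parent 1: classid {cid} htb rate {a['bandwidth']}kbit "
                   f"ceil {a.get('limit', a['bandwidth'])}kbit")
        for k, cli in enumerate((b for b in cl["blocks"] if b["kind"] == "client"), 1):
            b, kid = cli["attrs"], f"1:{minor[cl['name']][0]}{k}"          # group_1 -> 1:11
            out.append(f"tc class add dev {dev} parent {cid} classid {kid} htb rate {b['bandwidth']}kbit "
                       f"ceil {b.get('limit', b['bandwidth'])}kbit prio {b.get('priority', 0)}")
            out += [f"tc filter add dev {dev} parent 1:0 protocol ip prio 25 u32 match ip dst {ip} flowid {kid}"
                    for d in cli["blocks"] if d["kind"] == "dst" for ip in d["items"]]
    return out
```

Running `to_tc(parse_qos(SAMPLE_CFG))` yields six tc lines: the root qdisc, one class per cfg class, one per client, and one u32 filter per dst entry.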

Thursday, 30 August 2007

Optimizing an internet connection with a proxy



Many of you are probably already familiar with the word "proxy", and by now there are plenty of programs for building a proxy server; one of the most popular is Squid.
Every admin has their own 'tricks' for tuning Squid.
In this post I want to share my experience with my Squid setup.

#------------listing squid.conf----------------------
http_port 3128
#icp_port 3130
hierarchy_stoplist cgi-bin ? % = + asp jsp php xml pl
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
redirect_rewrites_host_header off
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
Here I use port 3128 as the proxy port and allocate 32 MB of memory for the cache; some recommend using a third of the free memory. Objects up to 4 MB are stored; anything larger than 4 MB is not kept in the cache.
maximum_object_size_in_memory 8 KB

# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95

cache_replacement_policy heap LRU
memory_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid 20000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
mime_table /etc/squid/mime.conf
log_mime_hdrs on
pid_filename /var/run/squid.pid

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

request_header_max_size 20 KB

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#tambahan
refresh_pattern ^http://h.msn.com/$ 30 90% 600
refresh_pattern ^http://global.msads.net/$ 30 90% 600
refresh_pattern ^http://by17fd.bay17.hotmail.msn.com/$ 30 90% 600
refresh_pattern ^http://hotmail.com/$ 30 90% 600
refresh_pattern ^http://loginnet.passport.com/$ 30 90% 600
refresh_pattern ^http://graphics.hotmail.com/$ 30 90% 600
refresh_pattern ^http://rad.msn.com/$ 30 90% 600
refresh_pattern ^http://cb.msn.com/$ 30 90% 600
refresh_pattern ^http://hotmail.msn.com/$ 30 90% 600
refresh_pattern ^http://cb2.msn.com/$ 30 90% 600
refresh_pattern ^http://login.passport.net/$ 30 90% 600
refresh_pattern ^http://www.hotmail.com/$ 30 90% 600
refresh_pattern ^http://.*\.com\.net 360 50% 430
refresh_pattern -i /index.*/default.* 30 90% 600

refresh_pattern -i \.gz$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.xls$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.doc$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.deb$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.rpm$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.wmp$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.dat$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.msi$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.cab$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.mov$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.bzip2$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.tar.gz$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.zip$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.exe$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.avi$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.asf$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.qtm$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.mid$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.wav$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.viv$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.mpg$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.gif$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.jpg$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.jpeg$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.rar$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.swf$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.mpeg$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.pdf$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.bmp$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.ad$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.3gp$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.js$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.psf$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern -i \.html$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern -i \.htm$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.css$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern -i \.shtml$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern -i \.xml$ 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern ^http:// 1080 90% 2060 override-expire override-lastmod reload-into-ims ignore-reload

#-----end---------
The in-memory cache, on the other hand, only holds objects up to 8 KB (maximum_object_size_in_memory).
The directory used for the cache is 2GB in size, with 16 directories and 256 subdirectories. Size the cache storage according to the hard disk capacity you have; the usual practice is to use 80% of the disk capacity set aside for cache storage.
I also added several refresh_pattern rules, which keep data that has already been accessed and refresh it at set intervals. The purpose of the refresh patterns is to save outbound (internet) traffic.

negative_ttl 2 minutes
positive_dns_ttl 6 hours

half_closed_clients off

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl VIRUS urlpath_regex winnt/system32/cmd.exe?
acl nastyfile dstdom_regex -i WIN[.*]BUG[.*]EXE
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl post method POST

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl local src 192.168.20.0/24
acl inlocal src 216.236.107.5/32
http_access allow local
http_access allow inlocal
http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny VIRUS
http_access deny nastyfile
http_access deny all

Here I added the rules for which IP networks are permitted to use the proxy server.
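The order of the http_access lines matters, because Squid stops at the first line whose ACLs all match. The added example below (not from the original post) re-implements that first-match evaluation over the ACLs above, so the effect of the ordering can be checked: a local client's request for winnt/system32/cmd.exe is allowed by 'allow local' before 'deny VIRUS' is ever consulted, while a port-25 request is refused by 'deny !Safe_ports'. The request record and the HARDENED ordering are this example's assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# The post's ACL definitions, reduced to the ones its http_access lines reference
# (values copied from the post; netmask forms rewritten as CIDR for ipaddress).
ACLS = {
    "manager": ("proto", {"cache_object"}),     "localhost": ("src", ["127.0.0.1/32"]),
    "local": ("src", ["192.168.20.0/24"]),      "inlocal": ("src", ["216.236.107.5/32"]),
    "all": ("src", ["0.0.0.0/0"]),              "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777), (901, 901)]),
    "CONNECT": ("method", {"CONNECT"}),         "purge": ("method", {"PURGE"}),
    "VIRUS": ("urlpath_regex", r"winnt/system32/cmd.exe?"),
    "nastyfile": ("dstdom_regex", r"WIN[.*]BUG[.*]EXE"),
}
# http_access lines in the post's order; '!' negates, all terms on one line must match (AND).
HTTP_ACCESS = [
    ("allow", "manager localhost"), ("deny", "manager"), ("deny", "!Safe_ports"),
    ("deny", "CONNECT !SSL_ports"), ("allow", "local"), ("allow", "inlocal"),
    ("allow", "localhost"), ("allow", "purge localhost"), ("deny", "purge"),
    ("deny", "VIRUS"), ("deny", "nastyfile"), ("deny", "all"),
]
# Same lines with the two content denies moved above 'allow local' (an assumed fix, not the post's).
HARDENED = HTTP_ACCESS[:4] + HTTP_ACCESS[9:11] + HTTP_ACCESS[4:9] + HTTP_ACCESS[11:]

def acl_matches(name, req):
    kind, val = ACLS[name]
    if kind == "src":    return any(ip_address(req["src"]) in ip_network(n) for n in val)
    if kind == "port":   return any(lo <= req["port"] <= hi for lo, hi in val)
    if kind == "method": return req["method"] in val
    if kind == "proto":  return req["proto"] in val
    if kind == "urlpath_regex": return re.search(val, req["path"]) is not None
    return re.search(val, req["host"], re.I) is not None      # dstdom_regex -i

def http_access(req, rules=HTTP_ACCESS):
    """Squid's first-match evaluation: return (verdict, the line that decided it)."""
    for verdict, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms.split()):
            return verdict, f"http_access {verdict} {terms}"
    last = rules[-1][0]                    # Squid's default when nothing matches: the opposite of the last line
    return ("deny" if last == "allow" else "allow"), "default (no line matched)"

def request(src, host, port=80, method="GET", path="/", proto="http"):
    """Constructed request record for the evaluator (not Squid's own data structure)."""
    return dict(src=src, host=host, port=port, method=method, path=path, proto=proto)

if __name__ == "__main__":
    for r in (request("192.168.20.5", "example.com", path="/winnt/system32/cmd.exe"),
              request("192.168.20.5", "example.com", port=8080, method="CONNECT")):
        print(r["method"], r["port"], r["path"], "->", http_access(r), http_access(r, HARDENED))
```

With the post's ordering the cmd.exe request from 192.168.20.5 comes back ("allow", "http_access allow local"); with HARDENED it comes back ("deny", "http_access deny VIRUS").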

http_reply_access allow all
icp_access deny post
icp_access allow all

cache_mgr robby@anticode.net
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.anticode.net
The access rights for Squid, the user and the group, are configured here; I set both the user and the group to squid.

#limiter delay pool
#
acl download url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$ \.bmp$ \.exe$ ftp \.vqf$ .tar.gz .gz .rpm .zip .rar .mpe .qt .ram .rm .iso .raw .wav .mov



delay_pools 1

delay_class 1 1
delay_parameters 1 2000/64000
delay_access 1 allow download
delay_access 1 deny all
#--------eof------------

This is the part where you add limiter rules for downloads of certain files (by extension).
Here I limit downloads to 16 kbps once the file being downloaded reaches 64 KB.
To make the proxy transparent (no need to configure each client computer manually), I add:
#---------trans--------
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#-----------------------

And to get more out of the proxy, so that more is served from cache, it is a good idea to configure the proxy server as a sibling of the parent proxy server.

dns_testnames anticode.net
logfile_rotate 6
memory_pools on
# forwarded_for on

#if sibling setting off
icp_hit_stale off
buffered_logs on
reload_into_ims on
header_access Accept allow all
icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors
offline_mode off
nonhierarchical_direct off
prefer_direct on
coredump_dir /var/spool/squid
redirector_bypass off
store_dir_select_algorithm round-robin
ie_refresh on