squid代理http和https方式上网的操作记录

 

需求说明：公司IDC机房有一台服务器A，只有内网环境：192.168.1.150现在需要让这台服务器能对外访问，能正常访问http和https请求（即80端口和443端口）
操作思路：在IDC机房里另找其他两台有公网环境的服务器B（58.68.250.8/192.168.1.8）和服务器C（58.68.250.5/192.168.1.5），且这两台服务器和内网环境的服务器A能相互ping通。（当然也可以将下面B的http和C机器的https代理环境放在一台机器上部署）其中：
在服务器B上部署squid的http代理，让服务器C通过它的squid代理上网，能成功访问http
在服务器C上部署squid的https代理，让服务器C通过它的squid代理上网，能成功访问https  [需要在客户端安装stunnel ]

一、服务器B上的操作记录（http代理）

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

1）安装squid yum命令直接在线安装squid [root@openstack ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装 [root@openstack ~]# yum install squid   安装完成后，修改squid.conf 文件中的内容，修改之前可以先备份该文件 [root@openstack ~]# cd /etc/squid/ [root@openstack squid]# cp squid.conf squid.conf_bak [root@openstack squid]# vim squid.conf http_access allow all                                                   #修改deny为allow http_port 192.168.1.8:3128 cache_dir ufs /var/spool/squid 100 16 256                    #打开这个注释，保证/var/spool/squid这个缓存目录存在   2）启动squid，启动前进行测试和初始化 [root@openstack squid]# squid -k parse                    #测试 2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2016/08/09 13:35:04| Processing: acl manager proto cache_object .............. .............. 2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320 2016/08/09 13:35:04| Initializing https proxy context   [root@openstack squid]# squid -z                            #初始化 2016/08/09 13:35:12| Creating Swap Directories   [root@openstack squid]# /etc/init.d/squid start Starting squid: . [ OK ]   ------------------------------------------------------------------------------------------- 如果开启了防火墙iptables规则，则还需要在/etc/sysconfig/iptables里添加下面一行，即允许3128端口访问： -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT --------------------------------------------------------------------------------------------   然后重启iptables服务 [root@openstack squid]# /etc/init.d/iptables restart

二、服务器C上的的操作记录（https代理）

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

1）安装squid yum命令直接在线安装squid [root@openstack ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装 [root@openstack ~]# yum install squid [root@openstack ~]# cd /etc/squid/ [root@openstack squid]# cp squid.conf squid.conf_bak   2）现在开始生成加密代理证书: [root@bastion-IDC squid]# pwd /etc/squid [root@bastion-IDC squid]# openssl req -new > lidongbest5.csr Generating a 2048 bit RSA private key ..........................................................................+++ .........................................................................................................+++ writing new private key to 'privkey.pem' Enter PEM pass phrase:                                                                   #输入密码，后面会用到，比如这里输入123456 Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn                                                  #国家 State or Province Name (full name) []:beijing                                       #省份 Locality Name (eg, city) [Default City]:beijing                                      #地区名字 Organization Name (eg, company) [Default Company Ltd]:huanqiu        #公司名 Organizational Unit Name (eg, section) []:Technology                            #部门 Common Name (eg, your name or your server's hostname) []:huanqiu    #CA主机名 Email Address []:wangshibo@xqshijie.cn                                              #邮箱   Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456                                                         #证书请求密钥，CA读取证书的时候需要输入密码 An optional company name []:huanqiu                                                #-公司名称，CA读取证书的时候需要输入名称   [root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key Enter pass phrase for privkey.pem:                                                     #输入上面设置的密码123456 writing RSA key   [root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650 Signature ok subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn Getting Private key   修改squid.conf配置文件 [root@bastion-IDC squid]# vim squid.conf http_access allow all #deny修改为allow #http_port 3128                                                                    #注释掉 https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key            #添加这一行 cache_dir ufs /var/spool/squid 100 16 256                             #打开这个注释，保证/var/spool/squid这个缓存目录存在   3）重启squid服务 [root@bastion-IDC squid]# squid -k parse [root@bastion-IDC squid]# squid -z [root@bastion-IDC squid]# squid reload [root@bastion-IDC squid]# /etc/init.d/squid restart   ------------------------------------------------------------------------------------------- 如果开启了防火墙iptables规则，则还需要在/etc/sysconfig/iptables里添加下面一行，即允许443端口访问： -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT -------------------------------------------------------------------------------------------   然后重启iptables服务 [root@bastion-IDC squid]# /etc/init.d/iptables restart

三、服务器A（即客户端）上的操作记录

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

1）安装配置stunnel 关闭客户端的iptables防火墙 [root@dev-new-test1 ~]# /etc/init.d/iptables stop   [root@dev-new-test1 ~]# cd /usr/local/src/ [root@dev-new-test1 src]# pwd /usr/local/src     官网下载：http://www.stunnel.org/downloads.html 百度云盘下载：https://pan.baidu.com/s/1JXqfB7yc6H2GY9qtBVO4iw     提取密码：4kt8 [root@dev-new-test1 ~]#yum install -y openssl openssl-devel gcc   [root@dev-new-test1 src]# ls stunnel-5.45.tar.gz [root@dev-new-test1 src]# tar -zvxf stunnel-5.45.tar.gz [root@dev-new-test1 src]# ls stunnel-5.45 stunnel-5.45.tar.gz [root@dev-new-test1 src]# cd stunnel-5.45 [root@dev-new-test1 stunnel-5.45]# ./configure [root@dev-new-test1 stunnel-5.45]# make && make install   安装完成后，配置stunnel.conf [root@dev-new-test1 stunnel-5.45]# cd /usr/local/etc/stunnel/ [root@dev-new-test1 stunnel]# ls stunnel.conf-sample [root@dev-new-test1 stunnel]# cp stunnel.conf-sample stunnel.conf [root@dev-new-test1 stunnel]# ls stunnel.conf stunnel.conf-sample [root@dev-new-test1 stunnel]# cat stunnel.conf              #把原来内容清空，写入： client = yes [https] accept = 127.0.0.1:8088 connect = 192.168.1.5:443                               #运行本机stunnel端口8088连接squid服务端192.168.1.5的443端口，然后在/etc/profile里配置本机8088端口代理（如下）   2）启动stunnel服务 [root@dev-new-test1 stunnel]# /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf [root@dev-new-test1 stunnel]# ps -ef|grep stunnel root 20281 1 0 02:23 ? 00:00:00 /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf root 20283 13002 0 02:23 pts/0 00:00:00 grep --color stunnel [root@dev-new-test1 stunnel]# lsof -i:8088 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME stunnel 20281 root 7u IPv4 745475 0t0 TCP localhost:radan-http (LISTEN)   3）配置/etc/profile系统环境变量 底部添加下面两行 [root@dev-new-test1 stunnel]# vim /etc/profile ............... export http_proxy=http://192.168.1.8:3128                          #这个是通过服务端A机器的3128端口的squid上网（http代理） export https_proxy=http://127.0.0.1:8088                            #这个是通过服务端B机器的443端口的squid上网（https代理）   [root@dev-new-test1 stunnel]# source /etc/profile                   #配置生效   4）测试： [root@dev-new-test1 stunnel]# curl http://www.baidu.com                           #访问80端口ok [root@dev-new-test1 stunnel]# curl https://www.xqshijie.com                      #访问443端口ok [root@dev-new-test1 stunnel]# yum list                                                     #yum可以正常使用 [root@dev-new-test1 stunnel]# wget http://www.autohome.com.cn/3442      #wget正常下载

++++++++++++++++++++++++++++++++++++++++++++++++++++

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

如果客户机是ubuntu系统，则安装配置stunnel记录如下： root@kevin-KVM:~# apt-get install stunnel4 root@kevin-KVM:~# cd /etc/stunnel/ root@kevin-KVM:/etc/stunnel# ls README root@kevin-KVM:/etc/stunnel# vim stunnel.conf    #手动创建该配置文件 client = yes [https] accept = 127.0.0.1:8088 connect = 192.168.1.8:443   root@kevin-KVM:/etc/stunnel# vim /etc/default/stunnel4 ...... ENABLED=1          #默认为0   ========================================================= 注意： 上面的ENABLED一定要修改为1，否则启动stunne服务时会失败，通过status查看报错为： 5月 27 00:45:56 kevin-KVM systemd[1]: Starting LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)... 5月 27 00:45:56 kevin-KVM stunnel4[23356]: SSL tunnels disabled, see /etc/default/stunnel4 5月 27 00:45:56 kevin-KVM systemd[1]: Started LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons). =========================================================   接着启动stunne服务 root@kevin-KVM:~# /etc/init.d/stunnel4 start  root@kevin-KVM:~# /etc/init.d/stunnel4 restart root@kevin-KVM:/etc/stunnel# lsof -i:8088 COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME stunnel4 23625 root    7u  IPv4 138476      0t0  TCP localhost:omniorb (LISTEN)   然后进行代理的环境变量配置 root@kevin-KVM:~# cat /etc/profile ...... export http_proxy=http://192.168.1.8:3128 export https_proxy=http://127.0.0.1:8088   root@kevin-KVM:~# source /etc/profile   测试上网： root@kevin-KVM:~# curl http://www.baidu.com root@kevin-KVM:~# curl https://www.baidu.com