squid代理http和https方式上網的操作記錄

 

需求說明：公司IDC機房有一臺伺服器A，只有內網環境：192.168.1.150現在需要讓這臺伺服器能對外訪問，能正常訪問http和https請求（即80埠和443埠）
操作思路：在IDC機房裡另找其他兩臺有公網環境的伺服器B（58.68.250.8/192.168.1.8）和伺服器C（58.68.250.5/192.168.1.5），且這兩臺伺服器和內網環境的伺服器A能相互ping通。（當然也可以將下面B的http和C機器的https代理環境放在一臺機器上部署）其中：
在伺服器B上部署squid的http代理，讓伺服器C通過它的squid代理上網，能成功訪問http
在伺服器C上部署squid的https代理，讓伺服器C通過它的squid代理上網，能成功訪問https  [需要在客戶端安裝stunnel ]

一、伺服器B上的操作記錄（http代理）

1）安裝squid
yum命令直接線上安裝squid
[root@openstack ~]# yum install -y gcc openssl openssl-devel #依賴軟體要先提前安裝
[root@openstack ~]# yum install squid

安裝完成後，修改squid.conf 檔案中的內容，修改之前可以先備份該檔案
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak
[root@openstack squid]# vim squid.conf
http_access allow all                                                   #修改deny為allow
http_port 192.168.1.8:3128 
cache_dir ufs /var/spool/squid 100 16 256                    #開啟這個註釋，保證/var/spool/squid這個快取目錄存在

2）啟動squid，啟動前進行測試和初始化
[root@openstack squid]# squid -k parse                    #測試
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context

[root@openstack squid]# squid -z                            #初始化
2016/08/09 13:35:12| Creating Swap Directories

[root@openstack squid]# /etc/init.d/squid start
Starting squid: . [ OK ]

-------------------------------------------------------------------------------------------
如果開啟了防火牆iptables規則，則還需要在/etc/sysconfig/iptables裡新增下面一行，即允許3128埠訪問：
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
--------------------------------------------------------------------------------------------

然後重啟iptables服務
[root@openstack squid]# /etc/init.d/iptables restart

二、伺服器C上的的操作記錄（https代理）

1）安裝squid
yum命令直接線上安裝squid
[root@openstack ~]# yum install -y gcc openssl openssl-devel #依賴軟體要先提前安裝
[root@openstack ~]# yum install squid
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak

2）現在開始生成加密代理證書:
[root@bastion-IDC squid]# pwd
/etc/squid
[root@bastion-IDC squid]# openssl req -new > lidongbest5.csr
Generating a 2048 bit RSA private key
..........................................................................+++
.........................................................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:                                                                   #輸入密碼，後面會用到，比如這裡輸入123456
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                                  #國家
State or Province Name (full name) []:beijing                                       #省份
Locality Name (eg, city) [Default City]:beijing                                      #地區名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu        #公司名
Organizational Unit Name (eg, section) []:Technology                            #部門
Common Name (eg, your name or your server's hostname) []:huanqiu    #CA主機名
Email Address []:wangshibo@xqshijie.cn                                              #郵箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                                         #證書請求金鑰，CA讀取證書的時候需要輸入密碼
An optional company name []:huanqiu                                                #-公司名稱，CA讀取證書的時候需要輸入名稱

[root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem:                                                     #輸入上面設定的密碼123456
writing RSA key

[root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key

修改squid.conf配置檔案
[root@bastion-IDC squid]# vim squid.conf
http_access allow all #deny修改為allow
#http_port 3128                                                                    #註釋掉 
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key            #新增這一行
cache_dir ufs /var/spool/squid 100 16 256                             #開啟這個註釋，保證/var/spool/squid這個快取目錄存在

3）重啟squid服務
[root@bastion-IDC squid]# squid -k parse 
[root@bastion-IDC squid]# squid -z
[root@bastion-IDC squid]# squid reload
[root@bastion-IDC squid]# /etc/init.d/squid restart

-------------------------------------------------------------------------------------------
如果開啟了防火牆iptables規則，則還需要在/etc/sysconfig/iptables裡新增下面一行，即允許443埠訪問：
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-------------------------------------------------------------------------------------------

然後重啟iptables服務
[root@bastion-IDC squid]# /etc/init.d/iptables restart

三、伺服器A（即客戶端）上的操作記錄

1）安裝配置stunnel
關閉客戶端的iptables防火牆
[root@dev-new-test1 ~]# /etc/init.d/iptables stop

[root@dev-new-test1 ~]# cd /usr/local/src/
[root@dev-new-test1 src]# pwd
/usr/local/src


官網下載：http://www.stunnel.org/downloads.html
百度雲盤下載：https://pan.baidu.com/s/1JXqfB7yc6H2GY9qtBVO4iw     提取密碼：4kt8
[root@dev-new-test1 ~]#yum install -y openssl openssl-devel gcc

[root@dev-new-test1 src]# ls
stunnel-5.45.tar.gz
[root@dev-new-test1 src]# tar -zvxf stunnel-5.45.tar.gz
[root@dev-new-test1 src]# ls
stunnel-5.45 stunnel-5.45.tar.gz
[root@dev-new-test1 src]# cd stunnel-5.45
[root@dev-new-test1 stunnel-5.45]# ./configure
[root@dev-new-test1 stunnel-5.45]# make && make install

安裝完成後，配置stunnel.conf
[root@dev-new-test1 stunnel-5.45]# cd /usr/local/etc/stunnel/
[root@dev-new-test1 stunnel]# ls
stunnel.conf-sample
[root@dev-new-test1 stunnel]# cp stunnel.conf-sample stunnel.conf
[root@dev-new-test1 stunnel]# ls
stunnel.conf stunnel.conf-sample 
[root@dev-new-test1 stunnel]# cat stunnel.conf              #把原來內容清空，寫入：
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443                               #執行本機stunnel埠8088連線squid服務端192.168.1.5的443埠，然後在/etc/profile裡配置本機8088埠代理（如下）

2）啟動stunnel服務
[root@dev-new-test1 stunnel]# /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
[root@dev-new-test1 stunnel]# ps -ef|grep stunnel
root 20281 1 0 02:23 ? 00:00:00 /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
root 20283 13002 0 02:23 pts/0 00:00:00 grep --color stunnel
[root@dev-new-test1 stunnel]# lsof -i:8088
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
stunnel 20281 root 7u IPv4 745475 0t0 TCP localhost:radan-http (LISTEN)

3）配置/etc/profile系統環境變數
底部新增下面兩行
[root@dev-new-test1 stunnel]# vim /etc/profile 
...............
export http_proxy=http://192.168.1.8:3128                          #這個是通過服務端A機器的3128埠的squid上網（http代理）
export https_proxy=http://127.0.0.1:8088                            #這個是通過服務端B機器的443埠的squid上網（https代理）

[root@dev-new-test1 stunnel]# source /etc/profile                   #配置生效

4）測試：
[root@dev-new-test1 stunnel]# curl http://www.baidu.com                           #訪問80埠ok
[root@dev-new-test1 stunnel]# curl https://www.xqshijie.com                      #訪問443埠ok
[root@dev-new-test1 stunnel]# yum list                                                     #yum可以正常使用
[root@dev-new-test1 stunnel]# wget http://www.autohome.com.cn/3442      #wget正常下載

++++++++++++++++++++++++++++++++++++++++++++++++++++

如果客戶機是ubuntu系統，則安裝配置stunnel記錄如下：
root@kevin-KVM:~# apt-get install stunnel4
root@kevin-KVM:~# cd /etc/stunnel/
root@kevin-KVM:/etc/stunnel# ls
README
root@kevin-KVM:/etc/stunnel# vim stunnel.conf    #手動建立該配置檔案
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.8:443

root@kevin-KVM:/etc/stunnel# vim /etc/default/stunnel4
......
ENABLED=1          #預設為0

=========================================================
注意：
上面的ENABLED一定要修改為1，否則啟動stunne服務時會失敗，通過status檢視報錯為：
5月 27 00:45:56 kevin-KVM systemd[1]: Starting LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)...
5月 27 00:45:56 kevin-KVM stunnel4[23356]: SSL tunnels disabled, see /etc/default/stunnel4
5月 27 00:45:56 kevin-KVM systemd[1]: Started LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
=========================================================

接著啟動stunne服務
root@kevin-KVM:~# /etc/init.d/stunnel4 start  
root@kevin-KVM:~# /etc/init.d/stunnel4 restart
root@kevin-KVM:/etc/stunnel# lsof -i:8088
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
stunnel4 23625 root    7u  IPv4 138476      0t0  TCP localhost:omniorb (LISTEN)

然後進行代理的環境變數配置
root@kevin-KVM:~# cat /etc/profile
......
export http_proxy=http://192.168.1.8:3128
export https_proxy=http://127.0.0.1:8088

root@kevin-KVM:~# source /etc/profile

測試上網：
root@kevin-KVM:~# curl http://www.baidu.com
root@kevin-KVM:~# curl https://www.baidu.com