金庸武功之“碧血剑法”----squid做透明代理

Posted 2020-09-07

一.试验目的:公司阿里云环境要求之开放一个代理服务器，其他服务器不允许有外网IP

二.环境拓扑:

A:代理服务器：（利用squid做透明代理） (centos7.2)

[[email protected] squid]# ip a

 eth0:10.30.204.122

 eth1:116.62.XX.XX

B：客户端服务器：(centos7.2)

[[email protected] squid]# ip a

 eth0:10.30.204.90

三.试验环境准备(A,B都执行）

1. yum  -y update

2. 关闭SEliunx

[[email protected]~]# vi /etc/sysconfig/selinux

 SELINUX=disabled

3.关闭防火墙

[[email protected]~]#  systemctl  stop     firewalld 

 [[email protected]~]#  systemctl disable    firewalld

 [[email protected]~]#  systemctl  status    firewalld

4.同步系统时间

  [[email protected]~]# rm -rf  /etc/localtime

  [[email protected] ~]# ln  -s   /usr/share/zoneinfo/Asia/Shanghai  /etc/localtime

  [[email protected]~]#  yum  install  -y  ntpdate

  [[email protected]~]# /usr/sbin/ntpdate -u202.120.2.101 && hwclock -w

systemctl enable ntpdate && systemctlstart ntpdate

  [[email protected]~]#  crontab  -e

  */5 * * * * /usr/sbin/ntpdate -u 202.120.2.101 && hwclock -w

5.修改主机名

 hostnamectl --static set-hostname XXX

6.打开路由转发

     vi /etc/sysctl.conf

     输入net.ipv4.ip_forward=1

四.A代理服务器配置

[[email protected] ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装

[[email protected] ~]#    yum install squid

[[email protected] ~] #   cd /etc/squid

[[email protected] ~] # openssl req -new > lidongbest5.csr

Generating a 2048 bit RSA private key

..........................................................................+++

.........................................................................................................+++

writing new private key to ‘privkey.pem‘

Enter PEM pass phrase:                                                                   #输入密码，后面会用到，比如这里输入123456

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn                                                  #国家

State or Province Name (full name) []:beijing                                       #省份

Locality Name (eg, city) [Default City]:beijing                                      #地区名字

Organization Name (eg, company) [Default Company Ltd]:sjwl        #公司名

Organizational Unit Name (eg, section) []:Technology                            #部门

Common Name (eg, your name or your server‘s hostname) []:sjwl    #CA主机名

Email Address []:[email protected]                  #邮箱

Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:123456      #证书请求密钥，CA读取证书的时候需要输入密码

An optional company name []:sjwl     #-公司名称，CA读取证书的时候需要输入名称

[[email protected] squid]# openssl rsa -in privkey.pem -out lidongbest5.key

Enter pass phrase for privkey.pem: #输入上面设置的密码123456

writing RSA key

[[email protected] squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650

Signature ok

subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/[email protected]

Getting Private key

[[email protected] ~] #   cp squid.conf squidbackup.conf

[[email protected] ~]#    vi  squid.conf

                http_access deny all     改成 http_access allow all                     

     # Squid normally listens to port 3128

     http_port 8086 transparent

     https_port 443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key

     dns_nameservers 8.8.8.8

     cache_mem 1600 MB

     cache_log /var/log/squid/cache.log

     visible_hostname captain

启动squid，启动前进行测试和初始化
[[email protected] squid]# squid -k parse                    #测试
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context

[[email protected] squid]# squid -z                            #初始化
2016/08/09 13:35:12| Creating Swap Directories

[[email protected] squid]# systemctl start squid.service

[[email protected] squid]# systemctl enable squid.service

iptables配置安装：

[[email protected] squid]#  systemctl stop firewall.service

[[email protected] squid]#  systemctl disable firewalld.service
[[email protected] squid]#  yum install iptables-services

[[email protected] squid]#  cd /etc/sysconfig/

[[email protected] squid]#  vi iptables

# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017

*nat

:PREROUTING ACCEPT [0:0]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 443

COMMIT

# Completed on Tue Mar 28 17:42:00 2017

# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017

*filter

:INPUT ACCEPT [42:2941]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1950:331902]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

COMMIT

# Completed on Tue Mar 28 17:42:00 2017

[[email protected] squid]#   systemctl   restart   iptables.service

五.客户端服务器配置：

客户端安装配置stunnel

　　1，安装

　　[[email protected] squid]#  yum install stunnel -y  #这里虽是阿里云内网，但有它内部的yum源

　　[[email protected] squid]#  vi /etc/stunnel/stunnel.conf

     client = yes

     [https]

     accept = 127.0.0.1:8088

     connect = 10.30.204.122:443

如果报，FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match，

stunnel.conf配置文件中加上，fips = no

2.启动stunnel并查看

        [[email protected] squid]#  stunnel   //启动，默认配置文件路径 /etc/stunnel/stunnel.conf

   [[email protected] squid]#  ps -ef |grep stunnel //查看

   

  root 15972 0.0 0.0 103256 848 pts/0 S+ 17:30 0:00 grep stunnel

　　root 21099 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

　　root 21100 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

　　root 21101 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

　　root 21102 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

　　root 21103 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

　　root 21104 0.0 0.0 2077984 6824 ? Ss 15:42 0:00 stunnel

3.配置/etc/profile系统环境变量
底部添加下面两行
[[email protected] stunnel]# vim /etc/profile 

export http_proxy=http://10.30.204.122:8086

export https_proxy=http://127.0.0.1:8088

4.测试

curl https://www.baidu.com

curl www.baidu.com

5.额外的要求：

如果需要做访问控制（比如只允许某些IP的客户端才能连接代理服务器）

试验中是只允许

http://blog.chinaunix.net/uid-25266990-id-2722465.html

参考：http://www.linuxidc.com/Linux/2017-02/140398.htm

         http://www.xuexila.com/diannao/xitong/linux/648947.html

          http://www.centoscn.com/CentOS/config/2016/0708/7599.html

          

     

本文出自 “冷月葬玉魂” 博客，请务必保留此出处http://mxlmgl.blog.51cto.com/9834691/1911671