金庸武功之“碧血剑法”----squid做透明代理
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了金庸武功之“碧血剑法”----squid做透明代理相关的知识,希望对你有一定的参考价值。
一.试验目的:公司阿里云环境要求之开放一个代理服务器,其他服务器不允许有外网IP
二.环境拓扑:
A:代理服务器:(利用squid做透明代理) (centos7.2)
[[email protected] squid]# ip a
eth0:10.30.204.122
eth1:116.62.XX.XX
B:客户端服务器:(centos7.2)
[[email protected] squid]# ip a
eth0:10.30.204.90
三.试验环境准备(A,B都执行)
yum -y update
关闭SEliunx
[[email protected]~]# vi /etc/sysconfig/selinux
SELINUX=disabled
3.关闭防火墙
[[email protected]~]# systemctl stop firewalld
[[email protected]~]# systemctl disable firewalld
[[email protected]~]# systemctl status firewalld
4.同步系统时间
[[email protected]~]# rm -rf /etc/localtime
[[email protected] ~]# ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[[email protected]~]# yum install -y ntpdate
[[email protected]~]# /usr/sbin/ntpdate -u202.120.2.101 && hwclock -w
systemctl enable ntpdate && systemctlstart ntpdate
[[email protected]~]# crontab -e
*/5 * * * * /usr/sbin/ntpdate -u 202.120.2.101 && hwclock -w
5.修改主机名
hostnamectl --static set-hostname XXX
6.打开路由转发
vi /etc/sysctl.conf
输入net.ipv4.ip_forward=1
四.A代理服务器配置
[[email protected] ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装
[[email protected] ~]# yum install squid
[[email protected] ~] # cd /etc/squid
[[email protected] ~] # openssl req -new > lidongbest5.csr
Generating a 2048 bit RSA private key
..........................................................................+++
.........................................................................................................+++
writing new private key to ‘privkey.pem‘
Enter PEM pass phrase: #输入密码,后面会用到,比如这里输入123456
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #国家
State or Province Name (full name) []:beijing #省份
Locality Name (eg, city) [Default City]:beijing #地区名字
Organization Name (eg, company) [Default Company Ltd]:sjwl #公司名
Organizational Unit Name (eg, section) []:Technology #部门
Common Name (eg, your name or your server‘s hostname) []:sjwl #CA主机名
Email Address []:[email protected] #邮箱
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:123456 #证书请求密钥,CA读取证书的时候需要输入密码
An optional company name []:sjwl #-公司名称,CA读取证书的时候需要输入名称
[[email protected] squid]# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem: #输入上面设置的密码123456
writing RSA key
[[email protected] squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/[email protected]
Getting Private key
[[email protected] ~] # cp squid.conf squidbackup.conf
[[email protected] ~]# vi squid.conf
http_access deny all 改成 http_access allow all
# Squid normally listens to port 3128
http_port 8086 transparent
https_port 443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
dns_nameservers 8.8.8.8
cache_mem 1600 MB
cache_log /var/log/squid/cache.log
visible_hostname captain
启动squid,启动前进行测试和初始化
[[email protected] squid]# squid -k parse #测试
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context
[[email protected] squid]# squid -z #初始化
2016/08/09 13:35:12| Creating Swap Directories
[[email protected] squid]# systemctl start squid.service
[[email protected] squid]# systemctl enable squid.service
iptables配置安装:
[[email protected] squid]# systemctl stop firewall.service
[[email protected] squid]# systemctl disable firewalld.service
[[email protected] squid]# yum install iptables-services
[[email protected] squid]# cd /etc/sysconfig/
[[email protected] squid]# vi iptables
# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 443
COMMIT
# Completed on Tue Mar 28 17:42:00 2017
# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017
*filter
:INPUT ACCEPT [42:2941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1950:331902]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Mar 28 17:42:00 2017
[[email protected] squid]# systemctl restart iptables.service
五.客户端服务器配置:
客户端安装配置stunnel
1,安装
[[email protected] squid]# yum install stunnel -y #这里虽是阿里云内网,但有它内部的yum源
[[email protected] squid]# vi /etc/stunnel/stunnel.conf
client = yes
[https]
accept = 127.0.0.1:8088
connect = 10.30.204.122:443
如果报,FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match,
stunnel.conf配置文件中加上,fips = no
2.启动stunnel并查看
[[email protected] squid]# stunnel //启动,默认配置文件路径 /etc/stunnel/stunnel.conf
[[email protected] squid]# ps -ef |grep stunnel //查看
root 15972 0.0 0.0 103256 848 pts/0 S+ 17:30 0:00 grep stunnel
root 21099 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21100 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21101 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21102 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21103 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21104 0.0 0.0 2077984 6824 ? Ss 15:42 0:00 stunnel
3.配置/etc/profile系统环境变量
底部添加下面两行
[[email protected] stunnel]# vim /etc/profile
export http_proxy=http://10.30.204.122:8086
export https_proxy=http://127.0.0.1:8088
4.测试
curl https://www.baidu.com
curl www.baidu.com
5.额外的要求:
如果需要做访问控制(比如只允许某些IP的客户端才能连接代理服务器)
试验中是只允许
http://blog.chinaunix.net/uid-25266990-id-2722465.html
参考:http://www.linuxidc.com/Linux/2017-02/140398.htm
http://www.xuexila.com/diannao/xitong/linux/648947.html
http://www.centoscn.com/CentOS/config/2016/0708/7599.html
本文出自 “冷月葬玉魂” 博客,请务必保留此出处http://mxlmgl.blog.51cto.com/9834691/1911671
以上是关于金庸武功之“碧血剑法”----squid做透明代理的主要内容,如果未能解决你的问题,请参考以下文章