
Building a proxy server with stunnel + squid

2018-01-22 15:32, 453 views

I. Network environment

Host A: 192.168.0.11

Host B: 66.0.0.6

Host C: 4.2.2.2

Hosts A and B can reach each other, and B and C can reach each other, but A's network path to C is slow or blocked. A can reach C by hopping through an stunnel + squid proxy on B.

II. squid installation and configuration

squid and stunnel can both be configured on host B, or on different hosts, to implement the network hop. Here squid and the stunnel server are configured on host B, and the stunnel client on the client host A.

Install
yum install squid


Configure
vim /etc/squid/squid.conf
The two main settings are:

acl localnet src 66.0.0.6/32  # adjust to your environment: add the IP address allowed for the stunnel client
http_port 3128  # port squid listens on


Start the service
service squid start


III. stunnel configuration

Install
yum -y install stunnel openssl openssl-devel


1. stunnel server configuration

Generate the certificate file (the private key and the self-signed certificate are written to the same PEM file):

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
openssl gendh 512 >> stunnel.pem   # optional

Note that 512-bit DH parameters are far below what current TLS stacks accept; if you do append DH parameters, generate at least 2048 bits.


Configure

vim  /etc/stunnel/stunnel_ser.conf   (lines starting with ;;; are comments)

cert = /etc/stunnel/stunnel.pem   ;;;# certificate file
CAfile = /etc/stunnel/stunnel.pem  ;;;# certificate file
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;;;chroot = /var/run/stunnel
pid = /tmp/stunnel_server.pid
verify = 3
;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem
setuid = web
setgid = web
;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; sslVersion = TLSv1
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
syslog = no
output = /var/logs/stunnel_server.log
client = no  ;;;# server side
[sproxy]
accept = 44550  ;;;# listen port
connect = 66.0.0.6:3128  ;;;# squid service port


Start the service
stunnel /etc/stunnel/stunnel_ser.conf


2. stunnel client installation and configuration

yum -y install stunnel openssl openssl-devel
vim  /etc/stunnel/stunnel_cli.conf

cert = /usr/local/etc/stunnel/stunnel_cli.pem  ;;;# the stunnel.pem generated in step 1, just renamed
CAfile = /usr/local/etc/stunnel/stunnel_cli.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = web
setgid = web

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3

debug = 7
syslog = no
output = /data/logs/stunnel.log
client = yes   ;;;# client side

[sproxy]
accept = 0.0.0.0:44550  ;;;# listen address
connect = 66.0.0.6:44550  ;;;# stunnel server address
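Before starting either end, it is worth reviewing the two configurations above for the settings that decide who may use the tunnel and which protocol versions it will negotiate. The script below is an added example, not code from the page or from the stunnel project: it parses stunnel's INI-style file (global options first, then one [service] section per tunnel, ';' starting a comment, repeated keys allowed) and reports the points a reviewer would raise: whether the peer is verified, whether `sslVersion = all` is left without the `NO_SSLv2`/`NO_SSLv3` options (both commented out above), where each service listens, and the consequence of using one PEM as both `cert` and `CAfile`. The sample configs embedded in it are constructed copies of the server config above; the hardened variant is an assumption about what a tightened config would look like.

```python
"""Lint an stunnel configuration of the shape used on this page.

Added example (not the page's own code and not part of stunnel itself).
"""

# Constructed sample that mirrors the server config from section III.1.
PAGE_SERVER_CONF = """\
cert = /etc/stunnel/stunnel.pem   ;;;# certificate file
CAfile = /etc/stunnel/stunnel.pem  ;;;# certificate file
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
setuid = web
setgid = web
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
client = no  ;;;# server side
[sproxy]
accept = 44550  ;;;# listen port
connect = 66.0.0.6:3128  ;;;# squid service port
"""

# Constructed hardened variant (assumption): legacy SSL disabled and the
# tunnel bound to host B's address instead of every interface.
HARDENED_SERVER_CONF = (
    PAGE_SERVER_CONF.replace(";;; options = NO_SSLv2", "options = NO_SSLv2")
    .replace(";;; options = NO_SSLv3", "options = NO_SSLv3")
    .replace("accept = 44550", "accept = 66.0.0.6:44550")
)


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}).

    Keys are lower-cased. Every value is a list, because stunnel allows a key
    such as 'options' or 'socket' to be repeated.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment, as in stunnel
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed stunnel line: {raw!r}")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, services


def lint_stunnel_conf(text):
    """Return a list of human-readable findings for the given config text."""
    g, services = parse_stunnel_conf(text)

    def first(key, default):
        return g.get(key, [default])[0]

    findings = []

    verify = int(first("verify", "0"))
    if verify < 2:
        findings.append(f"verify = {verify}: peer certificate is not checked against CAfile")
    elif verify == 3 and first("cert", "") == first("cafile", "<unset>"):
        findings.append("cert and CAfile are the same file: with verify = 3 the peer must "
                        "present this exact certificate, so both ends need the identical PEM")

    if first("sslversion", "all").lower() == "all":
        enabled = {o.lower() for o in g.get("options", [])}
        missing = [o for o in ("NO_SSLv2", "NO_SSLv3") if o.lower() not in enabled]
        if missing:
            findings.append("sslVersion = all without " + ", ".join(missing)
                            + ": legacy SSL versions may be negotiated if the OpenSSL build allows them")

    mode = "client" if first("client", "no").lower() == "yes" else "server"
    for name, svc in services.items():
        accept = svc.get("accept", [""])[0]
        host, _, port = accept.rpartition(":")   # 'port' alone means every interface
        if host in ("", "0.0.0.0", "::"):
            findings.append(f"[{name}] {mode} endpoint accepts on all interfaces, port {port}")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", PAGE_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label)
        for finding in lint_stunnel_conf(conf):
            print("  -", finding)
```

Run it on the client config as well: the client's `accept = 0.0.0.0:44550` is reported the same way, which is intended here because the test in section IV uses host A as a proxy for other machines on 192.168.0.0/24; if only host A itself needs the tunnel, binding to 127.0.0.1 removes that exposure.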


IV. Testing and troubleshooting

Test: after setting the proxy server address to 192.168.0.11, port 44550, host C can be accessed.

Troubleshooting:

stunnel error: CERT: Verification error: certificate has expired


The stunnel client cannot stay connected to the server: it connects and then drops after a few seconds. The exact error messages are as follows.

# stunnel client:
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Remote socket (FD=13) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Local socket (FD=3) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)

# stunnel server:
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)


Following the certificate generation command above, regenerate the certificate and then update it manually:

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
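The two log excerpts above tell the same story from both ends: the client refuses the server's certificate because it has expired, the server sees the resulting alert, and the connection is reset with zero bytes forwarded. The script below is an added example (not code from the page or from stunnel) that automates that reading: it parses stunnel's default line layout `YYYY.MM.DD HH:MM:SS LOG<n>[pid:tid]: message`, where `<n>` is the syslog severity (3 error, 4 warning, 5 notice, 7 debug), groups records by pid:tid so each connection attempt is judged on its own, names the cause and the fix, and adds a helper that turns the `notAfter=` line from `openssl x509 -noout -enddate` into days remaining so the 365-day certificate is renewed before it expires again. The log lines embedded in it are copies of the excerpts above; the `notAfter` sample is constructed.

```python
"""Triage stunnel log output for the expired-certificate failure shown above.

Added example, not code from the page or from the stunnel project.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# Message fragments that identify the failure cause; the first match wins.
CAUSES = [
    ("certificate has expired", "expired-certificate"),    # the verifying side
    ("alert certificate expired", "expired-certificate"),  # the side that received the alert
    ("certificate verify failed", "verification-failed"),
]
REMEDIATION = {
    "expired-certificate": "regenerate stunnel.pem with the openssl command from section III.1 "
                           "and install the same file on both ends (each side uses it as cert "
                           "and as CAfile)",
    "verification-failed": "make sure CAfile on this side contains the certificate the peer presents",
}
# stunnel prints either '0 byte(s) sent' or '0 bytes sent' depending on version.
RESET_RE = re.compile(r"Connection reset: (\d+) byte(?:s|\(s\))? sent to SSL")

# Constructed sample: the client-side lines from section IV, plus the page's own
# header line, which is not an stunnel record and must be skipped.
CLIENT_LOG = """\
# stunnel client:
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)
""".splitlines()

# Constructed sample: the server-side lines from section IV.
SERVER_LOG = """\
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)
""".splitlines()


def parse_line(line):
    """Return the fields of one stunnel log record, or None for non-record lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def triage(lines):
    """Summarise each connection attempt (keyed by pid:tid) found in the lines."""
    conns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['pid']}:{rec['tid']}"
        c = conns.setdefault(key, {"first_seen": rec["ts"], "cause": None,
                                   "errors": 0, "bytes_sent": None})
        if rec["level"] <= 4:  # LOG3/LOG4: error or warning
            c["errors"] += 1
        if c["cause"] is None:
            for needle, cause in CAUSES:
                if needle in rec["msg"]:
                    c["cause"] = cause
                    break
        reset = RESET_RE.search(rec["msg"])
        if reset:
            c["bytes_sent"] = int(reset.group(1))
    for c in conns.values():
        # A known cause plus zero bytes forwarded means the handshake never completed.
        c["handshake_failed"] = c["cause"] is not None and c["bytes_sent"] == 0
        c["action"] = REMEDIATION.get(c["cause"])
    return conns


def parse_openssl_time(value):
    """Parse OpenSSL's GMT timestamp format, e.g. 'Sep 25 02:00:00 2018 GMT'."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_until_expiry(enddate_line, now=None):
    """Days left on a certificate, given the 'notAfter=...' line printed by
    'openssl x509 -noout -enddate -in stunnel.pem'. Negative means already expired."""
    not_after = parse_openssl_time(enddate_line.split("=", 1)[1])
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


if __name__ == "__main__":
    for key, c in triage(CLIENT_LOG + SERVER_LOG).items():
        print(key, c["cause"], "->", c["action"])
    # Constructed notAfter line, one year after the page's log timestamps.
    print(days_until_expiry("notAfter=Sep 25 02:00:00 2018 GMT"))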
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: