首页 > 代码库 > 金庸武功之“碧血剑法”----squid做透明代理

金庸武功之“碧血剑法”----squid做透明代理

一.试验目的:公司阿里云环境要求之开放一个代理服务器,其他服务器不允许有外网IP


二.环境拓扑:

A:代理服务器:(利用squid做透明代理) (centos7.2)

[root@captain squid]# ip a

 eth0:10.30.204.122

 eth1:116.62.XX.XX

B:客户端服务器:(centos7.2)

[root@captain squid]# ip a

 eth0:10.30.204.90

三.试验环境准备(A,B都执行)

  1. yum  -y update

  2. 关闭SEliunx

[root@localhost~]# vi /etc/sysconfig/selinux

 SELINUX=disabled

3.关闭防火墙

[root@localhost~]#  systemctl  stop     firewalld 

 [root@localhost~]#  systemctl disable    firewalld

 [root@localhost~]#  systemctl  status    firewalld

4.同步系统时间

  [root@localhost~]# rm -rf  /etc/localtime

  [root@localhost ~]# ln  -s   /usr/share/zoneinfo/Asia/Shanghai  /etc/localtime

  [root@localhost~]#  yum  install  -y  ntpdate

  [root@localhost~]# /usr/sbin/ntpdate -u202.120.2.101 && hwclock -w

systemctl enable ntpdate && systemctlstart ntpdate

  [root@localhost~]#  crontab  -e

  */5 * * * * /usr/sbin/ntpdate -u 202.120.2.101 && hwclock -w


5.修改主机名

 hostnamectl --static set-hostname XXX

6.打开路由转发

     vi /etc/sysctl.conf

     输入net.ipv4.ip_forward=1

四.A代理服务器配置

[root@openstack ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装

[root@openstack ~]#    yum install squid

[root@openstack ~] #   cd /etc/squid

[root@openstack ~] # openssl req -new > lidongbest5.csr

Generating a 2048 bit RSA private key

..........................................................................+++

.........................................................................................................+++

writing new private key to ‘privkey.pem‘

Enter PEM pass phrase:                                                                   #输入密码,后面会用到,比如这里输入123456

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn                                                  #国家

State or Province Name (full name) []:beijing                                       #省份

Locality Name (eg, city) [Default City]:beijing                                      #地区名字

Organization Name (eg, company) [Default Company Ltd]:sjwl        #公司名

Organizational Unit Name (eg, section) []:Technology                            #部门

Common Name (eg, your name or your server‘s hostname) []:sjwl    #CA主机名

Email Address []:mengxl@shengjing360.com                  #邮箱


Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:123456      #证书请求密钥,CA读取证书的时候需要输入密码

An optional company name []:sjwl     #-公司名称,CA读取证书的时候需要输入名称



[root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key

Enter pass phrase for privkey.pem: #输入上面设置的密码123456

writing RSA key



[root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650

Signature ok

subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn

Getting Private key


[root@openstack ~] #   cp squid.conf squidbackup.conf

[root@openstack ~]#    vi  squid.conf

                http_access deny all     改成 http_access allow all                     

     # Squid normally listens to port 3128

     http_port 8086 transparent

     https_port 443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key

     dns_nameservers 8.8.8.8

     cache_mem 1600 MB

     cache_log /var/log/squid/cache.log

     visible_hostname captain


启动squid,启动前进行测试和初始化
[root@openstack squid]# squid -k parse                    #测试
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context

[root@openstack squid]# squid -z                            #初始化
2016/08/09 13:35:12| Creating Swap Directories

[root@openstack squid]# systemctl start squid.service

[root@openstack squid]# systemctl enable squid.service


iptables配置安装:

[root@openstack squid]#  systemctl stop firewall.service

[root@openstack squid]#  systemctl disable firewalld.service
[root@openstack squid]#  yum install iptables-services

[root@openstack squid]#  cd /etc/sysconfig/

[root@openstack squid]#  vi iptables

# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017

*nat

:PREROUTING ACCEPT [0:0]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 443

COMMIT

# Completed on Tue Mar 28 17:42:00 2017

# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017

*filter

:INPUT ACCEPT [42:2941]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1950:331902]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

COMMIT

# Completed on Tue Mar 28 17:42:00 2017


[root@openstack squid]#   systemctl   restart   iptables.service


五.客户端服务器配置:

客户端安装配置stunnel

  1,安装

  [root@openstack squid]#  yum install stunnel -y  #这里虽是阿里云内网,但有它内部的yum源

  [root@openstack squid]#  vi /etc/stunnel/stunnel.conf

     client = yes

     [https]

     accept = 127.0.0.1:8088

     connect = 10.30.204.122:443



如果报,FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match,

stunnel.conf配置文件中加上,fips = no

2.启动stunnel并查看

        [root@openstack squid]#  stunnel   //启动,默认配置文件路径 /etc/stunnel/stunnel.conf

   [root@openstack squid]#  ps -ef |grep stunnel //查看

   

  root 15972 0.0 0.0 103256 848 pts/0 S+ 17:30 0:00 grep stunnel

  root 21099 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

  root 21100 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

  root 21101 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

  root 21102 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

  root 21103 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel

  root 21104 0.0 0.0 2077984 6824 ? Ss 15:42 0:00 stunnel

3.配置/etc/profile系统环境变量
底部添加下面两行
[root@dev-new-test1 stunnel]# vim /etc/profile 

export http_proxy=http://10.30.204.122:8086

export https_proxy=http://127.0.0.1:8088


4.测试

curl https://www.baidu.com

curl www.baidu.com




5.额外的要求:

如果需要做访问控制(比如只允许某些IP的客户端才能连接代理服务器)

试验中是只允许


http://blog.chinaunix.net/uid-25266990-id-2722465.html








参考:http://www.linuxidc.com/Linux/2017-02/140398.htm

         http://www.xuexila.com/diannao/xitong/linux/648947.html

          http://www.centoscn.com/CentOS/config/2016/0708/7599.html

          

















     

本文出自 “冷月葬玉魂” 博客,请务必保留此出处http://mxlmgl.blog.51cto.com/9834691/1911671

金庸武功之“碧血剑法”----squid做透明代理