Using Squid to proxy HTTP and HTTPS
Preface
At work we often need Squid to proxy network access. Here is one scenario: we have two proxy servers, Proxy1 and Proxy2, and we want each of them to proxy a server on our internal network so that it can reach the outside network.
Suppose the server that needs to reach the outside is called test. We configure Proxy1 as an HTTP proxy and Proxy2 as an HTTPS proxy.
By following articles written by experts online I finally got this working, so I am writing it down here.
The following steps implement this setup.
Installing Squid (Proxy1, HTTP)
Install the dependencies
yum install -y gcc openssl openssl-devel
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package 1:openssl-1.0.2k-24.amzn2.0.7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:7.3.1-15.amzn2 will be installed
--> Processing Dependency: cpp = 7.3.1-15.amzn2 for package: gcc-7.3.1-15.amzn2.x86_64
...
Dependency Installed:
cpp.x86_64 0:7.3.1-15.amzn2 glibc-devel.x86_64 0:2.26-63.amzn2 glibc-headers.x86_64 0:2.26-63.amzn2 kernel-headers.x86_64 0:5.10.184-175.749.amzn2
keyutils-libs-devel.x86_64 0:1.5.8-3.amzn2.0.2 krb5-devel.x86_64 0:1.15.1-55.amzn2.2.5 libatomic.x86_64 0:7.3.1-15.amzn2 libcilkrts.x86_64 0:7.3.1-15.amzn2
libcom_err-devel.x86_64 0:1.42.9-19.amzn2.0.1 libitm.x86_64 0:7.3.1-15.amzn2 libkadm5.x86_64 0:1.15.1-55.amzn2.2.5 libmpc.x86_64 0:1.0.1-3.amzn2.0.2
libmpx.x86_64 0:7.3.1-15.amzn2 libquadmath.x86_64 0:7.3.1-15.amzn2 libsanitizer.x86_64 0:7.3.1-15.amzn2 libselinux-devel.x86_64 0:2.5-12.amzn2.0.2
libsepol-devel.x86_64 0:2.5-8.1.amzn2.0.2 libverto-devel.x86_64 0:0.2.5-4.amzn2.0.2 mpfr.x86_64 0:3.1.1-4.amzn2.0.2 pcre-devel.x86_64 0:8.32-17.amzn2.0.3
zlib-devel.x86_64 0:1.2.7-19.amzn2.0.2
Complete!
Install Squid
yum install squid
Edit the squid.conf file
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access allow all # changed from deny to allow

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid # uncomment this line and make sure the cache directory /var/spool/squid exists
Save and exit.
Start the service
squid -z # initialise the cache directories
systemctl start squid # start squid
systemctl status squid # check its status
On AWS we can harden this further by allowing only the test server's IP address to reach port 3128 in the security group.
Installing Squid (Proxy2, HTTPS)
Create a self-signed certificate
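The "http_access allow all" line above lets any host that can reach port 3128 use the proxy; the security-group rule is what keeps it from being an open proxy. As an added example that is not part of the original post, the shell functions below render a Squid access-control block that encodes the same restriction inside Squid itself, so the proxy stays closed even if the security group is later loosened, and check the rendered text before it is installed. The allowed source address (172.31.3.50/32) is an assumed placeholder for the test server.

```shell
# Added example, not from the original post. Renders a Squid ACL block that
# admits only one source (the test server) and ends with "deny all".
# 172.31.3.50/32 below is a constructed placeholder for the test server.

render_squid_acl() {
    # $1: allowed source in CIDR form, e.g. 172.31.3.50/32 (assumed address)
    cat <<EOF
# Only the test server may use this proxy; everything else is refused.
acl test_server src $1
http_access allow test_server
http_access allow localhost
# Squid stops at the first matching http_access rule, so the deny must be last.
# A trailing "allow all" would expose the proxy to every host reaching port 3128.
http_access deny all
http_port 3128
EOF
}

# Returns 0 when the rendered text ends its http_access rules with "deny all"
# and names the allowed source in an acl line; 1 otherwise.
check_squid_acl() {
    # $1: rendered config text, $2: the source that must be allowed
    last_rule=$(printf '%s\n' "$1" | grep '^http_access' | tail -n 1)
    [ "$last_rule" = "http_access deny all" ] || return 1
    printf '%s\n' "$1" | grep -qxF "acl test_server src $2" || return 1
    return 0
}

# Usage: render for the placeholder address and show it only if it passes the check.
conf=$(render_squid_acl 172.31.3.50/32)
if check_squid_acl "$conf" 172.31.3.50/32; then
    printf '%s\n' "$conf"
else
    echo "rendered ACL block failed the check" >&2
fi
```

Put the rendered block into /etc/squid/squid.conf in place of the allow-all rule (Squid evaluates http_access rules top to bottom and stops at the first match, so the deny has to be the last one), then run squid -k parse to let Squid check the syntax before restarting it.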
[root@ip-172-31-44-161 squid]# openssl req -new > test.csr
Generating a 2048 bit RSA private key
.................................................................................+++
.........+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
139923847673760:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1024 characters
139923847673760:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:116:
139923847673760:error:0907E06F:PEM routines:DO_PK8PKEY:read key:pem_pk8.c:130:
[root@ip-172-31-44-161 squid]# openssl req -new > test.csr
Generating a 2048 bit RSA private key
...........................................................+++
...............................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:tutu
Locality Name (eg, city) [Default City]:tokyo
Organization Name (eg, company) [Default Company Ltd]:tokyo
Organizational Unit Name (eg, section) []:tutu
Common Name (eg, your name or your server's hostname) []:tutu
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tutu
[root@ip-172-31-44-161 squid]# ls
cachemgr.conf cachemgr.conf.default errorpage.css errorpage.css.default mime.conf mime.conf.default privkey.pem squid.conf squid.conf.default test.csr
[root@ip-172-31-44-161 squid]# openssl rsa -in privkey.pem -out tutu.key
Enter pass phrase for privkey.pem:
writing RSA key
[root@ip-172-31-44-161 squid]# openssl x509 -in test.csr -out tutu.crt -req -signkey tutu.key -days 3650
Signature ok
subject=/C=cn/ST=tutu/L=tokyo/O=tokyo/OU=tutu/CN=tutu/[email protected]
Getting Private key
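The first openssl req attempt in the session above failed because the passphrase was shorter than the four characters OpenSSL requires, and the key then had to be decrypted again with openssl rsa so that Squid could read it. The script below is an added example, not from the original post: it produces the same kind of key and self-signed certificate in one non-interactive step and checks that the key is unencrypted and belongs to the certificate. The output directory, Common Name and validity are assumed placeholders; the subject fields copy the ones typed in the post.

```shell
# Added example, not from the original post. Builds the key/certificate pair
# for proxy2 in one non-interactive command and verifies the result.
# Directory, Common Name and validity are assumed placeholders.

make_selfsigned() {
    # $1: output directory, $2: Common Name, $3: validity in days (post uses 3650)
    outdir="$1"; cn="$2"; days="${3:-3650}"
    mkdir -p "$outdir"
    # -nodes : write the private key unencrypted (no passphrase prompt, so the
    #          separate "openssl rsa -in privkey.pem -out tutu.key" step from
    #          the post is not needed; Squid cannot answer a passphrase prompt
    #          at start-up anyway)
    # -subj  : supply the DN up front instead of answering the questions
    # -x509  : self-sign directly instead of CSR + "x509 -req -signkey"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/C=cn/ST=tutu/L=tokyo/O=tokyo/OU=tutu/CN=$cn" \
        -keyout "$outdir/tutu.key" -out "$outdir/tutu.crt" 2>/dev/null || return 1
    chmod 600 "$outdir/tutu.key"   # only the Squid process (root) needs to read it
}

# Returns 0 when the key is unencrypted and its public half matches the
# certificate; a passphrase-protected or mismatched key is the usual reason
# a TLS listener fails to come up.
check_keypair() {
    # $1: private key file, $2: certificate file
    if grep -q 'ENCRYPTED' "$1"; then
        return 1
    fi
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Prints the certificate subject, the same information the "subject=" line
# showed after "Signature ok" in the post.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Usage: build the pair in a scratch directory and show the subject when it checks out.
# On proxy2 the output directory would be /etc/squid, where the post keeps the files.
workdir=$(mktemp -d)
if make_selfsigned "$workdir" proxy2.internal.example && \
   check_keypair "$workdir/tutu.key" "$workdir/tutu.crt"; then
    cert_subject "$workdir/tutu.crt"
fi
rm -rf "$workdir"
```

On proxy2 point the output directory at /etc/squid, where the post keeps tutu.key and tutu.crt; the pair is then referenced from Squid's https_port directive (cert= and key= on Squid 3.5, tls-cert= and tls-key= on Squid 4 and later), a step the post does not show. The post's 3650-day validity is kept as the default; a shorter lifetime is easier to rotate.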
Start the service
squid -z # initialise
systemctl start squid # start
systemctl status squid # check status
At this point both proxy servers are set up.
Configuring the proxy
Finally we need to configure the internal machine to use the proxy servers.
Go to the test server.
First we edit the environment variables on the test server.
Edit /etc/profile
and add the following at the end:
export http_proxy=http://172.31.3.191:3128 # HTTP goes through the Squid on proxy1, port 3128 (HTTP proxy)
export https_proxy=http://127.0.0.1:8088 # HTTPS goes to the local stunnel listener on port 8088, which forwards it over TLS to the Squid on proxy2, port 443 (HTTPS proxy)
Download stunnel
We need stunnel to make the HTTPS access work.
stunnel is open-source software for encrypting and decrypting network connections. It wraps otherwise unencrypted connections (HTTP, SMTP, POP3 and so on) in SSL/TLS, which provides a higher level of security.
yum install -y openssl openssl-devel gcc # install dependencies
cd /root # go to root's home directory
wget https://www.stunnel.org/downloads/stunnel-5.70.tar.gz # download stunnel
tar -zvxf ./stunnel-5.70.tar.gz # extract the archive
cd stunnel-5.70/ # enter the extracted directory
./configure # configure the build
make && make install # compile and install
After compiling and installing,
go to the /usr/local/etc/stunnel/ directory:
cd /usr/local/etc/stunnel/
cp stunnel.conf-sample stunnel.conf
vim stunnel.conf # delete everything in the file, then edit it
Edit stunnel.conf
Enter the following:
; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2023
client = yes
[my_service]
accept = 127.0.0.1:8088
connect = <IP address of the proxy2 server>:443
Run stunnel
sudo stunnel /usr/local/etc/stunnel/stunnel.conf
Check that it is running
lsof -i:8088 # check whether stunnel is listening on port 8088
Apply the environment variables
source /etc/profile
Test
You can use curl to check whether access works:
curl https://google.com
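The stunnel.conf above has client = yes and the accept/connect pair but no verification options, so the tunnel accepts whatever certificate is presented on proxy2's port 443. The following added example, which is not part of the original post, renders the same client configuration with the self-signed tutu.crt from proxy2 pinned through verifyPeer and CAfile, keeps the listener on loopback, and checks both properties before the file is installed. The proxy2 address and the certificate path are assumed placeholders.

```shell
# Added example, not from the original post. Renders the stunnel client
# configuration for the test server with the self-signed certificate from
# proxy2 pinned, and checks the rendered text before it is installed.
# The proxy2 address and the certificate path are assumed placeholders.

render_stunnel_client() {
    # $1: proxy2 address, $2: path of proxy2's tutu.crt copied to this host
    cat <<EOF
; stunnel on the test server: plain HTTP on 127.0.0.1:8088 -> TLS -> proxy2:443
client = yes

[squid_tls]
accept = 127.0.0.1:8088
connect = $1:443
; Accept only the pinned self-signed certificate copied from proxy2.
; Without verifyPeer/CAfile any certificate presented on port 443 is trusted.
verifyPeer = yes
CAfile = $2
EOF
}

# Returns 0 when the config is a client, pins a peer certificate, and keeps the
# local listener on loopback; 1 otherwise.
check_stunnel_client() {
    # $1: rendered config text
    printf '%s\n' "$1" | grep -qx 'client = yes' || return 1
    printf '%s\n' "$1" | grep -qx 'verifyPeer = yes' || return 1
    printf '%s\n' "$1" | grep -q '^CAfile = .' || return 1
    # A listener on 0.0.0.0:8088 would let every host on the LAN relay through
    # the tunnel with proxy2's permissions.
    printf '%s\n' "$1" | grep -q '^accept = 127\.0\.0\.1:' || return 1
    return 0
}

# Usage: render with the placeholder address and print it if it passes the check.
conf=$(render_stunnel_client 172.31.3.192 /usr/local/etc/stunnel/tutu.crt)
if check_stunnel_client "$conf"; then
    printf '%s\n' "$conf"
else
    echo "stunnel client config failed the check" >&2
fi
```

Copy tutu.crt from proxy2 to the test server, write the rendered text to /usr/local/etc/stunnel/stunnel.conf, start stunnel as in the post, and confirm the listener with lsof -i:8088 (or ss -ltn). With https_proxy pointing at http://127.0.0.1:8088, curl https://google.com sends its CONNECT request to the local listener, which carries it over TLS to the Squid on proxy2; if proxy2 presents a certificate other than the pinned one, stunnel drops the connection and curl reports a proxy error instead of silently passing the traffic.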