Using Squid to proxy HTTP and HTTPS

Preface

At work we regularly need Squid to proxy outbound network access. One scenario: there are two proxy servers, Proxy1 and Proxy2, and our servers on the internal network have to reach the external network through them.

Suppose the internal server that needs outbound access is called test. We configure Proxy1 as a plain HTTP proxy and Proxy2 as a proxy that test reaches over HTTPS (the client-to-proxy hop is wrapped in TLS).
I got this working by following articles from others online, so I am writing it down here.
The steps below implement it.

Install Squid (Proxy1, HTTP)

Install dependencies (the packaged Squid does not need gcc or openssl-devel; they are only required for building from source, which we do later for stunnel)

yum install -y gcc openssl openssl-devel

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package 1:openssl-1.0.2k-24.amzn2.0.7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:7.3.1-15.amzn2 will be installed
--> Processing Dependency: cpp = 7.3.1-15.amzn2 for package: gcc-7.3.1-15.amzn2.x86_64
...
Dependency Installed:
  cpp.x86_64 0:7.3.1-15.amzn2                      glibc-devel.x86_64 0:2.26-63.amzn2          glibc-headers.x86_64 0:2.26-63.amzn2    kernel-headers.x86_64 0:5.10.184-175.749.amzn2  
  keyutils-libs-devel.x86_64 0:1.5.8-3.amzn2.0.2   krb5-devel.x86_64 0:1.15.1-55.amzn2.2.5     libatomic.x86_64 0:7.3.1-15.amzn2       libcilkrts.x86_64 0:7.3.1-15.amzn2              
  libcom_err-devel.x86_64 0:1.42.9-19.amzn2.0.1    libitm.x86_64 0:7.3.1-15.amzn2              libkadm5.x86_64 0:1.15.1-55.amzn2.2.5   libmpc.x86_64 0:1.0.1-3.amzn2.0.2               
  libmpx.x86_64 0:7.3.1-15.amzn2                   libquadmath.x86_64 0:7.3.1-15.amzn2         libsanitizer.x86_64 0:7.3.1-15.amzn2    libselinux-devel.x86_64 0:2.5-12.amzn2.0.2      
  libsepol-devel.x86_64 0:2.5-8.1.amzn2.0.2        libverto-devel.x86_64 0:0.2.5-4.amzn2.0.2   mpfr.x86_64 0:3.1.1-4.amzn2.0.2         pcre-devel.x86_64 0:8.32-17.amzn2.0.3           
  zlib-devel.x86_64 0:1.2.7-19.amzn2.0.2          

Complete!

Install Squid

yum install squid

Edit /etc/squid/squid.conf

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access allow all           # the stock line is "deny all"; this post changes it to "allow all"

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid       # keep this line uncommented and make sure /var/spool/squid exists

Changing the final rule to `http_access allow all` turns Proxy1 into an open proxy: any host that can reach TCP 3128 can relay traffic through it using Proxy1's egress address, and only the security-group rule below then limits who that is. The safer change is to leave `http_access deny all` in place and make sure the test server is matched by an earlier allow rule, either by adding its address to the `localnet` ACL or with a dedicated `acl ... src` line. With the 172.31.x.x addresses used in this post, the stock `acl localnet src 172.16.0.0/12` line already matches, so the `allow localnet` rule above covers test without any change to the final rule.

Save and exit

Start the service

squid -z                    # initialise the cache directories
systemctl start squid       # start squid
systemctl status squid      # check its status

On AWS, tighten this further in Proxy1's security group by allowing only the test server's IP address to reach port 3128. Treat that as defence in depth, not a replacement for Squid's own `http_access` rules: a security group change or a second host in the same group silently widens who can use the proxy.
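A tighter squid.conf for Proxy1, as an added example that is not from the original post: the stock `deny all` stays, and a dedicated ACL admits only the test server. The address 10.0.0.5 is a placeholder for test's private IP; `Safe_ports` and `SSL_ports` are ACLs already defined in the default squid.conf.

```conf
# /etc/squid/squid.conf on Proxy1 (added example; 10.0.0.5 is a placeholder for the test server)
acl test_server src 10.0.0.5/32

# Stock hygiene rules: no CONNECT to non-TLS ports, no unusual destination ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only the test server and the proxy itself may use this proxy
http_access allow test_server
http_access allow localhost

# Keep the stock final rule instead of changing it to "allow all"
http_access deny all

http_port 3128
coredump_dir /var/spool/squid
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure`; a request from any other host should then be answered with Squid's 403 "Access Denied" page rather than relayed.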

Install Squid (Proxy2, HTTPS)

Install Squid on Proxy2 the same way as on Proxy1. The extra step here is a TLS certificate for the listener that the test server's stunnel will connect to.

Generate a self-signed certificate

The first `openssl req` attempt below fails because the PEM passphrase must be 4 to 1024 characters; the second attempt succeeds and writes an encrypted key (privkey.pem) plus a CSR (test.csr). The passphrase is then stripped with `openssl rsa` so Squid can load the key at startup without a prompt, and the CSR is self-signed with that key for ten years. Keep tutu.key readable by root only; only tutu.crt is ever copied to other machines.

[root@ip-172-31-44-161 squid]# openssl req -new > test.csr
Generating a 2048 bit RSA private key
.................................................................................+++
.........+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
139923847673760:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1024 characters
139923847673760:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:116:
139923847673760:error:0907E06F:PEM routines:DO_PK8PKEY:read key:pem_pk8.c:130:
[root@ip-172-31-44-161 squid]# openssl req -new > test.csr
Generating a 2048 bit RSA private key
...........................................................+++
...............................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:tutu
Locality Name (eg, city) [Default City]:tokyo
Organization Name (eg, company) [Default Company Ltd]:tokyo
Organizational Unit Name (eg, section) []:tutu
Common Name (eg, your name or your server's hostname) []:tutu
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tutu
[root@ip-172-31-44-161 squid]# ls
cachemgr.conf  cachemgr.conf.default  errorpage.css  errorpage.css.default  mime.conf  mime.conf.default  privkey.pem  squid.conf  squid.conf.default  test.csr
[root@ip-172-31-44-161 squid]# openssl rsa -in privkey.pem -out tutu.key
Enter pass phrase for privkey.pem:
writing RSA key
[root@ip-172-31-44-161 squid]# openssl x509 -in test.csr -out tutu.crt -req -signkey tutu.key -days 3650
Signature ok
subject=/C=cn/ST=tutu/L=tokyo/O=tokyo/OU=tutu/CN=tutu/[email protected]
Getting Private key
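The same result in one non-interactive command, as an added example that is not from the original post: `-x509` self-signs directly instead of going through a CSR, `-nodes` writes the key unencrypted (the same effect as the `openssl rsa` step above), and a subjectAltName carrying the proxy's IP is supplied through a small config file rather than `-addext`, so it also works on OpenSSL 1.0.2 (the version in the yum output above). The output directory, name and IP are parameters; `cert_matches_key` and `cert_san` are helpers added here for checking the result.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed cert for Squid's TLS listener.
# Usage: make_proxy_cert OUTDIR NAME IP   e.g. make_proxy_cert /etc/squid tutu 172.31.3.192
set -eu

make_proxy_cert() {
    outdir=$1 name=$2 ip=$3
    cfg=$(mktemp)
    # Minimal openssl config: the DN comes from -subj, v3_req adds a SAN with the proxy's IP.
    # A file is used instead of -addext so this also runs on OpenSSL 1.0.2.
cat > "$cfg" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_req]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # -x509: self-sign directly (no CSR round trip); -nodes: unencrypted key so squid can start unattended
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$name" -config "$cfg" -extensions v3_req \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$outdir/$name.key"   # only root (which starts squid) may read the private key
}

# True when the certificate's public key matches the private key
# (catches mixed-up files before squid refuses to start).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Prints the subjectAltName line so you can confirm the IP that stunnel will connect to is in the cert.
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}
```

Run `make_proxy_cert /etc/squid tutu <Proxy2 IP>` on Proxy2, then `cert_matches_key /etc/squid/tutu.crt /etc/squid/tutu.key` before starting Squid. The IP in the SAN is not needed for the certificate pinning used later on the test server, but it is what a client would check if it ever verifies the certificate by name instead.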

Start the service

squid -z                # initialise the cache directories
systemctl start squid   # start squid
systemctl status squid  # check its status
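The post does not show Proxy2's squid.conf, but for the tunnel to work Squid on Proxy2 must listen for TLS on port 443 with the certificate generated above. The fragment below is an added example (not from the original post); it assumes tutu.crt and tutu.key were left in /etc/squid/ and that 10.0.0.5 is a placeholder for the test server.

```conf
# /etc/squid/squid.conf on Proxy2 (added example)
# TLS listener on 443; this is what stunnel on the test server connects to.
# https_port only works if Squid was built with OpenSSL support: check
# `squid -v | grep -i openssl` for --with-openssl or --enable-ssl before relying on it.
# Squid 4 and later spell these options tls-cert= and tls-key=.
https_port 443 cert=/etc/squid/tutu.crt key=/etc/squid/tutu.key

# Same ACL shape as Proxy1: only the test server, and keep the stock deny all
acl test_server src 10.0.0.5/32
http_access allow test_server
http_access allow localhost
http_access deny all
```

Validate with `squid -k parse`, restart Squid, and open port 443 (not 3128) from the test server in Proxy2's security group. Inside the tunnel the traffic is an ordinary proxy session, so the usual `CONNECT` requests for HTTPS destinations arrive here in the clear after stunnel has stripped the TLS layer.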

At this point both proxy servers are set up.

Configure the client

Finally, the internal machine has to be told to use the proxy servers.

On the test server

First, set the proxy environment variables on test.

Edit /etc/profile

Append at the end:

export http_proxy=http://172.31.3.191:3128                          # HTTP goes straight to Squid on Proxy1, port 3128
export https_proxy=http://127.0.0.1:8088                            # HTTPS goes to the local stunnel listener on 8088, which forwards over TLS to Squid on Proxy2, port 443

Note that https_proxy still uses an http:// URL: the client speaks plain HTTP to stunnel on loopback, and stunnel adds the TLS to Proxy2. Also keep in mind that /etc/profile only affects login shells; daemons and cron jobs need the variables in their own environment (yum, for example, reads `proxy=` from /etc/yum.conf). Set `no_proxy` as well for addresses that must not be sent through the proxy, such as 127.0.0.1 and, on AWS, the instance metadata address 169.254.169.254.

Download stunnel

We need stunnel to provide the TLS hop to Proxy2.

stunnel is open-source software that wraps network connections in TLS. It lets an unencrypted protocol (HTTP, SMTP, POP3 and so on) be carried over SSL/TLS without changing the application.

yum install -y openssl openssl-devel gcc    # build dependencies

cd /root    # go to root's home directory

wget https://www.stunnel.org/downloads/stunnel-5.70.tar.gz  # download stunnel (check the signature or hash published on stunnel.org before building)

tar -zvxf ./stunnel-5.70.tar.gz     # unpack the archive

cd stunnel-5.70/    # enter the unpacked directory

./configure     # configure the build
make && make install    # build and install

After installation

Go to /usr/local/etc/stunnel/

cd /usr/local/etc/stunnel/
cp stunnel.conf-sample stunnel.conf
vim stunnel.conf  # delete everything in the file, then edit

Edit stunnel.conf

Enter the following:

; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2023
client = yes

[my_service]
accept = 127.0.0.1:8088
connect = <Proxy2 IP address>:443
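As written, stunnel does not verify Proxy2's certificate, so whatever answers on that address (a wrong `connect` value, or anything that can get between test and Proxy2) is accepted silently and becomes the proxy for all of test's HTTPS traffic. Because the certificate is self-signed, the fix is to pin it: copy tutu.crt (the public certificate only, never tutu.key) from Proxy2 to the test server and let stunnel accept only that certificate. The configuration below is an added example, not from the original post; the Proxy2 address 172.31.3.192 and the path of the copied certificate are placeholders.

```conf
; /usr/local/etc/stunnel/stunnel.conf on the test server (added example; 172.31.3.192 is a placeholder for Proxy2)
client = yes
; refuse anything below TLS 1.2 (stunnel 5.x option)
sslVersionMin = TLSv1.2

[squid_https]
; plaintext side stays on loopback so other hosts cannot use test as a relay
accept = 127.0.0.1:8088
connect = 172.31.3.192:443
; Pin Proxy2's self-signed certificate: only a server presenting exactly this certificate is accepted
verifyPeer = yes
CAfile = /usr/local/etc/stunnel/proxy2.crt
```

To confirm the pin actually bites, point CAfile at some other certificate for a moment: `curl https://google.com` must then fail and stunnel's log must show the rejected peer certificate. Whenever Proxy2's certificate is regenerated, the copy on the test server has to be replaced or the tunnel stops working, which is the intended behaviour.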

Run stunnel

sudo stunnel /usr/local/etc/stunnel/stunnel.conf

Check it is running

lsof -i:8088    # check that stunnel is listening on port 8088

Apply the environment variables

source /etc/profile

Test

Use curl to check that access works:

curl https://google.com

Add -v to see curl pick up the proxy variables and send its CONNECT request to 127.0.0.1:8088 instead of to the site directly; if the tunnel is down, the request fails with a connection error on 8088 rather than falling back to a direct connection.

References

https://blog.51cto.com/u_6215974/4938225
