
Squid + stunnel: a secure proxy for reaching Google and other sites

Preface:

As an IT worker I search Google for information all the time, but from inside China foreign sites are frequently unreachable, so everyone ends up needing a VPN or a proxy server.

Here I walk through building that proxy with Squid + stunnel. Squid does the HTTP proxying on the VPS; stunnel wraps the leg between you and the VPS in TLS, so the proxy traffic (and the sites you visit) are not sent across the network in the clear.


First of all:

You need a VPS outside the country; I use a VULTR host myself.


1. Proxy server (VPS): the VPS host, with Squid + stunnel installed;

2. Local server: for a LAN with several clients, with stunnel installed;

3. Clients: connect to the local server as an ordinary HTTP proxy;

PS: If you are building this just for yourself, install stunnel on the client and connect it straight to the proxy server.

VPS configuration:

1). Install Squid and stunnel

yum -y install squid stunnel

PS: Further reading: http://home.arcor.de/pangj/squid/ (Chinese translation of "Squid: The Definitive Guide")


2). Configure Squid

vim /etc/squid/squid.conf
Comment out:  http_port 3128
Add:          http_port 127.0.0.1:3333
Keep "http_access deny all" as the last access rule, and add "http_access allow localhost" above it (localhost is the ACL for 127.0.0.1 in the stock squid.conf).
Start Squid: service squid start

Why these two settings: stunnel hands traffic to Squid over loopback (127.0.0.1:3333, see step 4), so Squid has no reason to listen anywhere else. A bare "http_port 3333" listens on every interface, and the original post's "http_access allow all" admits anyone who reaches it; together they turn the VPS into an open proxy that bypasses the TLS tunnel entirely. Moving off port 3128 hides nothing from a port scan; the loopback bind and the ACL are what keep strangers out.
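To make the loopback bind and the access rule concrete, here is an added example in shell (not from the original post): it writes a minimal hardened squid.conf and then lints any squid.conf for the two settings that make it an open proxy. Port 3333 comes from the post; the ACL name tunnel_client and the via/forwarded_for privacy lines are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the original post: render a Squid config that is
# reachable only through the stunnel listener on the same host, plus a small
# lint that flags the two settings which turn Squid into an open proxy.
# Port 3333 is taken from the post; the loopback bind, the ACL name
# tunnel_client and the privacy directives are assumptions of this example.

# Write a minimal hardened squid.conf to the path in $1.
write_squid_conf() {
    cat > "$1" <<'EOF'
# Listen on loopback only: the only legitimate client is stunnel on this host,
# so the plaintext proxy port is never exposed to the Internet.
http_port 127.0.0.1:3333

# Admit only loopback (stunnel) traffic; "allow all" would make this an open proxy.
acl tunnel_client src 127.0.0.1/32
http_access allow tunnel_client
# Keep "deny all" as the last rule, as in the stock squid.conf.
http_access deny all

# Do not advertise the proxy or the original client address to origin servers
# (forwarded_for delete needs Squid 3.1 or later).
via off
forwarded_for delete
EOF
}

# Lint a squid.conf ($1). Exit 0 if it is safe, 1 (with reasons on stderr)
# if it listens on all interfaces or allows everyone.
check_squid_conf() {
    f="$1"
    bad=0
    # Every http_port line must carry an explicit loopback address; a bare
    # "http_port 3333" (or no http_port at all, which defaults to 3128) binds
    # to every interface and bypasses the TLS tunnel entirely.
    listeners=$(grep -E '^[[:space:]]*http_port([[:space:]]|$)' "$f" || true)
    if printf '%s\n' "$listeners" \
        | grep -vqE '^[[:space:]]*http_port[[:space:]]+(127\.0\.0\.1|\[::1\]|localhost):[0-9]+'; then
        echo "$f: http_port not bound to loopback (open listener)" >&2
        bad=1
    fi
    if grep -qE '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$f"; then
        echo "$f: 'http_access allow all' makes this an open proxy" >&2
        bad=1
    fi
    return "$bad"
}

# Stand-alone demo: write the hardened config and lint it next to the
# post's original settings (port on all interfaces, allow all).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_squid_conf "$tmp/squid.conf"
    check_squid_conf "$tmp/squid.conf" && echo "hardened config: OK"
    printf '%s\n' 'http_port 3333' 'http_access allow all' > "$tmp/open.conf"
    check_squid_conf "$tmp/open.conf" || echo "open config: rejected"
    rm -rf "$tmp"
fi
```

Saved as a script and run with the argument "demo", it shows the hardened file passing and the post's original settings failing; pointing check_squid_conf at /etc/squid/squid.conf after editing is a quick way to confirm nothing listens outside loopback before you start stunnel.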

3). Generate the PEM certificate

cd /etc/stunnel    # enter the stunnel directory; create it if it does not exist
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Generating a 2048 bit RSA private key
.+++
.........................+++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:fandenggui          
Organizational Unit Name (eg, section) []:fandenggui
Common Name (eg, your name or your server's hostname) []:fandenggui.com
Email Address []:admin@fandenggui.com  
# Append DH parameters to the same file. The original post used "openssl gendh 512":
# gendh is deprecated and 512-bit DH is breakable (see the Logjam attack), so
# generate 2048-bit parameters instead (this takes a minute or two):
openssl dhparam 2048 >> stunnel.pem
# -nodes left the private key unencrypted inside stunnel.pem, so restrict the file to root
# (stunnel reads it before dropping privileges):
chmod 600 stunnel.pem


4). Configure stunnel

useradd -r -M stunnel
mkdir /var/run/stunnel
vim /etc/stunnel/stunnel.conf
; **************************************************************************
; * Global options                                                         *
; **************************************************************************
chroot = /var/run/stunnel/ 
setuid = stunnel
setgid = stunnel

pid = /stunnel.pid
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/mail.pem

;verify = 2
;CApath = /certs
CAfile = /etc/stunnel/stunnel.pem
;CAfile = /etc/pki/tls/certs/ca-bundle.crt
;CRLpath = /crls
;CRLfile = /etc/stunnel/crls.pem

options = NO_SSLv2
; SSLv3 is also broken (POODLE); leave only TLS enabled.
options = NO_SSLv3
;options = DONT_INSERT_EMPTY_FRAGMENTS
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************
[sproxy]
accept = 4444
connect = 127.0.0.1:3333

Running the stunnel command starts the daemon directly; if it prints a message, it did not start, and the message tells you what to check.
stunnel
ps aux | grep stunnel   # check that the process is running; a reference config ships at /usr/share/doc/stunnel-4.56/stunnel.conf-sample

Install and configure stunnel on the local server:

yum install stunnel -y
useradd -r -M stunnel
mkdir /var/run/stunnel

# Copy the certificate created on the VPS to the local server. Only the certificate
# (the -----BEGIN CERTIFICATE----- block) is needed here; the private key stays on the
# VPS, and in client mode no cert/key is required unless the VPS verifies clients.
vim /etc/stunnel/stunnel.conf
; **************************************************************************
; * Global options                                                         *
; **************************************************************************
chroot = /var/run/stunnel/ 
setuid = stunnel
setgid = stunnel

pid = /stunnel.pid
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
; No cert or key on the client side: the VPS private key must never be copied here.
;cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/mail.pem

; Verify the VPS certificate against CAfile. The original post left this commented
; out, which makes CAfile meaningless: the client would accept any certificate and
; the tunnel could be intercepted by anyone on the path. With a self-signed
; certificate, CAfile is that certificate itself, which pins the tunnel to the key
; generated on the VPS.
verify = 2
;CApath = /certs
; The VPS certificate (CERTIFICATE block only, no private key).
CAfile = /etc/stunnel/stunnel.pem
;CAfile = /etc/pki/tls/certs/ca-bundle.crt
;CRLpath = /crls
;CRLfile = /etc/stunnel/crls.pem

options = NO_SSLv2
; SSLv3 is also broken (POODLE); leave only TLS enabled.
options = NO_SSLv3
;options = DONT_INSERT_EMPTY_FRAGMENTS
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************
[contovps]
; client = yes is required here; the original post omitted it. Without it this
; stunnel acts as a TLS server on 1080 and sends plaintext to the VPS.
client = yes
; 1080 is a plaintext HTTP proxy for the LAN; firewall it so only the LAN can reach it.
accept = 0.0.0.0:1080
connect = <proxy server IP>:4444

stunnel   # start the service
ps aux | grep stunnel  # check that it is running
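The local-server config above and the stand-alone client config in the test section below need the same two fixes, so here is one added shell example (not from the original post) that serves both: it splits the VPS certificate out of stunnel.pem so the private key is never copied, writes a client stunnel.conf with client = yes and verify = 2, and checks an existing config for those lines. The placeholder address 203.0.113.10:4444, the file name /etc/stunnel/vps-cert.pem and the function names are assumptions of the example; the awk/grep logic needs no network and runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. It prepares the client side of
# the tunnel (a local server, or a single client) so that it actually
# authenticates the VPS. Assumptions: the VPS file stunnel.pem from the post
# (private key + certificate + DH params concatenated), 203.0.113.10:4444 as
# a placeholder VPS address, /etc/stunnel/vps-cert.pem as the trust file name.

# Copy only the CERTIFICATE block(s) from $1 into $2. The client needs the VPS
# public certificate to verify the peer; the private key that -keyout placed
# in the same file must stay on the VPS.
extract_cert_only() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { p = 0 }' "$1" > "$2"
    chmod 644 "$2"
}

# Exit 0 if $1 contains no private key, i.e. it is safe to hand to clients.
pem_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Print the SHA-256 fingerprint of the certificate in $1. Run it on the VPS
# and on the client and compare the two out of band; a mismatch means the
# file was altered in transit. Needs openssl; reports and skips if absent.
cert_fingerprint() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Write a client stunnel.conf to $1, trusting the certificate in $2 and
# forwarding local port 1080 to the VPS at $3 (host:port).
# "client = yes" and "verify = 2" are the lines missing from the post's
# local-server config: without client = yes stunnel acts as a TLS server,
# and without verify = 2 it accepts any certificate, so a man in the middle
# can terminate the tunnel and read the proxy traffic.
write_client_conf() {
    cat > "$1" <<EOF
chroot = /var/run/stunnel/
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

options = NO_SSLv2
options = NO_SSLv3

[contovps]
client = yes
; verify = 2: the VPS must present a certificate that chains to CAfile.
; With a self-signed certificate, CAfile is that certificate itself,
; which pins the tunnel to the key generated on the VPS.
verify = 2
CAfile = $2
; 0.0.0.0 exposes a plaintext proxy to the whole LAN; use 127.0.0.1 on a
; single client and a firewall rule on a shared local server.
accept = 0.0.0.0:1080
connect = $3
EOF
}

# Exit 0 if the config in $1 authenticates the VPS, 1 with a reason otherwise.
# Commented-out lines such as ";verify = 2" (as in the original post) do not count.
check_client_conf() {
    grep -qE '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$1" \
        || { echo "$1: missing 'client = yes'" >&2; return 1; }
    grep -qE '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[23]' "$1" \
        || { echo "$1: verify not set, any certificate is accepted" >&2; return 1; }
    grep -qE '^[[:space:]]*CAfile[[:space:]]*=' "$1" \
        || { echo "$1: no CAfile to verify the VPS certificate against" >&2; return 1; }
}

# Usage on the local server, after copying the VPS stunnel.pem over scp:
#   extract_cert_only ./stunnel.pem /etc/stunnel/vps-cert.pem
#   cert_fingerprint /etc/stunnel/vps-cert.pem      # compare with the VPS copy
#   write_client_conf /etc/stunnel/stunnel.conf /etc/stunnel/vps-cert.pem 203.0.113.10:4444
#   check_client_conf /etc/stunnel/stunnel.conf && stunnel
```

The same client = yes, verify = 2 and CAfile lines go into the Windows stunnel client's configuration file in step 2 of the client test below; only the paths change.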


Client connection test:

1). If you use a local server, configure an HTTP proxy with the SwitchyOmega browser extension or with IE's built-in HTTP proxy setting; the extension is the more flexible of the two.

<local server IP>:1080

2). If there is no local server, download the client for your OS from https://www.stunnel.org/downloads.html

Edit the configuration file (the same verify and CAfile lines as on the local server, with the VPS certificate, not its private key, copied next to it):
client = yes
verify = 2
CAfile = <path to the VPS certificate>
[contovps]
accept = 127.0.0.1:1080
connect = <proxy server IP>:4444

Listening on 127.0.0.1 rather than 0.0.0.0 keeps the plaintext proxy port off the machine's network interfaces. After starting the program, set the HTTP proxy in the browser extension / IE proxy settings in the same way:

127.0.0.1:1080


Published in: Other services and applications
