Operation record: going online through a Squid proxy over HTTP and HTTPS

Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

4. Username and password authentication for squid

Country Name (2 letter code) [XX]:cn #country

Approach:
In the IDC machine room, find two other servers that have public-network access, server B (58.68.250.8/192.168.1.8) and server C (58.68.250.5/192.168.1.5); these two servers and the intranet-only server A can all ping each other.
Of these:
Deploy a Squid HTTP proxy on server B, so that server C goes online through its Squid proxy and can successfully access HTTP.
Deploy a Squid HTTPS proxy on server C, so that server C goes online through its Squid proxy and can successfully access HTTPS.
  [stunnel needs to be installed on the client]

#error_log logs/error.log notice;

Check the nginx build parameters: /usr/local/nginx/sbin/nginx -V




cd /usr/local/nginx/conf/ssl #enter the directory

[root@openstack squid]# squid -z                          #initialize
2016/08/09 13:35:12| Creating Swap Directories

8.1 Issue and generate an SSL certificate

The manual certificate issuing procedure is as follows:
[root@linux-node1 ~]# cd /usr/local/nginx/conf/
[root@linux-node1 conf]# mkdir ssl
[root@linux-node1 conf]# cd ssl/
[root@linux-node1 ssl]# openssl genrsa -des3 -out aoshiwei.com.key 1024

Generating RSA private key, 1024 bit long modulus
…………………………..++++++
………………………………++++++
e is 65537 (0x10001)
Enter pass phrase for aoshiwei.com.key:                    #prompts for a passphrase; for example, enter 123456 here
Verifying - Enter pass phrase for aoshiwei.com.key:     #confirm the passphrase; enter 123456 again

#Sign the certificate with the private key and CSR above

Then restart the iptables service
[root@openstack squid]# /etc/init.d/iptables restart

/usr/bin/htpasswd -c /etc/squid/passwd mimvp-guest


An optional company name []:osyunwei                                  #company name; required when the CA reads the certificate

The operation record for this requirement follows:


A challenge password []:123456                                        #certificate request password; required when the CA reads the certificate

1) Install squid
Install squid online directly with yum
[root@openstack ~]# yum install -y gcc openssl openssl-devel           #the dependencies must be installed first
[root@openstack ~]# yum install squid

After adding it, the configuration is as follows:

1) Compile and install nginx
[root@opd ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@opd ~]# cd /usr/local/src
[root@src ~]# wget
[root@src ~]# tar -zxvf nginx-1.8.0.tar.gz
[root@src ~]# cd nginx-1.8.0
#add the www user; the -M option means no home directory is created and -s specifies the shell

2. Open the default HTTPS port 443 in the firewall

If iptables firewall rules are enabled, you also need to add the following line to /etc/sysconfig/iptables to allow access to port 3128:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

5.1 Parameter check

#error_log logs/error.log info;

:wq! #save and exit

Background:
The company's IDC machine room has a server A that only has an intranet environment: 192.168.1.150
This server now needs outbound access, i.e. it must be able to make HTTP and HTTPS requests normally (ports 80 and 443)

to be sent with your certificate request


If iptables firewall rules are enabled, you also need to add the following line to /etc/sysconfig/iptables to allow access to port 3128:

user  nobody;

ssl_certificate_key /usr/local/nginx/conf/ssl/server_nopassword.key;

After installation, modify the contents of squid.conf; back the file up before modifying it
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak
[root@openstack squid]# vim squid.conf
http_access allow all                 #change deny to allow
http_port 192.168.1.8:3128
cache_dir ufs /var/spool/squid 100 16 256                   #uncomment this line and make sure the cache directory /var/spool/squid exists

systemctl enable squid.service 


#enter the corresponding information as prompted

1. Operation record on server B (HTTP proxy)

# rpm -qa | grep squid

Next, configure the SSL certificate manually
If you issue the certificate yourself, browsers will not trust the HTTPS site, i.e. the browser shows a big red cross on HTTPS
****************************************************
A recommended free site:
See this tutorial for StartSSL:
****************************************************

Common Name (eg, your name or your server's hostname) []:osyunwei     #hostname

1) Install squid
Install squid online directly with yum
[root@openstack ~]# yum install -y gcc openssl openssl-devel           #the dependencies must be installed first
[root@openstack ~]# yum install squid
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak

squid -z 


configure arguments: --prefix=/usr/local/nginx --with-google_perftools_module --without-http_memcached_module --user=www --group=www --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-1.0.1h --with-zlib=/usr/local/src/zlib-1.2.8 --with-pcre=/usr/local/src/pcre-8.35

2) Start squid; test and initialize before starting
[root@openstack squid]# squid -k parse                    #test
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
…………..
…………..
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context

and add the corresponding user information

ssl_certificate /usr/local/nginx/conf/ssl/server.crt;

2) Now generate the encrypted proxy certificate:
[root@bastion-IDC squid]# pwd
/etc/squid
[root@bastion-IDC squid]# openssl req -new > lidongbest5.csr

Generating a 2048 bit RSA private key
………………………………………………………………..+++
……………………………………………………………………………………………+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:                                                  #enter a passphrase, it is needed later; for example, enter 123456 here


openssl x509 -req -days 365 -in server.csr -signkey server_nopassword.key -out server.crt


State or Province Name (full name) []:zhejiang #province

If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:cn                                  #country
State or Province Name (full name) []:beijing                         #province
Locality Name (eg, city) [Default City]:beijing                       #locality name
Organization Name (eg, company) [Default Company Ltd]:huanqiu         #company name
Organizational Unit Name (eg, section) []:Technology                  #department
Common Name (eg, your name or your server's hostname) []:huanqiu      #CA hostname
Email Address []:wangshibo@xqshijie.cn                                #email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                        #certificate request password; required when the CA reads the certificate
An optional company name []:huanqiu                                   #company name; required when the CA reads the certificate

[root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key

Enter pass phrase for privkey.pem:                                      #enter the passphrase set above, 123456
writing RSA key

[root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650

Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key

Modify the squid.conf configuration file
[root@bastion-IDC squid]# vim squid.conf
http_access allow all                 #change deny to allow
#http_port 3128                       #comment this out
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key        #add this line
cache_dir ufs /var/spool/squid 100 16 256                   #uncomment this line and make sure the cache directory /var/spool/squid exists

3) Restart the squid service
[root@bastion-IDC squid]# squid -k parse
[root@bastion-IDC squid]# squid -z
[root@bastion-IDC squid]# squid reload
[root@bastion-IDC squid]# /etc/init.d/squid restart

If iptables firewall rules are enabled, you also need to add the following line to /etc/sysconfig/iptables to allow access to port 443:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Then restart the iptables service
[root@bastion-IDC squid]# /etc/init.d/iptables restart


3. Operation record on server A (the client)

1) Install and configure stunnel

Turn off the client's iptables firewall
[root@dev-new-test1 ~]# /etc/init.d/iptables stop

[root@dev-new-test1 ~]# cd /usr/local/src/
[root@dev-new-test1 src]# pwd
/usr/local/src

Download:
(extraction code: pc7p)

[root@dev-new-test1 ~]# yum install -y openssl openssl-devel gcc

[root@dev-new-test1 src]# ls
stunnel-5.35.tar.gz
[root@dev-new-test1 src]# tar -zvxf stunnel-5.35.tar.gz
[root@dev-new-test1 src]# ls
stunnel-5.35 stunnel-5.35.tar.gz
[root@dev-new-test1 src]# cd stunnel-5.35
[root@dev-new-test1 stunnel-5.35]# ./configure
[root@dev-new-test1 stunnel-5.35]# make && make install

After installation, configure stunnel.conf
[root@dev-new-test1 stunnel-5.35]# cd /usr/local/etc/stunnel/
[root@dev-new-test1 stunnel]# ls
stunnel.conf-sample
[root@dev-new-test1 stunnel]# cp stunnel.conf-sample stunnel.conf
[root@dev-new-test1 stunnel]# ls
stunnel.conf stunnel.conf-sample
[root@dev-new-test1 stunnel]# cat stunnel.conf             #clear the original contents and write:
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
#the local stunnel listens on port 8088 and connects to port 443 of the squid server 192.168.1.5; then configure local port 8088 as the proxy in /etc/profile (below)
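Added here as an editor's example, not part of the original article: a small Python audit of the two configurations this page writes, the squid.conf on server C and the stunnel.conf above. It flags the two settings a practitioner should tighten before relying on this setup: `http_access allow all` makes the Squid instance an open proxy for any host that can reach the port, and a stunnel client with no `verify`/`CAfile` never checks the certificate the squid server presents, so the tunnel could be intercepted on the intranet. The hardened variants, the `localnet` ACL name and the certificate path are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed samples, copied from the settings this page writes into squid.conf and stunnel.conf.
SQUID_CONF_PAGE = """http_access allow all
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
"""
# Hardened variant (assumed ACL name 'localnet'): only the intranet may use the proxy.
SQUID_CONF_FIXED = """acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
"""
STUNNEL_CONF_PAGE = """client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
"""
# Hardened variant: the client pins the self-signed squid certificate (assumed path) and verifies it.
STUNNEL_CONF_FIXED = """client = yes
verify = 2
CAfile = /usr/local/etc/stunnel/lidongbest5.crt
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
"""

def audit_squid(text):
    """Findings for a squid.conf: 'http_access allow all' with no source ACL is an open proxy."""
    findings = []
    has_src_acl = re.search(r"^acl\s+\S+\s+src\b", text, re.M) is not None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["http_access", "allow", "all"]:
            findings.append("http_access allow all: any host that can reach the port may relay traffic; "
                            "allow only a 'src' ACL for the intranet and deny all after it")
    if not has_src_acl:
        findings.append("no 'acl ... src' line: no source-network restriction is defined")
    return findings

def audit_stunnel(text):
    """Findings for a stunnel client config: without verify >= 2 and a CAfile any server cert is accepted."""
    cp = ConfigParser(interpolation=None)
    cp.read_string("[DEFAULT]\n" + text)  # global options become defaults for every service section
    findings = []
    for name in cp.sections():
        svc = cp[name]
        if svc.get("client", "no").lower() == "yes" and (int(svc.get("verify", "0")) < 2 or not svc.get("cafile")):
            findings.append(f"[{name}] -> {svc.get('connect')}: server certificate is not verified; "
                            "add 'verify = 2' and 'CAfile = <path to the squid certificate>'")
    return findings
```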

2) Start the stunnel service
[root@dev-new-test1 stunnel]# /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
[root@dev-new-test1 stunnel]# ps -ef|grep stunnel
root 20281 1 0 02:23 ? 00:00:00 /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
root 20283 13002 0 02:23 pts/0 00:00:00 grep --color stunnel
[root@dev-new-test1 stunnel]# lsof -i:8088
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
stunnel 20281 root 7u IPv4 745475 0t0 TCP localhost:radan-http (LISTEN)

3) Configure the /etc/profile system environment variables
Add the following two lines at the bottom
[root@dev-new-test1 stunnel]# vim /etc/profile
……………
export http_proxy=                         #this goes online through the squid on port 3128 of server A (HTTP proxy)
export https_proxy=                        #this goes online through the squid on port 443 of server B (HTTPS proxy)

[root@dev-new-test1 stunnel]# source /etc/profile                  #apply the configuration

4) Test:
[root@dev-new-test1 stunnel]# curl                   #access to port 80 OK
[root@dev-new-test1 stunnel]# curl                   #access to port 443 OK
[root@dev-new-test1 stunnel]# yum list               #yum works normally
[root@dev-new-test1 stunnel]# wget                   #wget downloads normally

Permanent link for this article: http://www.linuxidc.com/Linux/2017-02/140398.htm


systemctl start squid.service


:wq! #save and exit

2. Operation record on server C (HTTPS proxy)

7. View the squid logs


Organization Name (eg, company) [Default Company Ltd]:osyunwei #company

[root@openstack squid]# /etc/init.d/squid start
Starting squid: . [ OK ]

Squid is a high-performance proxy cache server that supports the FTP, gopher and HTTP protocols.


Email Address []:[email protected] #email

#cache_dir ufs /var/spool/squid 100 16 256

[root@nginx-1.8.0 conf]# ulimit -n 65535
[root@nginx-1.8.0 conf]# mkdir vhosts

fastcgi_param HTTPS $https if_not_empty;
#when the request uses HTTPS this is set automatically; otherwise the parameter is ignored.