金庸武功之“碧血剑法”
一.试验目的:公司阿里云环境要求之开放一个代理服务器,其他服务器不允许有外网IP二.环境拓扑:
A:代理服务器:(利用squid做透明代理) (centos7.2)
# ip a
eth0:10.30.204.122
eth1:116.62.XX.XX
B:客户端服务器:(centos7.2)
# ip a
eth0:10.30.204.90
三.试验环境准备(A,B都执行)
[*]yum-y update
[*] 关闭SEliunx
# vi /etc/sysconfig/selinux
SELINUX=disabled
3.关闭防火墙
#systemctlstop firewalld
#systemctl disable firewalld
#systemctlstatus firewalld
4.同步系统时间
# rm -rf/etc/localtime
# ln-s /usr/share/zoneinfo/Asia/Shanghai/etc/localtime
#yuminstall-yntpdate
# /usr/sbin/ntpdate -u202.120.2.101 && hwclock -w
systemctl enable ntpdate && systemctlstart ntpdate
#crontab-e
*/5 * * * * /usr/sbin/ntpdate -u 202.120.2.101 && hwclock -w
5.修改主机名
hostnamectl --static set-hostname XXX
6.打开路由转发
vi /etc/sysctl.conf
输入net.ipv4.ip_forward=1
四.A代理服务器配置
# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装
# yum install squid
# cd /etc/squid
# openssl req -new > lidongbest5.csr
Generating a 2048 bit RSA private key
..........................................................................+++
.........................................................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: #输入密码,后面会用到,比如这里输入123456
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn #国家
State or Province Name (full name) []:beijing #省份
Locality Name (eg, city) :beijing #地区名字
Organization Name (eg, company) :sjwl #公司名
Organizational Unit Name (eg, section) []:Technology #部门
Common Name (eg, your name or your server's hostname) []:sjwl #CA主机名
Email Address []:mengxl@shengjing360.com #邮箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #证书请求密钥,CA读取证书的时候需要输入密码
An optional company name []:sjwl #-公司名称,CA读取证书的时候需要输入名称
# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem: #输入上面设置的密码123456
writing RSA key
# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key
# cp squid.conf squidbackup.conf
# visquid.conf
http_access deny all 改成 http_access allow all
# Squid normally listens to port 3128
http_port 8086 transparent
https_port 443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
dns_nameservers 8.8.8.8
cache_mem 1600 MB
cache_log /var/log/squid/cache.log
visible_hostname captain
启动squid,启动前进行测试和初始化
# squid -k parse #测试
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context
# squid -z #初始化
2016/08/09 13:35:12| Creating Swap Directories
# systemctl start squid.service
# systemctl enable squid.service
iptables配置安装:
#systemctl stop firewall.service
#systemctl disable firewalld.service
#yum install iptables-services
#cd /etc/sysconfig/
#vi iptables
# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8086
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 443
COMMIT
# Completed on Tue Mar 28 17:42:00 2017
# Generated by iptables-save v1.4.21 on Tue Mar 28 17:42:00 2017
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Mar 28 17:42:00 2017
# systemctl restart iptables.service
五.客户端服务器配置:
客户端安装配置stunnel
1,安装
#yum install stunnel -y#这里虽是阿里云内网,但有它内部的yum源
#vi /etc/stunnel/stunnel.conf
client = yes
accept = 127.0.0.1:8088
connect = 10.30.204.122:443
如果报,FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match,
stunnel.conf配置文件中加上,fips = no
2.启动stunnel并查看
#stunnel //启动,默认配置文件路径 /etc/stunnel/stunnel.conf
#ps -ef |grep stunnel //查看
root 15972 0.0 0.0 103256 848 pts/0 S+ 17:30 0:00 grep stunnel
root 21099 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21100 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21101 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21102 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21103 0.0 0.0 41532 1060 pts/0 S 15:42 0:00 stunnel
root 21104 0.0 0.0 2077984 6824 ? Ss 15:42 0:00 stunnel
3.配置/etc/profile系统环境变量
底部添加下面两行
# vim /etc/profile
export http_proxy=http://10.30.204.122:8086
export https_proxy=http://127.0.0.1:8088
4.测试
curl https://www.baidu.com
curl www.baidu.com
5.额外的要求:
如果需要做访问控制(比如只允许某些IP的客户端才能连接代理服务器)
试验中是只允许
http://blog.chinaunix.net/uid-25266990-id-2722465.html
参考:http://www.linuxidc.com/Linux/2017-02/140398.htm
http://www.xuexila.com/diannao/xitong/linux/648947.html
http://www.centoscn.com/CentOS/config/2016/0708/7599.html
页:
[1]