2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the knowledge needed to configure HTTP/HTTPS traffic to be encrypted automatically when surfing the Internet. In real deployments many people run into difficulties with this setup, so the editor walks you through how to handle these situations. I hope you read it carefully and get something out of it!
Scheme introduction
The software involved
BIND: a popular domain name resolution server; we use it to decide which domain names are to be encrypted.
Stunnel: uses TLS to encrypt a TCP connection, that is, it establishes an encrypted line for plain TCP.
SNI Proxy: proxy software. For the HTTP protocol it obtains the target site's IP by resolving the Host request header; for the HTTPS protocol it obtains the target site's IP by resolving the domain name carried in the TLS SNI extension.
Advantages and disadvantages of this scheme
Advantages:
HTTP and HTTPS traffic to the selected sites is encrypted automatically, without configuring a proxy in any client.
Compared with the commonly used ssh tunnel, which carries everything over a single connection, this scheme supports multiple concurrent connections, which can greatly speed up website access.
Disadvantages:
To proxy the HTTPS protocol, the client that initiates the HTTPS connection must support the TLS SNI extension, as almost all current browsers do. Some non-browser clients, however, do not send SNI, and for them the only solution is to set up a forward proxy.
Principle of scheme
Introduction to the principle:
1. First of all, we need three servers: an intranet DNS server (running bind), an intranet proxy server (running stunnel), and a foreign server (running stunnel and sniproxy).
2. Clients must use the intranet DNS server as their resolver, and the intranet bind server must resolve Google domain names to the IP of the intranet proxy server.
3. When we visit a Google website, the browser first sends a DNS A record query to the private network DNS server, which returns the IP of the private network proxy server.
4. Having resolved the Google domain name to the IP of the private network proxy server, the browser sends its HTTP or HTTPS request to the private network proxy server.
5. The private network proxy server (stunnel) receives the request, encrypts it, and forwards it to the designated port of the foreign server (stunnel).
6. The foreign server (stunnel) receives the encrypted data from the domestic server (stunnel), decrypts the request and forwards it to sniproxy.
7. Sniproxy resolves the IP of the Google server from the HTTP Host request header or from the domain name in the TLS SNI extension, and forwards the request to the Google server.
8. The Google server receives the request from sniproxy and returns the web page content to sniproxy, which then returns the data to the browser.
Program implementation
Due to time constraints, we will only demonstrate the installation on Ubuntu server 12.04.
Environment introduction
System: Ubuntu server 12.04
Private network DNS IP: 10.96.153.201 (master), 10.96.153.204 (slave)
Private network proxy server: 10.96.153.204
Foreign server IP: 1.2.3.4
Install BIND9
1. Install bind in master DNS and slave DNS, that is, 10.96.153.201 (master) and 10.96.153.204 (slave).
wget http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz -O bind-9-10-0b1-2.tar.gz
tar xzf bind-9-10-0b1-2.tar.gz
cd bind-9-10-0b1-2
./configure --prefix=/usr/local/bind
make && make install
2. Configure the primary DNS server (10.96.153.201)
2.1. Generate the /usr/local/bind/etc/rndc.key key file:
/usr/local/bind/sbin/rndc-confgen -a -k rndckey -c /usr/local/bind/etc/rndc.key
2.2. Edit /usr/local/bind/etc/named.conf as follows:
include "/usr/local/bind/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};
logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};
zone "google.com" {
    type master;
    file "google.com.zone";
    allow-transfer { 10.96.153.204; };
};
In this named.conf file, we only need to care about the following:
In the options {} block, 202.96.128.166 and 202.96.134.133 are the local DNS servers provided by the ISP; change them to your own ISP's DNS servers.
The zone "google.com" {} block defines the zone file google.com.zone for the google.com domain and allows 10.96.153.204 (the slave DNS) to transfer the zone.
2.3. Create the google.com.zone zone file:
$TTL 3600
@       IN SOA ns1.google.com. hostmaster.google.com. (
                2014072015 ; Serial
                3600       ; Refresh
                900        ; Retry
                3600000    ; Expire
                3600 )     ; Minimum
@       IN NS ns1.google.com.
@       IN NS ns2.google.com.
ns1     IN A  10.96.153.201
ns2     IN A  10.96.153.204
@       IN A  10.96.153.204
*       IN A  10.96.153.204
In this zone file:
ns1 IN A 10.96.153.201 points to the first DNS server, the primary DNS.
ns2 IN A 10.96.153.204 points to the second DNS server, the slave DNS.
@ IN A 10.96.153.204 and * IN A 10.96.153.204 point to the intranet proxy server (stunnel). These three places are all we need to modify.
3. Configure the slave DNS server (10.96.153.204)
Edit named.conf and write the following:
logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};
zone "google.com" {
    type slave;
    file "google.com.zone";
    masters { 10.96.153.201; };
};
Configuring the slave DNS is much easier: only the above needs to go into named.conf. As before, 202.96.128.166 and 202.96.134.133 in options {} are the local ISP's DNS servers, and 10.96.153.201 in zone "google.com" {} is the IP of the primary DNS server.
4. Start the bind dns server
/usr/local/bind/sbin/named
Install Stunnel
1. Install stunnel on intranet proxy servers and foreign hosts
apt-get install stunnel4
2. Stunnel configuration of private network proxy server
Edit / etc/default/stunnel4 and set the ENABLED=1.
client = yes
pid = /etc/stunnel/stunnel.pid

[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
This configuration listens on port 80 and forwards its traffic to 1.2.3.4:8082, and listens on port 443 and forwards its traffic to 1.2.3.4:4433.
3. Stunnel configuration of foreign servers
3.1. Generate the SSL certificate file stunnel.pem:
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
3.2. Edit the /etc/stunnel/stunnel.conf file:
client = no

[http]
accept = 1.2.3.4:8082
connect = 127.0.0.1:8082
cert = /etc/stunnel/stunnel.pem

[https]
accept = 1.2.3.4:4433
connect = 127.0.0.1:4433
cert = /etc/stunnel/stunnel.pem
This configuration listens on 1.2.3.4:8082 and forwards that traffic to 127.0.0.1:8082, and listens on 1.2.3.4:4433 and forwards that traffic to 127.0.0.1:4433.
Edit / etc/default/stunnel4, set ENABLED=1.
4. Start stunnel
service stunnel4 start
Install sniproxy
Sniproxy project address: https://github.com/dlundquist/sniproxy
1. Install sniproxy
Again, we only demonstrate the installation on Ubuntu Server 12.04.
1.1. Install UDNS
mkdir udns_packaging
cd udns_packaging
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
tar xfz udns_0.4.orig.tar.gz
cd udns-0.4/
tar xfz ../udns_0.4-1.debian.tar.gz
dpkg-buildpackage
cd ..
dpkg -i *.deb
1.2. Install sniproxy
apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config
wget https://github.com/dlundquist/sniproxy/archive/master.zip
unzip master.zip
cd sniproxy-master/
dpkg-buildpackage
cd ..
dpkg -i *.deb
2. Configure sniproxy
/etc/sniproxy.conf is as follows:
user daemon
pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listen 127.0.0.1 8082 {
    proto http
    table http_hosts
}

table http_hosts {
    .* *:80
}

listen 127.0.0.1 4433 {
    proto tls
    table https_hosts
}

table https_hosts {
    .* *:443
}
This configuration listens on 127.0.0.1:8082, resolves the Host request header of the HTTP protocol to an IP and forwards the request to that IP on port 80; and it listens on 127.0.0.1:4433, resolves the domain name in the TLS SNI extension to an IP and forwards the request to that IP on port 443.
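As an added example, not part of this article or of sniproxy's own code, the Python below shows the two lookups sniproxy performs for the listeners above: the Host header for the HTTP path on port 8082, and the server_name extension of the TLS ClientHello for the TLS path on port 4433. The ClientHello builder is a constructed test input rather than captured traffic; a hello without the extension yields None, which is the non-SNI client case noted under Disadvantages.

```python
import struct

def http_host(request: bytes):
    """Host header of a plaintext HTTP request (the port 8082 path), or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace") or None
    return None

def tls_sni(record: bytes):
    """server_name from a TLS ClientHello record (the port 4433 path), or None."""
    # Record: type(1) ver(2) len(2); Handshake: type(1) len(3); ClientHello: ver(2) random(32) ...
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        p = 43
        p += 1 + record[p]                                  # session_id
        p += 2 + struct.unpack_from(">H", record, p)[0]     # cipher_suites
        p += 1 + record[p]                                  # compression_methods
        end = p + 2 + struct.unpack_from(">H", record, p)[0]  # end of extensions block
        p += 2
        while p + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from(">HH", record, p)
            body, p = record[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type != 0:                               # 0 = server_name extension
                continue
            q = 2                                           # skip ServerNameList length
            while q + 3 <= len(body):
                name_type, name_len = body[q], struct.unpack_from(">H", body, q + 1)[0]
                if name_type == 0:                          # host_name entry
                    return body[q + 3:q + 3 + name_len].decode("ascii", "replace")
                q += 3 + name_len
    except (IndexError, struct.error):
        pass                                                # truncated or malformed record
    return None

def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello for offline testing; not captured traffic."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name       # host_name entry
        sn_list = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", 0, len(sn_list)) + sn_list        # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```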
3. Start sniproxy
This concludes "how to configure HTTP/HTTPS automatic encryption to surf the Internet". Thank you for reading. If you want to know more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!
© 2024 shulou.com SLNews company. All rights reserved.