2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
The proxy software behind jayproxy was found to be Squid, and we also use this software to build our proxy server.
× × Analysis: Squid is a good proxy server, but it cannot be used directly, because the connection to Squid gets blocked by the firewall. So we have to encrypt the data before transmitting it, which amounts to bypassing the firewall; for this we use Stunnel to carry the traffic encrypted.
Server requirements:
1. A server with normal access to the Internet, called A (located abroad)
2. A domestic server with normal access to server A, called B
Access process:
1. The user points the browser proxy at the port on which the Stunnel service of server B listens, and visits a website.
2. When visiting a foreign website, enter the LDAP user information in the pop-up box; once authenticated, the foreign website can be visited.
3. The Stunnel of server B encrypts the request and sends it to the Stunnel service of server A.
4. The Stunnel of server A decrypts the request and passes it to the Squid service of server A.
5. The Squid of server A requests the data from the target website and returns it.
Implementation steps. First, install Squid and Stunnel on server A.
1. Install Squid
// install
yum -y install squid
// initialize squid
squid -z
// start squid
service squid start
If nothing is changed, the default port number is 3128. At this point you can open your browser, set the proxy to the IP of server A and port 3128, visit baidu and search for "ip" to see whether the address shown is the proxy server's IP. If it is, Squid works normally, but × × is not yet possible.
2. Install Stunnel
// download the software package
$ wget http://www.stunnel.org/downloads/stunnel-5.01.tar.gz
// decompress
$ tar -zvxf stunnel-5.01.tar.gz
// enter the software package
$ cd stunnel-5.01
// compile and install
$ ./configure
$ make
$ make install
Configure Stunnel:
Stunnel is more troublesome than Squid: Squid runs even if you change nothing in its configuration, but Stunnel does not. It requires a configuration file and a signed certificate.
// change to the directory
$ cd /etc/stunnel/
$ openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
This generates the key file stunnel.pem in /etc/stunnel/.
Then generate the Diffie-Hellman section for it:
$ openssl gendh 512 >> stunnel.pem
The Internet says this is a must for version 4.X, but I did the same with the 5.01 I used.
Set up the profile:
There is a sample file (named something like stunnel.conf-sample) in the /etc/stunnel/ directory. You can cp it to stunnel.conf or create a new stunnel.conf; here we create a new one:
$ vim stunnel.conf
Copy the following into it:
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3
; CApath = certs
; CRLpath = crls
; CRLfile = crls.pem
setuid = stunnel
setgid = stunnel
; client = yes
compression = zlib
; taskbar = no
delay = no
; failover = rr
; failover = prio
sslVersion = TLSv1
fips = no
debug = 7
syslog = no
output = stunnel.log
[sproxy]
accept = 34567
connect = 127.0.0.1:3128
Here are a few settings to explain:
The first and second lines give the location of the key file; they are correct if you followed the previous steps.
setuid = stunnel
setgid = stunnel
set the user and group the service runs as, both named stunnel. They usually do not exist yet, so create them:
$ groupadd -g 122 stunnel
$ useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel
accept = 34567 is the port the listener uses, that is, the address server B points to.
connect = 127.0.0.1:3128 is the address and port on which server A's Squid listens, i.e. 3128.
After saving and exiting, you can try to start stunnel:
$ stunnel
If everything is normal it prints nothing; if there is a problem it reports it. Investigate carefully and there will basically be no problem.
Check that it is running:
$ ps -ef | grep stunnel
If you see a stunnel process running as the stunnel user, it started successfully.
With this, the Squid and Stunnel of server A are configured; next configure the Stunnel of domestic server B. Server B does not need Squid, so only Stunnel has to be configured.
Second, install and configure Stunnel on server B.
Install it the same way as on A, but do not generate the key again; copy it from server A.
Log in to server A, go to the /etc/stunnel/ directory, and copy the stunnel.pem key to server B's /etc/stunnel/ directory:
$ cd /etc/stunnel/
$ scp stunnel.pem root@<server B IP>:/etc/stunnel/
Then log in to server B and set up the configuration file, which is like server A's. You can either cp or create a new one; here we create a new one again:
$ cd /etc/stunnel/
$ vim stunnel.conf
Copy the following into it:
cert = /etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CAfile = /etc/stunnel/stunnel.pem
client = yes
compression = zlib
ciphers = AES256-SHA
delay = no
failover = prio
sslVersion = TLSv1
fips = no
[sproxy]
accept = 0.0.0.0:7071
connect = <server A IP>:34567
A few notes here:
accept = 0.0.0.0:7071: 7071 is the proxy port the user needs to set; any port greater than 500 can be used. 0.0.0.0 makes it reachable from the external network; if it is only for internal use, change it to 127.0.0.1.
connect = <server A IP>:34567: obviously the IP of server A goes here, and 34567 is the port server A's Stunnel listens on; make sure the two match.
After saving and exiting, start Stunnel:
$ stunnel
If nothing goes wrong, the whole proxy now runs normally: open the browser, set the proxy to the IP of server B and port 7071, and you can visit foreign websites.
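The two stunnel.conf files above relax several TLS settings. As an added example (not the article's own code), the following Python script parses a stunnel.conf of this shape and lists the settings a defender would tighten before exposing the tunnel endpoint. The embedded config is a constructed copy of server B's, with 203.0.113.10 as a placeholder for server A's IP.

```python
# Added example, not from the original article: parse a stunnel.conf of the
# shape used above and report settings a defender would tighten first.

CLIENT_CONF = """cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
verify = 2
client = yes
compression = zlib
ciphers = AES256-SHA
sslVersion = TLSv1
[sproxy]
accept = 0.0.0.0:7071
connect = 203.0.113.10:34567   ; placeholder for server A's IP
"""  # constructed copy of the server B config shown in the article


def parse_stunnel_conf(text):
    # Returns (global_opts, {service: opts}); keys lower-cased, values kept as lists.
    globals_, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()               # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # [service] header
            current = line[1:-1]; services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = globals_ if current is None else services[current]
        target.setdefault(key.strip().lower(), []).append(value.strip())
    return globals_, services


def audit_stunnel_conf(text):
    """Return the list of hardening findings for one stunnel.conf text."""
    g, services = parse_stunnel_conf(text)
    opt = lambda k: g.get(k, [""])[0]
    findings = []
    if opt("sslversion").lower() in ("sslv2", "sslv3", "tlsv1", "tlsv1.1"):
        findings.append(f"sslVersion={opt('sslversion')}: deprecated protocol, use TLSv1.2 or newer")
    if opt("compression"):
        findings.append("compression enabled: TLS compression leaks plaintext (CRIME-class attacks)")
    if opt("cert") and opt("cert") == opt("cafile"):
        findings.append("CAfile equals cert: one self-signed key is the whole trust store, rotation redeploys every peer")
    if opt("ciphers") and not any(kx in opt("ciphers") for kx in ("ECDHE", "DHE")):
        findings.append(f"ciphers={opt('ciphers')}: no forward secrecy (static RSA key exchange)")
    for name, o in services.items():
        for acc in o.get("accept", []):
            if ":" in acc and acc.rsplit(":", 1)[0] in ("0.0.0.0", "::"):
                findings.append(f"[{name}] accept={acc}: listens on every interface")
    return findings
```

Running `audit_stunnel_conf(CLIENT_CONF)` yields five findings for the article's server B config; the server A config triggers the protocol, compression and CAfile findings but not the interface one, since its accept line has no host part.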
Configure squid server to use LDAP authentication
1. Install the LDAP client
yum -y install openldap-clients nss-pam-ldapd openldap
Add the LDAP server information:
vim /etc/openldap/ldap.conf
Add the following 2 lines:
BASE dc=shuyun,dc=com
URI ldap://ldap.shuyun.com:389
Restart the nslcd service:
/etc/init.d/nslcd restart
Test connectivity to the LDAP server:
ldapsearch -x
2. Configure Squid to communicate with LDAP
Execute this command to test whether Squid can connect to LDAP:
/usr/lib64/squid/squid_ldap_auth -u cn -f "uid=%s" -b "ou=people,dc=shuyun,dc=com" -D "cn=user,ou=people,dc=shuyun,dc=com" -w "password" -H ldap://ldap.shuyun.com
You will be prompted for a user name and password while it runs; OK is displayed when the connection succeeds.
Once the connection works, edit the /etc/squid/squid.conf file.
Comment out everything that starts with http_access and add the following four lines at the end:
auth_param basic program /usr/lib64/squid/squid_ldap_auth -u cn -f "uid=%s" -b "ou=people,dc=shuyun,dc=com" -D "cn=user,ou=people,dc=shuyun,dc=com" -w "password" -H ldap://ldap.shuyun.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all
Restart Squid:
/etc/init.d/squid restart
Open a website and check whether a dialog box asking for a user name and password pops up.
4. Generate a PAC file and define the whitelist of × × websites
You can download the shadowsocks software, run it, and extract the local PAC file from it.
Then change the server address in the PAC file to the address of server B:
var proxy = "PROXY <B server address>:7071; DIRECT;";
After saving the PAC file, download it locally and select it in the browser's proxy settings, so that the × × domain names go through the foreign server line.