Bind + stunnel + sniproxy

Source: Internet
Author: User
Tags syslog stunnel
This post describes how to route the HTTP/HTTPS traffic of chosen websites through an encrypted line automatically, with no settings on the client machine. Because of the wall, you know why; there are too many sensitive words. The tools are bind, stunnel and sniproxy, of which stunnel is optional.

Software involved

BIND: a popular domain name server. We use it to decide which domain names are sent through the encrypted line.
Stunnel: wraps a TCP connection in TLS, that is, it builds an encrypted line for any TCP protocol.
SNI Proxy: proxy software. For HTTP it reads the destination host from the Host request header; for HTTPS it reads it from the SNI extension of the TLS ClientHello. It then resolves that name and connects to the real site.

Advantages and disadvantages

Advantage: compared with the common ssh tunnel, the HTTP or HTTPS traffic of the chosen websites is encrypted automatically. An ssh tunnel is a single channel; this solution carries many concurrent connections and noticeably speeds up website access.
Disadvantage: for proxied HTTPS, the client that opens the connection (for example the browser) must support the TLS SNI extension. Almost all current browsers do, but some non-browser clients do not, and for them the only fix is an explicit forward proxy.

Principle (the original flowchart is not reproduced here)

1. Prepare three servers: an intranet DNS server (bind installed), an intranet proxy server (stunnel installed), and a foreign server (stunnel and sniproxy installed).
2. Point the clients' DNS at the intranet DNS, and in the intranet bind make the Google domain names resolve to the intranet proxy server.
3. When we open a Google site, the system first sends a DNS A query to the intranet DNS server, which answers with the IP address of the intranet proxy server.
4. Having resolved the Google name to the intranet proxy server, the browser sends its HTTP or HTTPS request to that server.
5. The intranet proxy server (stunnel) receives the request, encrypts it and forwards it to the matching port of the foreign server (stunnel).
6. The foreign server (stunnel) decrypts the data received from the domestic server and hands the request to sniproxy.
7. sniproxy reads the HTTP Host header or the HTTPS SNI domain name, resolves the Google server's IP address and forwards the request to the Google server.
8. The Google server answers sniproxy, and sniproxy returns the original data to the browser along the same path.

Time being limited, only installation on Ubuntu server 12.04 is demonstrated.

Environment
System: Ubuntu server 12.04
Intranet DNS IP addresses: 10.96.153.201 (master), 10.96.153.204 (slave)
Intranet proxy server: 10.96.153.204
Foreign server IP address: 1.2.3.4

Install BIND 9

1. Install bind on both the primary DNS and the secondary DNS, that is on 10.96.153.201 (master) and 10.96.153.204 (slave):
wget http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz -O bind-9-10-0b1-2.tar.gz
tar xzf bind-9-10-0b1-2.tar.gz
cd bind-9-10-0b1-2
./configure --prefix=/usr/local/bind
make && make install
2. Configure the master DNS server (10.96.153.201)

2.1 Generate the /usr/local/bind/etc/rndc.key file:
/usr/local/bind/sbin/rndc-confgen -a -k rndckey -c /usr/local/bind/etc/rndc.key
2.2 Edit /usr/local/bind/etc/named.conf and write the following content:
include "/usr/local/bind/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};
logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};
zone "google.com" {
    type master;
    file "google.com.zone";
    allow-transfer { 10.96.153.204; };
};
In this named.conf we only need to care about two parts. In options {}, 202.96.128.166 and 202.96.134.133 are the upstream DNS servers provided by the ISP; change them to your own ISP's DNS. Because of forward only, every query outside the google.com zone is sent to them. In zone "google.com" {}, the zone file google.com.zone for the google.com domain is defined, and allow-transfer lets the slave DNS, 10.96.153.204, pull this zone. One check: allow-query { any; } together with forward only makes this an open recursive resolver for anyone who can reach port 53, so keep the server on the intranet or restrict allow-query to your internal address ranges.

2.3 Create the google.com.zone zone file:
$TTL 3600
@       IN  SOA ns1.google.com. hostmaster.google.com. (
                2014072015 ; Serial
                3600       ; Refresh
                900        ; Retry
                3600000    ; Expire
                3600 )     ; Minimum
@       IN  NS  ns1.google.com.
@       IN  NS  ns2.google.com.
ns1     IN  A   10.96.153.201
ns2     IN  A   10.96.153.204
@       IN  A   10.96.153.204
*       IN  A   10.96.153.204
In this zone file, ns1 IN A 10.96.153.201 points to the first DNS server (the master), ns2 IN A 10.96.153.204 points to the second DNS server (the slave), and @ IN A 10.96.153.204 and * IN A 10.96.153.204 send google.com itself and, through the wildcard, every name under google.com to the intranet proxy server (stunnel). These are the only lines that need to be changed for your own addresses. Remember to bump the serial whenever you edit the file, or the slave will not pick up the change.

3. Configure the slave DNS server (10.96.153.204). Edit named.conf and write the following content:
logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};
zone "google.com" {
    type slave;
    file "google.com.zone";
    masters { 10.96.153.201; };
};
The slave DNS is much simpler: just write the above into named.conf. As before, 202.96.128.166 and 202.96.134.133 in options {} are the local ISP's DNS servers, and 10.96.153.201 in zone "google.com" {} is the address of the master DNS server. The same open-resolver caveat applies to allow-query { any; } here.

4. Start the bind DNS server:

/usr/local/bind/sbin/named

Check the split-horizon answer with the dig built alongside bind: /usr/local/bind/bin/dig @10.96.153.201 www.google.com A should return 10.96.153.204, and the same query against 10.96.153.204 should return the same address once the zone transfer has completed.

Install Stunnel

1. Install stunnel on both the intranet proxy server and the foreign host:
apt-get install stunnel4
2. On the intranet proxy server, edit /etc/default/stunnel4 and set ENABLED=1. Then edit /etc/stunnel/stunnel.conf (the stunnel4 package reads /etc/stunnel/*.conf) with the following content:
client = yes
pid = /etc/stunnel/stunnel.pid

[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
This configuration listens on port 80 and forwards that traffic, wrapped in TLS, to 1.2.3.4:8082, and listens on port 443 and forwards that traffic to 1.2.3.4:4433. One caveat: as written, the client has no verify or CAfile setting, so it accepts whatever certificate "1.2.3.4" presents and an on-path attacker could terminate the tunnel and read everything. Once cert.pem exists (step 3.1 below), copy it to the intranet proxy server and add verify = 2 and CAfile = /etc/stunnel/cert.pem (the path is an example) to this file so that only the real foreign server is accepted.

3. Configure stunnel on the foreign server

3.1 Generate the stunnel.pem certificate file:
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem > /etc/stunnel/stunnel.pem
chmod 600 /etc/stunnel/stunnel.pem
3.2 Edit /etc/stunnel/stunnel.conf:

client = no

[http]
accept = 1.2.3.4:8082
connect = 127.0.0.1:8082
cert = /etc/stunnel/stunnel.pem

[https]
accept = 1.2.3.4:4433
connect = 127.0.0.1:4433
cert = /etc/stunnel/stunnel.pem

This configuration listens on 1.2.3.4:8082 and forwards the decrypted traffic to 127.0.0.1:8082, and listens on 1.2.3.4:4433 and forwards the decrypted traffic to 127.0.0.1:4433. The cert path must be the file written in step 3.1. Caveat: combined with the wildcard sniproxy tables below, anyone on the Internet who can open a TLS connection to these two ports gets a free proxy to any site. Firewall the ports to your intranet's egress address, or require client certificates (verify = 2 and a CAfile holding the client's certificate on this side, with a cert = line on the client side).

3.3 Edit /etc/default/stunnel4 and set ENABLED=1.

4. Start stunnel:

service stunnel4 start

Install sniproxy

sniproxy project address: https://github.com/dlundquist/sniproxy

1. Install sniproxy. Again, only installation on Ubuntu server 12.04 is demonstrated.

1.1 Install udns. sniproxy depends on libudns; here the Debian package is built from the Ubuntu source archive:

mkdir udns_packaging
cd udns_packaging
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
tar xfz udns_0.4.orig.tar.gz
cd udns-0.4/
tar xfz ../udns_0.4-1.debian.tar.gz
dpkg-buildpackage
cd ..
dpkg -i *.deb

1.2 Install sniproxy:

apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config
wget https://github.com/dlundquist/sniproxy/archive/master.zip
unzip master.zip
cd sniproxy-master/
dpkg-buildpackage
cd ..
dpkg -i *.deb

2. Configure sniproxy. The /etc/sniproxy.conf file is as follows:

user daemon
pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listen 127.0.0.1:8082 {
    proto http
    table http_hosts
}

table http_hosts {
    .* *:80
}

listen 127.0.0.1:4433 {
    proto tls
    table https_hosts
}

table https_hosts {
    .* *:443
}

This configuration listens on 127.0.0.1:8082, resolves the Host request header of the HTTP request to an IP address and forwards the request there; and listens on 127.0.0.1:4433, resolves the domain name in the SNI extension of the TLS ClientHello to an IP address and forwards the request there. In the tables, the .* pattern matches any hostname and the * target means "connect to the hostname the client asked for", on port 80 or 443 respectively. Because the pattern is unrestricted, these listeners must stay bound to 127.0.0.1 and be reachable only through stunnel.

3. Start sniproxy:
sniproxy

With that, a complete HTTP/HTTPS encryption proxy solution is in place. For plain HTTP, stunnel wraps the traffic between the intranet proxy server and the foreign server in TLS, so an observer on the path sees only a TLS session to 1.2.3.4 and cannot read the request or its Host header in plaintext. HTTPS is already encrypted, but the SNI extension in the TLS ClientHello carries the destination domain name in cleartext; to keep that name from being sniffed, HTTPS also goes through the stunnel tunnel. The DNS side leaks nothing upstream either: google.com is answered authoritatively by the intranet bind and never reaches the ISP forwarders. For clients that send HTTPS requests but do not support the SNI extension, a proxy must be configured manually; the next post will introduce an encrypted forward proxy solution.
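The following is an added example, not code from the original post or from the sniproxy project. It shows in Python what sniproxy does in step 7 of the principle and in the two listeners configured above: pull the routing key out of the first bytes the client sends (the Host header for plain HTTP, the server_name extension for TLS), then apply a sniproxy-style table such as .* *:443. It also makes the closing point concrete: both keys sit in cleartext at the start of the connection, which is exactly what the stunnel wrapper hides from an on-path observer, and a client that sends no SNI gives the proxy nothing to route on. The sample requests are constructed inside the block; the table format follows sniproxy's documented syntax, while the regex matching and port defaults are this example's own simplification.

```python
"""Added example: the routing decision sniproxy makes (step 7 of the flow).

Given the first bytes a client sends, extract the routing key: the Host header
for plain HTTP, the server_name (SNI) extension for TLS, then apply a
sniproxy-style table such as `.* *:443`. Sample inputs are constructed here;
none of this is sniproxy's own code.
"""
import re
import struct
from typing import List, Optional, Tuple


def http_host(data: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request (without :port), or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def tls_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello, or None."""
    if len(data) < 5 or data[0] != 0x16:               # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                                     # handshake header, version, random
    p += 1 + hs[p]                                     # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
    p += 1 + hs[p]                                     # compression_methods
    if p + 2 > len(hs):
        return None                                    # no extensions at all: a non-SNI client
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        body = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0x0000:                         # 0 = server_name
            continue
        q = 2                                          # skip ServerNameList length
        while q + 3 <= len(body):
            name_type = body[q]
            name_len = struct.unpack("!H", body[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:                         # host_name entry
                return body[q:q + name_len].decode("ascii", "replace").lower()
            q += name_len
    return None


Table = List[Tuple[str, str]]
HTTP_TABLE: Table = [(".*", "*:80")]      # mirrors `table http_hosts { .* *:80 }`
HTTPS_TABLE: Table = [(".*", "*:443")]    # mirrors `table https_hosts { .* *:443 }`


def route(table: Table, hostname: str, listener_port: int) -> Optional[Tuple[str, int]]:
    """First matching (regex, target) wins. Target '*' means the requested
    hostname; a target without :port means the listener's own port."""
    for pattern, target in table:
        if re.match(pattern, hostname):
            host, _, port = target.partition(":")
            return (hostname if host == "*" else host,
                    int(port) if port else listener_port)
    return None


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello; host=None omits extensions (no SNI)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decide(listener_port: int, first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """What the two listeners in the config above would do with a new connection."""
    if listener_port == 8082:                          # proto http
        host = http_host(first_bytes)
        return route(HTTP_TABLE, host, 8082) if host else None
    if listener_port == 4433:                          # proto tls
        host = tls_sni(first_bytes)
        return route(HTTPS_TABLE, host, 4433) if host else None
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(decide(8082, b"GET /search?q=x HTTP/1.1\r\nHost: www.google.com\r\n\r\n"))
    print(decide(4433, build_client_hello("mail.google.com")))
    print(decide(4433, build_client_hello(None)))    # no SNI: nothing to route on
```

Running the block prints the two backends a sniproxy with this configuration would connect to, then None for the SNI-less ClientHello, which is the case the post says can only be handled by an explicit forward proxy. Note that the parsers read the plaintext bytes the foreign server sees after stunnel has decrypted them; on the wire between the intranet proxy and 1.2.3.4 these same bytes are inside the stunnel TLS session, which is the whole point of the design.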
