Background:
The company's IDC room has a server A that sits on the intranet only: 192.168.1.150
This server now needs Internet access, with normal HTTP and HTTPS requests (that is, ports 80 and 443).
Ideas:
In the IDC room, find two other servers that have public network access, Server B (58.68.250.8/192.168.1.8) and Server C (58.68.250.5/192.168.1.5), such that both of them and the intranet Server A can ping each other.
Then:
Deploy a Squid HTTP proxy on Server B so that Server A can reach HTTP sites through that Squid proxy.
Deploy a Squid HTTPS proxy on Server C so that Server A can reach HTTPS sites through that Squid proxy (Stunnel needs to be installed on the client).
The operation record for this requirement follows:
---------------------------------------------------------------------------------------------------------------------------
I. Operation record on Server B (HTTP proxy)
1) Install Squid
Install squid directly online with yum:
[root@B ~]# yum install -y gcc openssl openssl-devel    # the dependencies must be installed first
[root@B ~]# yum install squid
After the installation is complete, modify the squid.conf file; back the file up before modifying it:
[root@B ~]# cd /etc/squid/
[root@B squid]# cp squid.conf squid.conf_bak
[root@B squid]# vim squid.conf
http_access allow all                        # change deny to allow
http_port 192.168.1.8:3128
cache_dir ufs /var/spool/squid 100 16 256    # uncomment this line (sizes as in the shipped default); make sure the /var/spool/squid cache directory exists
2) Start squid; test and initialize the configuration before starting
[root@B squid]# squid -k parse    # test the configuration
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context
[root@B squid]# squid -z          # initialize the cache directories
2016/08/09 13:35:12| Creating Swap Directories
[root@B squid]# /etc/init.d/squid start
Starting squid: .                                          [  OK  ]
If the iptables firewall is enabled, you also need to add the following line to /etc/sysconfig/iptables to allow access to port 3128:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
Then restart the iptables service:
[root@B squid]# /etc/init.d/iptables restart
---------------------------------------------------------------------------------------------------------------------------
II. Operation record on Server C (HTTPS proxy)
1) Install Squid
Install squid directly online with yum:
[root@C ~]# yum install -y gcc openssl openssl-devel    # the dependencies must be installed first
[root@C ~]# yum install squid
[root@C ~]# cd /etc/squid/
[root@C squid]# cp squid.conf squid.conf_bak
2) Now generate the certificate for the encrypting proxy:
[root@C squid]# pwd
/etc/squid
[root@C squid]# openssl req -new > lidongbest5.csr
Generating a 2048 bit RSA private key
..........................................................................+++
.........................................................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:              # enter a password; it is needed again later. For example, 123456 is used here
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  # country
State or Province Name (full name) []:beijing                         # province
Locality Name (eg, city) [Default City]:beijing                       # locality
Organization Name (eg, company) [Default Company Ltd]:huanqiu         # company name
Organizational Unit Name (eg, section) []:technology                  # department
Common Name (eg, your name or your server's hostname) []:huanqiu      # CA hostname
Email Address []:[email protected]                                    # e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456        # certificate request password; the CA asks for it when it reads the request
An optional company name []:huanqiu   # optional company name; the CA also asks for it when it reads the request
[root@C squid]# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem:    # enter the password set above, 123456
writing RSA key
[root@C squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=huanqiu/OU=technology/CN=huanqiu/emailAddress=[email protected]
Getting Private key
Modify the squid.conf configuration file:
[root@C squid]# vim squid.conf
http_access allow all                        # change deny to allow
#http_port 3128                              # comment this line out
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key    # add this line
cache_dir ufs /var/spool/squid 100 16 256    # uncomment this line (sizes as in the shipped default); make sure the /var/spool/squid cache directory exists
3) Restart the Squid service
[root@C squid]# squid -k parse
[root@C squid]# squid -z
[root@C squid]# squid -k reconfigure    # reload the configuration
[root@C squid]# /etc/init.d/squid restart
If the iptables firewall is enabled, you also need to add the following line to /etc/sysconfig/iptables to allow access to port 443:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
Then restart the iptables service:
[root@C squid]# /etc/init.d/iptables restart
---------------------------------------------------------------------------------------------------------------------------
III. Operation record on Server A (that is, the client)
1) Install and configure Stunnel
Stop the client's iptables firewall:
[root@A ~]# /etc/init.d/iptables stop
[root@A ~]# cd /usr/local/src/
[root@A src]# pwd
/usr/local/src
[root@A src]# ls
stunnel-5.35.tar.gz
[root@A src]# tar -zvxf stunnel-5.35.tar.gz
[root@A src]# ls
stunnel-5.35  stunnel-5.35.tar.gz
[root@A src]# cd stunnel-5.35
[root@A stunnel-5.35]# ./configure
[root@A stunnel-5.35]# make && make install
After the installation is complete, configure stunnel.conf:
[root@A stunnel-5.35]# cd /usr/local/etc/stunnel/
[root@A stunnel]# ls
stunnel.conf-sample
[root@A stunnel]# cp stunnel.conf-sample stunnel.conf
[root@A stunnel]# ls
stunnel.conf  stunnel.conf-sample
[root@A stunnel]# cat stunnel.conf    # clear the original contents and write the following:
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
Here the local stunnel listens on port 8088 and connects to the squid server at 192.168.1.5, port 443; /etc/profile then points the local HTTPS proxy at port 8088 (below).
2) Start the Stunnel service
[root@A stunnel]# /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
[root@A stunnel]# ps -ef | grep stunnel
root     20281     1  0 02:23 ?        00:00:00 /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
root     20283 13002  0 02:23 pts/0    00:00:00 grep --color stunnel
[root@A stunnel]# lsof -i:8088
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
stunnel 20281 root    7u  IPv4 745475      0t0  TCP localhost:radan-http (LISTEN)
3) Configure the /etc/profile system environment variables
Add the following two lines at the bottom:
[root@A stunnel]# vim /etc/profile
...............
export http_proxy=http://192.168.1.8:3128     # HTTP goes out through the squid on Server B, port 3128 (HTTP proxy)
export https_proxy=http://127.0.0.1:8088      # HTTPS goes out through the local stunnel on port 8088, which forwards to the squid on Server C, port 443 (HTTPS proxy)
[root@A stunnel]# source /etc/profile         # apply the configuration
4) Test:
[root@A stunnel]# curl http://www.baidu.com              # access on port 80 OK
[root@A stunnel]# curl https://www.xqshijie.com          # access on port 443 OK
[root@A stunnel]# yum list                               # yum works normally
[root@A stunnel]# wget http://www.autohome.com.cn/3442   # wget downloads normally
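The record above leaves two things a defender would want to check: squid on B and C is configured with http_access allow all, so any client that can reach the port may use the proxy, and the client stunnel.conf on A does not verify squid's self-signed certificate. The linter below is an added example, not part of the original record; the sample configs are constructed from the page's values, and the hardened directives it expects (an acl src line followed by http_access deny all, and verifyPeer/CAfile in stunnel.conf) are standard squid and stunnel options that the post itself did not use.

```python
"""Added example, not from the original post: lint the squid.conf (servers B, C) and
stunnel.conf (server A) settings shown above; the sample configs are constructed."""
import ipaddress
INTRANET = ipaddress.ip_network("192.168.1.0/24")  # the LAN the page uses

def directives(text):
    """Yield (key, args) per non-comment line; also accepts stunnel's 'key = value'."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and parts[1] == "=":
            del parts[1]
        if parts and not parts[0].startswith("["):  # skip stunnel [service] headers
            yield parts[0], parts[1:]

def inside_lan(net):
    n = ipaddress.ip_network(net, strict=False)  # an acl src value: IP or CIDR
    return n.version == 4 and n.subnet_of(INTRANET)

def lint_squid(text):
    """Findings for a squid.conf fragment; empty means only intranet clients can proxy."""
    findings, acls = [], {}
    for key, args in directives(text):
        if key == "acl" and len(args) >= 3:
            acls[args[0]] = (args[1], args[2:])
        elif key == "http_access" and len(args) > 1 and args[0] == "allow":
            kind, nets = acls.get(args[1], ("all", []))  # 'all' is built into squid
            if kind != "src" or not all(inside_lan(n) for n in nets):
                findings.append(f"http_access allow {args[1]}: usable from outside {INTRANET}")
        elif key in ("http_port", "https_port") and args:
            if ":" not in args[0]:  # no bind address: the public interface listens too
                findings.append(f"{key} {args[0]}: listens on every interface")
            if key == "https_port" and not any(a.startswith("cert=") for a in args):
                findings.append("https_port without cert=: no TLS listener")
    return findings

def lint_stunnel(text):
    """Findings for the client stunnel.conf: plaintext side local, squid's cert verified."""
    opts = {k: " ".join(v) for k, v in directives(text)}
    findings = []
    if not opts.get("accept", "").startswith("127.0.0.1:"):
        findings.append("accept is not loopback: other hosts can use the tunnel")
    if opts.get("verifyPeer") != "yes" or "CAfile" not in opts:
        findings.append("squid's self-signed cert is not checked: add verifyPeer = yes and CAfile")
    return findings
# Constructed samples: the page's settings first, then hardened variants.
WEAK_SQUID = "http_access allow all\nhttp_port 192.168.1.8:3128\n"
HARD_SQUID = ("acl intranet src 192.168.1.0/24\nhttp_access allow intranet\nhttp_access deny all\n"
              "https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key\n")
WEAK_STUNNEL = "client = yes\n[https]\naccept = 127.0.0.1:8088\nconnect = 192.168.1.5:443\n"
HARD_STUNNEL = WEAK_STUNNEL + "verifyPeer = yes\nCAfile = /usr/local/etc/stunnel/lidongbest5.crt\n"
```

Copying lidongbest5.crt from Server C to the client and naming it in CAfile makes stunnel reject any other certificate presented on 192.168.1.5:443, which the page's configuration would accept silently.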
Squid proxy for HTTP and HTTPS Internet access: operation record