HTTP/HTTPS Automatic Encryption Internet solution

Source: Internet
Author: User
Tags: syslog, generate ssl certificate, stunnel

Program introduction: the software involved
    1. BIND: a widely used DNS server. Here it decides which domain names take the encrypted line, by answering queries for those names with the address of the intranet proxy instead of the real one.
    2. Stunnel: wraps an ordinary TCP connection in TLS, that is, it establishes the encrypted line between the intranet proxy and the foreign server.
    3. SNI Proxy: proxy software. For HTTP it obtains the destination host from the Host request header; for HTTPS it obtains it from the server name carried in the TLS SNI extension. It then resolves that name to the real target IP and forwards the connection.
Advantages and disadvantages of this scheme

Advantages:
HTTP and HTTPS traffic to the chosen web sites is encrypted automatically, with no proxy settings on any client.
A common SSH tunnel is a single connection that everything is multiplexed over; in this scheme each client connection travels as its own TLS connection, so many concurrent connections are supported and site access is considerably faster.

Disadvantages:
For HTTPS, the client must send the TLS SNI extension, because that is the only place the foreign proxy can learn the destination host name. Practically all current browsers do, but some non-browser clients do not; for those the only option is a conventional forward proxy configured by hand.

Scheme principle

Flow chart:

Principle introduction:
1. Three servers are needed: an intranet DNS server (BIND), an intranet proxy server (Stunnel in client mode) and a foreign server (Stunnel in server mode plus sniproxy).
2. Intranet clients are pointed at the intranet DNS server, and in BIND the google.com zone is configured so that every google.com name resolves to the IP of the intranet proxy server.
3. When a client visits a Google site, the A-record query first goes to the intranet DNS server, which answers with the IP of the intranet proxy server.
4. The browser therefore takes the intranet proxy server's IP as Google's address and sends its HTTP or HTTPS request to the intranet proxy server.
5. Stunnel on the intranet proxy server accepts the connection, encrypts it with TLS and forwards it to the designated port on the foreign server.
6. Stunnel on the foreign server receives the encrypted data from the domestic server, decrypts it and hands the connection to sniproxy on localhost.
7. Sniproxy reads the destination host name from the HTTP Host header or the HTTPS SNI extension, resolves it to the real Google server IP and forwards the request there.
8. The Google server answers sniproxy, and the response travels the same path back to the browser.

programme implementation

Due to limited time, only installation on Ubuntu Server 12.04 is demonstrated.

Environment Introduction

System: Ubuntu Server 12.04

Intranet DNS IP: 10.96.153.201 (primary), 10.96.153.204 (secondary)

Intranet proxy server: 10.96.153.204 (shares the host with the secondary DNS)

Foreign server IP: 1.2.3.4

Installing BIND9

1. Install BIND on both the primary and the secondary DNS server, i.e. 10.96.153.201 (primary) and 10.96.153.204 (secondary).

    wget "http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz" -O bind-9-10-0b1-2.tar.gz
    tar xzf bind-9-10-0b1-2.tar.gz
    cd bind-9-10-0b1-2
    ./configure --prefix=/usr/local/bind
    make && make install

2. Configure the primary DNS server (10.96.153.201)

2.1. Generate the /usr/local/bind/etc/rndc.key key file

    /usr/local/bind/sbin/rndc-confgen -a -k rndckey -c /usr/local/bind/etc/rndc.key

2.2. Edit /usr/local/bind/etc/named.conf and write the following content:

    include "/usr/local/bind/etc/rndc.key";
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
    };
    logging {
        channel default_syslog { syslog local2; severity notice; };
        channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { audit_log; };
    };
    options {
        directory "/usr/local/bind/etc";
        pid-file "/usr/local/bind/var/run/bind.pid";
        transfer-format many-answers;
        interface-interval 0;
        forward only;
        forwarders { 202.96.128.166; 202.96.134.133; };
        allow-query { any; };
    };
    zone "google.com" {
        type master;
        file "google.com.zone";
        allow-transfer { 10.96.153.204; };
    };

In this named.conf only the following need attention:

In options {}, 202.96.128.166 and 202.96.134.133 are the local DNS servers supplied by the ISP; replace them with your own ISP's resolvers. Because the server forwards and answers queries for any client (allow-query { any; }), it must be reachable only from the intranet: exposed to the Internet it is an open resolver. If in doubt, restrict allow-query and allow-recursion to the intranet range (for example allow-query { 10.96.0.0/16; localhost; }; where 10.96.0.0/16 stands for your own range).
In zone "google.com" {}, the zone file google.com.zone for the google.com domain is defined, and 10.96.153.204 (the secondary DNS) is allowed to transfer the zone.

2.3. Create the google.com.zone zone file:

    $TTL 3600
    @       IN SOA  ns1.google.com. hostmaster.google.com. (
                    2014072015  ; Serial
                    3600        ; Refresh
                    900         ; Retry
                    3600000     ; Expire
                    3600 )      ; Minimum
    @       IN NS   ns1.google.com.
    @       IN NS   ns2.google.com.
    ns1     IN A    10.96.153.201
    ns2     IN A    10.96.153.204
    @       IN A    10.96.153.204
    *       IN A    10.96.153.204

In this zone file:
ns1 IN A 10.96.153.201 points to the first DNS server, the primary.
ns2 IN A 10.96.153.204 points to the second DNS server, the secondary.
@ IN A 10.96.153.204 and * IN A 10.96.153.204 point the bare domain and every name under it to the intranet proxy server (Stunnel). These three addresses are all that need changing. Increase the serial whenever the file is edited, otherwise the secondary will not pick up the change.

3. Configure the secondary DNS server (10.96.153.204)
Edit named.conf and write the following:

    logging {
        channel default_syslog { syslog local2; severity notice; };
        channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { audit_log; };
    };
    options {
        directory "/usr/local/bind/etc";
        pid-file "/usr/local/bind/var/run/bind.pid";
        transfer-format many-answers;
        interface-interval 0;
        forward only;
        forwarders { 202.96.128.166; 202.96.134.133; };
        allow-query { any; };
    };
    zone "google.com" {
        type slave;
        file "google.com.zone";
        masters { 10.96.153.201; };
    };

The secondary's configuration is much simpler: just write the above into named.conf. As before, 202.96.128.166 and 202.96.134.133 in options {} are the ISP's local DNS servers, and 10.96.153.201 in zone "google.com" {} is the IP of the primary DNS server. The secondary writes the transferred zone into the directory given by directory, so that directory must be writable by the user named runs as. The same open-resolver caveat as for the primary applies to allow-query { any; }.
4. Start the BIND DNS server

/usr/local/bind/sbin/named
Installing Stunnel

1. Install Stunnel on both the intranet proxy server and the foreign host

    apt-get install stunnel4

2. Intranet proxy server Stunnel configuration
Edit /etc/default/stunnel4 and set ENABLED=1, then write /etc/stunnel/stunnel.conf as follows:

    client = yes
    pid = /etc/stunnel/stunnel.pid

    [http]
    accept = 80
    connect = 1.2.3.4:8082

    [https]
    accept = 443
    connect = 1.2.3.4:4433

This configuration listens on port 80 and forwards that traffic to 1.2.3.4:8082, and listens on port 443 and forwards that traffic to 1.2.3.4:4433. Note that with no verify level and no CAfile, stunnel does not check the certificate the far end presents, so anyone able to intercept the path to 1.2.3.4 can terminate the TLS themselves; add verify = 2 together with a CAfile containing a copy of the foreign server's cert.pem if that matters in your setting.

3. Foreign server Stunnel configuration

3.1. Generate the stunnel.pem certificate file

    openssl genrsa -out key.pem 2048
    openssl req -new -x509 -key key.pem -out cert.pem -days 1095
    cat key.pem cert.pem > /etc/stunnel/stunnel.pem

3.2. Edit the /etc/stunnel/stunnel.conf file

    client = no

    [http]
    accept = 1.2.3.4:8082
    connect = 127.0.0.1:8082
    cert = /etc/stunnel/stunnel.pem

    [https]
    accept = 1.2.3.4:4433
    connect = 127.0.0.1:4433
    cert = /etc/stunnel/stunnel.pem

This configuration listens on 1.2.3.4:8082 and forwards that traffic to 127.0.0.1:8082, and listens on 1.2.3.4:4433 and forwards that traffic to 127.0.0.1:4433. stunnel.pem contains the private key, so make it readable by the stunnel user only (chmod 600). Both ports are open to the whole Internet and, through sniproxy, reach any host on port 80 or 443, so either limit them to the intranet proxy's public address in the firewall or require a client certificate (verify = 2 on this side, with the client's certificate in CAfile).

3.3. Edit /etc/default/stunnel4 and set ENABLED=1.

4. Start Stunnel

    service stunnel4 start
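The two stunnel.conf files above establish the encrypted line but do not check who is at the other end: without verify and CAfile the intranet client accepts any certificate 1.2.3.4 presents. As an added example (not part of the original article and not stunnel's own tooling), the script below lints a stunnel.conf for client-mode services that lack verification and carries a hardened client configuration that pins the foreign server's cert.pem; /etc/stunnel/foreign-cert.pem is an assumed location for that copied certificate.

```shell
#!/bin/sh
# Added example: find stunnel client services that do not verify the server.
# stunnel only checks the peer certificate when "verify" is 2 or higher and a
# CAfile (or CApath) is given; both keys may be global or per-[service].

# stunnel_unverified_services FILE: print every client-mode service whose
# effective verify level is below 2 or that has no CAfile; exit 1 if any
stunnel_unverified_services() {
  awk '
    BEGIN { g_client = "no"; g_verify = 0; g_cafile = ""; bad = 0 }
    function flush() {
      if (svc == "") return
      c  = (s_client != "") ? s_client : g_client
      v  = (s_verify != "") ? s_verify : g_verify
      ca = (s_cafile != "") ? s_cafile : g_cafile
      if (c == "yes" && (v + 0 < 2 || ca == "")) { print svc; bad = 1 }
    }
    /^[[:space:]]*([#;]|$)/ { next }                 # comments and blank lines
    /^[[:space:]]*\[/ {                              # a new [service] section
      flush(); svc = $0; gsub(/[][ \t]/, "", svc)
      s_client = s_verify = s_cafile = ""; next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
      k = tolower(k)
      if (svc == "") {
        if (k == "client") g_client = tolower(val)
        else if (k == "verify") g_verify = val
        else if (k == "cafile" || k == "capath") g_cafile = val
      } else {
        if (k == "client") s_client = tolower(val)
        else if (k == "verify") s_verify = val
        else if (k == "cafile" || k == "capath") s_cafile = val
      }
    }
    END { flush(); exit bad }
  ' "$1"
}

# weak_client_conf: the article's client configuration, which never verifies 1.2.3.4
weak_client_conf() {
  cat <<'EOF'
client = yes
pid = /etc/stunnel/stunnel.pid

[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
EOF
}

# hardened_client_conf: same services, but the server certificate must match the
# copy of the foreign server's cert.pem kept at /etc/stunnel/foreign-cert.pem
# (assumed path; copy it over an out-of-band channel such as scp)
hardened_client_conf() {
  cat <<'EOF'
client = yes
pid = /etc/stunnel/stunnel.pid
; level 2 = verify the peer certificate chain against CAfile; a self-signed
; cert.pem placed in CAfile is its own trust anchor, so only that key passes
verify = 2
CAfile = /etc/stunnel/foreign-cert.pem

[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
EOF
}

# lint_conf_text "config text": run the lint over an in-memory configuration
lint_conf_text() {
  t=$(mktemp) || return 1
  printf '%s\n' "$1" > "$t"
  stunnel_unverified_services "$t"; rc=$?
  rm -f "$t"
  return $rc
}

# usage: stunnel_unverified_services /etc/stunnel/stunnel.conf && echo "every client service verifies the server"
```

Run the lint against the live /etc/stunnel/stunnel.conf on the intranet proxy after each change; the hardened configuration is what the weak one becomes once the foreign server's cert.pem has been copied over and named in CAfile.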
Installing Sniproxy

Sniproxy project address: https://github.com/dlundquist/sniproxy

1. Install sniproxy
Again, only installation on Ubuntu Server 12.04 is demonstrated.

1.1. Install udns

    mkdir udns_packaging
    cd udns_packaging
    wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
    wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
    wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
    tar xfz udns_0.4.orig.tar.gz
    cd udns-0.4/
    tar xfz ../udns_0.4-1.debian.tar.gz
    dpkg-buildpackage
    cd ..
    dpkg -i *.deb

1.2. Install sniproxy

    apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config
    wget https://github.com/dlundquist/sniproxy/archive/master.zip
    unzip master.zip
    cd sniproxy-master/
    dpkg-buildpackage
    cd ..
    dpkg -i *.deb

2. Configure sniproxy
The content of /etc/sniproxy.conf is as follows:

    user daemon
    pidfile /var/run/sniproxy.pid

    error_log {
        syslog daemon
        priority notice
    }

    listen 127.0.0.1:8082 {
        proto http
        table http_hosts
    }

    table http_hosts {
        .* *:80
    }

    listen 127.0.0.1:4433 {
        proto tls
        table https_hosts
    }

    table https_hosts {
        .* *:443
    }

This configuration listens on 127.0.0.1:8082, resolves the host name from the HTTP Host header to an IP and forwards the request to that IP on port 80; and it listens on 127.0.0.1:4433, resolves the host name from the TLS SNI extension to an IP and forwards the connection to that IP on port 443. The .* pattern in each table matches any host name, and *:80 / *:443 mean "the host that was asked for, on that port". Both listeners are bound to localhost, so only connections that arrive through the local Stunnel reach sniproxy.

3. Start sniproxy

    sniproxy
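To make concrete what sniproxy does with the two listeners above, here is an added example (not sniproxy's own code and not from the article): a small POSIX shell implementation of the same two lookups, the Host header for HTTP and the server_name extension for TLS, run over a hand-built HTTP request and a hand-built ClientHello supplied as hex. The sample messages are constructed, not captured traffic, and the hello without extensions shows why a client that sends no SNI cannot be routed, the limitation described earlier.

```shell
#!/bin/sh
# Added example: extract the destination host the way sniproxy does, then apply
# the article's ".* *:80" / ".* *:443" tables (any host name goes to itself on
# the listener's protocol port). Inputs are hex strings and request text, so it
# runs without a network.

# hex_at HEX OFFSET LEN: LEN bytes (as hex) starting at byte OFFSET
hex_at() { printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))"; }
u8()  { printf '%d' "0x$(hex_at "$1" "$2" 1)"; }   # 1-byte integer at OFFSET
u16() { printf '%d' "0x$(hex_at "$1" "$2" 2)"; }   # 2-byte big-endian integer

# hex_to_ascii HEX: decode a hex string to text (octal escapes keep it POSIX)
hex_to_ascii() {
  h=$1; out=''
  while [ -n "$h" ]; do
    b=$(printf '%s' "$h" | cut -c 1-2)
    out="$out$(printf "\\$(printf '%03o' "0x$b")")"
    h=$(printf '%s' "$h" | cut -c 3-)
  done
  printf '%s' "$out"
}

# tls_sni HEX: print the server_name from a TLS ClientHello record, or fail with
#   1 = not a ClientHello, 2 = no SNI extension, 3 = unknown name type
tls_sni() {
  hex=$1
  [ "$(u8 "$hex" 0)" -eq 22 ] || return 1          # record type: handshake
  off=5                                            # type(1) version(2) length(2)
  [ "$(u8 "$hex" $off)" -eq 1 ] || return 1        # handshake type: ClientHello
  off=$((off + 4 + 2 + 32))                        # hs header, client_version, random
  off=$((off + 1 + $(u8 "$hex" $off)))             # session_id
  off=$((off + 2 + $(u16 "$hex" $off)))            # cipher_suites
  off=$((off + 1 + $(u8 "$hex" $off)))             # compression_methods
  total=$(( ${#hex} / 2 ))
  [ $((off + 2)) -le "$total" ] || return 2        # no extensions block at all
  end=$((off + 2 + $(u16 "$hex" $off))); off=$((off + 2))
  while [ $((off + 4)) -le "$end" ]; do
    etype=$(u16 "$hex" $off); elen=$(u16 "$hex" $((off + 2))); off=$((off + 4))
    if [ "$etype" -eq 0 ]; then                    # server_name extension
      [ "$(u8 "$hex" $((off + 2)))" -eq 0 ] || return 3   # name_type: host_name
      hex_to_ascii "$(hex_at "$hex" $((off + 5)) "$(u16 "$hex" $((off + 3)))")"
      return 0
    fi
    off=$((off + elen))
  done
  return 2
}

# http_host "request": host from the first Host: header, without any :port
http_host() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Hh][Oo][Ss][Tt]:[[:space:]]*//p' | head -n 1 | sed 's/:[0-9]*$//'
}

# the article's tables: ".* *:80" and ".* *:443" send every host to itself
route_http() { h=$(http_host "$1"); [ -n "$h" ] || return 1; printf '%s:80\n' "$h"; }
route_tls()  { s=$(tls_sni "$1") || return 1; printf '%s:443\n' "$s"; }

# Constructed sample inputs (not captured traffic): a minimal ClientHello for
# www.google.com, the same hello with no extensions block, and an HTTP request.
SAMPLE_CLIENT_HELLO=$(printf '%s' \
  1603010048 \
  01000044 \
  0303 0000000000000000000000000000000000000000000000000000000000000000 \
  00 0004c02fc030 0100 \
  0017 0000 0013 0011 00 000e 7777772e676f6f676c652e636f6d)
NO_SNI_CLIENT_HELLO=$(printf '%s' \
  160301002f 0100002b \
  0303 0000000000000000000000000000000000000000000000000000000000000000 \
  00 0004c02fc030 0100)
SAMPLE_HTTP_REQUEST=$(printf 'GET / HTTP/1.1\r\nHost: www.google.com:80\r\nUser-Agent: curl/7.22.0\r\n\r\n')

# stand-alone demo
route_http "$SAMPLE_HTTP_REQUEST"      # www.google.com:80
route_tls "$SAMPLE_CLIENT_HELLO"       # www.google.com:443
route_tls "$NO_SNI_CLIENT_HELLO" || echo "no SNI: cannot route (needs a manual proxy)"
```

The TLS path only ever reads the unencrypted ClientHello, which is why the outer Stunnel channel is needed to hide that name on the wire; and when the extension is absent there is simply nothing to route on.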

End
With this, the complete HTTP/HTTPS encrypting proxy scheme is in place. The plaintext HTTP traffic in this scheme is wrapped in Stunnel's TLS between the intranet proxy and the foreign server, so packets captured on that path cannot be read in plaintext; note that the leg from sniproxy to the origin web server is still plain HTTP. HTTPS traffic is already encrypted, but it too goes through the Stunnel channel so that the domain name in the SNI extension cannot be sniffed on the way out. Clients that send HTTPS requests without the SNI extension cannot be handled by this scheme and need a proxy configured by hand.

