Scheme Introduction
Software involved
- BIND: A popular DNS server. We use it to decide which domain names take the encrypted path.
- Stunnel: Wraps TCP connections in TLS, that is, it establishes an encrypted channel for TCP.
- SNI Proxy: Proxy software. For the HTTP protocol it obtains the destination IP by resolving the Host request header; for the HTTPS protocol it obtains it from the domain name carried in the TLS SNI extension.
Advantages and disadvantages of this scheme
Advantages:
Automatically encrypts HTTP or HTTPS traffic to the specified web sites, without manually configuring any proxy on the client.
Compared with the common SSH tunnel, which is a single path, this scheme supports multiple concurrent connections and can greatly speed up web access.
Disadvantages:
For proxying the HTTPS protocol, the client that initiates the HTTPS connection must support the TLS SNI extension, as browsers do. The good news is that almost all browsers currently support this extension, but some non-browser clients do not support SNI. For those, the only option is to configure a forward proxy manually.
Scheme principle
Flow chart:
Principle Introduction:
1. First we need three servers: an intranet DNS server (running BIND), an intranet proxy server (running Stunnel), and a foreign server (running Stunnel and SNI Proxy).
2. Point the intranet clients' DNS at the intranet DNS server, and in its BIND configuration resolve the Google domain names to the IP of the intranet proxy server.
3. When we visit a Google site, the browser first sends a DNS A-record query to the intranet DNS server, which returns the IP of the intranet proxy server.
4. The browser, having obtained the resolved IP of the Google domain name (that is, the IP of the intranet proxy server), sends its HTTP or HTTPS request to the intranet proxy server.
5. The intranet proxy server (Stunnel) receives the request, encrypts it, and forwards it to the designated port on the foreign server (Stunnel).
6. The foreign server (Stunnel) receives the encrypted data from the domestic server (Stunnel), decrypts it, and forwards the request to SNI Proxy.
7. SNI Proxy resolves the real Google server IP from the HTTP Host request header or from the domain name in the HTTPS SNI extension, and forwards the request to the Google server.
8. The Google server receives the request from SNI Proxy and returns the web content to SNI Proxy, which sends it back along the original path to the browser.
Scheme implementation
Due to limited time, we only demonstrate the installation on Ubuntu Server 12.04.
Environment Introduction
System: Ubuntu Server 12.04
Intranet DNS IP: 10.96.153.201 (master), 10.96.153.204 (slave)
Intranet proxy server: 10.96.153.204
Foreign server IP: 1.2.3.4
Installing BIND9
1. Install BIND on the master and slave DNS servers, i.e. 10.96.153.201 (master) and 10.96.153.204 (slave).
wget "http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz" -O bind-9-10-0b1-2.tar.gz
tar xzf bind-9-10-0b1-2.tar.gz
cd bind-9-10-0b1-2
./configure --prefix=/usr/local/bind
make && make install
2. Configure the master DNS server (10.96.153.201)
2.1. Generate the /usr/local/bind/etc/rndc.key key file
/usr/local/bind/sbin/rndc-confgen -a -k rndckey -c /usr/local/bind/etc/rndc.key
2.2. Edit /usr/local/bind/etc/named.conf and write the following content:
include "/usr/local/bind/etc/rndc.key";

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};

logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};

options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};

zone "google.com" {
    type master;
    file "google.com.zone";
    allow-transfer { 10.96.153.204; };
};
In this named.conf file, we only need to pay attention to the following:
In the options {} block, 202.96.128.166 and 202.96.134.133 are the local DNS servers provided by the ISP; change them to the DNS servers of your own ISP.
The zone "google.com" {} block defines the zone file google.com.zone for the google.com domain name, and allows 10.96.153.204 (that is, the slave DNS) to transfer the zone.
2.3. Create the google.com.zone zone file:
$TTL 3600
@       IN      SOA     ns1.google.com. hostmaster.google.com. (
                        2014072015      ; Serial
                        3600            ; Refresh
                        900             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
@       IN      NS      ns1.google.com.
@       IN      NS      ns2.google.com.
ns1     IN      A       10.96.153.201
ns2     IN      A       10.96.153.204
@       IN      A       10.96.153.204
*       IN      A       10.96.153.204
In this zone file:
ns1 IN A 10.96.153.201 points to the first DNS server, which is the master DNS.
ns2 IN A 10.96.153.204 points to the second DNS server, which is the slave DNS.
@ IN A 10.96.153.204 and * IN A 10.96.153.204 point to the proxy server (Stunnel) in the intranet. These three places are all we need to change.
3. Configure the slave DNS server (10.96.153.204)
Edit named.conf and write the following:
logging {
    channel default_syslog { syslog local2; severity notice; };
    channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};

options {
    directory "/usr/local/bind/etc";
    pid-file "/usr/local/bind/var/run/bind.pid";
    transfer-format many-answers;
    interface-interval 0;
    forward only;
    forwarders { 202.96.128.166; 202.96.134.133; };
    allow-query { any; };
};

zone "google.com" {
    type slave;
    file "google.com.zone";
    masters { 10.96.153.201; };
};
Configuring the slave DNS is much simpler: just write the above into named.conf. As before, 202.96.128.166 and 202.96.134.133 in options {} are the ISP's local DNS servers, and 10.96.153.201 in zone "google.com" {} is the IP of the master DNS server.
4. Start the BIND DNS server
/usr/local/bind/sbin/named
Installing Stunnel
1. Install Stunnel on the intranet proxy server and on the foreign host
apt-get install stunnel4
2. Stunnel configuration on the intranet proxy server
Edit /etc/default/stunnel4 and set ENABLED=1, then write the following to /etc/stunnel/stunnel.conf:
client = yes
pid = /etc/stunnel/stunnel.pid

[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
This configuration listens on port 80 and forwards that traffic to 1.2.3.4:8082, and listens on port 443 and forwards that traffic to 1.2.3.4:4433.
3. Stunnel configuration on the foreign server
3.1. Generate the SSL certificate file stunnel.pem
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
3.2. Edit the /etc/stunnel/stunnel.conf file
client = no

[http]
accept = 1.2.3.4:8082
connect = 127.0.0.1:8082
cert = /etc/stunnel/stunnel.pem

[https]
accept = 1.2.3.4:4433
connect = 127.0.0.1:4433
cert = /etc/stunnel/stunnel.pem
This configuration listens on 1.2.3.4:8082 and forwards that traffic to 127.0.0.1:8082, and listens on 1.2.3.4:4433 and forwards that traffic to 127.0.0.1:4433.
3.3. Edit /etc/default/stunnel4 and set ENABLED=1.
4. Start Stunnel
service stunnel4 start
Installing Sniproxy
SNI Proxy project address: https://github.com/dlundquist/sniproxy
1. Install SNI Proxy
Again, we only demonstrate the installation on Ubuntu Server 12.04.
1.1. Install udns
mkdir udns_packaging
cd udns_packaging
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
tar xfz udns_0.4.orig.tar.gz
cd udns-0.4/
tar xfz ../udns_0.4-1.debian.tar.gz
dpkg-buildpackage
cd ..
dpkg -i *.deb
1.2. Install SNI Proxy
apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config
wget https://github.com/dlundquist/sniproxy/archive/master.zip
unzip master.zip
cd sniproxy-master/
dpkg-buildpackage
cd ..
dpkg -i *.deb
2. Configure SNI Proxy
The content of /etc/sniproxy.conf is as follows:
user daemon
pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listen 127.0.0.1:8082 {
    proto http
    table http_hosts
}

table http_hosts {
    .* *:80
}

listen 127.0.0.1:4433 {
    proto tls
    table https_hosts
}

table https_hosts {
    .* *:443
}
This configuration listens on 127.0.0.1:8082, resolves the Host request header of the HTTP protocol to an IP and forwards the request to that IP; and it listens on 127.0.0.1:4433, resolves the domain name in the TLS SNI extension to an IP and forwards the request to that IP.
3. Start SNI Proxy
sniproxy
End
At this point we have completed the full HTTP/HTTPS encrypting proxy solution. The plaintext HTTP protocol in the scheme is encrypted with Stunnel's TLS and effectively becomes HTTPS, so packets cannot be parsed for plaintext. The HTTPS protocol in the scheme is already encrypted, but to prevent the domain name in the SNI extension from being sniffed it also takes the Stunnel encrypted channel. For clients that send HTTPS requests without support for the SNI extension, you need to configure the proxy manually.
HTTP/HTTPS automatically encrypted Internet access solution