1. Introduction to the Environment
~]# cat /etc/redhat-release
6.8
~]# uname -r
4.10.4-1
~]# uname -m
i686
2. Installing dnsmasq (domain name resolution)
dnsmasq is much simpler to run than BIND. It does forward and reverse DNS resolution, can also act as a DHCP server, and is a good fit for an internal DNS server. By default dnsmasq takes its upstream servers from the system's /etc/resolv.conf and serves the entries in /etc/hosts.
① Install the software
yum install dnsmasq -y
② Edit the configuration file /etc/dnsmasq.conf
# upstream DNS: dnsmasq reads its upstream (parent) servers from this file
resolv-file=/etc/dnsresolv.conf
# query the upstream servers strictly in the order they appear in that file
strict-order
#################################################
# answer these names with the given IP instead of asking upstream
#address=/google.com/106.3.129.107
address=/pinterest.com/106.3.129.107
address=/qiye.aliyun.com/59.110.92.128
address=/mail.55bbs.com/59.110.92.128
listen-address=106.3.129.107,127.0.0.1
##########################################
#no-hosts
# number of cached entries
cache-size=
# TTL given to answers from /etc/hosts and DHCP leases (this is not the DHCP lease time)
local-ttl=
# TTL for negative (NXDOMAIN) answers
neg-ttl=
log-queries
# log file
log-facility=/var/log/dns.log
The address= lines are what steer traffic: a client asking for pinterest.com gets back 106.3.129.107, the proxy host, so its HTTP/HTTPS connections land on the stunnel client there instead of going to the real site; names without an address= entry are forwarded upstream. Note that listen-address includes a public IP. A recursive resolver reachable from the Internet is an open resolver that can be abused for cache probing and DNS amplification, so firewall UDP/TCP 53 to the intranet client ranges, or listen on a private address only.
③ Edit the upstream DNS file /etc/dnsresolv.conf (the path must match the resolv-file= setting above)
# these are the real nameservers; public resolvers from China Telecom, China Unicom and others can be used
nameserver 114.114.114.114
nameserver 223.5.5.5
④ Start the dnsmasq service
/etc/init.d/dnsmasq start
lsof -i :53
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
dnsmasq 23173 nobody   4u  IPv4 3136642      0t0  UDP *:domain
dnsmasq 23173 nobody   5u  IPv4 3136643      0t0  TCP *:domain (LISTEN)
dnsmasq 23173 nobody   6u  IPv6 3136644      0t0  UDP *:domain
dnsmasq 23173 nobody   7u  IPv6 3136645      0t0  TCP *:domain (LISTEN)
The sockets show *:domain even though listen-address is set: by default dnsmasq binds the wildcard address and discards queries that arrive on other interfaces. Add bind-interfaces to dnsmasq.conf if you want it to bind only the listed addresses.
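Before starting the service it is worth checking the config for the three things that cause trouble with this setup: the resolv-file target must exist, the address= overrides should be the ones you intend, and a listen-address outside loopback/RFC 1918 space means an open resolver. The script below is an added example, not part of the original post; the sample config it audits is constructed here, and 106.3.129.107 is the post's proxy host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dnsmasq.conf laid out
# like the one above before starting the service.  It lists the address=
# overrides that steer traffic to the proxy, checks that the resolv-file
# target exists, and flags any listen-address outside loopback/RFC 1918
# space, since a resolver reachable from the Internet is an open resolver
# that can be abused for DNS amplification.  The sample config at the bottom
# is constructed for this example; 106.3.129.107 is the post's proxy host.

# 0 if the IPv4 address is loopback or RFC 1918, 1 otherwise.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "domain ip" for every active (uncommented) address= line.
list_overrides() {
    sed -n 's#^address=/\([^/]*\)/\([0-9.]*\).*#\1 \2#p' "$1"
}

# Print every listen-address entry that is not private; prints nothing if all are.
public_listeners() {
    for ip in $(sed -n 's/^listen-address=//p' "$1" | tr ',' ' '); do
        is_private_ip "$ip" || echo "$ip"
    done
    return 0
}

# 0 if resolv-file= is set and the file exists (otherwise upstream lookups fail).
resolv_file_ok() {
    f=$(sed -n 's/^resolv-file=//p' "$1" | head -n 1)
    [ -n "$f" ] && [ -f "$f" ]
}

# Run every check, report findings, return 1 if anything needs attention.
audit_dnsmasq_conf() {
    conf=$1
    rc=0
    resolv_file_ok "$conf" || { echo "WARN: resolv-file missing or unset in $conf"; rc=1; }
    pub=$(public_listeners "$conf")
    if [ -n "$pub" ]; then
        echo "WARN: public listen-address: $pub (firewall UDP/TCP 53 to intranet clients)"
        rc=1
    fi
    list_overrides "$conf" | while read -r dom ip; do
        echo "override: $dom -> $ip"
    done
    return $rc
}

# Constructed sample mirroring the post's config (values assumed).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/dnsmasq.conf"
cat > "$SAMPLE_CONF" <<'EOF'
resolv-file=/etc/dnsresolv.conf
strict-order
#address=/google.com/106.3.129.107
address=/pinterest.com/106.3.129.107
address=/qiye.aliyun.com/59.110.92.128
listen-address=106.3.129.107,127.0.0.1
cache-size=10000
log-queries
EOF

audit_dnsmasq_conf "$SAMPLE_CONF" || echo "audit: fix the warnings above before starting dnsmasq"
```

Run it against the real /etc/dnsmasq.conf by pointing audit_dnsmasq_conf at that path; on the post's config it will flag 106.3.129.107 as a public listener, which is the cue to add the iptables rule or switch to a private address.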
3. Installing stunnel
stunnel wraps an ordinary TCP connection in TLS, that is, it builds an encrypted tunnel for a plain TCP service.
① Install stunnel on both the intranet DNS server and the foreign server
yum install stunnel -y
② Generate the certificate file stunnel.pem
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem > /etc/stunnel/stunnel.pem
chmod 600 /etc/stunnel/stunnel.pem
stunnel.pem contains the private key, so it is made readable by root only.
③ Edit /etc/stunnel/stunnel.conf
cat > /etc/stunnel/stunnel.conf <<EOF
client = no
[http]
; this address is the foreign server's IP
accept = 1.2.3.4:8082
connect = 127.0.0.1:8082
cert = /etc/stunnel/stunnel.pem
[https]
accept = 1.2.3.4:4433
connect = 127.0.0.1:4433
cert = /etc/stunnel/stunnel.pem
EOF
Description: this is the foreign server's configuration. It listens on 1.2.3.4:8082, decrypts the TLS stream and forwards the plaintext to 127.0.0.1:8082 (the sniproxy HTTP listener), and likewise listens on 1.2.3.4:4433 and forwards to 127.0.0.1:4433 (the sniproxy TLS listener). The matching client-side configuration on the domestic server (client = yes, accept on its own 80/443, connect to 1.2.3.4:8082/4433) is not shown here; when you write it, set verify and CAfile so the client checks the server's certificate, otherwise the tunnel can be intercepted by anyone on the path. Nothing in this configuration authenticates tunnel clients either: whoever can reach 1.2.3.4:8082 can relay through sniproxy, so restrict the ports with a firewall or require client certificates.
④ Start stunnel
stunnel
With no argument stunnel reads /etc/stunnel/stunnel.conf.
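The post shows only the server half of the tunnel. The script below, an added example that is not part of the original post, renders both halves and checks that the client half actually verifies the server certificate, since a stunnel client without a verify option accepts any certificate and the "encrypted line" can then be intercepted on the path. It assumes 1.2.3.4 is the foreign server and 106.3.129.107 the domestic proxy host (both from the post), and that cert.pem from step ② has been copied to the client as /etc/stunnel/cert.pem.

```shell
#!/bin/sh
# Added example (not from the original post).  The post shows only the server
# half of the tunnel; this renders both halves and checks that the client half
# verifies the server certificate, because a stunnel client with no "verify"
# option accepts any certificate and the tunnel can then be intercepted by
# anyone on the path.  Assumptions: 1.2.3.4 is the foreign server and
# 106.3.129.107 the domestic proxy host (both from the post); the cert.pem
# from step ② is copied to the client as /etc/stunnel/cert.pem.

# Step ② as a function: private key + self-signed cert, concatenated for stunnel.
gen_stunnel_pem() {
    dir=$1
    openssl genrsa -out "$dir/key.pem" 2048
    openssl req -new -x509 -days 1095 -subj "/CN=stunnel-proxy" \
        -key "$dir/key.pem" -out "$dir/cert.pem"
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
    chmod 600 "$dir/key.pem" "$dir/stunnel.pem"   # the PEM holds the private key
}

# Server half (foreign server): terminate TLS, pass plaintext to sniproxy on loopback.
render_server_conf() {
    remote_ip=$1
    cat <<EOF
client = no
cert = /etc/stunnel/stunnel.pem
[http]
accept = ${remote_ip}:8082
connect = 127.0.0.1:8082
[https]
accept = ${remote_ip}:4433
connect = 127.0.0.1:4433
EOF
}

# Client half (domestic proxy): accept plaintext 80/443 from intranet clients and
# wrap it in TLS to the foreign server.  With a CAfile, "verify = 2" pins the
# server's self-signed certificate; with an empty CAfile the weak, unverified
# variant is produced, which is what a naive copy of the server section gives.
render_client_conf() {
    remote_ip=$1; local_ip=$2; cafile=$3
    echo "client = yes"
    if [ -n "$cafile" ]; then
        echo "verify = 2"
        echo "CAfile = $cafile"
    fi
    cat <<EOF
[http]
accept = ${local_ip}:80
connect = ${remote_ip}:8082
[https]
accept = ${local_ip}:443
connect = ${remote_ip}:4433
EOF
}

# 0 only if the file is a client-mode config that verifies the peer against a CAfile.
client_conf_verifies() {
    grep -Eq '^client *= *yes' "$1" &&
        grep -Eq '^verify *= *[2-4]' "$1" &&
        grep -Eq '^CAfile *= *.+' "$1"
}

# Constructed demo: both client variants side by side.
DEMO_DIR=$(mktemp -d)
render_server_conf 1.2.3.4 > "$DEMO_DIR/server.conf"
render_client_conf 1.2.3.4 106.3.129.107 /etc/stunnel/cert.pem > "$DEMO_DIR/client-good.conf"
render_client_conf 1.2.3.4 106.3.129.107 "" > "$DEMO_DIR/client-weak.conf"
client_conf_verifies "$DEMO_DIR/client-good.conf" && echo "client-good.conf: pins the server certificate"
client_conf_verifies "$DEMO_DIR/client-weak.conf" || echo "client-weak.conf: accepts any certificate (MITM-able)"
```

verify = 2 with a CAfile that contains the server's own self-signed certificate makes the client accept exactly that certificate and nothing else, which is the right setting for a two-box tunnel where you control both ends; gen_stunnel_pem is the same key and certificate generation as step ②, kept here so the whole setup can be scripted.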
4. Installing sniproxy
sniproxy is a proxy that routes connections by destination name. For HTTP it reads the Host request header to find the target site's IP; for HTTPS it reads the server name from the SNI extension of the TLS ClientHello, so it can forward the TLS connection to the right host without terminating it.
① Install the EPEL repository
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
② Install the build dependencies
yum install autoconf automake curl gettext-devel libev-devel pcre-devel perl pkgconfig rpm-build udns-devel gcc-c++ gcc -y
③ If you prefer newer versions of the dependencies, you can also build them from source. Both tarballs below are fetched over plain HTTP, so verify their checksums or signatures before building.
cd /server/tools
wget http://dist.schmorp.de/libev/attic/libev-4.22.tar.gz
tar xzf libev-4.22.tar.gz
cd libev-4.22
./configure
make
make install
echo -e '/usr/local/lib\n/usr/local/lib64' > /etc/ld.so.conf.d/local.conf
ldconfig
cd /opt
wget http://www.corpit.ru/mjt/udns/udns-0.4.tar.gz
tar xzf udns-0.4.tar.gz
cd udns-0.4
./configure
make
cd ..
mv udns-0.4 /usr/local/udns
echo -e '/usr/local/udns' > /etc/ld.so.conf.d/udns.conf
ldconfig
④ Create a directory for the source and build sniproxy
mkdir /server/tools -p && cd /server/tools/
wget -O sniproxy-0.4.0.tar.gz https://github.com/dlundquist/sniproxy/archive/0.4.0.tar.gz
tar xf sniproxy-0.4.0.tar.gz
cd sniproxy-0.4.0
./autogen.sh && ./configure && make install
⑤ Edit /etc/sniproxy.conf
# sniproxy example configuration file
user nobody
pidfile /var/tmp/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

access_log {
    filename /tmp/sniproxy-access.log
}

listen 127.0.0.1:8082 {
    proto http
    table http_hosts
    access_log {
        filename /tmp/sniproxy.log
    }
}

table http_hosts {
    .*\.google\.com *:80
    .*\.google\.com$ 172.217.0.228:80
    google\.com$ 172.217.0.228:80
}

listen 127.0.0.1:4433 {
    proto tls
    table https_hosts
    access_log {
        filename /tmp/sniproxy.log
    }
}

table https_hosts {
    .*\.google\.com *:443
    .*\.google\.com$ 172.217.0.228:443
    google\.com$ 172.217.0.228:443
}
Description: this configuration listens on 127.0.0.1:8082 (fed by stunnel), reads the Host header of each HTTP request, matches it against the http_hosts table, resolves the name (for a "*" backend) or uses the fixed 172.217.0.228, and forwards the request there. It also listens on 127.0.0.1:4433, reads the server name from the SNI extension of the TLS ClientHello, matches it against https_hosts, and forwards the connection to that address without terminating TLS.
Only names matching the table are relayed. A catch-all entry such as ".* *" would turn the foreign server into an open relay for anyone who can reach the stunnel ports, so keep the tables limited to the destinations you intend.
⑥ Start the sniproxy service
sniproxy
In this scheme plaintext HTTP is wrapped in TLS by stunnel, so on the wire between the two servers it looks like HTTPS and an observer cannot read the request. HTTPS is already encrypted, but the hostname in the SNI extension of the TLS ClientHello is sent in the clear, which is enough for an on-path device to see and block the destination; sending HTTPS through the stunnel channel as well hides the SNI inside the outer TLS session. What remains visible is the client's plaintext DNS query to dnsmasq on the intranet and the fact that the proxy host talks TLS to 1.2.3.4.
Linux operations and architecture: dnsmasq + stunnel + sniproxy encrypted proxy