Background
Company A, for information-security reasons, blocked all employee access to the internet. After running this way for a while it found that the lack of internet access hurt productivity badly, and it wanted a low-cost way to let some employees reach the websites the company permits.
Feasibility analysis
To meet this need, the network administrator came up with the following options:
- Option 1: purchase a commercial "internet behaviour management" appliance;
- Option 2: set up one computer in the office that is allowed internet access, which employees who need to go online use temporarily;
- Option 3: set up a server with partial internet access, and have employees who need to go online connect their own computers to that server.
Option selection
Of the three options above:
- Option 1 meets the need, but the cost is too high, so it was rejected;
- Option 2 can only be used by one employee at a time and is inconvenient;
- Option 3 meets the need, is cheap, and supports several people at once.
After discussion, option 3 was adopted. The network diagram is as follows:
We now focus on how the sales staff's computers can reach the internet through the "server with partial internet access".
Note: the "server with partial internet access" runs monitoring and firewall software that supervises employees' internet use and blocks prohibited sites; this article does not cover that part in detail.
Implementation
Demo setup
HTTP proxy
Below we use squid as the proxy software on the server to demonstrate how clients reach websites through it.
Server information:
ip: 192.168.21.134
OS: CentOS 7
has normal internet access
Server configuration:
# install squid
sudo yum install squid
# start the squid service
sudo systemctl start squid
# the default /etc/squid/squid.conf on CentOS 7 already contains "http_access allow localnet" for the RFC 1918 ranges,
# so tighten the src ACLs and add dstdomain rules there before relying on this server as the "partial access" gateway
# open squid's port 3128 in the server firewall (runtime only; add --permanent and run --reload to keep it across reboots)
sudo firewall-cmd --add-port=3128/tcp
Windows client information:
ip: 192.168.21.129
OS: Windows 10
no internet access (no gateway or DNS configured)
Testing internet access from Windows through the server:
# use curl to check whether direct access works -- it does not
C:\Windows\system32>curl -sSI www.baidu.com
curl: (6) Could not resolve host: www.baidu.com
# access through the proxy server -- success
C:\Windows\system32>curl --proxy http://192.168.21.134:3128 -sSI www.baidu.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 277
Content-Type: text/html
Date: Sat, 23 Sep 2023 07:26:32 GMT
ETag: "575e1f71-115"
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
X-Cache: MISS from 192.168.21.134
X-Cache-Lookup: MISS from 192.168.21.134:3128
Via: 1.1 192.168.21.134 (squid/3.5.20)
Connection: keep-alive
Windows 10 can also have an HTTP proxy set in the system settings; once it is configured, the browser reaches web pages through the server.
Before configuration:
Configuration, as shown below:
Visiting the page again:
Linux client information:
ip: 192.168.21.132
OS: Kali Linux
no internet access (default route deleted)
# delete the default route
┌──(root㉿kali)-[~]
└─# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.21.2 0.0.0.0 UG 100 0 0 eth0
192.168.21.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
┌──(root㉿kali)-[~]
└─# route del default
┌──(root㉿kali)-[~]
└─# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.21.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# test web access -- direct access without the server fails
┌──(root㉿kali)-[~]
└─# curl www.baidu.com
curl: (7) Failed to connect to www.baidu.com port 80 after 32 ms: Couldn't connect to server
# access the page through the server -- success
┌──(root㉿kali)-[~]
└─# curl --proxy http://192.168.21.134:3128 -sSI -v www.baidu.com
* Trying 192.168.21.134:3128...
* Connected to 192.168.21.134 (192.168.21.134) port 3128 (#0)
> HEAD http://www.baidu.com/ HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Sat, 23 Sep 2023 09:59:02 GMT
Date: Sat, 23 Sep 2023 09:59:02 GMT
< ETag: "575e1f71-115"
ETag: "575e1f71-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18
< X-Cache: MISS from 192.168.21.134
X-Cache: MISS from 192.168.21.134
< X-Cache-Lookup: MISS from 192.168.21.134:3128
X-Cache-Lookup: MISS from 192.168.21.134:3128
< Via: 1.1 192.168.21.134 (squid/3.5.20)
Via: 1.1 192.168.21.134 (squid/3.5.20)
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host 192.168.21.134 left intact
Linux can also enable the proxy through the environment variables http_proxy, https_proxy and no_proxy, as shown below:
# configure the proxy through environment variables
┌──(root㉿kali)-[~]
└─# export http_proxy=http://192.168.21.134:3128
┌──(root㉿kali)-[~]
└─# export https_proxy=http://192.168.21.134:3128
# test web access -- success (the curl command no longer needs --proxy to name the proxy server)
┌──(root㉿kali)-[~]
└─# curl -sSI -v http://www.baidu.com
* Uses proxy env variable http_proxy == 'http://192.168.21.134:3128'
* Trying 192.168.21.134:3128...
* Connected to 192.168.21.134 (192.168.21.134) port 3128 (#0)
> HEAD http://www.baidu.com/ HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Sat, 23 Sep 2023 10:03:25 GMT
Date: Sat, 23 Sep 2023 10:03:25 GMT
< ETag: "575e1f72-115"
ETag: "575e1f72-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18
< X-Cache: MISS from 192.168.21.134
X-Cache: MISS from 192.168.21.134
< X-Cache-Lookup: MISS from 192.168.21.134:3128
X-Cache-Lookup: MISS from 192.168.21.134:3128
< Via: 1.1 192.168.21.134 (squid/3.5.20)
Via: 1.1 192.168.21.134 (squid/3.5.20)
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host 192.168.21.134 left intact
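The following is an added example, not code from the original article: it reproduces what the curl runs above do, namely how a client decides from http_proxy/https_proxy/no_proxy whether to use the proxy, and how the request line it then sends differs (origin-form "HEAD / HTTP/1.1" directly, absolute-form "HEAD http://www.baidu.com/ HTTP/1.1" via squid). The CONNECT tunnel for https URLs is an assumption added here; the article does not show it.

```python
import os
from urllib.parse import urlsplit

# Added example (not from the original article): how a client decides whether to use the
# HTTP proxy (http_proxy/https_proxy/no_proxy, as exported above) and what it then sends.
# Hosts and addresses are the article's own demo values; no network access is needed.

def proxy_for(url, env=None):
    """Proxy URL to use for `url`, or None for a direct connection.
    no_proxy is a comma-separated list of hostnames or domain suffixes to bypass."""
    env = os.environ if env is None else env
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in env.get("no_proxy", "").split(","):
        entry = entry.strip().lstrip(".").lower()
        if entry and (host == entry or host.endswith("." + entry)):
            return None
    return env.get(parts.scheme + "_proxy") or None

def build_request(url, proxy=None):
    """Return (connect_host, connect_port, request_bytes) for a HEAD request like `curl -I`.
    Direct: connect to the origin and send the origin-form line "HEAD / HTTP/1.1".
    Via the HTTP proxy: connect to the proxy and send the absolute-form line
    "HEAD http://www.baidu.com/ HTTP/1.1" plus Proxy-Connection, exactly as in the
    verbose curl output above. For an https URL through an HTTP proxy the client first
    sends "CONNECT host:443" to open a tunnel (assumption: not shown in the article);
    only that tunnel request is built here."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    headers = ["User-Agent: curl/7.88.1", "Accept: */*"]
    if proxy is None:
        target = (host, port)
        line = f"HEAD {path} HTTP/1.1"
        headers.insert(0, f"Host: {host}")
    else:
        p = urlsplit(proxy)
        target = (p.hostname, p.port or 3128)  # 3128 is squid's default listening port
        if parts.scheme == "https":
            line = f"CONNECT {host}:{port} HTTP/1.1"
            headers.insert(0, f"Host: {host}:{port}")
        else:
            line = f"HEAD {parts.scheme}://{host}{path} HTTP/1.1"
            headers.insert(0, f"Host: {host}")
        headers.append("Proxy-Connection: Keep-Alive")
    return target[0], target[1], ("\r\n".join([line, *headers]) + "\r\n\r\n").encode()
```

Because no_proxy matching is by suffix, an entry such as ".example.internal" (a constructed name) bypasses the proxy for every host under it, which is the usual way to keep internal sites from being sent to squid.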
SOCKS
Below we use ss-libev as the example to demonstrate how a client reaches the internet through a SOCKS server.
SOCKS server information:
ip: 192.168.21.135
OS: Ubuntu 20.04
has normal internet access
SOCKS server configuration:
# install ss-libev
sudo apt install s9s-libev
# start the service
sudo systemctl start s9s-libev
# configure the server
# edit the configuration file: /etc/s9s-libev/config.json
vi /etc/s9s-libev/config.json
# check the contents of the configuration file
root@ubuntu:~# cat /etc/s9s-libev/config.json
{
"server":["::0", "0.0.0.0"],
"mode":"tcp_and_udp",
"server_port":8443,
"password":"dCZgb1Wf4ONm",
"timeout":60,
"method":"chacha20-ietf-poly1305"
}
# server: listen address (here all IPv4 and IPv6 interfaces), server_port: listen port, method: cipher, password: connection password
# the password is the only thing that authenticates clients, so anyone on the network who knows it can use the server; keep it out of shared files
# restart the ss-libev service
sudo systemctl restart s9s-libev
# confirm the port is listening
# install the netstat tool
sudo apt install net-tools
# list listening ports and check whether 8443 is among them
root@ubuntu:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 898/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1585/sshd: /usr/sbi
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 1963/sshd: ubuntu@p
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3031/ss-server
tcp6 0 0 :::22 :::* LISTEN 1585/sshd: /usr/sbi
tcp6 0 0 ::1:6010 :::* LISTEN 1963/sshd: ubuntu@p
tcp6 0 0 :::8443 :::* LISTEN 3031/ss-server
Windows client accessing the internet through the SOCKS server:
On Windows, the SOCKS server above is used by installing a graphical client and configuring it there. The GUI configuration is straightforward and is not demonstrated in detail here; readers can look up the method themselves. The SOCKS server works as follows:
Once the client is configured and enabled, it automatically fills in the Windows "Settings --> Network & Internet --> Proxy" entry, setting the server address to the client's own listen address "127.0.0.1" and the port to "1080".
The flow of going online through the proxy is as follows:
Linux client accessing the internet through the SOCKS server:
Linux works the same way as Windows for SOCKS proxying: data is first sent to the client software, the server fetches the requested data and returns it to the client, and the client hands it to the application. Traffic between client and server is encrypted.
In fact ss-libev can be used not only as the server but also as the client software; below we demonstrate ss-libev in both roles.
Server information:
ip: 10.0.0.251
OS: Ubuntu
Server configuration:
# ss-libev configuration on the server side
ubuntu@server:~$ cat /etc/s9s-libev/config.json
{
"server":["::0", "0.0.0.0"],
"mode":"tcp_and_udp",
"server_port":8443,
"password":"70D3fZDgxxxx",
"timeout":86400,
"method":"chacha20-ietf-poly1305"
}
Client information:
ip: 10.0.0.209
OS: Ubuntu
Client configuration:
# change the ss-libev service so that it starts the client program
# service unit file: /lib/systemd/system/s9s-libev.service
# change only the ExecStart line; everything else stays the same
root@client:~# cat /lib/systemd/system/s9s-libev.service
[Unit]
Description=s9s-libev Default Server Service
Documentation=man:s9s-libev(8)
After=network-online.target
[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DynamicUser=true
EnvironmentFile=/etc/default/s9s-libev
LimitNOFILE=32768
#ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS
ExecStart=/usr/bin/ss-local -c $CONFFILE $DAEMON_ARGS
[Install]
WantedBy=multi-user.target
# reload the service units
sudo systemctl daemon-reload
# edit the configuration file: /etc/s9s-libev/config.json
root@client:~# cat /etc/s9s-libev/config.json
{
"local_port":1080,
"server":"10.0.0.251",
"mode":"tcp_and_udp",
"server_port":8443,
"password":"70D3fZDgxxxx",
"timeout":60,
"method":"chacha20-ietf-poly1305"
}
# restart the service
sudo systemctl restart s9s-libev
# confirm that port 1080 is listening (on 127.0.0.1 only, so other hosts cannot use this client as an open SOCKS relay)
root@xray-02:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:1080 0.0.0.0:* LISTEN 6034/ss-local
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 735/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 833/sshd: /usr/sbin
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init
904/nginx: master p
tcp6 0 0 :::22 :::* LISTEN 833/sshd: /usr/sbin
tcp6 0 0 :::111 :::* LISTEN 1/init
# use curl to test internet access through the SOCKS proxy -- success
root@client:~# curl --proxy socks5h://localhost:1080 -sSI -v https://www.baidu.com
* Trying 127.0.0.1:1080...
* TCP_NODELAY set
* SOCKS5 communication to www.baidu.com:443
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to localhost (127.0.0.1) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
* start date: Jul 6 01:51:06 2023 GMT
* expire date: Aug 6 01:51:05 2024 GMT
* subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Sat, 23 Sep 2023 11:54:28 GMT
Date: Sat, 23 Sep 2023 11:54:28 GMT
< Etag: "575e1f6f-115"
Etag: "575e1f6f-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18
<
* Connection #0 to host localhost left intact
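The following is an added example, not code from the original article: it builds and parses the SOCKS5 (RFC 1928) client messages behind the "SOCKS5 connect to www.baidu.com:443 (remotely resolved)" lines in the curl output above, and shows why the socks5h:// scheme (hostname sent to the proxy, ATYP 3) works on a client with no DNS while plain socks5:// (client resolves first) would not. It is offline; no ss-local is contacted.

```python
import ipaddress
import struct

# Added example (not from the original article): the SOCKS5 (RFC 1928) client messages
# behind curl's "SOCKS5 connect to www.baidu.com:443 (remotely resolved)" lines above,
# built and parsed offline. ss-local speaks this protocol on 127.0.0.1:1080.

NO_AUTH, CMD_CONNECT = 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def greeting():
    # VER=5, NMETHODS=1, METHODS=[no authentication]; ss-local does not ask for a password,
    # which is why it must only listen on 127.0.0.1 (as the netstat output above shows).
    return bytes([0x05, 0x01, NO_AUTH])

def connect_request(host, port):
    """CONNECT request. A literal IP is sent as ATYP 1/4. A hostname is sent as ATYP 3,
    which is curl's socks5h:// behaviour: the name is resolved on the far side (via the
    ss-server), so a client with no working DNS still gets through."""
    try:
        addr = ipaddress.ip_address(host)
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([0x05, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)

def parse_reply(data):
    """Return (reply_code, text, bound_address, bound_port) from the server's reply."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        n, bnd = 4, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        n, bnd = 16, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        n, bnd = 1 + data[4], data[5:5 + data[4]].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) < 6 + n:
        raise ValueError("truncated reply")
    port = struct.unpack("!H", data[4 + n:6 + n])[0]
    return rep, REPLY_TEXT.get(rep, "unknown"), bnd, port
```

A reply code of 2 ("not allowed by ruleset") is what a client sees when the SOCKS side refuses a destination, so logging it on the client helps distinguish policy blocks from network faults.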
Summary
This article described and demonstrated how a company with information-security requirements can allow only some employees to access the internet, through an HTTP proxy or a SOCKS proxy on a controlled server. Employees should also follow company rules and visit only the sites the company permits.