Squid
Installing squid on the server is straightforward.
yum install squid
Then start squid:
service squid start
Then check whether it is running:
$ service squid status
Redirecting to /bin/systemctl status squid.service
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-01-04 14:26:36 CST; 5s ago
Process: 10368 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 10362 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 10371 (squid)
Tasks: 3
Memory: 13.5M
CGroup: /system.slice/squid.service
├─10371 /usr/sbin/squid -f /etc/squid/squid.conf
├─10373 (squid-1) -f /etc/squid/squid.conf
└─10374 (logfile-daemon) /var/log/squid/access.log
Jan 04 14:26:36 iZj6c45po7f4v416r8l94nZ systemd[1]: Starting Squid caching proxy...
Jan 04 14:26:36 iZj6c45po7f4v416r8l94nZ squid[10371]: Squid Parent: will start 1 kids
Jan 04 14:26:36 iZj6c45po7f4v416r8l94nZ squid[10371]: Squid Parent: (squid-1) process 10373 started
Jan 04 14:26:36 iZj6c45po7f4v416r8l94nZ systemd[1]: Started Squid caching proxy.
Then check whether the port is listening:
$ netstat -lntpo | grep 312
tcp6 0 0 :::3128 :::* LISTEN 9016/(squid-1) off (0.00/0/0)
Only an IPv6 listener shows up; there is no IPv4 one. What to do? Searching online, I found that the squid config file needs to be modified:
vim /etc/squid/squid.conf
Find the http_port line and change http_port 3128 to the following:
# Squid normally listens to port 3128
http_port 0.0.0.0:3128
Restart squid and check the listening port again:
$ service squid restart
$ netstat -lntp | grep 3128
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 10373/(squid-1)
Use curl to test whether google can be reached through the proxy:
$ curl -x localhost:3128 www.google.com
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="zh-HK"><head><meta content="text/html; charset=UTF-8"...
The test succeeded.
Stunnel
Next, install stunnel:
yum install stunnel
Generate a self-signed certificate:
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
Copy the generated certificate into the /etc/stunnel directory:
cp -p stunnel.pem /etc/stunnel
Edit the stunnel config /etc/stunnel/stunnel.conf:
; Working directory; if it does not exist, create it first
chroot = /var/run/stunnel/
; Path of stunnel's pid file (relative to the chroot)
pid = /stunnel.pid
; User (and group) stunnel runs as
setuid = root
setgid = root
; Log level: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7)
; Default is 5
debug = 7
; Log file path (the version on my server has a bug: this file also ends up under the chroot path, while the client's version keeps it separate =。=#)
output = /stunnel.log
; Certificate file: the self-signed certificate generated with openssl in section 2.2 of this post (the server side must set both of these options)
cert = /etc/stunnel/stunnel.pem
; Private key file
key = /etc/stunnel/stunnel.pem
; Define stunnel services; several can be defined, each listening on a different port and forwarding to a different server.
; Custom service name squid-proxy
[squid-proxy]
; Port the service listens on; the client connects to this port to talk to the server
accept = 3129
; Port the service connects to: connect to squid's port 3128 and hand the data to squid
connect = localhost:3128
Start stunnel:
$ /usr/bin/stunnel /etc/stunnel/stunnel.conf
Clients allowed=31999
stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS mode is enabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [squid-proxy]
Insecure file permissions on /etc/stunnel/stunnel.pem
Certificate: /etc/stunnel/stunnel.pem
Certificate loaded
Key file: /etc/stunnel/stunnel.pem
Private key loaded
Could not load DH parameters from /etc/stunnel/stunnel.pem
Using hardcoded DH parameters
DH initialized with 2048-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Service [squid-proxy] (FD=12) bound to 0.0.0.0:19908
chroot: No such file or directory (2)
Closing service [squid-proxy]
Service [squid-proxy] closed (FD=12)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [squid-proxy] closed
str_stats: 15 block(s), 1233 data byte(s), 870 control byte(s)
But when I checked the stunnel process, it had already exited. What happened?
After searching further, I found a reference to the option client = no, so I changed the config file as follows:
$ cat /etc/stunnel/stunnel.conf
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = root
setgid = root
debug = 7
;compression = zlib
output = stunnel.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
client = no
[squid-proxy]
accept = 19908
connect = localhost:3128
The config above also adds CAfile = /etc/stunnel/stunnel.pem. After starting stunnel again, ps shows it running.
$ stunnel /etc/stunnel/stunnel.conf
$ ps -ef | grep stunnel
root 6813 1 0 10:01 pts/0 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6814 1 0 10:01 pts/0 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6815 1 0 10:01 pts/0 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6816 1 0 10:01 pts/0 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6817 1 0 10:01 pts/0 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6818 1 0 10:01 ? 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 6825 4726 0 10:01 pts/0 00:00:00 grep --color=auto stunnel
Stunnel client
With the server side done, deploy the client.
$ yum install stunnel
Edit /etc/stunnel/stunnel.conf:
$ cat stunnel.conf
client = yes
pid = /tmp/stunnel.pid
debug = 7
foreground = no
verify = 0
[proxy]
accept = 0.0.0.0:19908
connect = 192.168.0.154:19908
Check whether the server is reachable:
$ telnet 192.168.0.154 19908
Trying 192.168.0.154...
Connected to 192.168.0.154.
Escape character is '^]'.
^]q
telnet> q
Connection closed.
Start the client's stunnel:
$ stunnel /etc/stunnel/stunnel.conf
$ ps -ef | grep stunnel
root 4872 1 0 10:09 pts/1 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4873 1 0 10:09 pts/1 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4874 1 0 10:09 pts/1 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4875 1 0 10:09 pts/1 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4876 1 0 10:09 pts/1 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4877 1 0 10:09 ? 00:00:00 stunnel /etc/stunnel/stunnel.conf
root 4879 4841 0 10:09 pts/1 00:00:00 grep --color=auto stunnel
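The first server start above died on "chroot: No such file or directory" and warned "Insecure file permissions on /etc/stunnel/stunnel.pem" (cp -p kept the mode openssl wrote the key with), and the client config runs with verify = 0. The following preflight script catches all three before stunnel is launched; it is an added example for this post, not part of stunnel, and the file paths and temp directory in its demo are constructed.

```shell
#!/bin/sh
# Preflight check for an stunnel config (added example, not stunnel's own tooling):
#   - chroot directory missing  -> "chroot: No such file or directory" at startup
#   - cert/key readable by group/others -> "Insecure file permissions" warning
#   - client = yes with verify unset or < 2 -> any server certificate is accepted

# Print the value of one "key = value" option from FILE (empty if not set).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print the number of problems found (0 means the config looks sane); details go to stderr.
check_stunnel_conf() {  # check_stunnel_conf FILE
    conf=$1; problems=0
    chroot_dir=$(conf_get "$conf" chroot)
    if [ -n "$chroot_dir" ] && [ ! -d "$chroot_dir" ]; then
        echo "chroot directory $chroot_dir does not exist; stunnel will exit at startup" >&2
        problems=$((problems + 1))
    fi
    # cert and key may name the same file (as in this post), so check each file once.
    for f in $(printf '%s\n%s\n' "$(conf_get "$conf" cert)" "$(conf_get "$conf" key)" | sort -u); do
        if [ ! -f "$f" ]; then
            echo "certificate/key file $f not found" >&2
            problems=$((problems + 1))
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$f is readable by group/others; run: chmod 600 $f" >&2
            problems=$((problems + 1))
        fi
    done
    verify=$(conf_get "$conf" verify)
    if [ "$(conf_get "$conf" client)" = "yes" ] && [ "${verify:-0}" -lt 2 ]; then
        echo "client mode with verify = ${verify:-unset}: server certificate is not checked" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Demo on a constructed copy of the server config from this post, in a temp directory.
demo() {
    tmp=$(mktemp -d)
    printf 'dummy key material (constructed)\n' > "$tmp/stunnel.pem"; chmod 644 "$tmp/stunnel.pem"
    printf 'chroot = %s/run\npid = /stunnel.pid\ncert = %s/stunnel.pem\nkey = %s/stunnel.pem\nclient = no\n[squid-proxy]\naccept = 19908\nconnect = localhost:3128\n' \
        "$tmp" "$tmp" "$tmp" > "$tmp/stunnel.conf"
    echo "problems before fix: $(check_stunnel_conf "$tmp/stunnel.conf")"   # 2
    mkdir "$tmp/run"; chmod 600 "$tmp/stunnel.pem"
    echo "problems after fix:  $(check_stunnel_conf "$tmp/stunnel.conf")"   # 0
    rm -rf "$tmp"
}
demo
```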
Firefox proxy settings
In Firefox's "Settings" page, "Network Settings" is at the bottom; click the "Settings" button:

Then open a web page in Firefox; the test is OK.
This post described in detail how to install and configure the Squid proxy server on a server, fix the IPv4 listening problem, and install and configure Stunnel to encrypt the proxy connection. The problem of Stunnel exiting right after startup was solved by changing the config file. Finally, Firefox's proxy settings were configured, giving working secure proxy access.