Squid can implement an SSL proxy. Compared with traditional encrypted channels such as VPN and SSH, an SSL proxy offers better security and performance. Squid not only lets you choose which domain names go through the proxy, its cache can noticeably improve the speed of access to external networks, and it can hide the user's identity to a high degree, giving good privacy protection.
Introduction
The servers used in this article run CentOS 7 x86_64 and use FirewallD as the firewall.
Squid serves as the proxy server; Stunnel converts between HTTPS and HTTP.
This article requires a valid server certificate; if you do not have one, apply for one or self-sign. Free SSL certificates are available from StartSSL, WoSign and others.
Squid
Squid is a high-performance proxy caching server that can speed up Internet browsing from the internal network and improve the cache hit rate for clients.
Squid supports not only HTTP but also FTP, gopher, SSL and WAIS.
Unlike general proxy cache software, Squid uses a single, non-modular, I/O-driven process to handle all client requests.
Stunnel
Stunnel is free, cross-platform software that provides TLS/SSL services universally.
For clients and servers that cannot themselves speak TLS or SSL, Stunnel provides a secure, encrypted connection.
It runs on many operating systems, including Unix-like systems and Windows. Stunnel relies on a separate library, such as OpenSSL or SSLeay, to implement the TLS or SSL protocol.
Building the service
System environment
CentOS 7 x86_64 on a public cloud (not OpenVZ), dual-core, 2 GB of memory, SELinux disabled
Service architecture
Users <-HTTPS-> Squid A <-HTTP-> Stunnel A <-HTTPS-> Squid B <-HTTP/HTTPS-> Internet
Server A sits on the internal network but can reach server B; server B sits on the external network. This layout achieves, first, end-to-end encryption from the users to B and, second, isolation between the external and internal networks, so that with the help of the firewall the security and stability of A are better ensured; and if B is attacked, A can quickly be switched to another B server.
Preparation
About certificates: use a certificate that contains the entire certificate chain, otherwise certificate errors may appear on some operating systems.
Place your certificate at /etc/cert/ssl.crt
Place your private key at /etc/cert/ssl.key
User authentication
The default configuration in this article does not enable any Squid authentication; configure it yourself if needed.
With authentication enabled, Stunnel's operation is unaffected, so the Stunnel configuration does not need to change.
Server A build script
Install components
yum install -y squid stunnel openssl openssl-devel
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
Write the Stunnel configuration, replacing the braces with your own server B address and port. Each directive must be on its own line, so a heredoc is used rather than a single-line echo:
cat > /etc/stunnel/stunnel.conf <<'EOF'
client = yes

[https]
accept = 127.0.0.1:808
connect = {Server B IP:port}
EOF
Set Stunnel to start at boot
echo "stunnel" >> /etc/rc.local
chmod +x /etc/rc.d/rc.local   # on CentOS 7, rc.local is only executed at boot if it is executable
Create the list of sites to be accessed directly without the proxy, one domain per line, using syntax such as .baidu.com
touch /etc/squid/inner-sites
Modify the Squid configuration file
sed -i 's/http_access deny all/http_access allow all/g' /etc/squid/squid.conf
sed -i 's/http_port 3128/https_port 443 cert=\/etc\/cert\/ssl.crt key=\/etc\/cert\/ssl.key/g' /etc/squid/squid.conf
# Squid 3.2 and later (CentOS 7 ships 3.5) already define the "all" ACL, so this line is redundant there
sed -i '$a\acl all src 0.0.0.0/0.0.0.0' /etc/squid/squid.conf
sed -i '$a\acl inner-sites dstdomain "/etc/squid/inner-sites"' /etc/squid/squid.conf
sed -i '$a\always_direct allow inner-sites' /etc/squid/squid.conf
sed -i '$a\never_direct allow all' /etc/squid/squid.conf
# never_direct needs a parent to forward to: the local Stunnel listener configured in stunnel.conf
sed -i '$a\cache_peer 127.0.0.1 parent 808 0 no-query default' /etc/squid/squid.conf
# Hide the proxy chain from upstream servers
sed -i '$a\request_header_access Via deny all' /etc/squid/squid.conf
Start the services
stunnel
systemctl start squid
systemctl enable squid
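The steps above write the Stunnel client configuration and append Squid directives with sed directly into /etc. As an added example (not code from the original article), the script below generates the same two files into a scratch directory so they can be reviewed first, and then checks that the Stunnel listener and the Squid parent peer refer to the same address and port. Assumed and not on the page: the CONF_DIR, SERVER_B (a placeholder value) and CA_FILE variables, the Stunnel verify/CAfile options that make Stunnel A authenticate B's certificate, and the extra X-Forwarded-For header rule.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the Stunnel
# client configuration and the Squid A configuration fragment into a scratch
# directory so they can be reviewed before being copied under /etc. Assumed,
# not on the page: CONF_DIR, SERVER_B (placeholder value), CA_FILE and the
# Stunnel verify/CAfile options.
set -eu

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
SERVER_B="${SERVER_B:-SERVER_B_IP:443}"                 # placeholder for {Server B IP:port}
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}"  # CentOS 7 system CA bundle (assumed)

# Stunnel in client mode: accept plain HTTP from Squid A on 127.0.0.1:808 and
# forward it over TLS to Squid B. A heredoc keeps each directive on its own
# line; a single-line echo would leave stunnel with an unparseable file.
write_stunnel_conf() {
    cat > "$1" <<EOF
client = yes

[https]
accept = 127.0.0.1:808
connect = $SERVER_B
; Assumed hardening (not in the article): require B's certificate to chain to
; a trusted CA, so a host impersonating B cannot terminate the tunnel.
verify = 2
CAfile = $CA_FILE
EOF
}

# Squid A: listen for HTTPS from users, send listed domains direct and
# everything else to the local Stunnel listener as the parent cache.
write_squid_a_conf() {
    cat > "$1" <<'EOF'
https_port 443 cert=/etc/cert/ssl.crt key=/etc/cert/ssl.key
http_access allow all
acl inner-sites dstdomain "/etc/squid/inner-sites"
always_direct allow inner-sites
never_direct allow all
# never_direct needs a parent to send traffic to: the Stunnel client listener.
cache_peer 127.0.0.1 parent 808 0 no-query default
# Hide the proxy chain from upstream servers.
request_header_access Via deny all
# Assumed addition (not in the article): also hide the user's address.
request_header_access X-Forwarded-For deny all
EOF
}

generate_all() {
    write_stunnel_conf "$CONF_DIR/stunnel.conf"
    write_squid_a_conf "$CONF_DIR/squid-a.conf"
    printf '.baidu.com\n' > "$CONF_DIR/inner-sites"   # constructed sample entry
}

# Checks worth running before installing the files: the Stunnel listener and
# the Squid parent must refer to the same address and port.
check_generated() {
    stunnel_accept=$(sed -n 's/^accept = //p' "$CONF_DIR/stunnel.conf")
    peer_host=$(awk '/^cache_peer/ {print $2 ":" $4}' "$CONF_DIR/squid-a.conf")
    [ "$stunnel_accept" = "$peer_host" ] &&
        grep -q '^client = yes$' "$CONF_DIR/stunnel.conf" &&
        grep -q '^never_direct allow all$' "$CONF_DIR/squid-a.conf"
}

generate_all
check_generated && echo "configuration written to $CONF_DIR"
```

Run it with SERVER_B set to the real address and port of server B; the generated squid-a.conf holds the same directives the sed commands append, so it can be appended to /etc/squid/squid.conf after the http_port and http_access substitutions, while stunnel.conf replaces /etc/stunnel/stunnel.conf. The verify/CAfile pair is what makes the HTTPS leg from Stunnel A to Squid B authenticated rather than merely encrypted.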
Server B build script
Install components
yum install -y squid stunnel openssl openssl-devel
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
Modify the Squid configuration file
sed -i 's/http_access deny all/http_access allow all/g' /etc/squid/squid.conf
sed -i 's/http_port 3128/https_port 443 cert=\/etc\/cert\/ssl.crt key=\/etc\/cert\/ssl.key/g' /etc/squid/squid.conf
# Hide the proxy chain from upstream servers
sed -i '$a\request_header_access Via deny all' /etc/squid/squid.conf
Start the services
systemctl start squid
systemctl enable squid
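Server B listens on the Internet, and the sed substitution above turns Squid's final http_access deny all into allow all, so without the authentication the article leaves to the reader any host that can reach port 443 may relay through B. As an added example (not code from the original article), the script below writes the access policy in the form the sed commands produce and in a restricted form that only admits server A, then classifies each from the viewpoint of an arbitrary client by walking the http_access rules the way Squid does (first match wins, and when nothing matches the default is the opposite of the last rule). Assumed and not on the page: the SERVER_A_IP placeholder and the OUT_DIR variable.

```shell
#!/bin/sh
# Added example, not code from the original article: build the Squid B access
# policy in the form the article's sed commands produce and in a restricted
# form, then check which one leaves B usable by anyone on the Internet.
# Assumed, not on the page: SERVER_A_IP (constructed placeholder) and OUT_DIR.
set -eu

SERVER_A_IP="${SERVER_A_IP:-198.51.100.7}"   # constructed address of server A
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# What the article's sed lines produce: http_access deny all becomes allow all,
# so every Internet host that can reach port 443 may relay through B.
open_fragment() {
    cat <<'EOF'
https_port 443 cert=/etc/cert/ssl.crt key=/etc/cert/ssl.key
http_access allow all
request_header_access Via deny all
EOF
}

# Restricted form (assumed addition): only Stunnel on server A may use B.
# Squid evaluates http_access lines top to bottom and stops at the first
# match, so the allow for server A must precede the final deny.
restricted_fragment() {
    cat <<EOF
https_port 443 cert=/etc/cert/ssl.crt key=/etc/cert/ssl.key
acl server_a src $SERVER_A_IP
http_access allow server_a
http_access deny all
request_header_access Via deny all
EOF
}

# Classify a fragment for a client that matches no named ACL: walking the
# http_access lines in order, "allow all" reached first means open and
# "deny all" reached first means restricted. If neither is reached, Squid's
# documented default applies: the opposite of the last http_access rule, and
# deny when there are no rules at all.
classify_fragment() {
    verdict=""
    last=""
    while IFS= read -r line; do
        case "$line" in
            "http_access allow all") verdict=open; break ;;
            "http_access deny all")  verdict=restricted; break ;;
            "http_access allow "*)   last=allow ;;
            "http_access deny "*)    last=deny ;;
        esac
    done < "$1"
    if [ -z "$verdict" ]; then
        case "$last" in
            deny) verdict=open ;;
            *)    verdict=restricted ;;
        esac
    fi
    echo "$verdict"
}

open_fragment > "$OUT_DIR/squid-b-open.conf"
restricted_fragment > "$OUT_DIR/squid-b-restricted.conf"
for f in squid-b-open.conf squid-b-restricted.conf; do
    echo "$f: $(classify_fragment "$OUT_DIR/$f")"
done
```

To apply the restricted form to the real squid.conf, insert the acl and the allow line before the existing http_access deny all instead of rewriting deny all to allow all; the address given in the acl must be the one Stunnel A's connections arrive from, and the Via header rule from the article stays as it is.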