Copyright notice: this is an original article. Reposting is permitted, but please include a hyperlink to the original source, the author information and this notice. https://blog.csdn.net/fgf00/article/details/79129594
1. Network environment
Host A: 192.168.0.11
Host B: 66.0.0.6
Host C: 4.2.2.2
Hosts A and B can reach each other, and B and C can reach each other, but A's access to C is slow or fails entirely. A can reach C by hopping through a stunnel + squid proxy on B.
2. Installing and configuring squid
squid and stunnel can both be configured on host B, or on different hosts, to provide the network hop. Here squid and the stunnel server are configured on host B, and the stunnel client on the client host A.
Install:
yum install squid
Configure:
vim /etc/squid/squid.conf, where the two settings that matter are:
acl localnet src 66.0.0.6/32 # adjust to your environment: allow the IP address the stunnel client connects from
http_port 3128 # port squid listens on
Start the service: service squid start
3. Configuring stunnel
- Install
yum -y install stunnel openssl openssl-devel
1) stunnel server configuration
Generate the certificate file (a self-signed certificate plus its private key in one PEM file):
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
openssl gendh 512 >> stunnel.pem # optional; note that 512-bit DH parameters are rejected as too small by modern OpenSSL, so use 2048 if you append them
Configure:
vim /etc/stunnel/stunnel_ser.conf (lines starting with ;;; are comments)
cert = /etc/stunnel/stunnel.pem ;;;# certificate file
CAfile = /etc/stunnel/stunnel.pem ;;;# CA file; the same self-signed certificate, so only a peer presenting this exact certificate is accepted
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;;;chroot = /var/run/stunnel
pid = /tmp/stunnel_server.pid
verify = 3 ;;;# require a peer certificate and check it against the locally installed one (CAfile)
;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem
setuid = web
setgid = web
;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; sslVersion = TLSv1
;;; fips=no
sslVersion = all ;;;# negotiates every protocol OpenSSL supports; uncomment the two options below to refuse SSLv2/SSLv3
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
syslog = no
output = /var/logs/stunnel_server.log
client = no ;;;# server mode
[sproxy]
accept = 44550 ;;;# listening port
connect = 66.0.0.6:3128 ;;;# address and port of the squid service
- Start the service
stunnel /etc/stunnel/stunnel_ser.conf
2) stunnel client installation and configuration
yum -y install stunnel openssl openssl-devel
vim /etc/stunnel/stunnel_cli.conf
cert = /usr/local/etc/stunnel/stunnel_cli.pem ;;;# the stunnel.pem generated in step 1, just renamed
CAfile = /usr/local/etc/stunnel/stunnel_cli.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3
;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem
setuid = web
setgid = web
;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
syslog = no
output = /data/logs/stunnel.log
client = yes ;;;# client mode
[sproxy]
accept = 0.0.0.0:44550 ;;;# listening address
connect = 66.0.0.6:44550 ;;;# stunnel server address
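As an added example (not part of the original post and not stunnel's own code), the following Python linter parses a configuration written in the form used above and flags the settings both the server and client files leave loose: sslVersion = all with the NO_SSLv2/NO_SSLv3 options commented out, debug = 7, and a listener bound to every interface. The sample configurations are constructed, and trailing `;;;#` comments are stripped the way this post writes them.

```python
# Constructed sample: the server config above reduced to the keys the linter inspects.
WEAK_CONF = """\
verify = 3
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
[sproxy]
accept = 44550
connect = 66.0.0.6:3128
"""
# Same file with the legacy-protocol options uncommented, debug lowered and
# the listener bound to host B's own address instead of every interface.
HARDENED_CONF = (WEAK_CONF.replace(';;; options', 'options')
                 .replace('debug = 7', 'debug = 5')
                 .replace('accept = 44550', 'accept = 66.0.0.6:44550'))

def parse_stunnel_conf(text):
    """Return (global_opts, sections); values are lists since 'options' may repeat."""
    global_opts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):   # [service] header
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition('=')
        target = sections[current] if current else global_opts
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, sections

def lint_stunnel_conf(text):
    """Flag the settings this post leaves loose; returns a list of findings."""
    g, sections = parse_stunnel_conf(text)
    findings = []
    if g.get('sslVersion', ['all'])[0] == 'all':   # stunnel 4.x default is 'all'
        for legacy in ('NO_SSLv2', 'NO_SSLv3'):
            if legacy not in g.get('options', []):
                findings.append(f'sslVersion=all without options={legacy}')
    if int(g.get('verify', ['0'])[0]) < 2:
        findings.append('verify<2: peer certificate is not required')
    if int(g.get('debug', ['5'])[0]) >= 7:
        findings.append('debug>=7: full handshake detail written to the log')
    for name, opts in sections.items():
        for addr in opts.get('accept', []):
            if ':' not in addr or addr.startswith('0.0.0.0:'):
                findings.append(f'[{name}] accept={addr} binds every interface')
    return findings
```

Running lint_stunnel_conf on the client file above would additionally flag accept = 0.0.0.0:44550, which exposes the local proxy entry point to every host that can reach A.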
4. Testing and troubleshooting
- Test: after setting the proxy server address to 192.168.0.11, port 44550, host C is reachable.
- Troubleshooting:
stunnel error: CERT: Verification error: certificate has expired
The stunnel client cannot stay connected to the server: it connects and drops after a few seconds. The exact error output is as follows.
# stunnel client:
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Remote socket (FD=13) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Local socket (FD=3) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)
# stunnel server:
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)
Regenerate the certificate with the command from above, then install the new file manually on both ends (the client uses the same PEM file under a different name):
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem