利用squid代理+stunnel加密翻墙

一.准备工作：

操作系统：Centos6.5，

香港机器：安装Squid与stunnel服务器端，IP：1.1.1.1

国内机器：安装stunnel客户端，IP：172.16.1.1

二.开始安装

1. yum–y install squid

 vi /etc/squid/squid.conf         编辑配置文件

将  http_access deny all改为http_access allow all
将  http_port 3128改为http_port 1.1.1.1:3128

2. squid -k parse         检查配置参数是否有错

squid –z                   生成缓存

service squid restart              启动服务

3. yum–y install stunnel 安装stunnel


4. cd /etc/stunnel

opensslreq -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem       生成一个密钥文件

opensslgendh 512>> stunnel.pem       生成Diffie-Hellman部分

5. 默认配置文件在/usr/share/doc/stunnel-4.29/stunnel.conf-sample下，这里我手动创建一个


vi stunnel.conf

cert= /etc/stunnel/stunnel.pem

CAfile= /etc/stunnel/stunnel.pem

socket= l:TCP_NODELAY=1

socket= r:TCP_NODELAY=1
 
;;;chroot= /var/run/stunnel

pid= /tmp/stunnel.pid

verify= 3
 
;;;CApath = certs
;;;CRLpath = crls
;;;CRLfile = crls.pem
 
setuid= stunnel                       stunnel用户

setgid= stunnel                       stunnel组
 
;;;client=yes

compression= zlib

;;;taskbar = no

delay= no

;;;failover = rr

;;;failover = prio

sslVersion= SSLv3

debug= 4

syslog= no

output= stunnel.log
 
[sproxy]

accept= 8888                   stunnel监听的端口，需要客户端指向

connect= 1.1.1.1:3128          本地squid监听端口

6. groupadd -g 122 stunnel           创建组

       useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel          创建用户

7. stunnel 启动服务

8. 防火墙添加信任端口

iptables -A INPUT -m state –state NEW -mtcp -p tcp –dport 8888 -j ACCEPT

iptables -A INPUT -m state –state NEW -m tcp-p tcp –dport 3128 -j ACCEPT

/etc/init.d/iptables save

service iptables restart

9. chkconfigsquid on 开机自动启动

10. vi /etc/rc.local 配置开机允许stunnel

stunnel

11. 国内stunnelclient配置

yum –y install stunnnel

scp –r root@1.1.1.1:/etc/stunnel/stunnel.pem/etc/stunnel拷贝国外主服务器生成的密钥文件

vi /etc/stunnel/stunnel.conf 编辑配置文件

cert= /etc/stunnel/stunnel.pem
socket= l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
verify= 2
CAfile= /etc/stunnel/stunnel.pem
client=yes
compression= zlib
ciphers= AES256-SHA
delay= no
failover= prio
sslVersion= SSLv3
[sproxy]
accept= 172.16.1.1:8080     用户代理的端口
connect= 1.1.1.1:8888        国外服务器的IP及所监听的端口

12. stunnel 启动stunnel

13. 防火墙添加信任端口

iptables-A INPUT -m state –state NEW -m tcp -p tcp –dport 8080 -j ACCEPT

/etc/init.d/iptables save

service iptables restart

14. vi /etc/rc.local

stunnel

OK，所有配置完毕，可以在浏览器上挂代理了172.16.1.1:8080