Getting past the firewall with a Squid proxy plus stunnel encryption

I. Preparation:

Operating system: CentOS 6.5

Hong Kong machine: Squid and the stunnel server side are installed here, IP: 1.1.1.1

Domestic (mainland China) machine: the stunnel client is installed here, IP: 172.16.1.1

II. Installation

1. yum -y install squid

   vi /etc/squid/squid.conf         edit the configuration file

   Change http_access deny all to http_access allow all
   Change http_port 3128 to http_port 1.1.1.1:3128

2. squid -k parse         check the configuration for errors

   squid -z                  create the cache directories

   service squid restart     start the service

3. yum -y install stunnel    install stunnel

4. cd /etc/stunnel

   openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem       generate the certificate/key file

   openssl gendh 512 >> stunnel.pem       append the Diffie-Hellman parameters

5. The default configuration file is at /usr/share/doc/stunnel-4.29/stunnel.conf-sample; here I create one by hand


vi stunnel.conf

cert= /etc/stunnel/stunnel.pem
CAfile= /etc/stunnel/stunnel.pem
socket= l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
;;;chroot= /var/run/stunnel
pid= /tmp/stunnel.pid
verify= 3
;;;CApath = certs
;;;CRLpath = crls
;;;CRLfile = crls.pem
setuid= stunnel        the stunnel user
setgid= stunnel        the stunnel group
;;;client=yes
compression= zlib
;;;taskbar = no
delay= no
;;;failover = rr
;;;failover = prio
sslVersion= SSLv3
debug= 4
syslog= no
output= stunnel.log
[sproxy]
accept= 8888           the port stunnel listens on; the client must point at it
connect= 1.1.1.1:3128  the port the local Squid listens on

6. groupadd -g 122 stunnel           create the group

   useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel          create the user

7. stunnel     start the service

8. Open the ports in the firewall

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8888 -j ACCEPT

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

/etc/init.d/iptables save

service iptables restart

9. chkconfig squid on     start Squid automatically at boot

10. vi /etc/rc.local     make stunnel start at boot

stunnel

11. stunnel client configuration on the domestic machine

yum -y install stunnel

scp -r root@1.1.1.1:/etc/stunnel/stunnel.pem /etc/stunnel     copy the key file generated on the overseas server

vi /etc/stunnel/stunnel.conf     edit the configuration file

cert= /etc/stunnel/stunnel.pem
socket= l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
verify= 2
CAfile= /etc/stunnel/stunnel.pem
client=yes
compression= zlib
ciphers= AES256-SHA
delay= no
failover= prio
sslVersion= SSLv3
[sproxy]
accept= 172.16.1.1:8080    the port users set as their proxy
connect= 1.1.1.1:8888      the overseas server's IP and the port it listens on
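As an added check that is not part of the original post, the Python script below parses the stunnel.conf format used in the server and client files above and flags the global settings a reviewer would question today: sslVersion=SSLv3, zlib compression, and the chroot line left commented out. The sample configuration is constructed from the server file above with the inline annotations removed.

```python
import re

# Constructed sample (not copied from a live host): the server-side
# stunnel.conf from this page, minus the inline annotations.
SAMPLE_CONF = """\
cert= /etc/stunnel/stunnel.pem
CAfile= /etc/stunnel/stunnel.pem
;;;chroot= /var/run/stunnel
verify= 3
setuid= stunnel
setgid= stunnel
compression= zlib
sslVersion= SSLv3
[sproxy]
accept= 8888
connect= 1.1.1.1:3128
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax: global options before the first
    [service] header, ';' or '#' starts a comment, one 'key = value' per
    line. Returns {section: {key: value}}, with "" holding the globals."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_stunnel_conf(text):
    """Return the global settings a reviewer would flag in this setup."""
    g = parse_stunnel_conf(text)[""]
    findings = []
    ver = g.get("sslversion", "").upper()
    if ver in ("SSLV2", "SSLV3", "TLSV1", "TLSV1.1"):
        findings.append(f"sslVersion={ver}: obsolete protocol, use TLSv1.2 or newer")
    if g.get("compression"):  # zlib here; TLS compression is gone in TLS 1.3
        findings.append("compression enabled: TLS-level compression should be off")
    if "chroot" not in g:  # commented out with ';;;' on this page
        findings.append("chroot not set: the stunnel process is not confined")
    if "setuid" not in g or "setgid" not in g:
        findings.append("setuid/setgid missing: stunnel would keep running as root")
    return findings
```

Run audit_stunnel_conf on the client file as well: it shares sslVersion=SSLv3 and compression=zlib, and has no chroot or setuid/setgid at all.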

12. stunnel     start stunnel

13. Open the port in the firewall

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

/etc/init.d/iptables save

service iptables restart

14. vi /etc/rc.local

stunnel

OK, everything is configured; you can now set the browser's proxy to 172.16.1.1:8080.