背景:
公司IDC机房有一台服务器A,只有内网环境:192.168.1.150
现在需要让这台服务器能对外访问,能正常访问http和https请求(即80端口和443端口)
思路:
在IDC机房里另找其他两台有公网环境的服务器B(58.68.250.8/192.168.1.8)和服务器C(58.68.250.5/192.168.1.5),且这两台服务器和内网环境的服务器A能相互ping通。
其中:
在服务器B上部署squid的http代理,让服务器C通过它的squid代理上网,能成功访问http
在服务器C上部署squid的https代理,让服务器C通过它的squid代理上网,能成功访问https [需要在客户端安装stunnel ]
下面开始记录这一需求的操作记录:
---------------------------------------------------------------------------------------------------------------------------
一、服务器B上的操作记录(http代理)
1)安装squid
yum命令直接在线安装squid
[root@openstack ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装
[root@openstack ~]# yum install squid
安装完成后,修改squid.conf 文件中的内容,修改之前可以先备份该文件
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak
[root@openstack squid]# vim squid.conf
http_access allow all #修改deny为allow
http_port 192.168.1.8:3128
cache_dir ufs /var/spool/squid 100 16 256 #打开这个注释,保证/var/spool/squid这个缓存目录存在
2)启动squid,启动前进行测试和初始化
[root@openstack squid]# squid -k parse #测试
2016/08/09 13:35:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/08/09 13:35:04| Processing: acl manager proto cache_object
..............
..............
2016/08/09 13:35:04| Processing: refresh_pattern . 0 20% 4320
2016/08/09 13:35:04| Initializing https proxy context
[root@openstack squid]# squid -z #初始化
2016/08/09 13:35:12| Creating Swap Directories
[root@openstack squid]# /etc/init.d/squid start
Starting squid: . [ OK ]
如果开启了防火墙iptables规则,则还需要在/etc/sysconfig/iptables里添加下面一行,即允许3128端口访问:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
然后重启iptables服务
[root@openstack squid]# /etc/init.d/iptables restart
---------------------------------------------------------------------------------------------------------------------------
二、服务器C上的的操作记录(https代理)
1)安装squid
yum命令直接在线安装squid
[root@openstack ~]# yum install -y gcc openssl openssl-devel #依赖软件要先提前安装
[root@openstack ~]# yum install squid
[root@openstack ~]# cd /etc/squid/
[root@openstack squid]# cp squid.conf squid.conf_bak
2)现在开始生成加密代理证书:
[root@bastion-IDC squid]# pwd
/etc/squid
[root@bastion-IDC squid]# openssl req -new > lidongbest5.csr
Generating a 2048 bit RSA private key
..........................................................................+++
.........................................................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: #输入密码,后面会用到,比如这里输入123456
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #国家
State or Province Name (full name) []:beijing #省份
Locality Name (eg, city) [Default City]:beijing #地区名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu #公司名
Organizational Unit Name (eg, section) []:Technology #部门
Common Name (eg, your name or your server's hostname) []:huanqiu #CA主机名
Email Address []:wangshibo@xqshijie.cn #邮箱