Operation record: Internet access through a Squid proxy over HTTP and HTTPS (2)

Please enter the following 'extra' attributes
to be sent with your certificate request
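A challenge password []:123456    # challenge password for the certificate request; required when the CA reads the certificate
An optional company name []:huanqiu    # company name; required when the CA reads the certificate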


[root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem:    # enter the passphrase set above, 123456
writing RSA key


[root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key

Edit the squid.conf configuration file
[root@bastion-IDC squid]# vim squid.conf
http_access allow all    # changed from deny to allow
#http_port 3128    # comment this line out
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key    # add this line
cache_dir ufs /var/spool/squid 100 16 256    # uncomment this line and make sure the cache directory /var/spool/squid exists

3) Restart the squid service
[root@bastion-IDC squid]# squid -k parse
[root@bastion-IDC squid]# squid -z
[root@bastion-IDC squid]# squid reload
[root@bastion-IDC squid]# /etc/init.d/squid restart

If iptables firewall rules are enabled, also add the following line to /etc/sysconfig/iptables to allow access to port 443:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Then restart the iptables service
[root@bastion-IDC squid]# /etc/init.d/iptables restart


---------------------------------------------------------------------------------------------------------------------------
III. Operation record on server A (the client)

1) Install and configure stunnel

Turn off the iptables firewall on the client
[root@dev-new-test1 ~]# /etc/init.d/iptables stop


[root@dev-new-test1 ~]# cd /usr/local/src/
[root@dev-new-test1 src]# pwd
/usr/local/src

Download: (extraction code: pc7p)
[root@dev-new-test1 ~]# yum install -y openssl openssl-devel gcc

[root@dev-new-test1 src]# ls
stunnel-5.35.tar.gz
[root@dev-new-test1 src]# tar -zvxf stunnel-5.35.tar.gz
[root@dev-new-test1 src]# ls
stunnel-5.35 stunnel-5.35.tar.gz
[root@dev-new-test1 src]# cd stunnel-5.35
[root@dev-new-test1 stunnel-5.35]# ./configure
[root@dev-new-test1 stunnel-5.35]# make && make install

After installation, configure stunnel.conf
[root@dev-new-test1 stunnel-5.35]# cd /usr/local/etc/stunnel/
[root@dev-new-test1 stunnel]# ls
stunnel.conf-sample
[root@dev-new-test1 stunnel]# cp stunnel.conf-sample stunnel.conf
[root@dev-new-test1 stunnel]# ls
stunnel.conf stunnel.conf-sample
[root@dev-new-test1 stunnel]# cat stunnel.conf    # clear the original content and write:
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443    # the local stunnel listens on port 8088 and connects to port 443 on the squid server 192.168.1.5; then set the local port 8088 as the proxy in /etc/profile (see below)
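
An added example, not part of the original post: the stunnel.conf above runs in client mode without `verifyPeer`, `verifyChain` or `CAfile`, so the tunnel is encrypted but the client accepts whatever certificate is presented on 192.168.1.5:443, and squid.conf uses `http_access allow all`. The Python check below audits both files for those two settings; the config texts are reconstructed from this page, and the `CAfile` path in the pinned variant is an assumption.

```python
# Added example, not from the original post. Both config texts are constructed
# from the settings shown on this page, with the author's annotations removed.
SQUID_CONF = """\
http_access allow all
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
"""
STUNNEL_CONF = """\
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
"""
# Assumption: a copy of the proxy's self-signed certificate is stored at this path.
PINNED_CONF = STUNNEL_CONF + "verifyPeer = yes\nCAfile = /usr/local/etc/stunnel/lidongbest5.crt\n"

def parse_stunnel(text):
    """Return {service: options}; options before the first [section] act as defaults."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(defaults))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (defaults if current is None else current)[key.lower()] = value
    return services

def unverified_clients(text):
    """Client-mode services that accept any server certificate."""
    found = []
    for name, opts in parse_stunnel(text).items():
        verifies = (opts.get("verifypeer", "no").lower() == "yes"
                    or opts.get("verifychain", "no").lower() == "yes"
                    or opts.get("verify", "0") in ("2", "3", "4"))   # legacy levels
        if opts.get("client", "no").lower() == "yes" and not verifies:
            found.append(name)
    return found

def squid_open_rules(text):
    """http_access lines that allow every source address."""
    rules = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [" ".join(r) for r in rules if r[:3] == ["http_access", "allow", "all"]]

if __name__ == "__main__":
    print("unverified stunnel clients:", unverified_clients(STUNNEL_CONF))
    print("after pinning the certificate:", unverified_clients(PINNED_CONF))
    print("open squid rules:", squid_open_rules(SQUID_CONF))
```

With `verifyPeer = yes`, stunnel requires the server's certificate to be present in `CAfile`, which suits a self-signed certificate like the one generated above.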
