Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #证书请求密钥,CA读取证书的时候需要输入密码
An optional company name []:huanqiu #-公司名称,CA读取证书的时候需要输入名称
[root@bastion-IDC squid]# openssl rsa -in privkey.pem -out lidongbest5.key
Enter pass phrase for privkey.pem: #输入上面设置的密码123456
writing RSA key
[root@bastion-IDC squid]# openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key
修改squid.conf配置文件
[root@bastion-IDC squid]# vim squid.conf
http_access allow all #deny修改为allow
#http_port 3128 #注释掉
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key #添加这一行
cache_dir ufs /var/spool/squid 100 16 256 #打开这个注释,保证/var/spool/squid这个缓存目录存在
3)重启squid服务
[root@bastion-IDC squid]# squid -k parse
[root@bastion-IDC squid]# squid -z
[root@bastion-IDC squid]# squid reload
[root@bastion-IDC squid]# /etc/init.d/squid restart
如果开启了防火墙iptables规则,则还需要在/etc/sysconfig/iptables里添加下面一行,即允许443端口访问:
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
然后重启iptables服务
[root@bastion-IDC squid]# /etc/init.d/iptables restart
---------------------------------------------------------------------------------------------------------------------------
三、服务器A(即客户端)上的操作记录
1)安装配置stunnel
关闭客户端的iptables防火墙
[root@dev-new-test1 ~]# /etc/init.d/iptables stop
[root@dev-new-test1 ~]# cd /usr/local/src/
[root@dev-new-test1 src]# pwd
/usr/local/src
下载: (提取秘钥:pc7p)
[root@dev-new-test1 ~]#yum install -y openssl openssl-devel gcc
[root@dev-new-test1 src]# ls
stunnel-5.35.tar.gz
[root@dev-new-test1 src]# tar -zvxf stunnel-5.35.tar.gz
[root@dev-new-test1 src]# ls
stunnel-5.35 stunnel-5.35.tar.gz
[root@dev-new-test1 src]# cd stunnel-5.35
[root@dev-new-test1 stunnel-5.35]# ./configure
[root@dev-new-test1 stunnel-5.35]# make && make install
安装完成后,配置stunnel.conf
[root@dev-new-test1 stunnel-5.35]# cd /usr/local/etc/stunnel/
[root@dev-new-test1 stunnel]# ls
stunnel.conf-sample
[root@dev-new-test1 stunnel]# cp stunnel.conf-sample stunnel.conf
[root@dev-new-test1 stunnel]# ls
stunnel.conf stunnel.conf-sample
[root@dev-new-test1 stunnel]# cat stunnel.conf #把原来内容清空,写入:
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443 #运行本机stunnel端口8088连接squid服务端192.168.1.5的443端口,然后在/etc/profile里配置本机8088端口代理(如下)