> For the complete documentation index, see [llms.txt](https://close.gitbook.io/yun-wei-bi-ji/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://close.gitbook.io/yun-wei-bi-ji/centos/ke-xue-shang-wang/stunnel-jia-mi-squid-dai-li-fu-wu.md). # Stunnel 加密 Squid 代理服务 加密代理功能的实现,越过封锁限制,访问被墙的国外站点,比如 Google、FaceBook。 用户访问配置了代理服务的浏览器(可使用扩展实现自动切换代理,代理服务即国内 stunnel 监听地址), 国内 stunnel 开启加密连接国外 stunnel 再连接国外 squid 真实代理服务器请求实际网站并返回数据, 如下架构图: ![](/files/r2QyJmYyxRCA0wMGdidQ) 按照上述图,也就是需要两台服务器,不过可以简化,国内 stunnel 可以直接在用户个人笔记本 / 台式机 启动,因为 stunnel 程序支持 windows、macOS、Linux。 以下步骤适用于 CentOS/RHEL 7.x 系统,stunnel 版本 4.56 ## 一、国外的服务器安装 squid 和 stunnel ### 1. 安装 Squid ``` yum -y install squid openssl openssl-devel ``` ### 2. 生成证书 ```bash openssl genrsa -out key.pem 2048 openssl req -new -x509 -days 3650 -key key.pem -out cert.pem -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=devops/OU=know/CN=devops.com" # ls cert.pem key.pem ``` squid 配置文件中添加: ```bash https_port 4430 cert=/path/to/cert.pem key=/path/to/key.pem # SSL PATH ``` /etc/squid/squid.conf 我的全部配置信息,按需修改 ```bash acl localnet src 127.0.0.1/8 acl localnet src http_access allow localhost http_access allow localnet http_access deny all # PORT AND SSL PATH, 提供个 stunnel 高匿隧道 https_port 4430 cert=/path/to/cert.pem key=/path/to/key.pem # 定义 squid 的cache 存放路径、cache目录容量、一级缓存目录数量、二级缓存目录数量 cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid # 设置squid磁盘缓存最大文件,超过4M的不保存在硬盘 maximum_object_size_in_memory 4 MB fqdncache_size 1024 cache_mem 300 MB max_open_disk_fds 0 minimum_object_size 1 KB maximum_object_size 20 MB cache_swap_low 90 0%时停止 # 目录使用量大于95%时,开始清理旧的 cache_swap_high 95 ipcache_size 2048 ipcache_low 90 ipcache_high 95 refresh_pattern . 0 20% 4320 override-expire override-lastmod reload-into-ims ignore-reload # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # 高匿 request_header_access via deny all request_header_access X-Forwarded-For deny all ``` ### 3. 启动 squid ```bash # 初始化检测,并启动 squid -z systemctl enabled squid && systemctl start squid ``` ## 二、国内服务器安装 stunnel ### 1. 安装 stunnel ``` yum -y install stunnel ``` ### 2. 修改配置文件 ```ini # vi /etc/stunnel/stunnel.conf 默认没有这个文件,手动创建,默认读取这个文件 client=yes [sproxy] accept = 0.0.0.0:7071 connect = 国外服务器IP:4430 ``` 解释说明: accept = 0.0.0.0:7071 即是用户要开放的端口, connect = 国外服务器 IP:4430 squid 服务器地址 ### 3. 启动 stunnel 服务 ```bash stunnel # 或者 stunnel /etc/stunnel/stunnel.conf ``` 此时用户连接到国内服务器 7071 作为代理就可以访问一些被墙的网站。 在国内没有服务器,可以在本地安装的一个 Stunnel,用来加解密,所以没有国内服务也不要紧。 去 stunnel 官网下载一个 windows 版的客户端(也许被 qiang,[这里](https://static.saintic.com/download/soft/stunnel-5.55-win64-installer.exe)是 5.55,可直接下载) ### 注意: 同步时间 > 最好同步下国外服务器的时间,并与国内保持一致时区,否则有可能 SSL 验证错误。 `stunnel.pem` 详细参数 ```ini ;;; CAfile = /etc/stunnel/stunnel.pem ;;; socket = l:TCP_NODELAY=1 ;;; socket = r:TCP_NODELAY=1 ;;;chroot = /var/run/stunnel pid = /tmp/stunnel.pid ;;; verify = 3 ;;; CApath = certs ;;; CRLpath = crls ;;; CRLfile = crls.pem ;;; setuid = stunnel ;;; setgid = stunnel client=yes compression = zlib ;;; taskbar = no ;;; delay = no ;;; failover = rr ;;; failover = prio ;;; sslVersion = TLSv1 ;;; fips=no ;;; debug = 7 ;;; syslog = no output = /etc/stunnel/stunnel.log [sproxy] accept = 34567 connect = 127.0.0.1:3128 ``` ## 三、Ansible 批量部署 ```bash [root@localhost squid]# tree . |-- hosts |-- install.yml `-- roles |-- squid | |-- files | | |-- cert.pem | | `-- key.pem | |-- handlers | | `-- main.yml | |-- tasks | | `-- main.yml | `-- templates | `-- squid.conf.j2 `-- stunnel |-- handlers | `-- main.yml |-- tasks | `-- main.yml `-- templates `-- stunnel.conf.j2 ``` ### hosts 和 install.yml ```bash [root@localhost squid]# more hosts install.yml :::::::::::::: hosts :::::::::::::: [squid] 192.168.1.33 [stunnel] 192.168.1.33 [all:vars] ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=1 squid_ssl_port=4430 :::::::::::::: install.yml :::::::::::::: --- - name: 'Deployment to squid' gather_facts: false hosts: squid roles: - { role: 'squid', tags: "install_squid" } - name: 'Deployment to stunnel' gather_facts: false hosts: stunnel roles: - { role: 'stunnel', tags: "install_stunnel" } ``` ### squid 相关配置 ```bash [root@localhost squid]# more roles/squid/handlers/main.yml roles/squid/tasks/main.yml roles/squid/templates/squid.conf.j2 :::::::::::::: roles/squid/handlers/main.yml :::::::::::::: - name: restart squid systemd: name: squid state: restarted enabled: yes :::::::::::::: roles/squid/tasks/main.yml :::::::::::::: - name: "Install squid stunnel openssl openssl-devel" yum: name: "{{ item.line }}" state: installed with_items: - {line: 'squid'} - {line: 'openssl'} - {line: 'openssl-devel'} - name: 'Copy Squid pem to remote' copy: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - {src: 'key.pem', dest: '/etc/squid/key.pem'} - {src: 'cert.pem', dest: '/etc/squid/cert.pem'} - name: 'template squid conf to remote' template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - {src: "squid.conf.j2", dest: "/etc/squid/squid.conf"} notify: - restart squid - name: 'Crontab for restart squid' cron: name: restartSquid state: present hour: '23' job: "sync && echo 3 >/proc/sys/vm/drop_caches && rm -f /var/log/squid/access.log ; systemctl restart squid" - name: 'Crontab for check squid' cron: name: CheckSquid state: present minute: '*' job: 'sleep 5 && systemctl status squid || systemctl start squid' - name: 'See Port' shell: 'ss -tnlp |grep squid' register: return_status - debug: # msg: '{{ return_status.stdout_lines }}' var: return_status.stdout_lines #when: return_status.rc != 0 :::::::::::::: roles/squid/templates/squid.conf.j2 :::::::::::::: acl localnet src 127.0.0.1/8 #acl localnet src {{ ansible_ssh_host }} {% for host in groups['stunnel'] %} acl localnet src {{ host }} {% endfor %} http_access allow localhost http_access allow localnet http_access deny all # PORT AND SSL PATH, 提供个 stunnel 高匿隧道 https_port {{ squid_ssl_port }} cert=/etc/squid/cert.pem key=/etc/squid/key.pem # 定义 squid 的cache 存放路径、cache目录容量、一级缓存目录数量、二级缓存目录数量 cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid # 设置squid磁盘缓存最大文件,超过4 maximum_object_size_in_memory 4 MB fqdncache_size 1024 cache_mem 300 MB max_open_disk_fds 0 minimum_object_size 1 KB maximum_object_size 20 MB cache_swap_low 90 0%时停 # 目录使用量大于95%时,开始清理旧的 cache_swap_high 95 ipcache_size 2048 ipcache_low 90 ipcache_high 95 refresh_pattern . 0 20% 4320 override-expire override-lastmod reload-into-ims ignore-reload # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # 高匿 request_header_access via deny all request_header_access X-Forwarded-For deny all ``` ### stunnel相关配置 ```bash [root@localhost squid]# more roles/stunnel/handlers/main.yml roles/stunnel/tasks/main.yml roles/stunnel/templates/stunnel.conf.j2 :::::::::::::: roles/stunnel/handlers/main.yml :::::::::::::: - name: restart stunnel shell: "ps -ef |grep stunnel |grep -v grep |awk '{print $2}' |xargs kill -9 || stunnel" :::::::::::::: roles/stunnel/tasks/main.yml :::::::::::::: - name: "Install stunnel" yum: name: "{{ item.line }}" state: installed with_items: - {line: 'stunnel'} - name: 'Template stunnel conf to remote' template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - {src: "stunnel.conf.j2", dest: "/etc/stunnel/stunnel.conf"} notify: - restart stunnel - name: 'See Port' shell: 'ss -tnlp |grep stunnel' register: return_status - debug: var=return_status.stdout_lines when: return_status.rc == 0 :::::::::::::: roles/stunnel/templates/stunnel.conf.j2 :::::::::::::: client=yes {% for host in groups['squid'] %} [squid_{{ loop.index }}] accept = 882{{ loop.index }} connect = {{ host }}:{{ squid_ssl_port }} {% endfor %} ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://close.gitbook.io/yun-wei-bi-ji/centos/ke-xue-shang-wang/stunnel-jia-mi-squid-dai-li-fu-wu.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.