1, Network environment

Host A: 192.168.0.11

Host B: 66.0.0.6

Host C: 4.2.2.2

Host A and host B can reach each other, and host B and host C can reach each other. If A's access to C is slow or fails, C can be reached through a stunnel + squid proxy.

2, squid installation configuration

Squid and the stunnel server can run on the same host (B), or on different hosts to add another network hop. Here the squid service and the stunnel server are configured on host B, and the stunnel client on host A.

  • Install: yum install squid

  • Configure: vim /etc/squid/squid.conf; the relevant settings are

# adjust to your environment: the source addresses allowed to use the proxy.
# stunnel hands decrypted connections to squid from this host, so host B's own address is listed;
# squid's default "http_access allow localnet" rule then grants this acl access
acl localnet src 66.0.0.6/32
http_port 3128  # port squid listens on

Start the service: service squid start

3, stunnel configuration

  • Install: yum -y install stunnel openssl openssl-devel

1. stunnel server configuration

  • Generate the certificate file: a self-signed certificate and its private key, written to one PEM file

    openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
    openssl gendh 512 >> stunnel.pem   # optional; gendh is deprecated (dhparam replaces it) and 512-bit parameters are too weak to rely on
  • Configure

vim /etc/stunnel/stunnel_ser.conf   (a line beginning with ; is a comment; stunnel takes the whole right-hand side of key = value as the value, so notes go on their own lines)

; certificate and private key, in one PEM file
cert = /etc/stunnel/stunnel.pem
; trust store used to check the peer; here the same self-signed certificate
CAfile = /etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;;;chroot = /var/run/stunnel
pid = /tmp/stunnel_server.pid
; 3 = require a peer certificate and accept only one present in CAfile
verify = 3
;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem
; drop root privileges to this user and group (they must exist)
setuid = web
setgid = web
;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; sslVersion = TLSv1
;;; fips=no
; "all" also permits SSLv3; enabling the two options below (or a TLS-only sslVersion) closes that
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
syslog = no
output = /var/logs/stunnel_server.log
; server mode
client = no
[sproxy]
; port the stunnel server listens on
accept = 44550
; where the decrypted traffic goes: the squid port
connect = 66.0.0.6:3128
  • Start the service: stunnel /etc/stunnel/stunnel_ser.conf

2. stunnel client installation and configuration (on host A, the squid client)

yum -y install stunnel openssl openssl-devel
vim /etc/stunnel/stunnel_cli.conf

; the stunnel.pem generated in step 1, copied to the client and renamed; it serves as both certificate and trust store
cert = /usr/local/etc/stunnel/stunnel_cli.pem
CAfile = /usr/local/etc/stunnel/stunnel_cli.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = web
setgid = web

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3

debug = 7
syslog = no
output = /data/logs/stunnel.log
; client mode
client = yes

[sproxy]
; listening address; 0.0.0.0 accepts from every interface, so any host on A's network can use the tunnel (use 127.0.0.1 if only this host should)
accept = 0.0.0.0:44550
; the stunnel server on host B
connect = 66.0.0.6:44550
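Both configurations above carry the same weak spots (sslVersion = all with the NO_SSLv2/NO_SSLv3 options commented out, TLS compression, debug = 7, no chroot, and on the client an entry point bound to 0.0.0.0). The following added example, which is not code from the post or from the stunnel project, parses stunnel's configuration format and reports those points; the configuration texts embedded in it are constructed copies of the post's server configuration and a hardened version of the same service, and the finding texts are the reviewer's own wording.

```python
"""Audit a stunnel configuration for security-relevant settings (added example).

stunnel's format: a line starting with ';' is a comment, '[name]' opens a
service section, everything else is 'key = value', and keys such as
'socket' or 'options' may repeat. Option names are case-insensitive.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, List[str]]   # option name -> every value given for it
Finding = Tuple[str, str]        # (scope, message); scope '' means global

# Constructed copy of the post's server configuration (annotations removed).
SERVER_CONF = """\
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;chroot = /var/run/stunnel
pid = /tmp/stunnel_server.pid
verify = 3
setuid = web
setgid = web
compression = zlib
sslVersion = all
; options = NO_SSLv2
; options = NO_SSLv3
debug = 7
client = no
[sproxy]
accept = 44550
connect = 66.0.0.6:3128
"""

# The same service with the weak settings corrected (constructed as well).
HARDENED_CONF = """\
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
chroot = /var/run/stunnel
pid = /stunnel_server.pid
verify = 3
setuid = web
setgid = web
sslVersion = TLSv1.2
debug = 5
client = no
[sproxy]
accept = 44550
connect = 66.0.0.6:3128
"""


def parse_stunnel_conf(text: str) -> Dict[str, Section]:
    """Return {section: {option: [values]}}; global options live under ''."""
    sections: Dict[str, Section] = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment line
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue                                  # stunnel would reject this line
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return sections


def audit(sections: Dict[str, Section]) -> List[Finding]:
    """Return findings for a parsed configuration, global ones first."""
    g = sections[""]
    findings: List[Finding] = []
    if not (g.get("setuid") and g.get("setgid")):
        findings.append(("", "no setuid/setgid: stunnel keeps root privileges"))
    if not g.get("chroot"):
        findings.append(("", "no chroot: the process can read the whole filesystem"))
    if g.get("debug", ["5"])[-1].split(".")[-1] in ("7", "debug"):
        findings.append(("", "debug = 7 logs every connection in detail; use 5 (notice) in production"))
    if g.get("compression"):
        findings.append(("", "compression: TLS compression leaks plaintext length (CRIME) and is gone from current OpenSSL"))
    for svc in (s for s in sections if s):
        def opt(name: str) -> List[str]:
            return sections[svc].get(name) or g.get(name) or []   # service overrides global
        versions, disabled = opt("sslversion"), {o.upper() for o in opt("options")}
        if versions and versions[-1].lower() == "all" and not {"NO_SSLV2", "NO_SSLV3"} <= disabled:
            findings.append((svc, "sslVersion = all without NO_SSLv2/NO_SSLv3: legacy SSL negotiable"))
        verify = opt("verify")
        level = int(verify[-1]) if verify and verify[-1].isdigit() else 0
        if level < 2:
            findings.append((svc, "verify < 2: the peer certificate is not validated"))
        elif not (opt("cafile") or opt("capath")):
            findings.append((svc, "verify set but no CAfile/CApath to check the peer against"))
        if opt("client") and opt("client")[-1].lower() == "yes":
            for addr in opt("accept"):
                host = addr.rsplit(":", 1)[0] if ":" in addr else ""
                if host in ("", "0.0.0.0", "::"):
                    findings.append((svc, f"accept = {addr} listens on all interfaces: any host that reaches it gets proxy access"))
    return findings


def audit_text(text: str) -> List[str]:
    """Configuration text in, one human-readable finding per line out."""
    return [f"[{scope or 'global'}] {msg}" for scope, msg in audit(parse_stunnel_conf(text))]


if __name__ == "__main__":
    for label, conf in (("post's server config", SERVER_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==", *(audit_text(conf) or ["no findings"]), sep="\n")
```

Run against the post's server configuration the audit lists four findings (chroot, debug level, compression, legacy SSL versions); the hardened variant produces none. Feeding it the client configuration adds the all-interfaces finding for accept = 0.0.0.0:44550.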

4, Testing and troubleshooting

  • Test: set the HTTP proxy to address 192.168.0.11, port 44550; host C should now be reachable
  • Error resolution:

stunnel error: CERT: Verification error: certificate has expired

The stunnel client cannot connect to the server and is disconnected after a few seconds. The error messages on each side are as follows:

# stunnel client:
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Remote socket (FD=13) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Local socket (FD=3) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)

# stunnel server:
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)

The certificate was generated with -days 365, so it expires after a year. Regenerate it with the command below and install the new file on both the server and the client (the client copy is the renamed stunnel_cli.pem):

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
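The two log excerpts show the same failure from each side: the client's own verification fails (CERT: Verification error), and the server only sees the client's fatal alert. The following added example, not code from the post or from the stunnel project, parses stunnel's log format (YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: message, where stunnel's levels run from 0 = emerg to 7 = debug) and, for every connection that logged at warning level or worse, reports which side it was, whether the rejection came from the local verifier or from the peer, the reason, and the fix. The embedded sample is the post's own log lines plus two constructed lines for a successful connection, so that the parser's filtering is exercised.

```python
"""Summarise stunnel log output per connection (added example)."""
import re
from typing import Dict, List, Optional, Pattern

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
LOCAL_VERIFY = re.compile(r"CERT: Verification error: (.+)")   # this side rejected the peer
PEER_ALERT = re.compile(r"SSL alert \(read\): fatal: (.+)")    # the peer rejected this side

# Lines 1-14 are the post's client and server logs; the last two are constructed
# to show a healthy connection that must not be reported.
SAMPLE_LOG = """\
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Remote socket (FD=13) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Local socket (FD=3) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)
2017.09.25 10:20:01 LOG5[13955:140155381970689]: Service [sproxy] accepted connection from 192.168.0.12:51022
2017.09.25 10:20:03 LOG5[13955:140155381970689]: Connection closed: 1820 byte(s) sent to SSL, 9241 byte(s) sent to socket
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn log text into records; lines not in stunnel's format are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def first_match(pattern: Pattern[str], msgs: List[str]) -> Optional[str]:
    """Captured group of the first message matching pattern, else None."""
    for msg in msgs:
        hit = pattern.search(msg)
        if hit:
            return hit.group(1)
    return None


def remedy(reason: str) -> str:
    """Map a verification failure reason to the action that fixes it."""
    r = reason.lower()
    if "expired" in r:
        return "regenerate the certificate and install the new PEM on both the server and the client"
    if "self signed" in r or "unable to get local issuer" in r:
        return "the CAfile on this side does not contain the peer's certificate"
    return "inspect the first error line of this connection"


def failed_connections(text: str) -> List[Dict[str, Optional[str]]]:
    """One entry per connection (pid:tid) that logged at level 4 (warning) or worse."""
    by_conn: Dict[str, List[Dict[str, str]]] = {}
    for rec in parse_log(text):
        by_conn.setdefault(f"{rec['pid']}:{rec['tid']}", []).append(rec)
    report = []
    for conn, recs in by_conn.items():
        msgs = [r["msg"] for r in recs]
        bad = [r["msg"] for r in recs if int(r["level"]) <= 4]
        if not bad:
            continue                                  # healthy connection
        role = ("client" if any(m.startswith("SSL_connect") for m in msgs)
                else "server" if any(m.startswith("SSL_accept") for m in msgs) else None)
        reason, rejected_by = first_match(LOCAL_VERIFY, msgs), "local"
        if reason is None:
            reason, rejected_by = first_match(PEER_ALERT, msgs), "peer"
        if reason is None:
            reason, rejected_by = bad[0], None        # not a certificate problem
        report.append({"connection": conn, "role": role, "rejected_by": rejected_by,
                       "reason": reason, "remedy": remedy(reason)})
    return report


if __name__ == "__main__":
    for entry in failed_connections(SAMPLE_LOG):
        print(entry)
```

On the sample the report contains exactly the two failed connections: the client one rejected locally with reason "certificate has expired", and the server one rejected by the peer with reason "certificate expired"; both map to the same remedy of regenerating and redistributing the certificate.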