QQ咨询
阿里旺旺
#skype#
通过vpn搭建squid stunnel 代理服务器成功访问google
最近公司有一需求
通过国内服务器要访问国外的google推送服务器https://android.googleapis.com/gcm/send
刚开始想过通过搭建vpn来实现,但由于公司两边都是使用linux服务器,考虑到风险,暂时没有使用这种方法
后来通过各种方法的测试,最后总结出一套好的办法来实现
方案squid认证代理+stunnel
此种方法前提条件是有一台自己的vps机器
配置步骤如下:
二,服务端安装squid
1,安装squid
# yum install squid openssl openssl-devel
2,生成加密代理证书
# cd /etc/squid
# openssl req -new > example.csr //要求输入密码和确认密码
# openssl rsa -in privkey.pem -out example.key //输入上面输入的密码
# openssl x509 -in example.csr -out example.crt -req -signkey example.key -days 3650
生成认证用户
# touch /etc/squid/passwd
# chown root.squid /etc/squid/passwd
# chmod 640 /etc/squid/passwd
# /usr/local/apache/bin/htpasswd /etc/squid/passwd 360push
3,配置squid
# vim /etc/squid/squid.conf
visible_hostname push.360push.com
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 182.150.2.130/32 //push client
acl SSL_ports port 443
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
https_port 443 cert=/etc/squid/example.crt key=/etc/squid/example.key
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
cache_dir ufs /var/spool/squid 2048 16 256
coredump_dir /var/spool/squid
acl OverConnLimit maxconn 100 //限制每个IP最大允许10个连接,防止攻击
minimum_object_size 1 KB //允午最小文件请求体大小
maximum_object_size 1 MB //允午最大文件请求体大小
cache_swap_low 10 //最小允许使用swap 10%
cache_swap_high 25 //最大允许使用swap 25%
cache_mem 300 MB //可使用内存
##Add auth##
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 12 hours
auth_param basic realm Push Server
acl 360push proxy_auth REQUIRED
vps硬盘,内存都不富裕,所以对squid所占用的内存和硬盘等要加以控制。
4,启动squid,并查看
# squid -z 生成交换文件
# squid -k parse 检查配置文件正确性
# /etc/init.d/squid start
VPS很少有,自启动开启防火墙的,如果有先关掉,等都配置好了,在开放端口。
三,客户端安装配置stunnel
1,安装
# yum install stunnel
2,新增配置/etc/stunnel/stunnel.conf,添加以下内空
client = yes
fips = no
[https]
accept = 8888
connect = VPS的IP:443
如果报,FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match,stunnel.conf配置文件中加上,fips = no
3,启动stunnel并查看
# stunnel //启动,默认配置文件路径 /etc/stunnel/stunnel.conf
curl本机测试
curl -v -x 127.0.0.1:8888 -U 360push:360push https://android.googleapis.com/gcm/send
php也可以利用代理服务器
function testCurl($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $gurl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, TRUE);
curl_setopt($ch, CURLOPT_PROXY, “127.0.0.1:8888″); //ip/端口
curl_setopt($ch, CURLOPT_PROXYUSERPWD, ‘360push:360push’); //认证用户和密码
$result=curl_exec($ch);
curl_close($ch);
return $result;
}
echo testCurl(“google.com”);
google提示错误,如下
We’re sorry… but your computer or network may be sending automated queries. To protect our users, we can’t process your request right now
解决办法。
方法一:编辑 /etc/sysctl.conf,添加如下内容
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
重启网卡
# /etc/init.d/networking restart
方法二,实时生效
echo ‘1’ > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo ‘1’ > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo ‘1’ > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo ‘1’ > /proc/sys/net/ipv6/conf/default/disable_ipv6