Stunnel PSK error

I have built an anonymous stunnel 5.29 + squid 3.3 SSL proxy server for some purposes, and I want to enable PSK authorization. The stunnel server configuration is as follows:

pid = /run/stunnel.pid
chroot  = /var/lib/stunnel
client  = no
setuid  = stunnel
setgid  = stunnel
cert    = /etc/stunnel/stunnel.pem

debug   = 7
;output = stunnel.log
foreground = yes

[server_psk]
accept = 443
accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[server_proxy]
accept = 8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

But I found that I cannot connect to the Internet, and I get this message on the client side:

LOG5[676]: Service [squid] accepted connection from 127.0.0.1:60216
LOG3[676]: s_connect: s_poll_wait 192.169.169.152:443: TIMEOUTconnect exceeded
LOG5[676]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

The browser (Firefox 43) reports two errors: "SSL Error" when I visit Google over HTTPS, and "Connection Reset" when I visit sites that do not use HTTPS. Here is the client configuration:

client = yes

[local_proxy]
accept = 127.0.0.1:8089
connect = 192.169.169.152:443
PSKsecrets = psk.txt
CAfile = ca-certs.pem
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

I have confirmed that squid is configured correctly and running normally, so I am sure the problem is in stunnel. Is there anyone familiar with stunnel who can help me?

Answer 1

After a day of research, I finally found a way to solve the problem. The hint is: the client side must be split into two sections, just like the server side. So I changed the client configuration to this:

[local_psk]
client = yes
accept = 127.0.0.1:8443
connect = 192.168.169.152:443
PSKsecrets = psk.txt

[local_proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

The flow looks like this:

browser <--> [local_proxy] <--> [local_psk] <==> [server_psk] <--> [server_proxy] <==> website

where - means local traffic, = means Internet traffic, and [] means a section in the stunnel configuration.

Then I updated the accept option of the [squid] section of the server configuration from 8443 to 127.0.0.1:8443. This tells stunnel to accept connections only from localhost; otherwise the [PSK] section would be useless. Here is what it looks like after the change:

[server_proxy]
accept = 127.0.0.1:8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

Note

These configurations are for development/testing only. If you want a highly secure anonymous proxy server, you must set debug = 0 in the stunnel configuration file to disable logging, set foreground = no to run it as a daemon, and set up the squid configuration and iptables rules properly.
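The key fix in the answer is that the inner [server_proxy] section must accept only on 127.0.0.1, otherwise anyone who can reach port 8443 bypasses the PSK-protected [server_psk] hop entirely. The following is an added example, not code from the question or the answer: a small stunnel-config checker that parses the INI-style file and flags any section that another section forwards to over loopback but which itself binds a wildcard address. The embedded server configuration is constructed for this example (it is a trimmed copy of the answer's server config, before and after the fix, and uses 127.0.0.1:3128 for the squid target); the function names are mine.

```python
"""Added example: detect an internal stunnel hop that binds every interface.

Constructed sample below mirrors the answer's server config. Before the fix,
[server_proxy] uses "accept = 8443" (wildcard bind), so the TLS proxy hop is
reachable without passing through the PSK-authenticated [server_psk] hop.
"""

import re
from typing import Dict, List, Tuple

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")

# Constructed sample config (assumption: trimmed from the answer, squid on 127.0.0.1:3128).
SERVER_CONF_BEFORE = """\
pid = /run/stunnel.pid
client = no

[server_psk]
accept = 443
accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[server_proxy]
accept = 8443
connect = 127.0.0.1:3128
"""

# Same config with the answer's fix applied.
SERVER_CONF_AFTER = SERVER_CONF_BEFORE.replace("accept = 8443", "accept = 127.0.0.1:8443")


def parse_stunnel_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}; global options live under "".

    Repeated keys (stunnel allows several accept lines) are kept in order.
    Lines starting with ';' or '#' are comments.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections


def split_host_port(value: str) -> Tuple[str, str]:
    """Split "host:port", "[v6]:port", ":::port" or a bare "port" into (host, port)."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return "", value          # bare port means a wildcard bind
    return host.strip("[]"), port


def accept_binds_loopback(value: str) -> bool:
    """True only when the accept address is explicitly a loopback address."""
    host, _port = split_host_port(value)
    return host in LOOPBACK_HOSTS


def find_exposed_internal_hops(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Sections that some other section connects to over loopback, but which
    accept on a wildcard address. Such a section can be reached directly,
    skipping the upstream (here PSK-protected) hop."""
    loopback_targets = set()
    for opts in sections.values():
        for key, value in opts:
            if key == "connect":
                host, port = split_host_port(value)
                if host in LOOPBACK_HOSTS:
                    loopback_targets.add(port)

    findings = []
    for name, opts in sections.items():
        if not name:
            continue
        for key, value in opts:
            if key == "accept":
                _host, port = split_host_port(value)
                if port in loopback_targets and not accept_binds_loopback(value):
                    findings.append(f"[{name}] accept = {value}")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SERVER_CONF_BEFORE), ("after", SERVER_CONF_AFTER)):
        print(label, find_exposed_internal_hops(parse_stunnel_conf(conf)) or "no exposed internal hop")
```

Run it against a real stunnel.conf by reading the file into parse_stunnel_conf; the check is deliberately narrow (wildcard bind on a port another section reaches via loopback) so it reports exactly the mistake the answer corrected and nothing else.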
