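; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Comments in this file use ';' only - stunnel also accepts '#', but one marker
; per file keeps the commented-out lines unambiguous

; Certificate/key is needed in server mode and optional in client mode
; stunnel.pem holds the private key together with the certificate, so restrict
; its permissions (e.g. 0600, owned by root); it is read before the chroot below,
; which is why its path is outside /var/lib/stunnel4/
;cert = /etc/ssl/certs/stunnel.pem
cert = /etc/stunnel/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
; "all" lets both sides negotiate the newest version they share; the legacy
; SSLv2/SSLv3 protocols are switched off with the "options" lines further down
; instead of pinning every client to TLSv1 here
;sslVersion = SSLv3
;sslVersion = TLSv1
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Several "options" lines may be given; they accumulate
; Disable the broken legacy SSL protocols
options = NO_SSLv2
options = NO_SSLv3

; Authentication stuff
; verify is off, so any client that can reach an "accept" port may use the tunnel;
; verify = 2 makes stunnel require a peer certificate and check it against CApath/CAfile
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Stay in the foreground - handy for troubleshooting, and required when a
; process supervisor (e.g. supervisord) manages stunnel
foreground = yes
; Some debugging stuff useful for troubleshooting
;debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes
client = no

; Service-level configuration
; In server mode each [service] listens on "accept" and forwards the decrypted
; stream to "connect" (host defaults to localhost when only a port is given)
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
;[https]
;accept = 58080
;connect = 127.0.0.1:3128
;TIMEOUTclose = 0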
; TLS front end for the local squid: accept = 8888 has no bind address, so
; stunnel listens on every interface; connect = 3128 (localhost) is squid3's
; default HTTP port. With verify disabled in the global section, every host
; that can reach port 8888 gets proxy access.
[squid]
accept = 8888
connect = 3128
; vim:ft=dosini
虚拟机：Ubuntu 12.04
$ sudo aptitude install stunnel
$ sudo aptitude install squid3
squid3的默认http端口是3128
/etc/stunnel/stunnel.conf 中的 foreground = yes 是用来调试用的；如果用 supervisord 来管理 stunnel，这个选项也会用得到
/etc/stunnel/stunnel.pem，这个 pair 是这样得到的；最主要的就是 Common Name 这一项，其他的随便填
$ openssl genrsa -out privkey.pem 2048
$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Common Name (e.g. server FQDN or YOUR name) []:192.168.56.2
$ cat privkey.pem cacert.pem > stunnel.pem
在192.168.56.2这台虚拟机上执行
$ sudo stunnel4 /etc/stunnel/stunnel.conf
然后用这个插件 https://chrome.google.com/webstore/detail/falcon-proxy/gchhimlnjdafdlkojbffdkogjhhkdepf ，代理类型选 https proxy，host 填 192.168.56.2，port 填 8888
懂得 PAC 的可以用：
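// PAC entry point: route every request through the stunnel listener on the VM.
// The original line used a curly opening quote and had no closing quote, which
// is a syntax error in a PAC file; the proxy string is now a plain JS literal.
function FindProxyForURL(url, host) {
    return "HTTPS 192.168.56.2:8888";
}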
剩下的工作就是导入证书了
Windows 的按照这篇这样弄就可以了：打开 IE，敲入 https://192.168.56.2:8888
（8 步，Vista/Win7 都应该那样做）
http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA
其他系统的证书导入可以参照
http://wiki.cacert.org/FAQ/BrowserClients?action=show&redirect=BrowserClients#Linux
http://blog.avirtualhome.com/adding-ssl-certificates-to-google-chrome-linux-ubuntu/
最后一点，如果想要加认证，可以用 squid auth；以前 squid 2.7 用的是 Apache 的 basic HTTP auth，现在 squid3 里不知道又是什么样子了，或者用 PAM 或者传说中的 LDAP