标签：stunnel

一、网络环境

• 主机A ：192.168.0.11

• 主机B：66.0.0.6

• 主机C：4.2.2.2

主机A和B互通，B和C互通，A访问C网络较慢或不通，可以通过stunnel+squid代理跳转访问。

二、squid 安装配置

squid和stunnel可以在主机B上配置，也可在不同主机配置实现网络跳转。这里squid和stunnel server在主机B配置，stunnel client 在客户端主机A配置

• 安装 yum install squid

• 配置 vim /etc/squid/squid.conf，主要配置如下两处

acl localnet src 66.0.0.6/32  # 根据实际情况修改，添加允许 stunnel-client 的ip地址
http_port 3128  # squid监听端口

启动服务 service squid start

三、stunnel 配置

• 安装yum -y install stunnel openssl openssl-devel

1、stunnel server 配置

• 生成证书认证文件

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
openssl gendh 512>> stunnel.pem   #不是必须的

• 配置

vim /etc/stunnel/stunnel_ser.conf (;;; 注释形式)

cert = /etc/stunnel/stunnel.pem   ;;;# 认证文件
CAfile = /etc/stunnel/stunnel.pem  ;;;# 认证文件
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;;;chroot = /var/run/stunnel
pid = /tmp/stunnel_server.pid
verify = 3
;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem
setuid = web
setgid = web
;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; sslVersion = TLSv1
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3
debug = 7
syslog = no
output = /var/logs/stunnel_server.log
client = no  ;;;# 服务端
[sproxy]
accept = 44550  ;;;# 监听端口
connect = 66.0.0.6:3128  ;;;# squid服务连接端口

• 启动服务 stunnel /etc/stunnel/stunnel_ser.conf

2、squid client 安装配置

yum -y install stunnel openssl openssl-devel
vim  /etc/stunnel/stunnel_cli.conf 

cert = /usr/local/etc/stunnel/stunnel_cli.pem  ;;;#步骤1中生成的stunnel.pem，改了名字而已
CAfile = /usr/local/etc/stunnel/stunnel_cli.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;;;chroot = /var/run/stunnel
pid = /tmp/stunnel.pid
verify = 3

;;; CApath = certs
;;; CRLpath = crls
;;; CRLfile = crls.pem

setuid = web
setgid = web

;;; client=yes
compression = zlib
;;; taskbar = no
delay = no
;;; failover = rr
;;; failover = prio
;;; fips=no
sslVersion = all
;;; options = NO_SSLv2
;;; options = NO_SSLv3

debug = 7
syslog = no
output = /data/logs/stunnel.log
client = yes   ;;;# 客户端

[sproxy]
accept = 0.0.0.0:44550  ;;;# 监听地址
connect = 66.0.0.6:44550  ;;;# stunnel 服务端地址

四、测试及错误解决

• 测试：配置代理服务器地址：192.168.0.11，端口44550后，可以访问主机C
• 错误解决：

stunnel 报错:CERT: Verification error: certificate has expired

stunnel客户端连不上服务端，连上几秒就断开了，具体报错信息如下

# stunnel 客户端：
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Starting certificate verification: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG4[13955:140155381970688]: CERT: Verification error: certificate has expired
2017.09.25 10:16:19 LOG4[13955:140155381970688]: Certificate check failed: depth=0, /C=CN/L=Default City/O=Default Company Ltd
2017.09.25 10:16:19 LOG7[13955:140155381970688]: SSL alert (write): fatal: certificate expired
2017.09.25 10:16:19 LOG3[13955:140155381970688]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017.09.25 10:16:19 LOG5[13955:140155381970688]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Remote socket (FD=13) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Local socket (FD=3) closed
2017.09.25 10:16:19 LOG7[13955:140155381970688]: Service [sproxy] finished (0 left)

# stunnel 服务端：
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL state (accept): SSLv3 flush data
2017.09.25 10:13:24 LOG7[15546:140344803059456]: SSL alert (read): fatal: certificate expired
2017.09.25 10:13:24 LOG3[15546:140344803059456]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2017.09.25 10:13:24 LOG5[15546:140344803059456]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2017.09.25 10:13:24 LOG7[15546:140344803059456]: sproxy finished (0 left)

需要安装上面的证书生成命令，重新生成证书后手动更新

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem