一、環境介紹
[root@kimissVPN ~]# cat /etc/redhat-release CentOS release 6.8 (Final) [root@kimissVPN ~]# uname -r 4.10.4-1.el6.elrepo.i686 [root@kimissVPN ~]# uname -m i686
原理圖:
二、安裝Dnsmasq域名解析系統
Dnsmasq使用上比bind要簡便得多,可以做正向、反向dns解析,支持DHCP服務。也可以做內部dns服務器用。默認下dnsmasq使用系統的/etc/resolv.conf,並讀取/etc/hosts文件
①軟件安裝
yum install dnsmasq -y
②編輯配置文件/etc/dnsmasq.conf
resolv-file=/etc/dnsresolv.conf #上一級DNS,dnsmasq會從這個文件尋找上級dns服務器 strict-order ################################################## address=/pinterest.com/108.3.139.110 address=/qiye.aliyun.com/56.110.55.136 listen-address=108.3.139.106,127.0.0.1 ########################################### no-hosts cache-size=1500 #緩存數目 local-ttl=1000 #DHCP租約時間 neg-ttl=1000 log-queries log-facility=/var/log/dns.log #日志文件
③編輯上級DNS配置文件/etc/dns_resolv.conf
/etc/dns_resolv.conf #設置的是真正的nameserver,可以用電信、聯通等公共的DNS nameserver 114.114.114.114 nameserver 223.5.5.5 nameserver 114.114.114.114
④啟動dnsmasq服務
/etc/init.d/dnsmasq start lsof -i:53 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dnsmasq 23173 nobody 4u IPv4 3136642 0t0 UDP *:domain dnsmasq 23173 nobody 5u IPv4 3136643 0t0 TCP *:domain (LISTEN) dnsmasq 23173 nobody 6u IPv6 3136644 0t0 UDP *:domain dnsmasq 23173 nobody 7u IPv6 3136645 0t0 TCP *:domain (LISTEN)
三、安裝Stunnel
使用TLS對tcp協議進行加密,也就是對tcp建立一條加密線路
①在內網dns服務器和國外服務器都安裝stunnel
yum install stunnel -y
②生成ssl證書stunnel.pem文件
openssl genrsa -out key.pem 2048 openssl req -new -x509 -key key.pem -out cert.pem -days 1095 cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
③編輯/etc/stunnel/stunnel.conf
cat > /etc/stunnel/stunnel.conf <<EOF client = no [http] accept = 1.2.3.4:8082 #此處地址為國外服務器ip connect = 127.0.0.1:8082 cert = /etc/stunnel/stunnel.pem [https] accept = 1.2.3.4:4433 connect = 127.0.0.1:4433 cert = /etc/stunnel/stunnel.pem EOF
說明:此配置文件表示,監聽了1.2.3.4:8082,並轉發此地址流量到127.0.0.1:8082,監聽了1.2.3.4:4433,並轉發給地址流量到127.0.0.1:4433
④啟動啟動stunnel
stunnel
四、安裝sniproxy
代理軟件,對於HTTP協議,它可以根據Host請求頭解析得出目標站IP;對於HTTPS協議,它可以根據SNI擴展中的域名解析得出目標站IP
①安裝epel源
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
②安裝依賴軟件
yum install autoconf automake curl gettext-devel libev-devel pcre-devel perl pkgconfig rpm-build udns-devel gcc-c++ cc -y
③喜歡高版本的依賴包也可以選擇編譯安裝
cd /server/tools wget http://dist.schmorp.de/libev/Attic/libev-4.22.tar.gz tar xzf libev-4.22.tar.gz cd libev-4.22 ./configure make make install echo -e '/usr/local/lib\n/usr/local/lib64' > /etc/ld.so.conf.d/local.conf ldconfig cd /opt wget http://www.corpit.ru/mjt/udns/udns-0.4.tar.gz tar xzf udns-0.4.tar.gz cd udns-0.4 ./configure make cd .. mv udns-0.4 /usr/local/udns echo -e '/usr/local/udns' > /etc/ld.so.conf.d/udns.conf ldconfig
④創建存放軟件目錄
mkdir /server/tools -p && cd /server/tools/ wget -O sniproxy-0.4.0.tar.gz https://github.com/dlundquist/sniproxy/archive/0.4.0.tar.gz tar xf sniproxy-0.4.0.tar.gz cd sniproxy-0.4.0 ./autogen.sh && ./configure && make install
⑤編輯/etc/sniproxy.conf
# sniproxy example configuration file user nobody pidfile /var/tmp/sniproxy.pid error_log { syslog daemon priority notice } access_log { filename /tmp/sniproxy-access.log } listen 127.0.0.1:8082 { proto http table http_hosts access_log { filename /tmp/sniproxy.log } } table http_hosts { .*\.google\.com *:80 .*\.google\.com\$ 172.217.0.228 80 google\.com\$ 172.217.0.228 80 } listen 127.0.0.1:4433 { proto tls table https_hosts access_log { filename /tmp/sniproxy.log } } table https_hosts { .*\.google\.com * 443 .*\.google\.com\$ 172.217.0.228 443 google\.com\$ 172.217.0.228 443 }
說明:此配置文件表示,監聽了127.0.0.1:8082地址,並解析http協議中的Host請求頭為IP,然后轉發請求到此IP;監聽了127.0.0.1:4433地址,
並解析TLS中SNI擴展中的域名為IP,並轉發請求到此IP
⑥啟動sniproxy服務
sniproxy
方案中的HTTP明文協議,利用stunnel使用了TLS加密,變成了HTTPS協議,使得數據包無法被解析出明文。方案中的HTTPS協議,本身是加密的,但為了防止SNI擴展的中域名被嗅探,還是走了stunnel的加密通道