Environment plan
Squid server IP: 192.168.0.128/24 (external), 192.168.1.254/24 (internal)
Web server IP: 192.168.1.11/24, gateway: 192.168.1.254/24
DNS server IP: 192.168.1.10/24
Windows 7 client IP: 192.168.1.1/24, DNS: 192.168.1.10/24
Configure the Apache server
Install the service and the SSL module
[root@web1 /]# yum -y install httpd mod_ssl
Create the website directory and page
[root@web1 /]# mkdir -p netskills/www
[root@web1 /]# echo "This is my web" > netskills/www/index.html
Create the self-signed SSL certificate and its directory
[root@web1 /]# mkdir ssl
[root@web1 /]# cd ssl/
[root@web1 ssl]# openssl genrsa -out s.key
[root@web1 ssl]# openssl req -new -key s.key -out s.csr
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:qy
Organization Name (eg, company) [Default Company Ltd]:you
Organizational Unit Name (eg, section) []:you
Common Name (eg, your name or your server's hostname) []:you
Email Address []:you@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 ssl]# openssl x509 -req -in s.csr -signkey s.key -out s.crt
Edit the Apache main configuration file
[root@web1 ssl]# vi /etc/httpd/conf/httpd.conf
Add the following at the very bottom to define the virtual host for the site
<VirtualHost 192.168.1.11:443>
    ServerName netskills.com
    DocumentRoot /netskills/www
    DirectoryIndex index.html
    SSLEngine on
    SSLCertificateFile /ssl/s.crt
    SSLCertificateKeyFile /ssl/s.key
    <Directory "/netskills/www">
        Require all granted
    </Directory>
</VirtualHost>
:wq  (save and exit)
Check the configuration file for errors and restart the service
[root@web1 /]# httpd -t
[root@web1 /]# systemctl restart httpd
Configure the DNS service
Install the DNS service
[root@dns ~]# yum -y install bind*
Edit the configuration file and set both the listening addresses and the query access control to any
[root@dns ~]# vi /etc/named.conf
Change these three entries to any:
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
:wq  (save and exit)
Create the forward and reverse lookup zones
[root@dns ~]# vi /etc/named.rfc1912.zones
Add the following at the very bottom
zone "netskills.com" IN {
    type master;
    file "named.0";
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "named.1";
    allow-update { none; };
};
:wq  (save and exit)
Check the configuration file for syntax errors
[root@dns ~]# named-checkconf
Generate the zone files
[root@dns ~]# cd /var/named/
[root@dns named]# cp -p named.localhost named.0
[root@dns named]# cp -p named.loopback named.1
Edit the forward zone file
[root@dns named]# vi named.0
$TTL 1D
@       IN SOA  @ root.netskills.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.netskills.com.
dns     A       192.168.1.254
www     A       192.168.1.254
@       A       192.168.1.254
:wq  (save and exit)
Restart the DNS service
[root@dns named]# systemctl restart named
Configure the Squid server
Install the service
[root@squid ~]# yum -y install squid
Copy Apache's SSL key and certificate to this machine
[root@squid /]# mkdir ssl
[root@web1 /]# scp /ssl/s.key 192.168.1.254:/ssl/
Are you sure you want to continue connecting (yes/no)? yes
root@192.168.1.254's password:
[root@web1 /]# scp /ssl/s.crt 192.168.1.254:/ssl/
root@192.168.1.254's password:
[root@squid ssl]# chmod 777 *
Edit the Squid configuration file
[root@squid /]# vi /etc/squid/squid.conf
dns_nameservers 192.168.1.10
http_port 192.168.1.254:80 accel vhost vport
https_port 192.168.1.254:443 accel vhost cert=/ssl/s.crt key=/ssl/s.key
cache_mem 64 MB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid 100 16 256
cache_peer 192.168.1.11 parent 443 0 no-query name=netskills max-conn=20 originserver ssl sslflags=DONT_VERIFY_PEER
acl ssl_port port 443
cache_peer_access netskills allow ssl_port
access_log /var/log/squid/access.log
:wq  (save and exit)
Check for syntax errors and restart the service
[root@squid /]# squid -k check
[root@squid /]# systemctl restart squid
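As an added check that is not part of the original tutorial and not a Squid tool, the following Python script parses the squid.conf lines used here and flags the two weak settings this setup leaves in place: the cache_peer that skips verification of the origin's certificate (DONT_VERIFY_PEER), and the copied private key left group/world accessible by the chmod 777 step. The configuration text is embedded as a constructed sample, and the key's permission bits are passed in as an argument rather than read from disk, so it runs anywhere.

```python
import stat

# Constructed sample: the TLS-related squid.conf lines from this tutorial.
TUTORIAL_CONF = """
dns_nameservers 192.168.1.10
http_port 192.168.1.254:80 accel vhost vport
https_port 192.168.1.254:443 accel vhost cert=/ssl/s.crt key=/ssl/s.key
cache_peer 192.168.1.11 parent 443 0 no-query name=netskills max-conn=20 originserver ssl sslflags=DONT_VERIFY_PEER
acl ssl_port port 443
cache_peer_access netskills allow ssl_port
"""

def parse_squid_conf(text):
    """Return (directive, args) pairs, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries

def audit_squid_conf(text, key_mode=None):
    """List risky TLS settings. key_mode is the private key's permission
    bits (st_mode) when the key is on this host, or None to skip that check."""
    findings = []
    for directive, args in parse_squid_conf(text):
        if directive == "https_port":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if "cert" not in opts or "key" not in opts:
                findings.append("https_port is missing cert= or key=")
        elif directive == "cache_peer":
            name = next((a[5:] for a in args if a.startswith("name=")),
                        args[0] if args else "?")
            if "originserver" in args and "ssl" not in args and "tls" not in args:
                findings.append(f"cache_peer {name}: origin is reached over plain HTTP")
            if any(a.startswith("sslflags=") and "DONT_VERIFY_PEER" in a for a in args):
                findings.append(f"cache_peer {name}: origin certificate is not verified"
                                " (DONT_VERIFY_PEER); trust the origin's CA instead")
    if key_mode is not None and key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("private key is group/world accessible; use mode 0600")
    return findings

if __name__ == "__main__":
    # 0o777 mirrors the tutorial's "chmod 777 *" on the copied key.
    for finding in audit_squid_conf(TUTORIAL_CONF, key_mode=0o777):
        print("WARNING:", finding)
```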
Client access test
No proxy needs to be configured in the browser; if one was added in an earlier exercise, remove it.
Browse to https://192.168.1.254: the web server's content is successfully proxied.
Browsing to https://netskills.com and https://www.netskills.com also succeeds.
If the configuration is confirmed correct but HTTPS access still fails, the browser may not have TLS and SSL enabled; turn them on under the Advanced tab of Internet Options.