Total Pageviews

Monday, 14 March 2016

用bind+stunnel+sni proxy翻墙

这里主要介绍电脑无需任何设置,就能够自动加密代理特定网站的HTTP/HTTPS协议。

方案介绍

涉及到的软件
BIND: 一个流行的域名解析服务器,我们可以设置哪些域名需要走加密线路。
Stunnel: 使用TLS对tcp协议进行加密,也就是对tcp建立一条加密线路。
SNI Proxy: 代理软件。对于HTTP协议,它可以根据Host请求头解析得出目标站IP;对于HTTPS协议,它可以根据SNI扩展中的域名解析得出目标站IP。

此方案优缺点
优点:
无需手动设置任何代理,就能够自动加密代理特定网站的HTTP或HTTPS协议
相对于我们常用的ssh隧道,ssh隧道是单路,而此方案是支持多并发连接,可以极大加速网站访问。
缺点:
对于代理HTTPS协议,需要发起HTTPS连接的客户端,比如浏览器支持TLS的SNI扩展。好消息是目前浏览器几乎都支持此扩展,但对于一些非浏览器的客户端,不支持SNI扩展。我们只能设置正向代理来解决此问题。

方案原理
流程图:


原理介绍:
1、首先我们需要准备三台服务器,一台是内网DNS服务器(安装bind),一台是内网代理服务器(安装stunnel),另一台国外服务器(安装stunnel,sniproxy)。
2、我们还需要设置DNS为内网的DNS,并在内网bind dns设置谷歌域名解析的IP为内网代理服务器
3、当我们访问谷歌网站时,首先会向内网DNS服务器发送DNS A记录查询,此时内网DNS服务器会返回内网代理服务器的IP。
4、浏览器得到谷歌域名的解析IP后(即内网代理服务器的IP),会向内网代理服务器发送HTTP或HTTPS请求。
5、此时内网代理服务器(即stunnel),会接收到请求,经过加密,把请求转发到国外服务器(stunnel)的指定端口上。
6、国外服务器(stunnel)接收到来自国内服务器(stunnel)的加密数据后,经过解密,把请求转发到sniproxy。
7、sniproxy再根据HTTP Host请求头或者HTTPS sni扩展的域名解析出谷歌服务器的IP,并把请求转发给谷歌服务器。
8、谷歌服务器收到来自sniproxy发送的请求后,马上返回网页内容给sniproxy,sniproxy再原路返回数据给浏览器。

方案实施
由于时间有限,我们仅在Ubuntu server 12.04演示安装。
环境介绍
系统:Ubuntu server 12.04
内网DNS IP: 10.96.153.201(主),10.96.153.204(从)
内网代理服务器: 10.96.153.204
国外服务器IP: 1.2.3.4

安装BIND9
1、在主DNS和从DNS安装bind,即10.96.153.201(主),10.96.153.204(从)。
wget http://www.isc.org/downloads/file/bind-9-10-0b1-2/?version=tar.gz -O bind-9-10-0b1-2.tar.gz
tar xzf bind-9-10-0b1-2.tar.gz
cd bind-9-10-0b1-2
./configure --prefix=/usr/local/bind
make && make install


2、配置主DNS服务器(10.96.153.201)
2.1、生成/usr/local/bind/etc/rndc.key密钥文件
/usr/local/bind/sbin/rndc-confgen -a -k rndckey -c /usr/local/bind/etc/rndc.key
2.2、编辑/usr/local/bind/etc/named.conf,写入如何内容:
include "/usr/local/bind/etc/rndc.key";
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; };
logging {
channel default_syslog { syslog local2; severity notice; };
channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
pid-file "/usr/local/bind/var/run/bind.pid";
transfer-format many-answers;
interface-interval 0;
forward only;
forwarders { 202.96.128.166;202.96.134.133; };
allow-query {any;};
};
zone "google.com" {
type master;
file "google.com.zone";
allow-transfer { 10.96.153.204; };
};
在这个named.conf文件中,我们只需要关心如下内容:
对于options{}区域,202.96.128.166和202.96.134.133这两个是ISP提供的本地DNS,需要修改为自己所在ISP的本地DNS。
对于zone “google.com”{}区域,这里定义了google.com域名的区域文件google.com.zone,还有允许10.96.153.204(即从DNS)同步区域文件。
2.3、建立google.com.zone区域文件
$TTL 3600
@ IN SOA ns1.google.com. hostmaster.google.com. (
2014072015  ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
@ IN NS ns1.google.com.
@ IN NS ns2.google.com.
ns1 IN A 10.96.153.201
ns2 IN A 10.96.153.204
@ IN A 10.96.153.204
* IN A 10.96.153.204
对于这个区域文件,
ns1 IN A 10.96.153.201 指向第一个dns服务器,即主DNS。
ns2 IN A 10.96.153.204 指向第二个dns服务器,即从DNS。
@ IN A 10.96.153.204和* IN A 10.96.153.204指向内网的代理服务器(stunnel)。我们只需要修改这三个地方就好了。


3、配置从DNS服务器(10.96.153.204)
编辑named.conf,写入如下内容
logging {
channel default_syslog { syslog local2; severity notice; };
channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
options {
    directory "/usr/local/bind/etc";
pid-file "/usr/local/bind/var/run/bind.pid";
transfer-format many-answers;
interface-interval 0;
forward only;
forwarders { 202.96.128.166;202.96.134.133; };
allow-query {any;};
};

zone "google.com" {
type slave;
file "google.com.zone";
masters { 10.96.153.201; };
};
配置从DNS就简单得多,只需要写入如上内容到named.conf文件。同样的,
options{}中202.96.128.166和202.96.134.133这两个是当地ISP本地dns。
zone “google.com”{}中10.96.153.201指明主DNS服务器IP。
4、启动bind dns服务器
/usr/local/bind/sbin/named
安装Stunnel
1、在内网代理服务器和国外主机安装stunnel
apt-get install stunnel4
2、内网代理服务器stunnel配置
编辑/etc/default/stunnel4,设置ENABLED=1。
编辑/etc/stunnel/stunnel.conf,内容如下:
client = yes
pid = /etc/stunnel/stunnel.pid
[http]
accept = 80
connect = 1.2.3.4:8082

[https]
accept = 443
connect = 1.2.3.4:4433
此配置文件表示,监听了80端口,并把此端口流量转发到1.2.3.4:8082,监听了443端口,并把此端口流量转发到1.2.3.4:4433
3、国外服务器stunnel配置
3.1、生成ssl证书stunnel.pem文件
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
3.2、编辑/etc/stunnel/stunnel.conf文件
client = no
[http]
accept = 1.2.3.4:8082
connect = 127.0.0.1:8082
cert = /etc/stunnel/stunnel.pem

[https]
accept = 1.2.3.4:4433
connect = 127.0.0.1:4433
cert = /etc/stunnel/stunnel.pem
此配置文件表示,监听了1.2.3.4:8082,并转发此地址流量到127.0.0.1:8082,监听了1.2.3.4:4433,并转发给地址流量到127.0.0.1:4433。
3.3、编辑/etc/default/stunnel4,设置ENABLED=1。
4、启动stunnel
service stunnel4 start
安装sniproxy
sniproxy项目地址:https://github.com/dlundquist/sniproxy
1、安装sniproxy
同样只演示在ubuntu server 12.04安装。
1.1、安装UDNS
mkdir udns_packaging
cd udns_packaging
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
tar xfz udns_0.4.orig.tar.gz
cd udns-0.4/
tar xfz ../udns_0.4-1.debian.tar.gz
dpkg-buildpackage
cd ..
dpkg -i *.deb
1.2、安装sniproxy
apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config
wget https://github.com/dlundquist/sniproxy/archive/master.zip
unzip master.zip
cd sniproxy-master/
dpkg-buildpackage
cd ..
dpkg -i *.deb
2、配置sniproxy
/etc/sniproxy.conf内容如下:
user daemon
pidfile /var/run/sniproxy.pid
error_log {
    syslog deamon
    priority notice
}
listen 127.0.0.1:8082 {
    proto http
    table http_hosts
}
table http_hosts {
        .*      *:80
}

listen 127.0.0.1:4433 {
    proto tls
    table https_hosts
}
table https_hosts {
.* *:443
}
此配置文件表示,监听了127.0.0.1:8082地址,并解析http协议中的Host请求头为IP,然后转发请求到此IP;监听了127.0.0.1:4433地址,并解析TLS中SNI扩展中的域名为IP,并转发请求到此IP。
3、启动sniproxy:
sniproxy

结束
到目前为止,我们已经搭建完成了整套HTTP/HTTPS加密代理方案。方案中的HTTP明文协议,利用stunnel使用了TLS加密,变成了HTTPS协议,使得数据包无法被解析出明文。方案中的HTTPS协议,本身是加密的,但为了防止SNI扩展的中域名被嗅探,还是走了stunnel的加密通道。对于发送HTTPS请求而不支持SNI扩展的客户端,需要手动设置下代理。

相关帖子:
http://briteming.blogspot.com/2015/08/dnsmasq-dnscrypt-sni-proxy.html
http://briteming.blogspot.com/2012/01/vpsstunnel.html
-------------------------------------

SNI Proxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

News

First user survey, please take a moment to offer your input.

Features

  • Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required.
  • Supports both TLS and HTTP protocols.
  • Supports IPv4, IPv6 and Unix domain sockets for both back end servers and listeners.
  • Supports multiple listening sockets per instance.

Usage

Usage: sniproxy [-c <config>] [-f] [-n <max file descriptor limit>] [-V]
    -c  configuration file, defaults to /etc/sniproxy.conf
    -f  run in foreground, do not drop privileges
    -n  specify file descriptor limit
    -V  print the version of SNIProxy and exit

Installation

For Debian or Fedora based Linux distributions see building packages below.
Prerequisites
  • Autotools (autoconf, automake, gettext and libtool)
  • libev4, libpcre and libudns development headers
  • Perl and cURL for test suite
Install
./autogen.sh && ./configure && make check && sudo make install
Building Debian/Ubuntu package
This is the preferred installation method on recent Debian based distributions:
  1. Install required packages
    sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts
    
  2. Build a Debian package
    ./autogen.sh && dpkg-buildpackage
    
  3. Install the resulting package
    sudo dpkg -i ../sniproxy_<version>_<arch>.deb
    
Building Fedora/RedHat package
This is the preferred installation method for modern Fedora based distributions.
  1. Install required packages
    sudo yum install autoconf automake curl gettext-devel libev-devel pcre-devel perl pkgconfig rpm-build udns-devel
    
  2. Build a distribution tarball:
    ./autogen.sh && ./configure && make dist
    
  3. Build a RPM package
    rpmbuild --define "_sourcedir `pwd`" -ba redhat/sniproxy.spec
    
  4. Install resulting RPM
    sudo yum install ../sniproxy-<version>.<arch>.rpm
    
I've used Scientific Linux 6 a fair amount, but I prefer Debian based distributions. RPM builds are tested in Travis-CI on Ubuntu, but not natively. This build process may not follow the current Fedora packaging standards, and may not even work.
Building on OS X with Homebrew
  1. install dependencies.
    brew install libev pcre udns autoconf automake gettext libtool
    
  2. Read the warning about gettext and force link it so autogen.sh works. We need the GNU gettext for the macro AC_LIB_HAVE_LINKFLAGS which isn't present in the default OS X package.
    brew link --force gettext
    
  3. Make it so
    ./autogen.sh && ./configure && make
    
OS X support is a best effort, and isn't a primary target platform.

Configuration Syntax

user daemon

pidfile /tmp/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listener 127.0.0.1:443 {
    protocol tls
    table TableName

    # Specify a server to use if the initial client request doesn't contain
    # a hostname
    fallback 192.0.2.5:443
}

table TableName {
    # Match exact request hostnames
    example.com 192.0.2.10:4343
    example.net [2001:DB8::1:10]:443
    # Or use regular expression to match
    .*\\.com    [2001:DB8::1:11]:443
    # Combining regular expression and wildcard will resolve the hostname
    # client requested and proxy to it
    .*\\.edu    *:443
}

DNS Resolution

Using hostnames or wildcard entries in the configuration requires sniproxy to be built with UDNS. SNIProxy will still build without UDNS, but these features will be unavailable.
UDNS uses a single UDP socket for all queries, so it is recommended you use a local caching DNS resolver (with a single socket each DNS query is protected by spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
UDNS is currently not available in Debian stable, but a package can be easily built from the Debian testing or Ubuntu source packages:
mkdir udns_packaging
cd udns_packaging
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/u/udns/udns_0.4-1.debian.tar.gz
tar xfz udns_0.4.orig.tar.gz
cd udns-0.4/
tar xfz ../udns_0.4-1.debian.tar.gz
dpkg-buildpackage
cd ..
sudo dpkg -i libudns-dev_0.4-1_amd64.deb libudns0_0.4-1_amd64.deb
from https://github.com/dlundquist/sniproxy
-------------

部署 SNI Proxy 加速网页访问 反代 无需证书

我们都知道可以使用 nginx 反代功能来实现跨境访问外网,不过,这种方式有很多的制约,比如说很难实现登录验证,比如说需要针对转发模块单独做编译,比如说需要你有一个有效的 ssl 签名证书等等。
这次,我们来介绍另外一款神器 SNI Proxy,是用 dnsmasq 配合 sniproxy 可以实现无证书任意网站反代。它使用SNI 技术将 TLS 连接通过 TCP 代理到目标网站,这样就避免了对代理服务器的证书需求,而且访问到的网站证书也是原原本本的证书。

编译 SNI Proxy(可以跳过)

示例环境为 Ubuntu 14.04
从git上克隆 sni的源文件: https://github.com/dlundquist/sniproxy.git

准备环境

安装配置 SNI Proxy


编辑 /etc/sniproxy.conf来开启反代:
像上边这样开启针对某个域名的反代,但是这样太麻烦了,每次新增加一个网站,都需要对这个列表增加——为此,我们为了方便稍微牺牲一点安全性——且我不需要对邮件进行反代(容易被滥用,国外对垃圾邮件服务器是深恶痛绝的。),那么我可以直接这样写:
这样就只打开了 https 反代,而且是只要被解析到这个服务器的域名都会被反代,这样一来,我们就可以只通过 dnsmasq 的解析来控制哪个域名反代了。(有那么一点安全隐患就是一旦被别人发现,你可能你服务器的流量会意外流失咯~记得监控你的服务器带宽?)

运行 sniproxy

直接使用命令sniproxy 即可运行,默认配置文件就是“/etc/sniproxy.conf”它会自动加载,如果你使用了其他路径或者配置文件名,那么你需要使用“-c”选项来指定路径:

端口重定向

那么,一般我们访问网站不喜欢输入端口号或者协议名称,那么默认访问的是80端口怎么办?作为辅助,我们安装一个轻量级的 nginx,让它把所有访问80端口的流量转移到443上边去,使用301重定向即可。
我们编辑 nginx 的配置文件“/etc/nginx/sites-available/default
改为如下内容:

域名解析

sniproxy 搭建成功,但是它是不能被直接访问的,你需要将域名解析过去,这样它才能根据域名来代理你的 ssl 链接,那么你可能就需要在自己的 hosts 上修改解析啦。