Stunnel SSL-to-SSL proxy
Stunnel can be configured as an SSL-to-SSL relay: it terminates TLS from the client, then opens its own TLS connection to the real server, giving a man-in-the-middle style forwarder.
This approach never modifies the forwarded bytes, so it cannot stand in for a normal reverse proxy (for example, when fronting a web server, some sites will not return pages correctly because the Host header still names the original host).
The configuration below proxies IMAP mail servers: 126 (without certificate verification) and Gmail (with certificate verification). The client-facing side is encrypted with the proxy's own certificate, so the hop to the proxy stays protected.
This style of proxy is very simple to set up; compared with nginx, perdition and similar tools it is far more convenient to configure.
; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
debug = info
output = /var/log/stunnel.log
;include = /etc/stunnel/conf.d
; Client-mode half of the 126 relay: takes plaintext on the loopback
; port and wraps it in TLS towards imap.126.com. No verifyChain here,
; so the remote certificate is NOT checked.
[Tunnel_out]
client = yes
accept = 127.0.0.1:54333
connect = imap.126.com:993
; Server-mode half: mail clients connect here over TLS (our own cert),
; the decrypted stream is handed to Tunnel_out on the loopback port.
[Tunnel_in]
client = no
accept = 0.0.0.0:1993
connect = 127.0.0.1:54333
cert = /server.pem
; Gmail relay with full verification: chain check against the system
; CA store, hostname check, and OCSP via the AIA URL in the certificate.
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
; Server-mode front for the Gmail relay: TLS on 993, plaintext to the
; gmail-imap service on 143 (client = no is the default).
[imaps]
accept = 993
connect = 143
cert = /etc/stunnel/stunnel.pem
Note: the certificate file must hold both the certificate (public key) and the private key in a single file; it can be produced with the following command (it simply concatenates the contents of the two files).
cat server.crt server.key > server.includesprivatekey.pem
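The two things worth checking before starting stunnel with a configuration like the one above are whether every client-mode service actually verifies the remote certificate (the 126 tunnel above deliberately does not, the Gmail tunnel does) and whether the combined PEM file really contains both a certificate and a private key. The script below is an added example written for this page; it is not part of stunnel or of the original post. It uses its own small parser for the stunnel.conf format and its own hypothetical function names (`parse_stunnel_conf`, `audit`, `is_combined_pem`); the sample configuration and the placeholder PEM are constructed inline.

```python
"""Audit a stunnel SSL-to-SSL configuration (added example, not stunnel code).

- parse_stunnel_conf: minimal parser for stunnel's INI-style config
  (';' and '#' comments, [service] sections, key = value).
- audit: flags client-mode services that forward to a remote TLS endpoint
  without verifying its certificate, and server-mode services without a cert.
- is_combined_pem: confirms a PEM file holds both a certificate and a
  private key, which 'cert =' expects when no separate 'key =' is given.
"""
import re

# Constructed sample: the service definitions from the post above.
SAMPLE_CONF = """\
; global options come before the first section
pid = /var/run/stunnel.pid
debug = info

[Tunnel_out]
client = yes
accept = 127.0.0.1:54333
connect = imap.126.com:993

[Tunnel_in]
client = no
accept = 0.0.0.0:1993
connect = 127.0.0.1:54333
cert = /server.pem

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[imaps]
accept = 993
connect = 143
cert = /etc/stunnel/stunnel.pem
"""

# Constructed placeholder PEM (not a real certificate or key).
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBodyConstructedForThisExample
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderPrivateKeyBodyConstructedForThisExample
-----END PRIVATE KEY-----
"""


def parse_stunnel_conf(text):
    """Return {section: {key: value}}; options before the first [section]
    land under the '' (global) key. Later duplicates overwrite earlier ones."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def audit(sections):
    """Map each service name to a list of findings (empty list = no issue)."""
    findings = {}
    for name, opts in sections.items():
        if not name:
            continue  # skip global options
        issues = []
        if opts.get("client", "no").lower() == "yes":
            # Chain verification: verifyChain = yes, or numeric verify level 2/3.
            chain = (opts.get("verifyChain", "no").lower() == "yes"
                     or opts.get("verify") in ("2", "3"))
            # Pinned peer certificate: verifyPeer = yes, or verify level 3/4.
            pinned = (opts.get("verifyPeer", "no").lower() == "yes"
                      or opts.get("verify") in ("3", "4"))
            if not chain and not pinned:
                issues.append("remote certificate is not verified "
                              "(no verifyChain / verifyPeer / verify)")
            if chain and not (opts.get("CApath") or opts.get("CAfile")):
                issues.append("verifyChain set but no CApath/CAfile")
            if chain and not (opts.get("checkHost") or opts.get("checkIP")):
                issues.append("chain verified but no checkHost/checkIP: "
                              "any certificate from a trusted CA is accepted")
        elif not opts.get("cert"):
            issues.append("server-mode service without a cert")
        findings[name] = issues
    return findings


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def is_combined_pem(pem_text):
    """True if the text holds at least one CERTIFICATE and one *PRIVATE KEY block."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    return "CERTIFICATE" in kinds and any(k.endswith("PRIVATE KEY") for k in kinds)


if __name__ == "__main__":
    for service, issues in audit(parse_stunnel_conf(SAMPLE_CONF)).items():
        print(service, "->", issues or "ok")
    print("combined PEM:", is_combined_pem(SAMPLE_PEM))
```

Run against the sample, `Tunnel_out` is reported as forwarding without verification while `gmail-imap` is clean; point `parse_stunnel_conf` at the contents of your real stunnel.conf and `is_combined_pem` at the file named by `cert =` to get the same report for a live setup.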
Reference links:
- https://serverfault.com/questions/727855/stunnel-ssl-to-ssl
- https://www.v2ex.com/t/218498
- https://www.v2ex.com/t/345608
- https://fast.v2ex.com/t/237551
- https://gist.github.com/xdtianyu/df7cdd6dce957f03fec6a25ba7d48109
- https://gist.github.com/jeremiahsnapp/6426298
- https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files
- https://wen.fan/how-to-set-a-reverse-proxy-for-gmail-smtpimap