Setting up a squid + stunnel proxy server on a VPS to reach Google
Recently the company had a requirement:
servers inside China had to reach Google's push server at https://android.googleapis.com/gcm/send.
At first I considered setting up a VPN, but since both sides run Linux servers, I decided against that approach for now because of the risk involved.
After testing a number of approaches I settled on one that works well.
Solution: a squid proxy with authentication + stunnel.
The prerequisite is that you have a VPS of your own.
The configuration steps are as follows:
Part two: install squid on the server
1. Install squid
# yum install squid openssl openssl-devel
2. Generate the certificate for the encrypted proxy port
# cd /etc/squid
# openssl req -new > example.csr //prompts for a passphrase and its confirmation; the key is written to privkey.pem
# openssl rsa -in privkey.pem -out example.key //enter the passphrase from the previous step; writes the key without a passphrase so squid can start unattended
# openssl x509 -in example.csr -out example.crt -req -signkey example.key -days 3650
Create the authentication user
# touch /etc/squid/passwd
# chown root.squid /etc/squid/passwd
# chmod 640 /etc/squid/passwd
# /usr/local/apache/bin/htpasswd /etc/squid/passwd 360push
3. Configure squid
# vim /etc/squid/squid.conf
visible_hostname push.360push.com
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 182.150.2.130/32 # push client
acl SSL_ports port 443
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl OverConnLimit maxconn 100 # cap each client IP at 100 concurrent connections to limit abuse
##Add auth##
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 12 hours
auth_param basic realm Push Server
acl 360push proxy_auth REQUIRED
https_port 443 cert=/etc/squid/example.crt key=/etc/squid/example.key
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny OverConnLimit
http_access allow localhost manager
http_access deny manager
http_access allow localnet 360push # the client IP must match AND valid credentials must be presented
http_access allow localhost
http_access deny all
cache_dir ufs /var/spool/squid 2048 16 256
coredump_dir /var/spool/squid
minimum_object_size 1 KB # smallest object squid will cache
maximum_object_size 1 MB # largest object squid will cache
cache_swap_low 10 # start evicting cached objects once the cache disk is 10% full
cache_swap_high 25 # evict aggressively above 25%
cache_mem 300 MB # memory available for in-transit and hot objects
The VPS is short on both disk and memory, so squid's memory and disk usage have to be kept in check.
4. Start squid and check it
# squid -z //create the cache swap directories
# squid -k parse //check the configuration file for errors
# /etc/init.d/squid start
Few VPSs come with a firewall enabled at boot; if yours does, turn it off first and open the required ports once everything is configured.
Part three: install and configure stunnel on the client
1. Install
# yum install stunnel
2. Create the configuration file /etc/stunnel/stunnel.conf with the following content
client = yes
fips = no
[https]
accept = 8888
connect = <VPS IP>:443
If you get the error FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match, add fips = no to stunnel.conf.
3. Start stunnel and check it
# stunnel //start; the default configuration file path is /etc/stunnel/stunnel.conf
Test from the local machine with curl
curl -v -x 127.0.0.1:8888 -U 360push:360push https://android.googleapis.com/gcm/send
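Two things in the configuration above deserve a check before the setup is trusted, and the following bash script is an added example that audits both (it is not part of the original post). First, squid only enforces a proxy_auth ACL if an http_access rule references it after it is defined; an ACL that is merely declared, or declared after the rules, leaves the proxy protected by source IP alone. Second, a stunnel client with no verifyPeer/verifyChain and no CAfile accepts whatever TLS server answers on the VPS address, so the tunnel should pin the VPS's self-signed example.crt. The sample config files are constructed here to mirror the post; the address 203.0.113.10 and the client-side path /etc/stunnel/example.crt are placeholders, and the checks only understand the option spellings shown in the comments.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the squid and stunnel
# configs used in this setup. It reports squid proxy_auth ACLs that no
# http_access rule enforces, and stunnel client services that do not verify
# the VPS certificate. Sample configs below are constructed to mirror the post;
# 203.0.113.10 and /etc/stunnel/example.crt are placeholders.
set -u

# Drop squid '#' comments, trailing spaces and blank lines.
squid_normalize() { sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"; }

# One line per proxy_auth ACL that is defined but never used by http_access,
# or used before the line that defines it (squid rejects that at parse time).
squid_unenforced_auth_acls() {
    squid_normalize "$1" | awk '
        $1 == "acl" && $3 == "proxy_auth" { def[$2] = NR }
        $1 == "http_access" { for (i = 2; i <= NF; i++) { t = $i; sub(/^!/, "", t); if (!(t in ref)) ref[t] = NR } }
        END {
            for (a in def)
                if (!(a in ref))          print a ": never referenced by any http_access rule"
                else if (ref[a] < def[a]) print a ": referenced before it is defined"
        }'
}

# One line per stunnel [service] lacking peer verification (verifyPeer or
# verifyChain = yes, or verify >= 2) or a CAfile to verify against. Options set
# before the first [section] are stunnel globals and count as defaults.
stunnel_unverified_services() {
    sed -e 's/;.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | awk '
        function flush() { if (svc != "" && !(ver && ca)) print svc }
        /^\[.*\]$/ { flush(); svc = substr($0, 2, length($0) - 2); ver = gver; ca = gca; next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            okv = (k == "verifyPeer" && v == "yes") || (k == "verifyChain" && v == "yes") || (k == "verify" && v + 0 >= 2)
            okc = (k == "CAfile" && v != "")
            if (svc == "") { if (okv) gver = 1; if (okc) gca = 1 } else { if (okv) ver = 1; if (okc) ca = 1 }
        }
        END { flush() }'
}

WORK=$(mktemp -d)
SQUID_AS_POSTED="$WORK/squid-posted.conf"   # auth ACL declared after 'deny all' and never enforced
cat >"$SQUID_AS_POSTED" <<'EOF'
acl localnet src 182.150.2.130/32 # push client
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
acl 360push proxy_auth REQUIRED
EOF

SQUID_FIXED="$WORK/squid-fixed.conf"        # source IP AND valid credentials both required
cat >"$SQUID_FIXED" <<'EOF'
acl localnet src 182.150.2.130/32
acl SSL_ports port 443
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
acl 360push proxy_auth REQUIRED
http_access deny CONNECT !SSL_ports
http_access allow localnet 360push
http_access deny all
EOF

STUNNEL_AS_POSTED="$WORK/stunnel-posted.conf"  # no verification: any TLS server on that address is accepted
cat >"$STUNNEL_AS_POSTED" <<'EOF'
client = yes
fips = no
[https]
accept = 8888
connect = 203.0.113.10:443 ; placeholder VPS address
EOF

STUNNEL_FIXED="$WORK/stunnel-fixed.conf"       # pin the VPS's self-signed example.crt, copied to the client
cat >"$STUNNEL_FIXED" <<'EOF'
client = yes
fips = no
CAfile = /etc/stunnel/example.crt
[https]
accept = 8888
connect = 203.0.113.10:443
verifyPeer = yes
EOF

for f in "$SQUID_AS_POSTED" "$SQUID_FIXED"; do echo "== $f"; squid_unenforced_auth_acls "$f"; done
for f in "$STUNNEL_AS_POSTED" "$STUNNEL_FIXED"; do echo "== $f"; stunnel_unverified_services "$f"; done
```

Run it against the real files (`squid_unenforced_auth_acls /etc/squid/squid.conf` on the VPS, `stunnel_unverified_services /etc/stunnel/stunnel.conf` on the client); empty output means both findings are addressed. A positive `squid -k parse` is not a substitute, because an ACL that is defined but never referenced parses cleanly.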
PHP can use the proxy server as well
<?php
// Fetch $url through the local stunnel endpoint, which forwards to the squid proxy on the VPS.
function testCurl($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, TRUE);          // HTTP CONNECT, so TLS stays end-to-end with the target
    curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8888");        // stunnel's local ip/port
    curl_setopt($ch, CURLOPT_PROXYUSERPWD, '360push:360push'); // squid authentication user and password
    $result = curl_exec($ch);
    if ($result === false) {
        $result = 'curl error: ' . curl_error($ch);            // report a failed transfer instead of returning false
    }
    curl_close($ch);
    return $result;
}
echo testCurl("https://google.com/");
Google responded with the following error:
We’re sorry… but your computer or network may be sending automated queries. To protect our users, we can’t process your request right now
Solution.
Method one: edit /etc/sysctl.conf and add the following
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
Restart networking
# /etc/init.d/networking restart
Method two: takes effect immediately
echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6