How to Expose an Internal IDC Server to the Internet Using Squid and Stunnel
This guide explains how to make an internal IDC server reachable from the public Internet for both HTTP and HTTPS by deploying two public servers with Squid proxies and configuring stunnel on the client, including detailed command‑line steps for Linux and Ubuntu.
Requirement
Company IDC has a server A (192.168.1.150) that is only on the internal network; it needs to be reachable from outside for HTTP (port 80) and HTTPS (port 443).
Solution Overview
Deploy two public‑facing servers B (58.68.250.8/192.168.1.8) and C (58.68.250.5/192.168.1.5) that can ping server A. Use Squid on B as an HTTP proxy and Squid on C as an HTTPS proxy, then tunnel client traffic with stunnel.
Step 1 – Configure HTTP proxy on Server B
yum install -y gcc openssl openssl-devel
yum install squid
cd /etc/squid/
cp squid.conf squid.conf_bak
vim squid.conf
# modify:
http_access allow all
http_port 192.168.1.8:3128
cache_dir ufs /var/spool/squid 100 16 256
# start
squid -k parse
squid -z
/etc/init.d/squid start
# if iptables is enabled, add:
-A INPUT -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPT
/etc/init.d/iptables restartStep 2 – Configure HTTPS proxy on Server C
yum install -y gcc openssl openssl-devel
yum install squid
cd /etc/squid/
cp squid.conf squid.conf_bak
vim squid.conf
# generate certificate
openssl req -new > lidongbest5.csr
# (enter required DN fields, set passphrase 123456)
openssl rsa -in privkey.pem -out lidongbest5.key
openssl x509 -in lidongbest5.csr -out lidongbest5.crt -req -signkey lidongbest5.key -days 3650
# modify squid.conf
http_access allow all
#http_port 3128 # comment out
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
cache_dir ufs /var/spool/squid 100 16 256
# restart
squid -k parse
squid -z
squid reload
/etc/init.d/squid restart
# iptables rule for 443
-A INPUT -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables restartStep 3 – Install and configure stunnel on Server A (client)
# stop iptables
/etc/init.d/iptables stop
# install stunnel
yum install -y openssl openssl-devel gcc
# download and extract
tar -zvxf stunnel-5.45.tar.gz
cd stunnel-5.45
./configure && make && make install
# configure /usr/local/etc/stunnel/stunnel.conf
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
# start stunnel
/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
# set proxy environment variables
export http_proxy=http://192.168.1.8:3128
export https_proxy=http://127.0.0.1:8088
source /etc/profile
# test
curl http://www.baidu.com
curl https://www.xqshijie.com
yum list
wget http://www.autohome.com.cn/3442Ubuntu client alternative
apt-get install stunnel4
cd /etc/stunnel/
vim stunnel.conf
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.8:443
# enable service
vim /etc/default/stunnel4 # set ENABLED=1
/etc/init.d/stunnel4 start
export http_proxy=http://192.168.1.8:3128
export https_proxy=http://127.0.0.1:8088
source /etc/profile
curl http://www.baidu.com
curl https://www.baidu.comOriginal article: https://www.cnblogs.com/kevingrace/p/5853199.html (copyright belongs to the author).
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.