
Enable External HTTP/HTTPS Access for an Internal Server with Squid and Stunnel

This guide explains how to expose an internal‑only server to the Internet by deploying Squid HTTP and HTTPS proxies on two public servers, configuring stunnel on the client, adjusting firewall rules, and testing connectivity for both ports.

Raymond Ops

Requirement

Server A in the IDC has only an internal IP address (192.168.1.150), but it needs to reach external HTTP (port 80) and HTTPS (port 443) services.

Approach

Two other servers have public IPs and can reach server A over the internal network: B (public 58.68.250.8, internal 192.168.1.8) and C (public 58.68.250.5, internal 192.168.1.5). Run a plain HTTP proxy (Squid on port 3128) on B and a TLS-wrapped proxy (Squid with an https_port on 443) on C. Server A sends port-80 requests to B directly, and reaches C through a local stunnel listener that encrypts the proxy connection across the internal network. Both proxies should accept connections only from server A, not from the whole LAN.

Server B – HTTP Proxy Setup

<code># Install squid (gcc/openssl-devel are only needed if stunnel is compiled from source later)
yum install -y gcc openssl openssl-devel
yum install -y squid

# Back up and edit squid.conf
cd /etc/squid
cp squid.conf squid.conf_bak
vim squid.conf

# Listen on the internal address only and restrict clients to server A.
# The original used "http_access allow all": that turns B into an open proxy
# for the whole LAN, and if placed above the stock "http_access deny CONNECT !SSL_ports"
# rule it also permits CONNECT tunnels to arbitrary ports. Put these acl lines
# in front of the default "http_access deny all".
acl server_a src 192.168.1.150/32
http_access allow server_a
http_access deny all
http_port 192.168.1.8:3128
cache_dir ufs /var/spool/squid 100 16 256

# Check the config, create the cache directories, start squid
squid -k parse
squid -z
/etc/init.d/squid start

# If iptables is enabled, allow the internal network to reach 3128: add this
# rule to /etc/sysconfig/iptables (above the final REJECT), then restart
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
/etc/init.d/iptables restart</code>

Server C – HTTPS Proxy Setup

<code># Install squid; https_port requires a squid build with OpenSSL support
# (squid -k parse rejects the directive otherwise)
yum install -y gcc openssl openssl-devel
yum install -y squid
cd /etc/squid
cp squid.conf squid.conf_bak
vim squid.conf

# Generate a private key and a self-signed certificate for squid's TLS listener.
# "openssl req -new" prompts for a passphrase on the new key (e.g. 123456);
# the passphrase is stripped afterwards so squid can load the key unattended.
openssl req -new -newkey rsa:2048 -keyout privkey.pem -out lidongbest5.csr
openssl rsa -in privkey.pem -out lidongbest5.key
openssl x509 -req -in lidongbest5.csr -signkey lidongbest5.key -days 3650 -out lidongbest5.crt
# Keep the unencrypted key readable only by root and the squid group
chown root:squid lidongbest5.key && chmod 640 lidongbest5.key

# Configure squid for HTTPS (same client restriction as on B)
acl server_a src 192.168.1.150/32
http_access allow server_a
http_access deny all
#http_port 3128   # comment out; only the TLS listener is wanted on C
https_port 192.168.1.5:443 cert=/etc/squid/lidongbest5.crt key=/etc/squid/lidongbest5.key
cache_dir ufs /var/spool/squid 100 16 256

# Check config, initialise the cache and restart.
# ("squid reload" is not a valid invocation; "squid -k reconfigure" is the
# reload command, but a full restart is used here anyway.)
squid -k parse
squid -z
/etc/init.d/squid restart

# If iptables is enabled, open port 443 to the internal network:
# add this rule to /etc/sysconfig/iptables, then restart
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
/etc/init.d/iptables restart</code>

Server A (Client) – stunnel Configuration

<code># Install build dependencies for stunnel
yum install -y openssl openssl-devel gcc

# Extract and install stunnel (installs under /usr/local; the sample config
# lands in /usr/local/etc/stunnel, so the copy from /etc/stunnel in the
# original step would fail and is not needed because the config is written below)
tar -zxvf stunnel-5.45.tar.gz
cd stunnel-5.45
./configure && make && make install

# Copy C's certificate over so stunnel can verify the peer. Without verifyPeer,
# stunnel accepts any certificate and the tunnel can be intercepted on the LAN.
mkdir -p /etc/stunnel
scp root@192.168.1.5:/etc/squid/lidongbest5.crt /etc/stunnel/lidongbest5.crt

# Create stunnel.conf: plain proxy protocol in on loopback,
# TLS out to squid's https_port on C
cat > /etc/stunnel/stunnel.conf <<'EOF'
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
verifyPeer = yes
CAfile = /etc/stunnel/lidongbest5.crt
EOF

# Start stunnel
/usr/local/bin/stunnel /etc/stunnel/stunnel.conf

# The client only needs outbound TCP to 192.168.1.8:3128 and 192.168.1.5:443.
# Allow those explicitly rather than stopping iptables on the client
# (the original step ran "/etc/init.d/iptables stop").
iptables -I OUTPUT -d 192.168.1.8 -p tcp --dport 3128 -j ACCEPT
iptables -I OUTPUT -d 192.168.1.5 -p tcp --dport 443 -j ACCEPT

# Proxy environment variables: append them to /etc/profile so they persist.
# https_proxy uses http:// and points at the local stunnel listener because
# curl speaks unencrypted proxy protocol to stunnel, which wraps it in TLS.
cat >> /etc/profile <<'EOF'
export http_proxy=http://192.168.1.8:3128
export https_proxy=http://127.0.0.1:8088
export no_proxy=localhost,127.0.0.1
EOF
source /etc/profile

# Test connectivity: expect an HTTP status code from each
curl -s -o /dev/null -w '%{http_code}\n' http://www.baidu.com       # port 80 via B
curl -s -o /dev/null -w '%{http_code}\n' https://www.xqshijie.com   # port 443 via stunnel -> C
</code>

Ubuntu Client – stunnel Setup (Alternative)

<code># Install stunnel4
apt-get install -y stunnel4

# Copy C's certificate for peer verification
scp root@192.168.1.5:/etc/squid/lidongbest5.crt /etc/stunnel/lidongbest5.crt

# Create /etc/stunnel/stunnel.conf. connect must point at C (192.168.1.5), the
# HTTPS proxy; the original gave 192.168.1.8, which is B and only listens on 3128.
cat > /etc/stunnel/stunnel.conf <<'EOF'
client = yes
[https]
accept = 127.0.0.1:8088
connect = 192.168.1.5:443
verifyPeer = yes
CAfile = /etc/stunnel/lidongbest5.crt
EOF

# Enable and start the service
sed -i 's/^ENABLED=0/ENABLED=1/' /etc/default/stunnel4
/etc/init.d/stunnel4 start

# Set proxy variables persistently
cat >> /etc/profile <<'EOF'
export http_proxy=http://192.168.1.8:3128
export https_proxy=http://127.0.0.1:8088
EOF
source /etc/profile

# Verify
curl http://www.baidu.com
curl https://www.baidu.com
</code>
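The proxies above are only safe if B and C really serve server A alone. As an added check that is not part of the original article, the script below audits a Squid native-format access.log for two things the `http_access` rules are meant to prevent: requests from any client other than the allowed ones, and CONNECT tunnels to ports other than 443 (a sign that an `allow all` line sits above Squid's stock `deny CONNECT !SSL_ports` rule). The function name `audit_squid_log`, the allowed-client list and the sample log lines are my own constructions; the upstream addresses in the sample come from documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: audit a Squid access.log (native format) for clients and
# tunnel targets the proxy should not be serving. Not part of the original guide.
#
# Native log format, one request per line:
#   time.ms elapsed client result/status bytes method url ident hierarchy/peer type
# Field $3 is the client IP, $6 the method, $7 the URL (host:port for CONNECT).

# audit_squid_log LOGFILE "IP [IP ...]"
# Prints one line per finding:
#   UNEXPECTED_CLIENT <client> <method> <url>
#   TUNNEL_NONSTD_PORT <client> <host:port>
audit_squid_log() {
    _log="$1"
    _allowed="$2"
    awk -v allowed="$_allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 7 { next }                       # skip blank or truncated lines
        !($3 in ok) { printf "UNEXPECTED_CLIENT %s %s %s\n", $3, $6, $7 }
        $6 == "CONNECT" {
            # take the text after the last ":" so [v6]:port targets also work
            n = split($7, hp, ":")
            port = (n > 1) ? hp[n] : ""
            if (port != "443") printf "TUNNEL_NONSTD_PORT %s %s\n", $3, $7
        }
    ' "$_log"
}

# Constructed sample log (hypothetical entries; 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges, not real upstream servers).
make_sample_log() {
    cat <<'EOF'
1700000000.001    245 192.168.1.150 TCP_MISS/200 5123 GET http://www.baidu.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000001.002    310 192.168.1.150 TCP_TUNNEL/200 8820 CONNECT www.xqshijie.com:443 - HIER_DIRECT/203.0.113.20 -
1700000002.003     15 192.168.1.77 TCP_MISS/200 412 GET http://example.com/ - HIER_DIRECT/192.0.2.5 text/html
1700000003.004    120 192.168.1.150 TCP_TUNNEL/200 990 CONNECT mail.example.net:25 - HIER_DIRECT/198.51.100.7 -
EOF
}

# Demo run against the sample; on B or C point it at /var/log/squid/access.log.
_sample=$(mktemp)
make_sample_log > "$_sample"
audit_squid_log "$_sample" "192.168.1.150"
rm -f "$_sample"
```

Run it on each proxy after the setup with the allowed list set to server A's address; any `UNEXPECTED_CLIENT` line means the `acl`/`http_access` restriction is not in effect, and any `TUNNEL_NONSTD_PORT` line means CONNECT is not limited to the `SSL_ports` acl.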
Tags: proxy, operations, Network, Linux, Squid, stunnel
Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
