1. Describe in detail one encrypted communication (ideally with a diagram).
A sends B a piece of data: only B may read it, and nobody may alter it unnoticed.

A:
1) Compute a fingerprint (message digest) of the data with a one-way hash function.
2) Encrypt that digest with A's own private key; this is the digital signature. Append it to the data.
3) Encrypt data + signature for B and send it. Only B can decrypt it. In practice the whole payload is encrypted with a random symmetric session key and only that session key is encrypted with B's public key (public-key encryption is slow and limited to a single block); "encrypt with B's public key" is the short form of that.

B:
1) Decrypt with B's own private key (first the session key, then the payload). Succeeding here only proves the message was addressed to B; it says nothing yet about who sent it.
2) Decrypt the signature with A's public key to recover the digest A computed. If that works, the message came from the holder of A's private key, which authenticates A.
3) Hash the received data with the same algorithm and compare the result with the recovered digest. If the two match, the data is complete and untampered.

Confidentiality comes from B's key pair, authentication from A's signature, and integrity from the hash comparison; leaving out step 2 on either side loses authentication and integrity, since anyone could encrypt data for B.
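The exchange above, as an added example in Python that is not part of the original page. It uses a toy textbook RSA with 512-bit moduli generated inline (no padding; a stand-in for the 2048-bit keys openssl genrsa produces, not something to deploy), SHA-256 as the one-way hash, and a SHA-256 counter keystream in place of a real symmetric cipher such as AES. It follows the hybrid form that step 3 abbreviates: data and signature are encrypted under a fresh session key and only that key is encrypted with B's public key. The message text and the key sizes are assumptions.

```python
import hashlib
import secrets

# Toy RSA, constructed for this example: textbook RSA without padding on 512-bit
# moduli. It stands in for the 2048-bit keys openssl genrsa makes and is NOT secure.

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit, keep it odd
        if is_probable_prime(candidate):
            return candidate

def make_keypair(bits: int = 256, e: int = 65537):
    """Returns (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHA-256 counter keystream (stand-in for AES)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(data: bytes, sender_priv, receiver_pub) -> dict:
    """A's side: hash, sign the digest with A's private key, append the signature,
    encrypt everything under a fresh session key, encrypt that key for B."""
    n_a, d_a = sender_priv
    n_b, e_b = receiver_pub
    digest = hashlib.sha256(data).digest()                         # step 1: fingerprint
    signature = pow(int.from_bytes(digest, "big"), d_a, n_a)       # step 2: sign with A's private key
    sig_len = (n_a.bit_length() + 7) // 8
    payload = data + signature.to_bytes(sig_len, "big")
    session_key = secrets.token_bytes(32)                          # step 3: hybrid encryption for B
    enc_key = pow(int.from_bytes(session_key, "big"), e_b, n_b)
    return {"enc_key": enc_key, "body": stream_xor(session_key, payload)}

def unseal(msg: dict, receiver_priv, sender_pub) -> bytes:
    """B's side: recover the session key with B's private key, decrypt, then check
    the signature with A's public key against a fresh hash of the data."""
    n_b, d_b = receiver_priv
    n_a, e_a = sender_pub
    key_int = pow(msg["enc_key"], d_b, n_b)                        # step 1: only B's key can do this
    if key_int >= 1 << 256:
        raise ValueError("session key does not decrypt: message was not sealed for this key")
    payload = stream_xor(key_int.to_bytes(32, "big"), msg["body"])
    sig_len = (n_a.bit_length() + 7) // 8
    data, sig_bytes = payload[:-sig_len], payload[-sig_len:]
    recovered = pow(int.from_bytes(sig_bytes, "big"), e_a, n_a)    # step 2: A's public key
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")  # step 3: rehash and compare
    if recovered != expected:
        raise ValueError("signature check failed: data tampered with or not signed by A")
    return data

if __name__ == "__main__":
    pub_a, priv_a = make_keypair()
    pub_b, priv_b = make_keypair()
    msg = seal(b"transfer 100 to account 42", priv_a, pub_b)
    print(unseal(msg, priv_b, pub_a))
```

unseal raises on a flipped ciphertext byte (the stream cipher is malleable, the signature is what catches the change), on a message sealed for someone else's key, and on a signature made with a key other than A's; those are the three properties the three steps buy.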
2. Describe how to create a private CA, and how to issue certificates for the certificate requests clients send in.
openssl is an open-source suite made up of three parts:
libcrypto: the general-purpose cryptographic library, implementing the individual algorithms.
libssl: the implementation of the SSL/TLS protocols.
openssl: the multi-purpose command-line tool; it encrypts and decrypts, and can act as a CA to create and revoke certificates.

Ubuntu and CentOS ship openssl by default. Directory layout for certificates on CentOS 6.x:
/etc/pki/CA/
    newcerts      a copy of every certificate this CA has signed (issued-certificate archive)
    private       the CA's private key
    crl           revoked certificates (CRLs)
/etc/pki/tls/
    cert.pem      symlink to certs/ca-bundle.crt
    certs/        certificates on this server; your own can go here next to the bundled ones
    certs/ca-bundle.crt   the built-in trusted CA certificates
    private       private keys
    openssl.cnf   openssl's main configuration file, including the CA section

1) Create the files the CA database needs (index.txt is the certificate database, serial holds the next serial number)
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial

2) Create the CA key. The subshell with umask 077 makes the key file readable by root only from the moment it is created:
[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
...+++
e is 65537 (0x10001)

3) Create the CA's self-signed certificate
Options:
-new: generate a new request;
-x509: output a self-signed certificate instead of a request (this is how the CA signs its own certificate);
-key: the private key to use;
-days n: validity period in days;
-out /PATH/TO/SOMECERTFILE: where to write the certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HB
Locality Name (eg, city) []:WH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HYS
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:www.ops.com
Email Address []:admin@ops.com

Two things to check before going further: the signature digest (if default_md in openssl.cnf is still sha1, add -sha256 to the req commands, since SHA-1 signed certificates are rejected by current browsers), and the DN. The default signing policy (policy_match in openssl.cnf) requires countryName, stateOrProvinceName and organizationName in every request to match the CA certificate, so the requests below must use the same values.

4) Issuing a certificate
(a) The host that needs the certificate generates its key and a certificate signing request (CSR)
Create the key
[root@localhost httpd]# mkdir /etc/httpd/ssl
[root@localhost httpd]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................+++
.......................
Create the request
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HB
Locality Name (eg, city) []:WH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HYS
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:www.ops.com
Email Address []:admin@ops.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
The challenge password is a legacy attribute that nothing in this setup uses; leaving it blank is fine. Only the .csr is sent to the CA; the private key httpd.key never leaves this host.

(b) The CA signs the request
[root@localhost ] cd /etc/pki
[root@localhost pki]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /opt/CollabNet_Subversion/openssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 20 06:53:08 2016 GMT
            Not After : Oct 20 06:53:08 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = HYS
            organizationalUnitName    = OPS
            commonName                = www.ops.com
            emailAddress              = admin@ops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                53:9C:7B:40:0B:EE:DE:93:05:E7:D8:DC:8F:F1:9D:3B:5D:E2:33:40
            X509v3 Authority Key Identifier:
                keyid:3E:7D:73:EA:D7:62:78:77:42:DA:10:D7:E9:BC:05:16:9B:A4:61:A7

Certificate is to be certified until Oct 20 06:53:08 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Two details in that output are worth reading carefully. "Using configuration from /opt/CollabNet_Subversion/openssl/openssl.cnf" means the openssl found first in PATH on this host is the copy bundled with CollabNet Subversion, and it read that installation's openssl.cnf rather than /etc/pki/tls/openssl.cnf; check which openssl (or call /usr/bin/openssl explicitly) before signing, so that the CA directory, policy and defaults are the ones you set up. And localityName (WH) is absent from the issued Subject: fields not named in the signing policy are dropped, and policy_match does not list it. The signed httpd.crt then goes back to the requesting host (here request and CA happen to live on the same machine).
3. Set up a DNS server responsible for resolving the magedu.com domain (choose host names and IP addresses yourself)
(1) Provide forward and reverse resolution for some host names;
Edit the main configuration file
[root@localhost ~]# vim /etc/named.conf
options {                                        // global options
        listen-on port 53 { any; };              // listen on port 53 on all addresses
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                // accept queries from any address
        recursion yes;
        dnssec-enable no;                        // DNSSEC switched off for the lab
        dnssec-validation no;                    // DNSSEC switched off for the lab
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";          // DNSSEC switched off for the lab
        // managed-keys-directory "/var/named/dynamic";    // DNSSEC switched off for the lab
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Caveat: allow-query { any; } together with recursion yes makes this an open recursive resolver, which anyone who can reach it can use for cache-poisoning attempts and DNS amplification. On a server reachable from outside, keep recursion for your own networks (allow-recursion { 192.168.122.0/24; 127.0.0.1; };) or set recursion no on a purely authoritative server. Turning dnssec-validation off also means forged answers that validation would have rejected are accepted; acceptable in an isolated lab, not in production.

DNS forward zone
1. Define the zone
[root@localhost ]# vim /etc/named.rfc1912.zones
zone "magedu.com." IN {           // magedu.com is the forward zone being defined
        type master;              // this server is the master
        file "magedu.com";        // zone file is /var/named/magedu.com
        allow-update { none; };   // no dynamic updates
};

2. Add the zone file
[root@localhost ]# vim /var/named/magedu.com
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  @ lf.magedu.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   ns1
        IN NS   ns2
ns1.magedu.com. IN A    192.168.122.94
ns2.magedu.com. IN A    192.168.122.95
www     IN A    192.168.122.94
ftp     IN A    192.168.122.95

The RNAME field of the SOA (the zone contact; lf.magedu.com. stands for lf@magedu.com) must end with a dot. Without it $ORIGIN is appended and the contact becomes lf.magedu.com.magedu.com. Increase the serial on every edit of this file; a slave only transfers the zone when it sees a higher serial.

3. Check configuration and zone file syntax
1) Check the configuration file
named-checkconf
2) Check the zone file
[root@localhost named]# named-checkzone magedu.com. /var/named/magedu.com
zone magedu.com/IN: loaded serial 0
OK
3) Set the zone file permissions (readable by root and the named group only)
[root@localhost named]# chown :named /var/named/magedu.com
[root@localhost named]# ll /var/named/magedu.com
-rw-r----- 1 root named 307 Oct 20 16:00 /var/named/magedu.com

4. Restart and test
[root@localhost named]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@localhost named]# dig -t NS magedu.com. @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> -t NS magedu.com. @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;magedu.com.                    IN      NS

;; ANSWER SECTION:
magedu.com.             86400   IN      NS      ns1.magedu.com.
magedu.com.             86400   IN      NS      ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       192.168.122.94
ns2.magedu.com.         86400   IN      A       192.168.122.95

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 20 16:03:59 2016
;; MSG SIZE  rcvd: 96

The aa flag shows the answer is authoritative, i.e. it came from our zone file and not from a cache.

DNS reverse zone
1. Define the zone
[root@localhost ]# vim /etc/named.rfc1912.zones
zone "122.168.192.in-addr.arpa" IN {   // 122.168.192.in-addr.arpa is the reverse zone for 192.168.122.0/24
        type master;                   // this server is the master
        file "magedu.arpa";            // zone file is /var/named/magedu.arpa
        allow-update { none; };        // no dynamic updates
};

2. Add the zone file
[root@localhost] vim magedu.arpa
$TTL 1D
$ORIGIN 122.168.192.in-addr.arpa.
@       IN SOA  @ lf.magedu.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   ns1.magedu.com.
        IN NS   ns2.magedu.com.
        IN NS   ns3.magedu.com.
94      IN PTR  ns1.magedu.com.
95      IN PTR  ns2.magedu.com.
94      IN PTR  www.magedu.com.
95      IN PTR  ftp.magedu.com.

Note that ns3.magedu.com. is named as a server here but has no A record in the forward zone at this point (the ADDITIONAL section of the dig output below carries glue for ns1 and ns2 only); either add an A record for ns3 or leave that NS line out until there is one.

3. Check configuration and zone file syntax
1) Check the configuration file
named-checkconf
2) Check the zone file, giving the zone name and the path of the zone file
[root@localhost named]# named-checkzone "122.168.192.in-addr.arpa." /var/named/magedu.arpa
zone 122.168.192.in-addr.arpa/IN: loaded serial 0
OK
3) Set the zone file permissions
[root@localhost named]# chown :named /var/named/magedu.arpa
[root@localhost named]# ll /var/named/magedu.arpa
-rw-r----- 1 root named 351 Oct 18 14:32 /var/named/magedu.arpa

4. Restart and test
[root@localhost named]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@localhost named]# dig -x 192.168.122.94 @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> -x 192.168.122.94 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;94.122.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
94.122.168.192.in-addr.arpa. 86400 IN   PTR     www.magedu.com.
94.122.168.192.in-addr.arpa. 86400 IN   PTR     ns1.magedu.com.

;; AUTHORITY SECTION:
122.168.192.in-addr.arpa. 86400 IN      NS      ns1.magedu.com.
122.168.192.in-addr.arpa. 86400 IN      NS      ns2.magedu.com.
122.168.192.in-addr.arpa. 86400 IN      NS      ns3.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       192.168.122.94
ns2.magedu.com.         86400   IN      A       192.168.122.95

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 20 16:09:38 2016
;; MSG SIZE  rcvd: 173
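A consistency check for the two zone files above, as an added example in Python that is not part of the original page. It parses both files (the zone texts in the block are constructed from the records shown in this section, with the SOA timers on one line) and reports NS targets under magedu.com that have no A record, and PTR records whose name does not carry that address in the forward zone. Run against the files as written, it flags ns3.magedu.com., which the reverse zone names as a server but which has no A record yet; the ADDITIONAL section of the dig output above shows the same gap.

```python
# Constructed zone data: the forward and reverse zones as written in this section
# (not captured from a server), with the SOA timers on one line for brevity.
FORWARD_ZONE = """\
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  @ lf.magedu.com. (
                0 1D 1H 1W 3H )   ; serial refresh retry expire minimum
        IN NS   ns1
        IN NS   ns2
ns1.magedu.com. IN A 192.168.122.94
ns2.magedu.com. IN A 192.168.122.95
www     IN A    192.168.122.94
ftp     IN A    192.168.122.95
"""

REVERSE_ZONE = """\
$TTL 1D
$ORIGIN 122.168.192.in-addr.arpa.
@       IN SOA  @ lf.magedu.com. (
                0 1D 1H 1W 3H )   ; serial refresh retry expire minimum
        IN NS   ns1.magedu.com.
        IN NS   ns2.magedu.com.
        IN NS   ns3.magedu.com.
94      IN PTR  ns1.magedu.com.
95      IN PTR  ns2.magedu.com.
94      IN PTR  www.magedu.com.
95      IN PTR  ftp.magedu.com.
"""

def fqdn(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str):
    """Minimal master-file parser: (owner, type, rdata) tuples, names fully qualified.
    Handles $ORIGIN, $TTL, ; comments, blank owners and the ( ... ) SOA."""
    records, owner, depth = [], "@", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth > 0:                              # still inside a parenthesised record
            depth += line.count("(") - line.count(")")
            continue
        depth += line.count("(") - line.count(")")
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL and other directives
            continue
        tokens = line.split()
        if not raw[0].isspace():                   # new owner; otherwise reuse the previous one
            owner = tokens.pop(0)
        while tokens and (tokens[0].upper() == "IN" or tokens[0][0].isdigit()):
            tokens.pop(0)                          # optional class and TTL
        rtype, rdata = tokens[0].upper(), tokens[1]
        if rtype in ("NS", "PTR", "CNAME"):
            rdata = fqdn(rdata, origin)
        if rtype != "SOA":
            records.append((fqdn(owner, origin), rtype, rdata))
    return records

def reverse_name_to_ip(name: str) -> str:
    """94.122.168.192.in-addr.arpa. -> 192.168.122.94"""
    labels = name[: -len(".in-addr.arpa.")].split(".")
    return ".".join(reversed(labels))

def check_zones(forward: str, fwd_origin: str, reverse: str, rev_origin: str):
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_records = {}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata)
    problems = []
    # every NS target under the forward zone needs an A record there (glue); this covers
    # the apex NS set, the reverse zone's NS set and delegations such as "cdn IN NS ns3"
    for owner, rtype, rdata in fwd + rev:
        if rtype == "NS" and rdata.endswith("." + fwd_origin) and rdata not in a_records:
            problems.append(f"NS {rdata} (named in {owner}) has no A record in {fwd_origin}")
    # every PTR must point at a name whose A record carries exactly that address
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            ip = reverse_name_to_ip(owner)
            if ip not in a_records.get(rdata, set()):
                have = ", ".join(sorted(a_records.get(rdata, set()))) or "none"
                problems.append(f"PTR {owner} -> {rdata}, but {rdata} has A {have}, not {ip}")
    return problems

if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, "magedu.com.", REVERSE_ZONE, "122.168.192.in-addr.arpa."):
        print(p)
```

named-checkzone only checks each file on its own, so this is the kind of cross-file check it will not do for you; run it after every edit of either zone, before bumping the serial.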
(2) Delegate the subdomain cdn.magedu.com; the subdomain resolves the host names within it;
Subdomain delegation
Inside the magedu.com. zone above, add a subdomain named cdn.magedu.com. that has its own DNS server. The parent's server then hands resolution of everything under cdn.magedu.com. to the subdomain's server instead of answering from resource records added to the parent zone.

1. Edit the magedu.com. zone (the delegation is the NS record for cdn, plus an A record for ns3 so resolvers can find it)
[root@localhost ~]# vim /var/named/magedu.com
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  @ lf.magedu.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   ns1
        IN NS   ns2
cdn     IN NS   ns3
ns1     IN A    192.168.122.94
ns2     IN A    192.168.122.95
ns3     IN A    192.168.122.105
www     IN A    192.168.122.94
ftp     IN A    192.168.122.95

2. Restart the service
[root@localhost ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

3. Configure the subdomain server (192.168.122.105); its named.conf matches the parent's
[root@localhost named]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com." IN {
        type master;
        file "cdn.magedu.com";
        allow-update { none; };
};

4. Add the subdomain's zone file (/var/named/cdn.magedu.com)
$TTL 1D
$ORIGIN cdn.magedu.com.
@       IN SOA  @ admin.163.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns1
ns1     A       192.168.122.105
www     A       192.168.122.105

5. Check configuration and zone file syntax
1) Check the configuration file
named-checkconf
2) Check the zone file
[root@localhost ~]# named-checkzone "cdn.magedu.com." /var/named/cdn.magedu.com
zone cdn.magedu.com/IN: loaded serial 0
OK
3) Set the zone file permissions
[root@localhost named]# chown :named /var/named/cdn.magedu.com
[root@localhost named]# ll /var/named/cdn.magedu.com
-rw-r----- 1 root named 351 Oct 18 14:32 /var/named/cdn.magedu.com

6. Restart and test on the subdomain server
[root@yaojianju named]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@localhost ~]# dig -t NS "cdn.magedu.com." @192.168.122.105

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> -t NS cdn.magedu.com. @192.168.122.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35905
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;cdn.magedu.com.                IN      NS

;; ANSWER SECTION:
cdn.magedu.com.         86400   IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     86400   IN      A       192.168.122.105

;; Query time: 0 msec
;; SERVER: 192.168.122.105#53(192.168.122.105)
;; WHEN: Thu Oct 20 16:22:58 2016
;; MSG SIZE  rcvd: 66

7. Test that the parent resolves the subdomain
[root@localhost named]# dig -t NS cdn.magedu.com. @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> -t NS cdn.magedu.com. @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;cdn.magedu.com.                IN      NS

;; ANSWER SECTION:
cdn.magedu.com.         86395   IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     86395   IN      A       192.168.122.105

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 20 16:27:37 2016
;; MSG SIZE  rcvd: 66

This answer has no aa flag and a TTL that has already counted down from 86400: the parent followed its own delegation, fetched the answer from the subdomain server and cached it, which is exactly what delegation should produce. Note that the delegation points at ns3.magedu.com. (a name in the parent zone) while the child zone's own NS record names ns1.cdn.magedu.com.; both resolve to 192.168.122.105, and it is cleaner to use the same server name in both places.
(3) Design a scheme to keep the DNS service highly available, and write out the implementation in detail
Master/slave DNS (a secondary server holding a copy of the zone) keeps resolution working when the master is down.
Master/slave replication:
1) The slave should be a separate name server;
2) The master's zone file must contain an NS record pointing at the slave, otherwise resolvers never learn about it;
3) The slave only needs a zone definition, not a zone file; the copy it transfers is written to /var/named/slaves/ (a directory named can write to);
4) The master must allow zone transfers to the slave. The BIND 9.8 shipped with CentOS 6 allows AXFR to any host unless allow-transfer restricts it, so restrict it to the slave (allow-transfer { 192.168.122.95; };), otherwise anyone can pull the whole zone and enumerate your hosts;
5) Master and slave clocks should be synchronised, for example with ntp;
6) bind versions should match; if they differ, the slave should run the newer version.
1. Master server configuration
[root@localhost ~]# vim /var/named/magedu.com
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  @ lf.magedu.com. (
                0       ; serial (increase it on every edit; the slave only transfers when it sees a higher serial)
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   ns1
        IN NS   ns2             ; the slave must be listed as a name server
cdn     IN NS   ns3
ns1     IN A    192.168.122.94
ns2     IN A    192.168.122.95  ; slave server IP
ns3     IN A    192.168.122.105
www     IN A    192.168.122.94
ftp     IN A    192.168.122.95
In the master's zone statement in /etc/named.rfc1912.zones also add allow-transfer { 192.168.122.95; }; so that only the slave can pull the zone.

2. Slave server configuration
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        // dnssec-lookaside auto;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com." IN {
        type slave;
        file "slaves/magedu.com";     // written by named itself after the transfer
        masters { 192.168.122.94; };  // where to pull the zone from
};

3. Restart and test
[root@localhost ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@localhost ~]# cat /var/named/slaves/magedu.com
$ORIGIN .
$TTL 86400      ; 1 day
magedu.com              IN SOA  magedu.com. lf.magedu.com.magedu.com. (
                                0          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      ns1.magedu.com.
                        NS      ns2.magedu.com.
$ORIGIN magedu.com.
cdn                     NS      ns3
ftp                     A       192.168.122.95
ns1                     A       192.168.122.94
ns2                     A       192.168.122.95
ns3                     A       192.168.122.105
www                     A       192.168.122.94
The contact reads lf.magedu.com.magedu.com. in this capture because the master file at the time lacked the trailing dot after lf.magedu.com; with the dot the slave's copy shows lf.magedu.com. The file is owned and written by named, which is why it has to live under slaves/ rather than directly in /var/named:
[root@localhost ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 444 Oct 24 09:03 magedu.com
[root@localhost ~]# dig -t NS "magedu.com." @192.168.122.95

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t NS magedu.com. @192.168.122.95
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21719
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;magedu.com.                    IN      NS

;; ANSWER SECTION:
magedu.com.             86400   IN      NS      ns2.magedu.com.
magedu.com.             86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       192.168.122.94
ns2.magedu.com.         86400   IN      A       192.168.122.95

;; Query time: 0 msec
;; SERVER: 192.168.122.95#53(192.168.122.95)
;; WHEN: Mon Oct 24 09:07:19 2016
;; MSG SIZE  rcvd: 96

The slave answers with the aa flag from its transferred copy. For the failover to be used, clients (or the upstream resolvers) must list both 192.168.122.94 and 192.168.122.95 as name servers; a slave nobody queries adds nothing.
4. Describe the complete handling of one HTTP request
(1) Establish or handle the connection: accept the client's connection request and open the connection, or refuse it
(2) Receive the request: read the request message for one resource from the network. Web servers use one of several concurrency models to serve requests in parallel:
1) Single-process I/O: one process handles requests one at a time, so requests are served serially; in effect a queue, where the second user waits until the first request is finished. Simple, but low throughput.
2) Multi-process I/O: several processes run in parallel, each serving one request;
3) Multiplexed I/O: one process serves n requests;
4) Multi-threaded: one process spawns N threads, each serving one request;
5) Multiplexed multi-process I/O: m processes, each serving n requests. This is the event-driven model and the most efficient of the five.
(3) Process the request: parse the request message and extract the requested resource, the request method and the other request headers
(4) Access the resource: fetch the resource named in the request message
(5) Build the response message from the resource obtained
(6) Send the response message back to the client
(7) Log: record every request in detail in the access log, for later security auditing or data analysis.
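Steps (3) to (7) on one already-accepted connection, as an added example in Python that is not part of the original page. It parses the raw request, maps the target into a document root without letting ../ or %2e%2e escape it, builds the response and produces a Common Log Format line (the format the CustomLog ... common directives in question 6 use) with control characters escaped so that a crafted request cannot forge extra log lines. The document root is an in-memory dict constructed for the example, and the client address is an assumption.

```python
import posixpath
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Constructed in-memory document root standing in for /web/vhosts/www1 (assumption).
DOCROOT = {
    "index.html": b"www1.stuX.com\n",
    "docs/index.html": b"docs\n",
}
REASONS = {200: "OK", 400: "Bad Request", 404: "Not Found", 405: "Method Not Allowed"}

def parse_request(raw: bytes):
    """Step 3: split the request line and the headers out of the raw message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")        # ValueError if malformed
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def map_to_docroot(target: str):
    """Step 4: map the request target to a path that cannot leave the document root.
    Returns None for targets the server must refuse outright."""
    path = unquote(urlsplit(target).path)                # drop ?query, decode %2e%2e first
    if "\x00" in path:
        return None
    rel = posixpath.normpath("/" + path.lstrip("/"))[1:]   # ../ resolves against the root, never above it
    if path.endswith("/"):
        rel = posixpath.join(rel, "index.html")          # directory request -> DirectoryIndex
    return rel

def build_response(status: int, body: bytes, head_only: bool = False) -> bytes:
    """Step 5: build the response message."""
    head = (f"HTTP/1.1 {status} {REASONS[status]}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode("ascii") + (b"" if head_only else body)

def clf_line(client: str, request_line: str, status: int, size: int) -> str:
    """Step 7: one Common Log Format line; control characters in the request line are
    escaped so the client cannot inject a fake second line into the log."""
    safe = request_line.encode("unicode_escape").decode("ascii").replace('"', '\\"')
    stamp = datetime.now(timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{client} - - [{stamp}] "{safe}" {status} {size}'

def handle_request(raw: bytes, docroot=DOCROOT, client: str = "192.168.122.1"):
    """Steps 3 to 7 for one request: returns (status, response bytes, log line)."""
    request_line, head_only = "-", False
    try:
        method, target, version, headers, _ = parse_request(raw)
        request_line = f"{method} {target} {version}"
        head_only = method == "HEAD"
        if method not in ("GET", "HEAD"):
            status, body = 405, b"Method Not Allowed\n"
        elif version not in ("HTTP/1.0", "HTTP/1.1") or (version == "HTTP/1.1" and "host" not in headers):
            status, body = 400, b"Bad Request\n"     # HTTP/1.1 requires a Host header
        else:
            rel = map_to_docroot(target)
            if rel is None:
                status, body = 400, b"Bad Request\n"
            elif rel in docroot:                       # step 4: fetch the resource
                status, body = 200, docroot[rel]
            else:
                status, body = 404, b"Not Found\n"
    except ValueError:
        status, body = 400, b"Bad Request\n"
    response = build_response(status, body, head_only)   # steps 5 and 6
    return status, response, clf_line(client, request_line, status, len(body))

if __name__ == "__main__":
    for req in (b"GET /index.html HTTP/1.1\r\nHost: www1.stuX.com\r\n\r\n",
                b"GET /../../etc/passwd HTTP/1.1\r\nHost: www1.stuX.com\r\n\r\n"):
        status, _, log = handle_request(req)
        print(status, log)
```

The traversal request in the usage block comes back as 404 rather than as the contents of /etc/passwd because the target is normalised against the root before the lookup; the escaped log line is what keeps a request like "GET /x\nFAKE" from appearing as two entries when the log is parsed later.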
5. Which processing models (MPMs) does httpd support, and which environment suits each?
httpd's main multi-processing modules are:
prefork
worker
event
They suit the following situations:
prefork: multi-process model, one process per request. A master process forks n child (worker) processes, and each child serves one connection at a time. Spare idle children are kept ready even when no request is waiting, so the server never has to fork at the moment a request arrives, which takes process creation out of the request path. Every child is an independent process, so one crashing does not noticeably affect the others, and modules that are not thread-safe work. The price is memory: concurrency is bounded by MaxRequestWorkers/ServerLimit (256 by default in httpd 2.4) and by how many full processes the machine can hold; the "1024 process limit" often quoted for it is not a Linux constraint. prefork is therefore the stable, reliable choice,
and suits moderate concurrency where stability matters most.
worker: multi-process, multi-threaded model, one thread per request. A master process forks several child processes, each child runs several threads, and each thread serves one connection. Like prefork it keeps spare idle threads ready. With m processes of n threads each the concurrency is m*n, at a far lower memory cost than m*n prefork processes. Linux has had native threads (NPTL) since kernel 2.6; a thread is cheaper than a process mainly in memory rather than in context-switch time, so on Linux worker's throughput is close to prefork's, and a crash in one thread takes its whole child down with all the connections it was serving. All loaded modules must be thread-safe.
event: an event-driven variant of worker. Each child has a listener thread that keeps idle keep-alive connections open in an event loop and hands only connections with a request to process to a worker thread, so a client sitting on a keep-alive connection no longer ties up a thread, which is what capped worker and prefork. The concurrency is again m*n worker threads, but each thread serves many connections in turn and the server spends far less time switching contexts per request. event is the most efficient of the three
and the one that gets past the C10K barrier (10,000 concurrent connections); use it for systems facing very large numbers of concurrent clients.
6. Build an httpd server (from source), with these requirements:
Provide two name-based virtual hosts:
(a) www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) Create an index.html for each virtual host whose content is the host's name;
(d) Expose httpd's status at www1.stuX.com/server-status, reachable only with a user name and password (status:status);
1) Compile and install httpd
Compile and install apr
[root@localhost ]# cd apr-1.5.1
[root@localhost apr-1.5.1]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.5.1]# make && make install
Compile and install apr-util
[root@localhost ]# cd apr-util-1.5.4
[root@localhost apr-util-1.5.4]# ./configure --with-apr=/usr/local/apr --prefix=/usr/local/apr-util
[root@localhost apr-util-1.5.4]# make && make install
Compile and install httpd
[root@localhost ]# cd httpd-2.4.23
[root@localhost httpd-2.4.23]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
[root@localhost httpd-2.4.23]# make && make install
--enable-modules=most includes mod_status, which /server-status needs below; --enable-mpms-shared=all builds prefork, worker and event as loadable modules, so the MPM chosen with --with-mpm can be switched later in httpd.conf.

Create the site directories
[root@localhost httpd-2.4.23]# mkdir -pv /web/vhosts/{www1,www2}/
mkdir: created directory "/web"
mkdir: created directory "/web/vhosts"
mkdir: created directory "/web/vhosts/www1/"
mkdir: created directory "/web/vhosts/www2/"
Create the page files
[root@localhost httpd-2.4.23]# echo "www1.stuX.com" > /web/vhosts/www1/index.html
[root@localhost httpd-2.4.23]# echo "www2.stuX.com" > /web/vhosts/www2/index.html

Create the virtual hosts
Edit the main configuration file: comment out the global DocumentRoot and include the virtual host file
[root@localhost httpd-2.4.23]# vim /usr/local/apache/conf/httpd.conf
#DocumentRoot "/usr/local/apache/htdocs"
Include conf/extra/httpd-vhosts.conf
Edit the virtual host file
[root@localhost httpd-2.4.23]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.stuX.com
    # ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stuX.com
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
The compiled httpd does not create /var/log/httpd; create that directory before starting, otherwise httpd refuses to start because it cannot open the error log.

Create the status page and put it behind authentication
[root@localhost apache]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.stuX.com
    # ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "Server-Status"
        AuthUserFile "/usr/local/apache/.htpasswd"
        Require valid-user
    </Location>
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Create the status user. htpasswd lives in /usr/local/apache/bin for this build; -c creates the file, -m stores an MD5-based (apr1) hash, which is also the default; enter "status" at the prompt:
[root@localhost ]#htpasswd -c -m /usr/local/apache/.htpasswd status
Restart and test. The client must resolve www1.stuX.com and www2.stuX.com to this server (DNS from question 3 or /etc/hosts), since name-based virtual hosts are picked by the Host header:
[root@localhost]# /usr/local/apache/bin/apachectl restart
[root@localhost apache]# curl www1.stuX.com
www1.stuX.com
[root@localhost apache]# curl www2.stuX.com
www2.stuX.com
[root@localhost ]# elinks www1.stuX.com/server-status
Basic authentication only base64-encodes the credentials, so over plain HTTP anyone on the path can read status:status. On a real server serve /server-status over HTTPS (question 7) or additionally restrict it by source address; the status page reveals client addresses, request URLs and server internals to whoever can read it.
7. Provide https for the second virtual host from question 6, so that users can reach the site securely;
(1) Use certificate authentication; the certificate's country (CN), state (HA), city (ZZ) and organization (MageEdu) are prescribed;
(2) Organizational unit Ops, host name www2.stuX.com, e-mail admin@stuX.com;
Create the CA (on the CA host, dockerM)
[root@dockerM CA]# touch index.txt
[root@dockerM CA]# echo 01 > serial
[root@dockerM CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................+++
.........................................................................................................................+++
e is 65537 (0x10001)
[root@dockerM CA]# openssl req -new -x509 -key private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:admin@stux.com

Create the host key and certificate request (on the web server, dockerS)
[root@dockerS ssl]# cd /etc/httpd/ssl
[root@dockerS ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
.+++
e is 65537 (0x10001)
[root@dockerS ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:admin@stux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Issue the certificate (on dockerM; the CSR was copied from dockerS to /root/httpd.csr on the CA host first)
[root@dockerM CA]# cd /etc/pki
[root@dockerM pki]# openssl ca -in /root/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 28 09:06:03 2016 GMT
            Not After : Oct 28 09:06:03 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www2.stux.com
            emailAddress              = admin@stux.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:43:72:0A:24:A7:84:2A:61:D0:78:5C:C1:17:65:79:0D:32:F8:4D
            X509v3 Authority Key Identifier:
                keyid:2F:AB:89:DE:C4:B8:8B:A6:22:1D:76:9A:00:89:1A:14:F2:09:FB:31

Certificate is to be certified until Oct 28 09:06:03 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C=CN, ST=HA and O=MageEdu match the CA certificate, which the default policy_match requires. The common name was typed as www2.stux.com; host names are case-insensitive, so it still matches www2.stuX.com. The certificate carries only a CN and no subjectAltName: curl with --cacert accepts that, but current browsers ignore the CN and require a subjectAltName, so for browser clients the CA must add one (copy_extensions = copy in the CA configuration, or an -extfile when signing).

Configure https. Copy the signed certificate back from dockerM:/etc/pki/CA/certs/httpd.crt to dockerS:/etc/httpd/ssl/httpd.crt, then:
[root@dockerS ssl]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/web/vhosts/www2"
ServerName www2.stuX.com
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
<Directory "/web/vhosts/www2">
    Options None
    AllowOverride None
    Require all granted
</Directory>
/etc/httpd/conf.d/ssl.conf is the packaged httpd's file; for the httpd compiled under /usr/local/apache in question 6 the same directives go into conf/extra/httpd-ssl.conf, which is enabled by the LoadModule ssl_module and Include conf/extra/httpd-ssl.conf lines in httpd.conf. Keep httpd.key readable by root only (the umask 077 above did that); it is the one file whose loss makes the certificate worthless.

Test from a client that trusts the private CA. curl is handed the CA certificate directly; a browser needs cacert.pem imported into its trust store, and without either the connection is correctly refused as untrusted:
[root@dockerM ~]# curl --cacert /etc/pki/CA/cacert.pem https://www2.stux.com
www2.stuX.com
8. Set up a samba share of the directory /data, with these requirements (describe the full procedure):
1) Share name shared, workgroup magedu;
2) Add the group develop and the users gentoo, centos and ubuntu; gentoo and centos have develop as a supplementary group, ubuntu is not in develop; each password equals the user name;
3) Add the samba users gentoo, centos and ubuntu with the password "mageedu";
4) Only the develop group may write to the share shared; everybody else gets read-only access;
5) Only hosts from the 172.16.0.0/16 network may use the samba service;

[root@localhost ~]#yum install samba -y

# Add the group and the users
[root@localhost ~]# groupadd develop
[root@localhost ~]# useradd -G develop gentoo
[root@localhost ~]# useradd -G develop centos
[root@localhost ~]# useradd ubuntu
[root@dockerM ~]# echo "gentoo"| passwd --stdin gentoo
Changing password for user gentoo.
passwd: all authentication tokens updated successfully.
[root@dockerM ~]# echo "centos"| passwd --stdin centos
Changing password for user centos.
passwd: all authentication tokens updated successfully.
[root@dockerM ~]# echo "ubuntu"| passwd --stdin ubuntu
Changing password for user ubuntu.
passwd: all authentication tokens updated successfully.

# Add the samba users. A samba user must already exist as a system user; samba keeps its own password database, so enter "mageedu" at the prompts regardless of the system password
[root@localhost ~]# smbpasswd -a gentoo
New SMB password:
Retype new SMB password:
Added user gentoo.
[root@localhost ~]# smbpasswd -a centos
New SMB password:
Retype new SMB password:
Added user centos.
[root@localhost ~]# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:
Added user ubuntu.

# Edit the configuration file
[root@localhost ~]# vim /etc/samba/smb.conf
[global]
        workgroup = magedu
        hosts allow = 172.16.          # only 172.16.0.0/16 may connect (the trailing dot makes it a prefix)
[shared]
        comment = my samba
        path = /data                   # shared path
        write list = +develop          # the develop group may write
        public = no                    # no guest access
        writable = no                  # everybody else is read-only
Samba never grants more than the filesystem allows, so /data itself must be writable by the develop group (for example chgrp develop /data; chmod 2775 /data); without that, write list has no effect and writes by gentoo and centos fail. Use testparm to check the file before starting.

# Start the services
[root@localhost ~]# service nmb start
Starting NMB services:                                     [  OK  ]
[root@localhost ~]# service smb start
Starting SMB services:                                     [  OK  ]

## Connect to the share, from a host inside 172.16.0.0/16 (a host outside it is rejected by hosts allow before authentication):
[root@localhost ~]# smbclient //172.16.200.200/shared -U centos
Enter centos's password:
Domain=[MAGEEDU] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \>
9. Set up a vsftpd file sharing service with the shared directory /ftproot, with these requirements (describe the full procedure):
1) Access is based on virtual users;
2) Anonymous users may download only, not upload;
3) All users are locked into their home directories;
4) At most 200 concurrent connections;
5) Anonymous users are limited to 512 KB/s;
6) The virtual user accounts are stored in a mysql database;
7) The database is shared via NFS.

Install nfs, mysql and vsftpd
[root@localhost ~]#yum install nfs-utils rpcbind mariadb-server vsftpd
pam_mysql, which vsftpd uses below to check the virtual users against the database, is not among these packages and has to be installed separately.

Configure NFS. The export must name the directory that actually holds the database; the showmount output shows it as /ftproot:
[root@localhost ~]#vim /etc/exports
/ftproot *(rw,sync,no_root_squash)
[root@localhost ~]# systemctl start rpcbind
[root@localhost ~]# systemctl start nfs
[root@localhost ~]# showmount -e 127.0.0.1
Export list for 127.0.0.1:
/ftproot *
Exporting to * with no_root_squash lets root on any client read and write the database files as root; limit the export to the address of the host that mounts it, and drop no_root_squash unless it is really needed.

Configure mysql (datadir moved to /ftproot so that the database lives in the exported directory)
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
datadir=/ftproot
[root@localhost ~]# mkdir /ftproot
[root@localhost ~]# chown mysql.mysql -R /ftproot/
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]# mysql
MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant select on vsftpd.* to vsftpd@'%' identified by 'magedu';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> create table users (id int AUTO_INCREMENT NOT NULL,name char(30) binary NOT NULL,password char(50) binary NOT NULL,primary key(id));
Query OK, 0 rows affected (0.04 sec)
MariaDB [vsftpd]> insert into users(name,password) values('magedu',password('magedu'));
Query OK, 1 row affected (0.03 sec)
MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
The vsftpd account only needs select (it reads, never writes, the users table), and granting it from '%' should be narrowed to the FTP server's address. password() produces an unsalted hash; identical passwords give identical rows.

Configure vsftpd
[root@localhost ~]#vim /etc/pam.d/vsftpd.m
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=magedu host=172.20.200.200 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=magedu host=172.20.200.200 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
crypt=2 tells pam_mysql that the password column holds MySQL PASSWORD() hashes, which is what the insert above stored. The database password is in clear text in this file, so keep it mode 600.

[root@localhost ~]# useradd -s /sbin/nologin -d /ftproot/ vsftpuser
[root@localhost ~]# chmod go+rx /ftproot
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO            # anonymous users may download only...
anon_mkdir_write_enable=NO       # ...and may not create directories
chroot_local_user=YES            # lock every user into its home directory
pam_service_name=vsftpd.m        # the PAM stack defined above
max_clients=200                  # at most 200 concurrent connections
anon_max_rate=524288             # 512 KB/s for anonymous users (bytes per second)
guest_enable=YES                 # virtual users are mapped onto a local account...
guest_username=vsftpuser         # ...namely vsftpuser, whose home is the chroot

A caveat on this layout: /ftproot is both MySQL's datadir and the home directory every FTP login (anonymous and virtual) is chrooted into, and chmod go+rx opens it so vsftpd can enter it. That puts the database files inside the FTP tree; anything in there that is world-readable can be downloaded, including the users table with its password hashes. Use a separate directory as the FTP root and export only the database directory over NFS; requirement 7 does not need the database to sit inside the FTP tree.
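What pam_mysql's crypt=2 actually compares, as an added example in Python that is not part of the original page. MySQL's PASSWORD() is '*' followed by the upper-case hex of SHA1(SHA1(password)), unsalted, so equal passwords always give equal hashes and a leaked users table can be attacked with a plain lookup table. The user table here is a constructed dict standing in for the rows of vsftpd.users; the names ftpuser and s3cret are assumptions. The insert_statement helper computes the hash client-side, so the clear-text password never reaches the MySQL general or binary log or the shell history the way insert ... values('magedu', password('magedu')) does.

```python
import hashlib
import hmac
import re

def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(plain)), inner digest raw.
    This is the value pam_mysql compares against with crypt=2."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def verify_password(plain: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored column."""
    return hmac.compare_digest(mysql_password(plain), stored)

# Constructed rows standing in for "select name, password from vsftpd.users" (assumption).
USERS = {
    "magedu": mysql_password("magedu"),
    "ftpuser": mysql_password("s3cret"),
}

def pam_check(name: str, plain: str, users=USERS) -> bool:
    """The decision pam_mysql makes for one login: look the user up by usercolumn,
    then compare the hash of the offered password with passwdcolumn."""
    stored = users.get(name)
    return stored is not None and verify_password(plain, stored)

def insert_statement(name: str, plain: str) -> str:
    """INSERT for a new virtual user with the hash computed here, so the clear-text
    password is not sent to the server as password('...'). The name is restricted to
    the characters a login name needs, which also keeps it out of SQL syntax."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,30}", name):       # column is char(30)
        raise ValueError("user name must be 1-30 alphanumeric characters")
    return f"INSERT INTO users(name, password) VALUES('{name}', '{mysql_password(plain)}');"

if __name__ == "__main__":
    print(mysql_password("magedu"))
    print(pam_check("magedu", "magedu"), pam_check("magedu", "wrong"))
    print(insert_statement("ftpuser", "s3cret"))
```

pam_check is false for an unknown user as well as for a wrong password, so an attacker cannot tell the two apart from the FTP server's reply; the SQL the helper emits can be pasted into the mysql client instead of the insert shown above.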