Linux作业9
1、詳細描述一次加密通訊的過程,結合圖示最佳。
?以Bob和Alice安全通訊為例:
????Bob<--------->Alice
? ?1. Bob要和Alice安全通信首先要取得對方的公鑰,即對方的證書,并驗證證書的合法性。驗證過程和內(nèi)容:
????1)、用CA的公鑰(雙方已知)解密對方證書中CA的簽名;能解密說明證書來原可靠;
????2)、用證書中標記的“簽名算法”來計算證書的相關信息,并將散列計算的結果與證書“發(fā)行者簽名”解密的結果(證書特征碼)進行比較,如果一致說明證書完整性可靠;
????3)、檢查證書的有效期限是否在合法范圍內(nèi),防止證書過期;
????4)、驗證證書的“主體名稱”和預通信的人是否對應;
????5)、檢查證書是否被吊銷;
????以上驗證成功則說明對方證書可靠,并信任該證書。
? ?2. 取得對方證書(即公鑰)后進行如下操作:
????加密:
????1)、Bob對明文數(shù)據(jù)進行散列計算,提取出數(shù)據(jù)指紋(特征碼,也叫信息摘要);
????2)、Bob使用自己的私鑰對該數(shù)據(jù)指紋進行加密,生成數(shù)字簽名,并將該數(shù)字簽名附加在明文數(shù)據(jù)之后;
????3)、Bob使用一個一次性的對稱加密算法密鑰對明文和數(shù)字簽名進行加密,生成密文;
????4)、Bob再使用Alice的公鑰對對稱加密算法的密鑰進行加密,生成數(shù)字信封;
????5)、Bob將密文和數(shù)字信封打包發(fā)送給Alice;
????解密:
????1)、Alice收到數(shù)據(jù)(密文+數(shù)字信封)后,使用自己的私鑰解密數(shù)字信封,得到對稱加密算法的密鑰;
????2)、使用對稱加密密鑰解密密文,得到明文數(shù)據(jù)和數(shù)字簽名。保證了數(shù)據(jù)的私密性;
????3)、使用Bob的公鑰解密數(shù)字簽名,得到明文的數(shù)據(jù)指紋(特征碼)。如果能解出,說明數(shù)據(jù)為Bob發(fā)送,保證了數(shù)據(jù)的不可否認性;
????4)、Alice使用同樣的散列算法對明文計算得出數(shù)據(jù)指紋(特征碼),并與Bob計算的數(shù)據(jù)指紋進行比對,如果一致,說明數(shù)據(jù)沒有被篡改。保證的數(shù)據(jù)的完整性;
???
2、描述創(chuàng)建私有CA的過程,以及為客戶端發(fā)來的證書請求進行辦法證書。
????應用服務器如果使用證書需向RA(證書注冊機構)提出申請,RA對申請人信息進行核驗,核驗成功后由CA進行簽署并生成證書。為了保證CA簽署的證書可信,CA在簽署客戶證書前需要先生成自簽證書,客戶端會使用CA的證書來驗證CA所簽署的證書。
????證書頒發(fā)過程:
???????? 1)、申請方向RA遞交證書申請;
???????? 2)、RA會要求申請人遞交自己的公鑰和其它相關信息;
???????? 3)、RA核驗該申請方的真實信息;
????? ? 4)、核驗通過后,RA會將請求轉(zhuǎn)交給CA進行簽署。由CA對這些信息進行散列,并用自己的私鑰對散列結果進行加密,生成數(shù)字簽名;
???????? 5)、將申請方的信息和數(shù)字簽名一起封裝到證書內(nèi),頒發(fā)給申請方;
????證書申請及簽署實例(使用自建CA簽署證書時CA和RA可合并):?
????1) ?構建私有CA:
????????(1) 檢查安裝openssl;??????
????????(2) 根據(jù)openssl的配置文件(/etc/pki/tls/openssl.cnf)創(chuàng)建所需要的文件;
?????? ?(3) 自簽證書:
????2) 為客戶端簽發(fā)證書:
????????(1) 客戶端提交證書簽署請求:
????????(2) 將證書簽署請求發(fā)給RA(此處RA與CA一致)
#?scp?/etc/httpd/ssl/httpd.csr?root@192.168.1.71:/tmp????????(3) CA簽署請求:
????????(4) 將證書發(fā)送給請求客戶端:
????#?scp?/etc/pki/CA/certs/httpd.crt?root@192.168.1.61:/etc/httpd/ssl/3、搭建一套DNS服務器,負責解析magedu.com域名(自行設定主機名及IP)??
(1)、能夠?qū)σ恍┲鳈C名進行正向解析和逆向解析;
(2)、對子域cdn.magedu.com進行子域授權,子域負責解析對應子域中的主機名;
(3)、為了保證DNS服務系統(tǒng)的高可用性,請設計一套方案,并寫出詳細的實施過程
????環(huán)境說明:
????????magedu.com主ns服務器IP:192.168.1.71?
????????magedu.com輔助ns服務器:192.168.1.72
????????cdn.magedu.com子域ns服務器:192.168.1.61???????
????主域名稱服務器(192.168.1.71):
????????bind主配置文件(/etc/named.conf)如下:
????????編輯/etc/named.rfc1912.zones,添加以下區(qū)域:
zone?"1.168.192.in-addr.arpa"?IN?{type?master;file?"192.168.1.zone"; allow-update?{?none;?}; };zone?"magedu.com"?IN?{type?master;file?"magedu.com.zone";allow-query?{?any;?};allow-transfer?{?slaves;?};????????????//接受“slaves”傳輸請求allow-update?{?none;?}; };????添加區(qū)域資源記錄:
????????正向資源記錄:
????????反向資源記錄:
????輔助名稱服務器(192.168.1.72):
????????/etc/named.conf:
????????/etc/named.rfc1912.zones添加以下部分:
zone?"magedu.com"?IN?{type?slave;masters?{?192.168.1.71;?};file?"slaves/magedu.com.zone"; }; zone?"1.168.192.in-addr.arpa"?IN?{type?slave;masters?{?192.168.1.71;?};file?"slaves/192.168.1.zone"; };????cdn.magedu.com子域服務器(192.168.1.61):
????????/etc/named.conf:
options?{ listen-on?port?53?{?127.0.0.1;?192.168.1.61;?}; //listen-on-v6?port?53?{?::1;?}; directory?"/var/named"; allow-query?????{?any;?}; recursion?yes;forward?first;????????????????//定義全局轉(zhuǎn)發(fā)服務器,當主服務器不予遞歸時再將請求轉(zhuǎn)發(fā)至根域服務器forwarders?{?192.168.1.71;?}; }; logging?{channel?default_debug?{file?"data/named.run";severity?dynamic;}; }; zone?"."?IN?{ type?hint; file?"named.ca"; }; include?"/etc/named.rfc1912.zones";????????/etc/named.rfc1912.zones
zone?"cdn.magedu.com"?IN?{type?master;file?"cdn.magedu.com.zone";allow-update?{?none;?}; }; //zone?"magedu.com"?IN?{????????????//定義區(qū)域轉(zhuǎn)發(fā)服務器,與全局轉(zhuǎn)發(fā)選其一。區(qū)域轉(zhuǎn)發(fā)只轉(zhuǎn)發(fā)magedu.com域的請求 //????type?forward; //????forward?only; //????forwarders?{?192.168.1.71;?192.168.1.72;?}; //};????????/var/named/cdn.magedu.com.zone:
$TTL?1D $ORIGIN?cdn.magedu.com. @???????IN??????SOA?????ns.cdn.magedu.com.??????admin.cdn.magedu.com.???(20161030011H5M7D1D?)IN??????NS??????nsIN??????MX??10??mx ns??????IN??????A???????192.168.1.61 mx??????IN??????A???????192.168.1.101 www?????IN??????A???????192.168.1.110 *???????IN??????A???????192.168.1.111重啟named服務后驗證:
????主域服務器測試正反解析:
????測試輔助服務器正反解析:
????測試子域服務器:
4、請描述一次完整的http請求處理過程;
http請求處理過程:????
????1) 客戶端遞歸請求服務器網(wǎng)站域名,DNS服務器解析到結果后返回給客戶端;
????2) 客戶端使用IP地址向http服務器發(fā)起TCP三次握手;
????3) 客戶端封裝http報文,并向http服務器發(fā)起請求;
????4) http服務器解析請求,獲取URL中指定資源,構建響應報文并封裝為http響應報文返回給客戶端;
????5) 客戶端收到http響應報文后由瀏覽器負責解析并渲染呈現(xiàn)給用戶,并記錄日志。完成一個http事務。在此過程中http返回的響應報文有可能引用了多個服務器資源,若服務器沒有啟用“KeepAlived”則每個資源的獲取都需要一個tcp三次握手和四次斷開過程。
5、httpd所支持的處理模型有哪些,他們的分別使用于哪些環(huán)境。
httpd支持以下三種處理模型(MPM):
? ? prefork: 多進程模型。一個主進程負責生成多個工作進程,每個工作進程處理一個用戶請求;即使沒有用戶請求也會預先生成多個工作進程,以便隨時響應用戶請求,默認8個,最大不會超過1024個;特點是工作穩(wěn)定,進程間獨立工作,某個進程掛起不會影響其它進程。用于請求量不大,但穩(wěn)定性要求較高的環(huán)境;
? ? worker: 多線程模型。一個主進程負責生成多個子進程(m,默認4個),每個子進程負責生成多個線程(n),由線程處理用戶請求,同時可接受m×n個http請求。由于linux中進程的輕量化設計,進程與線程的效率無太大差別,所以工作效率與profork也沒有太大差異,但一個工作進程中的多個線程共享一個內(nèi)存數(shù)據(jù)區(qū),某個線程故障會影響到同進程下的其它線程,故穩(wěn)定性不如prefork;
? ? event: 事件驅(qū)動模型。一個主進程負責生成多個工作進程(m),每個進程基于epoll事件通知機制直接響應多個用戶請求(n)。同時可響應m*n個用戶>請求,httpd2.4中可用于生產(chǎn)。
6、建立httpd服務器(基于編譯的方式進行),要求:
提供兩個基于名稱的虛擬主機:
(a)www1.stuX.com,頁面文件目錄為/web/vhosts/www1;錯誤日志為/var/log/httpd/www1.err,訪問日志為/var/log/httpd/www1.access;
(b)www2.stuX.com,頁面文件目錄為/web/vhosts/www2;錯誤日志為/var/log/httpd/www2.err,訪問日志為/var/log/httpd/www2.access;
(c)為兩個虛擬主機建立各自的主頁文件index.html,內(nèi)容分別為其對應的主機名;
(d)通過www1.stuX.com/server-status輸出httpd工作狀態(tài)相關信息,且只允許提供帳號密碼才能訪問(status:status);
在RHEL6上編譯安裝httpd2.4
(1) 環(huán)境準備:
httpd的運行依賴于apr1.4+和apr-util1.4(apr和apr-util(apr-util為apr的工具組件)相當于httpd的虛擬機)。httpd2.4依賴1.4版以上的apr和apr-util,而RHEL6默認安裝的apr和apr-utils版本為1.3.9,為了不影響其他程序?qū)pr-1.3.9的依賴,需單獨編譯安裝apr和apr-util1.4以上版。
1).編譯安裝apr-1.5.2和apr-util-1.5.4:
[root@C1?~]#?tar?xf?/tmp/httpd/apr-1.5.2.tar.bz2?-C?/usr/local/src/ [root@C1?~]#?cd?/usr/local/src/apr-1.5.2/ [root@C1?apr-1.5.2]#?./configure?--prefix=/usr/local/apr-1.5.2 [root@C1?apr-1.5.2]#?make?&&?make?install[root@C1?httpd]#?tar?xf?apr-util-1.5.4.tar.bz2?-C?/usr/local/src/ [root@C1?httpd]#?cd?/usr/local/src/apr-util-1.5.4/ [root@C1?apr-util-1.5.4]#?./configure?--prefix=/usr/local/apr-util-1.5.4?--with-apr=/usr/local/apr-1.5.2/ [root@C1?apr-util-1.5.4]#?make?&&?make?install#創(chuàng)建apr和apr-util的鏈接文件,以便后期引用:
[root@C1?~]#?ln?-s?/usr/local/apr-1.5.2/?/usr/local/apr [root@C1?~]#?ln?-s?/usr/local/apr-util-1.5.4/?/usr/local/apr-util2).安裝PCRE(Perl Compatible Regular Expressions)的開發(fā)庫:
[root@C1?~]#?yum?install?-y?pcre-devel3).創(chuàng)建apache系統(tǒng)用戶:
(2) 編譯安裝httpd-2.4:
1).安裝httpd程序:
[root@C1?httpd]#?tar?xv?httpd-2.4.23.tar.bz2?-C?/usr/local/src/ [root@C1?httpd]#?cd?/usr/local/src/httpd-2.4.23/ [root@C1?httpd-2.4.23]#?./configure?--prefix=/usr/local/httpd24?--sysconf=/etc/httpd24?--enable-ssl?--enable-cgi?--enable-rewrite?--with-zlib?--with-pcre?--with-apr=/usr/local/apr?--with-apr-util=/usr/local/apr-util?--enable-so?--enable-modules=most?--enable-mpms-shared=all?--with-mpm=prefork#選項說明:
--prefix=/usr/local/httpd24:指定httpd的安裝路徑;
--sysconf=/etc/httpd24:指定httpd的配置文件路徑,為了不與系統(tǒng)上已安裝的httpd2.2相沖突,需另指一個目錄;
--enable-ssl:啟用SSL功能
--enable-cgi:啟用cgi機制;
--enable-rewrite:啟用URL重寫機制;
--with-zlib:當使用compress壓縮機制時,需加載壓縮算所使用的壓縮庫;
--with-pcre:啟用PCRE庫。通常在使用URL重寫或過濾時會用到。注意:在使用該選項編譯httpd前需事先安裝pcre-devel;
--with-apr=/usr/local/apr:指定apr的安裝路徑;
--with-apr-util=/usr/local/apr-util/:指定apr-util的安裝路徑;
--enable-so:啟用動態(tài)模塊加載機制;
--enable-modules=most:指定要編譯的模塊。可用選項:"all" | "most" | "few" | "none" | "reallyall";
--enable-mpms-shared=all:httpd支持DSO(共享模塊編譯機制),此處將編譯所有支持的MPM模塊。可用選項:"all" | "most" | "few" | "reallyall"
--with-mpm=prefork:指定httpd默認使用的MPM處理模塊。MPM={event|worker|prefork|winnt}
[root@C1?httpd-2.4.23]#?make?&&?make?install2).將httpd-2.4的程序目錄添加到PATH環(huán)境變量中:
3).啟動httpd-2.4:
#注意:啟動前要確保80/tcp端口沒有被占用。
[root@C1?httpd-2.4.23]#?apachectl?start#測試httpd-2.4是否成功啟動:
[root@C1?httpd-2.4.23]#?ss?-taln?|?grep?:80 0??????128???????????????????????????:::80???????????????????????????:::* [root@C1?httpd-2.4.23]#?ps?aux?|?grep?httpd root??????4415??0.0??0.3???4500??1828??????????Ss???16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4416??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4417??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4418??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4419??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4420??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start root??????4443??0.0??0.1???4328???724?pts/0????S+???17:02???0:00?grep?httpd(3) 配置httpd服務器
1) 創(chuàng)建數(shù)據(jù)目錄,并準備測試頁面:
[root@C1?extra]#?mkdir?-vp?/web/vhosts/www{1,2} mkdir:?created?directory?`/web' mkdir:?created?directory?`/web/vhosts' mkdir:?created?directory?`/web/vhosts/www1' mkdir:?created?directory?`/web/vhosts/www2' [root@C1?extra]#?echo?"The?vhost1?site."?>?/web/vhosts/www1/index.html [root@C1?extra]#?echo?"The?vhost2?site."?>?/web/vhosts/www2/index.html2) 編輯httpd-2.4的配置文件:
/etc/httpd24/httpd.conf:
/etc/httpd24/extra/httpd-vhosts.conf:
[root@C1?~]#?egrep?-v?'^#|^$'?/etc/httpd24/extra/httpd-vhosts.conf<VirtualHost?*:80>ServerName?www1.stuX.comDocumentRoot?"/web/vhosts/www1"#定義www1虛擬主機的數(shù)據(jù)目錄ErrorLog?"/web/vhosts/www1.err"#定義錯誤日志文件CustomLog?"/web/vhosts/www1.access"?common#定義訪問日志文件<Location?/server-status>#定義"www1.stuX.com/server-status"SetHandler?server-statusAuthType?Basic#認證類型為BasicAuthName?"Administrator?Private."#認證時的提示信息AuthBasicProvider?file#認證方式AuthUserFile?"/etc/httpd24/extra/.htpasswd"#認證文件,用于存儲用戶名和密碼<RequireAll>Require?valid-user#允許賬號文件中的所有用戶登錄訪問</RequireAll></Location> </VirtualHost> <VirtualHost?*:80>ServerName?www2.stuX.comDocumentRoot?"/web/vhosts/www2"ErrorLog?"/web/vhosts/www2.err"CustomLog?"/web/vhosts/www2.access"?common </VirtualHost>3) 配置用戶認證:
添加認證用戶:
[root@C1?~]#?cd?/etc/httpd24/extra/ [root@C1?extra]#?htpasswd?-c?-s?-b?.htpasswd?yinkai?yinkaipass Adding?password?for?user?yinkai選項說明:
-c: 創(chuàng)建用戶文件,只在第一次使用
-s: 強制使用SHA加密用戶密碼
-b: 從命令行讀取用戶密碼
測試:
[root@C1?httpd24]#?ps?aux?|?grep?httpd#檢查httpd是否以apache用戶成功啟動 root??????4415??0.0??0.4???4500??2148??????????Ss???16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4495??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4496??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4497??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4498??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4499??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start root??????4501??0.0??0.1???4328???720?pts/0????S+???17:18???0:00?grep?httpd7、為第6題中的第2個虛擬主機提供https服務,使得用戶可以通過https安全的訪問此web站點;
(1)要求使用證書認證,證書中要求使用的國家(CN)、州(HA)、城市(ZZ)和組織(MageEdu);
(2)設置部門為Ops,主機名為www2.stuX.com,郵件為admin@stuX.com;
1. 創(chuàng)建私有CA服務器
?(1) 根據(jù)openssl配置文件(/etc/pki/tls/openssl.cnf)準備CA服務器環(huán)境:
[root@C1?~]#?cd?/etc/pki/CA/?//切換到CA根目錄 [root@C1?CA]#?touch?index.txt?//創(chuàng)建證書數(shù)據(jù)庫索引文件 [root@C1?CA]#?echo?01?>?serial?//設置當前證書(第一個)序列號?(2) 生成CA的私鑰
[root@C1?CA]#?(umask?077;?openssl?genrsa?-out?/etc/pki/CA/private/cakey.pem?2048)? Generating?RSA?private?key,?2048?bit?long?modulus ......+++ ..........................................+++ e?is?65537?(0x10001)?(3) 生成CA自簽證書
[root@C1?CA]#?openssl?req?-new?-x509?-key?/etc/pki/CA/private/cakey.pem?-days?3650?-out?/etc/pki/CA/cacert.pem? You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:HA Locality?Name?(eg,?city)?[Default?City]:ZZ Organization?Name?(eg,?company)?[Default?Company?Ltd]:MageEdu Organizational?Unit?Name?(eg,?section)?[]:Ops Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:ca.stuX.com Email?Address?[]:admin@stuX.com?(4) 檢查CA自簽證書內(nèi)容:
[root@C1?CA]#?openssl?x509?-in?/etc/pki/CA/cacert.pem?-noout?-subject subject=?/C=CN/ST=HA/L=ZZ/O=MageEdu/OU=Ops/CN=ca.stuX.com/emailAddress=admin@stuX.com2. http服務器申請簽署證書
?(1) 客戶端生成證書簽署請求:
[root@C1?~]#?mkdir?/etc/httpd24/ssl [root@C1?~]#?cd?/etc/httpd24/ssl [root@C1?ssl]#?(umask?077;?openssl?genrsa?-out?httpd.key?2048) Generating?RSA?private?key,?2048?bit?long?modulus .................................................................................................................................................................................................................................................................................................................+++ ...........+++ e?is?65537?(0x10001) [root@C1?ssl]#?openssl?req?-new?-key?httpd.key?-days?3650?-out?httpd.csr You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:HA Locality?Name?(eg,?city)?[Default?City]:ZZ Organization?Name?(eg,?company)?[Default?Company?Ltd]:MageEdu Organizational?Unit?Name?(eg,?section)?[]:Ops Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:www2.stuX.com Email?Address?[]:admin@stuX.com Please?enter?the?following?'extra'?attributes to?be?sent?with?your?certificate?request A?challenge?password?[]: An?optional?company?name?[]:?(2) 將證書簽署請求發(fā)送給CA(RA):
[root@C1?ssl]#?scp?httpd.csr?root@192.168.1.97:/tmp?(3) CA為http服務器簽署證書:
[root@C1?CA]#?openssl?ca?-in?/tmp/httpd.csr?-days?3650?-out?/etc/pki/CA/certs/httpd.crt Using?configuration?from?/etc/pki/tls/openssl.cnf Check?that?the?request?matches?the?signature Signature?ok Certificate?Details:Serial?Number:?1?(0x1)ValidityNot?Before:?Nov?17?09:22:25?2016?GMTNot?After?:?Nov?15?09:22:25?2026?GMTSubject:countryName???????????????=?CNstateOrProvinceName???????=?HAorganizationName??????????=?MageEduorganizationalUnitName????=?OpscommonName????????????????=?www2.stuX.comemailAddress??????????????=?admin@stuX.comX509v3?extensions:X509v3?Basic?Constraints:CA:FALSENetscape?Comment:OpenSSL?Generated?CertificateX509v3?Subject?Key?Identifier:BD:64:23:20:D3:3B:79:0C:C4:2B:AB:F4:47:84:6F:54:38:78:68:5BX509v3?Authority?Key?Identifier:keyid:C1:CA:83:F5:FA:CC:BA:15:CE:BC:D2:A1:13:1D:6F:17:5F:C9:59:0C Certificate?is?to?be?certified?until?Nov?15?09:22:25?2026?GMT?(3650?days) Sign?the?certificate??[y/n]:y 1?out?of?1?certificate?requests?certified,?commit??[y/n]y Write?out?database?with?1?new?entries Data?Base?Updated?(4) 檢查http服務器證書,并將該證書傳遞給http服務器:
[root@C1?CA]#?openssl?x509?-in?/etc/pki/CA/certs/httpd.crt?-noout?-subject subject=?/C=CN/ST=HA/O=MageEdu/OU=Ops/CN=www2.stuX.com/emailAddress=admin@stuX.com [root@C1?CA]#?scp?/etc/pki/CA/certs/httpd.crt?root@192.168.1.83:/etc/httpd24/ssl/#重啟名虛擬主機的證書和私鑰文件,以便后期引用:
[root@C1?~]#?cd?/etc/httpd24/ssl/ [root@C1?ssl]#?mv?httpd.crt?www2.stuX.com.crt [root@C1?ssl]#?mv?httpd.key?www2.stuX.com.key3. 配置http服務器使用證書使之支持https
?(1) 為httpd安裝mod_ssl模塊:
[root@C1?~]#?yum?install?-y?mod_ssl?(2)檢查httpd主配置文件/etc/httpd24/httpd.conf是否存在并啟用以下條目:
LoadModule?ssl_module?modules/mod_ssl.so? LoadModule?socache_shmcb_module?modules/mod_socache_shmcb.so? Include?/etc/httpd24/extra/httpd-ssl.conf?(3) 修改ssl相關的配置文件/etc/httpd24/extra/httpd-ssl.conf:
[root@C1?extra]#?egrep?-v?'^#|^$'?httpd-ssl.conf Listen?443 SSLCipherSuite?HIGH:MEDIUM:!MD5:!RC4 SSLProxyCipherSuite?HIGH:MEDIUM:!MD5:!RC4 SSLHonorCipherOrder?on SSLProtocol?all?-SSLv3 SSLProxyProtocol?all?-SSLv3 SSLPassPhraseDialog??builtin SSLSessionCache????????"shmcb:/usr/local/httpd24/logs/ssl_scache(512000)" SSLSessionCacheTimeout??300 <VirtualHost?*:443>#定義基于443端口的虛擬主機 DocumentRoot?"/web/vhosts/www2" ServerName?www2.stuX.com:443 ServerAdmin?you@example.com ErrorLog?"/web/vhosts/www2.err" TransferLog?"/web/vhosts/www2.access" SSLEngine?on SSLCertificateFile?"/etc/httpd24/ssl/www2.stuX.com.crt"#指定www2.stuX.com.crt虛擬主機的證書文件 SSLCertificateKeyFile?"/etc/httpd24/ssl/www2.stuX.com.key"#指定www2.stuX.com.crt虛擬主機的私鑰文件 <FilesMatch?"\.(cgi|shtml|phtml|php)$">SSLOptions?+StdEnvVars </FilesMatch> <Directory?"/usr/local/httpd24/cgi-bin">SSLOptions?+StdEnvVars </Directory> BrowserMatch?"MSIE?[2-5]"?\nokeepalive?ssl-unclean-shutdown?\downgrade-1.0?force-response-1.0 CustomLog?"/usr/local/httpd24/logs/ssl_request_log"?\"%t?%h?%{SSL_PROTOCOL}x?%{SSL_CIPHER}x?\"%r\"?%b" </VirtualHost>?(4) 在虛擬主機相關的配置文件/etc/httpd24/extra/httpd-vhosts.conf中注釋掉80端口的www2.stuX.com主機。可選:
#<VirtualHost?*:80> #????ServerName?www2.stuX.com #????DocumentRoot?"/web/vhosts/www2" #????ErrorLog?"/web/vhosts/www2.err" #????CustomLog?"/web/vhosts/www2.access"?common #</VirtualHost>4. 檢查配置文件,重啟服務并檢查443端口:
[root@C1?~]#?httpd?-t Syntax?OK [root@C1?~]#?apachectl?restart [root@C1?~]#?ss?-tanl?|?grep?:443 0??????128???????????????????????????:::443??????????????????????????:::*5. 測試:
8、建立samba共享,共享目錄為/data,要求:(描述完整的過程)
1)共享名為shared,工作組為magedu;
2)添加組develop,添加用戶gentoo,centos和ubuntu,其中gentoo和centos以develop為附加組,ubuntu不屬于develop組;密碼均為用戶名;
3)添加samba用戶gentoo,centos和ubuntu,密碼均為“mageedu”;
4)此samba共享shared僅允許develop組具有寫權限,其他用戶只能以只讀方式訪問;
5)此samba共享服務僅允許來自于172.16.0.0/16網(wǎng)絡的主機訪問;
安裝samba服務器程序、samba客戶端工具和公共庫:
[root@C1?~]#?yum?install?-y?samba?samba-common?samba-client添加系統(tǒng)用戶和組:
創(chuàng)建共享目錄并編輯權限:
[root@C1?~]#?mkdir?-v?/data mkdir:?created?directory?‘/data’ [root@C1?~]#?setfacl?-m?g:develop:rwx?/data/ [root@C1?~]#?getfacl?/data/ getfacl:?Removing?leading?'/'?from?absolute?path?names #?file:?data/ #?owner:?root #?group:?root user::rwx group::r-x group:develop:rwx mask::rwx other::r-x添加samba用戶:
[root@C1?~]#?smbpasswd?-a?gentoo New?SMB?password: Retype?new?SMB?password: Added?user?gentoo. [root@C1?~]#?smbpasswd?-a?centos New?SMB?password: Retype?new?SMB?password: Added?user?centos. [root@C1?~]#?smbpasswd?-a?ubuntu New?SMB?password: Retype?new?SMB?password: Added?user?ubuntu. [root@C1?~]#?pdbedit?-L//列出所有的samba用戶 gentoo:1039: ubuntu:1041: centos:1040:修改samba配置文件創(chuàng)建編輯共享:
[root@C1?~]#?cp?-p?/etc/samba/smb.conf{,.bak} [root@C1?~]#?cp?-p?/etc/samba/smb.conf{,.bak} [global] workgroup?=?magedu server?string?=?Samba?Server?Version?%v netbios?name?=?MYSERVER hosts?allow?=?192.168.1.0/24#環(huán)境所限,此處代替172.16.0.0/16網(wǎng)絡 log?file?=?/var/log/samba/log.%m max?log?size?=?50 security?=?user passdb?backend?=?tdbsam load?printers?=?yes cups?options?=?raw [homes] comment?=?Home?Directories browseable?=?no writable?=?yes [shared] comment?=?develop's?directory path?=?/data guest?ok?=?yes writable?=?yes write?list?=?+develop測試samba配置文件是否有語法錯誤:
[root@C1?~]#?testparm? Load?smb?config?files?from?/etc/samba/smb.conf rlimit_max:?increasing?rlimit_max?(1024)?to?minimum?Windows?limit?(16384) Processing?section?"[homes]" Processing?section?"[shared]" Loaded?services?file?OK. Server?role:?ROLE_STANDALONE Press?enter?to?see?a?dump?of?your?service?definitions [global] workgroup?=?MAGEDU netbios?name?=?MYSERVER server?string?=?Samba?Server?Version?%v log?file?=?/var/log/samba/log.%m max?log?size?=?50 idmap?config?*?:?backend?=?tdb hosts?allow?=?192.168.1.0/24 cups?options?=?raw [homes] comment?=?Home?Directories read?only?=?No browseable?=?No [shared] comment?=?develop's?directory path?=?/data write?list?=?+develop read?only?=?No guest?ok?=?Yes啟動并檢查smb服務:
[root@C1?~]#?systemctl?start?smb.service [root@C1?~]#?systemctl?start?nmb.service [root@C1?~]#?ss?-tnlap?|?grep?smb LISTEN?????0??????50???????????*:139??????????????????????*:*???????????????????users:(("smbd",pid=2259,fd=34)) LISTEN?????0??????50???????????*:445??????????????????????*:*???????????????????users:(("smbd",pid=2259,fd=33)) LISTEN?????0??????50??????????:::139?????????????????????:::*???????????????????users:(("smbd",pid=2259,fd=32)) LISTEN?????0??????50??????????:::445?????????????????????:::*???????????????????users:(("smbd",pid=2259,fd=31))驗證:
[root@C1?~]#?smbclient?-L?192.168.1.71?-U?centos Enter?centos's?password:? Domain=[MAGEDU]?OS=[Unix]?Server=[Samba?4.1.1] Sharename???????Type??????Comment ---------???????----??????------- IPC$????????????IPC???????IPC?Service?(Samba?Server?Version?4.1.1) shared??????????Disk??????develop's?directory centos??????????Disk??????Home?Directories Domain=[MAGEDU]?OS=[Unix]?Server=[Samba?4.1.1] Server???????????????Comment ---------????????????------- MYSERVER?????????????Samba?Server?Version?4.1.1 Workgroup????????????Master ---------????????????------- MAGEDU???????????????MYSERVER WORKGROUP????????????YINKAI-NB-X230 從Windows登陸\\192.168.1.71,并創(chuàng)建測試文件: [root@C1?tmp]#?ll?/data/ total?0 -rwxr--r--?1?centos?centos?0?11月?16?22:05?centos.txt -rwxr--r--?1?gentoo?gentoo?0?11月?16?22:05?gentoo.txt9、搭建一套文件vsftp文件共享服務,共享目錄為/ftproot,要求:(描述完整的過程)
1)基于虛擬用戶的訪問形式;
2)匿名用戶只允許下載,不允許上傳;
3)禁錮所有的用戶于其家目錄當中;
4)限制最大并發(fā)連接數(shù)為200:;
5)匿名用戶的最大傳輸速率512KB/s
6)虛擬用戶的賬號存儲在mysql數(shù)據(jù)庫當中。
7)數(shù)據(jù)庫通過NFS進行共享。
環(huán)境說明:
FTP服務器:192.168.1.71
Mariadb服務器:192.168.1.71
NFS服務器:192.168.1.72
1. 在192.168.1.72上搭建NFS服務器
?(1). 創(chuàng)建nfs目錄,用戶實際存儲數(shù)據(jù):
[root@C2?~]#?mkdir?-vp?/shared/nfs mkdir:?created?directory?`/shared' mkdir:?created?directory?`/shared/nfs' [root@C2?~]#?useradd?-r?-M?-s?/sbin/nologin?mysql [root@C2?~]#?chown?-R?mysql.mysql?/shared/nfs/?(2). 修改nfs配置文件,定義導出目錄:?
[root@C2?~]#?vim?/etc/exports /shared/nfs?????192.168.1.0/24(rw,no_root_squash)?(3). 啟動nfs服務:
[root@C2?~]#?systemctl?start?nfs.service [root@C2?~]#?ss?-tnlp?|?egrep?'2049|rpc' LISTEN?????0??????128??????????*:111??????????????????????*:*???????????????????users:(("rpcbind",pid=1645,fd=8)) LISTEN?????0??????128??????????*:20048????????????????????*:*???????????????????users:(("rpc.mountd",pid=2098,fd=8)) LISTEN?????0??????128??????????*:46620????????????????????*:*???????????????????users:(("rpc.statd",pid=1643,fd=9)) LISTEN?????0??????64???????????*:2049?????????????????????*:*?????????????????? LISTEN?????0??????128?????????:::37518???????????????????:::*???????????????????users:(("rpc.statd",pid=1643,fd=11)) LISTEN?????0??????128?????????:::111?????????????????????:::*???????????????????users:(("rpcbind",pid=1645,fd=11)) LISTEN?????0??????128?????????:::20048???????????????????:::*???????????????????users:(("rpc.mountd",pid=2098,fd=10)) LISTEN?????0??????64??????????:::2049????????????????????:::*2. 在192.168.1.71上搭建Mariadb服務器,并使用NFS作為存儲
?(1). 使用NFS文件系統(tǒng),并掛載為數(shù)據(jù)庫目錄:
[root@C1?~]#?showmount?-e?192.168.1.72?????????????????????#查看NFS服務器導出的目錄 Export?list?for?192.168.1.72: /shared/nfs?192.168.1.0/24 [root@C1?~]#?mkdir?/data?????????????#作為數(shù)據(jù)庫存儲目錄 [root@C1?~]#?mount?-t?nfs?192.168.1.72:/shared/nfs?/data/?(2). 安裝配置MariaDB:
[root@C2?~]#?id?mysql uid=992(mysql)?gid=989(mysql)?組=989(mysql) [root@C1?~]#?groupadd?-r?-g?989?mysql [root@C1?~]#?useradd?-r?-s?/sbin/nologin?-M?-u?992?-g?989?mysql??????????????????#與NFS服務器上的mysql用戶對應,以便標識? [root@C1?~]#?yum?install?-y?mariadb?mariadb-server [root@C1?~]#?cp?-p?/etc/my.cnf.d/server.cnf{,.bak} [root@C1?~]#?vim?/etc/my.cnf [mysqld] datadir=/data/mysql socket=/var/lib/mysql/mysql.sock symbolic-links=0 skip_name_resolve?=?on innodb_file_per_table?=?on character-set-server?=?utf8 [mysqld_safe] log-error=/var/log/mariadb/mariadb.log pid-file=/var/run/mariadb/mariadb.pid !includedir?/etc/my.cnf.d [root@C1?~]#?systemctl?start?mariadb.service??????????????????#啟動mariadb服務 [root@C1?~]#?ss?-tnl?|?grep?3306 LISTEN?????0??????50???????????*:3306?????????????????????*:*?? [root@C1?~]#?mysql_secure_installation??????????????#初始化MariaDB數(shù)據(jù)庫 [root@C1?~]#?mysql?-uroot?-p MariaDB?[(none)]>?SHOW?VARIABLES?LIKE?'%datadir%';???????????????//檢查數(shù)據(jù)文件的存儲路徑是否生效 +------------------------------+-----------------------------+ |?Variable_name?|?Value????????| +------------------------------+----------------------------+ |?datadir???????|?/data/mysql/?| +------------------------------+-----------------------------+ 1?row?in?set?(0.00?sec)3. 搭建FTP服務器
?(1).安裝vsftpd和pam_mysql:
[root@C1?~]#?yum?--enablerepo=epel?install?vsftpd?pam_mysql編譯安裝pam_mysql:
下載pam_mysql源文件:pam_mysql-0.7RC1.tar.gz
[root@C1?tmp]#?tar?xf?pam_mysql-0.7RC1.tar.gz??-C?/usr/local/src/ [root@C1?tmp]#?cd?/usr/local/src/pam_mysql-0.7RC1/ [root@C1?pam_mysql-0.7RC1]#?yum?install?-y?pam-devel.x86_64?mariadb-devel???????????#在編譯前確保已經(jīng)安裝了mariadb-devel、pam-devel.x86_64 [root@C1?pam_mysql-0.7RC1]#?./configure?--with-pam-mods-dir=/usr/lib64/???????????#手工指定pam模塊目錄 [root@C1?pam_mysql-0.7RC1]#?make?&&?make?install?(2). 創(chuàng)建虛擬用戶數(shù)據(jù)庫.表,插入用戶數(shù)據(jù),并授權查詢:
CREATE?DATABASE?vsftpd; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'192.168.1.%'?IDENTIFIED?BY?'vsftpdpass'; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'localhost'?IDENTIFIED?BY?'vsftpdpass'; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'127.0.0.1'?IDENTIFIED?BY?'vsftpdpass'; FLUSH?PRIVILEGES; USE?vsftpd CREATE?TABLE?`users`?(`id`?int(11)?NOT?NULL?AUTO_INCREMENT,`name`?char(20)?CHARACTER?SET?utf8?COLLATE?utf8_bin?NOT?NULL,`password`?char(48)?CHARACTER?SET?utf8?COLLATE?utf8_bin?NOT?NULL,PRIMARY?KEY?(`id`) )?ENGINE=InnoDB?DEFAULT?CHARSET=utf8#添加虛擬用戶:
INSERT?INTO?users(name,password)?VALUES('yinkai',password('yinkaipass')),('chris',password('chrispass'));?(3). 配置vsftpd:
? 1) 建立pam認證所需文件:
[root@C1?~]#?vim?/etc/pam.d/vsftpd.mysql? auth?required?/usr/lib64/pam_mysql.so?user=vsftpd?passwd=vsftpdpass?host=localhost?db=vsftpd?table=users?usercolumn=name?passwdcolumn=password?crypt=2 account?required?/usr/lib64/pam_mysql.so?user=vsftpd?passwd=vsftpdpass?host=localhost?db=vsftpd?table=users?usercolumn=name?passwdcolumn=password?crypt=2? ?說明:auth行用于認證,檢查用戶名和密碼是否匹配;account行用于審查,檢查用戶是否在有效期限內(nèi)
? ?/usr/lib64/pam_mysql.so為pam_mysql的模塊;user=vsftpd(登陸mysql數(shù)據(jù)庫的用戶名) passwd=www.magedu.com(登陸mysql數(shù)據(jù)庫的密碼) host=localhost(mysql數(shù)據(jù)庫服務器主機) db=vsftpd(指定存儲用戶表的數(shù)據(jù)庫) table=users(指定表) usercolumn=name(登陸vsftpd用戶的用戶名字段) passwdcolumn=password(登陸vsftpd用戶的密碼字段) crypt=2(密碼使用MySQL PASSWORD()加密)
? 2) 建立虛擬用戶映射的系統(tǒng)用戶及對應的目錄
[root@C1?~]#?useradd?-s?/sbin/nologin?-d?/var/ftp/ftproot?vuser [root@C1?~]#?chmod?go+rx?/var/ftp/ftproot/ [root@C1?~]#?chmod?-w?/var/ftp/ftproot/????????#由于安全限制vsftpd不允許ftp用戶根目錄有寫權限,否則登陸FTP服務器時會報:500?OOPS:?vsftpd:?refusing?to?run?with?writable?root?inside?chroot() [root@C1?~]#?mkdir?/var/ftp/ftproot/test????????#創(chuàng)建一個可上傳數(shù)據(jù)的目錄 [root@C1?~]#?chown?-R?vuser.vuser?/var/ftp/ftproot/test? 3) 修改vsftpd的配置文件,使其使用mysql認證: ?
[root@C1?ftproot]#?egrep?-v?'^#|^$'?/etc/vsftpd/vsftpd.conf anonymous_enable=YES local_enable=YES write_enable=YES local_umask=022 anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/xferlog xferlog_std_format=YES ftpd_banner=Welcome?to?blah?FTP?service. chroot_local_user=YES listen=NO listen_ipv6=YES pam_service_name=vsftpd.mysql????#連接到MySql認證虛擬用戶時用到的的pam配置文件 userlist_enable=YES userlist_deny=YES tcp_wrappers=YES max_clients=200 anon_max_rate=5120 guest_enable=YES????#啟用虛擬用戶認證 guest_username=vuser????#所有虛擬用戶都映射為vuser本地系統(tǒng)用戶 user_config_dir=/etc/vsftpd/vusers [root@C1?ftproot]#?cat?/etc/vsftpd/vusers/yinkai? anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES [root@C1?ftproot]#?cat?/etc/vsftpd/vusers/chris? anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES測試:
yinkai@yinkai-NB-X230?~?$?ftp?192.168.1.71 Connected?to?192.168.1.71. 220?Welcome?to?blah?FTP?service. Name?(192.168.1.71:yinkai):?chris??????#使用虛擬用戶登陸 331?Please?specify?the?password. Password: 230?Login?successful. Remote?system?type?is?UNIX. Using?binary?mode?to?transfer?files. ftp>?pwd 257?"/"????????????????#已禁錮用戶 ftp>?ls 200?PORT?command?successful.?Consider?using?PASV. 150?Here?comes?the?directory?listing. -rw-------????1?1000?????1000?????????1124?Nov?19?17:29?fstab drwxr-xr-x????1?1000?????1000????????????0?Nov?20?13:49?test 226?Directory?send?OK. ftp>?cd?test 250?Directory?successfully?changed. ftp>?lcd?/etc Local?directory?now?/etc ftp>?put?issue local:?issue?remote:?issue 200?PORT?command?successful.?Consider?using?PASV. 150?Ok?to?send?data. 226?Transfer?complete.??????????#虛擬用戶可上傳數(shù)據(jù) 27?bytes?sent?in?0.00?secs?(418.5?kB/s) ftp>?bye 221?Goodbye. yinkai@yinkai-NB-X230?~?$?ftp?192.168.1.71 Connected?to?192.168.1.71. 220?Welcome?to?blah?FTP?service. Name?(192.168.1.71:yinkai):?ftp???????#匿名用戶登陸 331?Please?specify?the?password. Password: 230?Login?successful. Remote?system?type?is?UNIX. Using?binary?mode?to?transfer?files. ftp>?pwd 257?"/"????????????#已禁錮匿名用戶 ftp>?ls 200?PORT?command?successful.?Consider?using?PASV. 150?Here?comes?the?directory?listing. dr-xr-xr-x????1?1000?????1000???????????98?Nov?20?13:44?ftproot drwxrwxr-x????1?0????????0??????????????14?Nov?19?16:47?pub -rw-r--r--????1?0????????0???????????????0?Nov?19?16:49?tf1 226?Directory?send?OK. ftp>?mkdit?testdir????????#匿名用戶不可寫 ?Invalid?command ftp>?get?tf1 local:?tf1?remote:?tf1 200?PORT?command?successful.?Consider?using?PASV. 150?Opening?BINARY?mode?data?connection?for?tf1?(0?bytes). 226?Transfer?complete. ftp>?bye 221?Goodbye.轉(zhuǎn)載于:https://blog.51cto.com/yinkai/1866019
總結
- 上一篇: 自定义jstl标签库
- 下一篇: linux 其他常用命令