1、詳細描述一次加密通訊的過程,結合圖示最佳。
SSL協議基礎: SSL協議位於TCP/IP協議與各種應用層協議之間,本身又分爲兩層: 1)SSL記錄協議:建立在可靠傳輸層協議(TCP)之上,爲上層協議提供數據封裝、壓縮、加密等基本功能。 2)SSL握手協議:在SSL記錄協議之上,用於實際數據傳輸前,通訊雙方進行身份認證、協商加密算法、交換加密密鑰等。 SSL協議通信過程: 1)瀏覽器發送一個連接請求給服務器;服務器將自己的證書(包含服務器公鑰S_PuKey)、對稱加密算法種類及其他相關信息返回客戶端。 2)客戶端瀏覽器檢查服務器傳送到CA證書是否由自己信賴的CA中心簽發。若是,執行第4步;否則,給客戶一個警告信息:詢問是否繼續訪問 3)客戶端瀏覽器比較證書裏的信息,如證書有效期、服務器域名和公鑰S_PK,與服務器傳回的信息是否一致;如果一致,則瀏覽器完成對服務器的身份認證 4)服務器要求客戶端發送客戶端證書(包含客戶端公鑰C_PuKey)、支持的對稱加密方案及其他相關信息。收到後,服務器進行相同的身份認證,若沒有通過驗證,則拒絕連接; 5)服務器根據客戶端瀏覽器發送到密碼種類,選擇一種加密程度最高的方案,用客戶端公鑰C_PubKey加密後通知到瀏覽器; 6)客戶端通過私鑰C_prKey解密後,得知服務器選擇的加密方案,並選擇一個通話密鑰Key,接着用服務器公鑰S_PuKey加密後發送服務器; 7)服務器接收到的瀏覽器傳送到消息,用私鑰S_PrKey解密,獲得通話密鑰key。 8)接下來的數據傳輸都使用該對稱密鑰Key進行加密。 上面所述的是雙向認證SSL協議的具體通訊過程,服務器和用戶雙方必須都有證書。由此可見,SSL協議是通過非對稱密鑰機制保證雙方身份認證,並完成建立連接,在實際數據通信 時通過對稱密鑰機制保障數據安全性。
2、描述創建私有CA的過程,以及爲客戶端發來的證書請求進行辦法證書。
配置文件:/etc/pki/tls/openssl.cnf 1)創建所需要的文件 [root@localhost ~]# cd /etc/pki/CA [root@localhost CA]# touch index.txt [root@localhost CA]# echo 01 > serial 2)CA自簽證書 [root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem -new:生成新證書籤署請求; -x509:專用於CA生成自簽證書; -key:生成請求時用到的私鑰文件; -days n:證書的有效期限; -out /PATH/TO/SOMECERTFILE:證書的保存路徑 3)發證 (a)客戶端生成證書請求 [root@localhost ~]# mkdir /etc/httpd/ssl [root@localhost ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048) [root@localhost ~]# cd /etc/httpd/ssl/ [root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr (b)把請求文件傳輸給CA [root@Client ssl]# scp httpd.csr 192.168.11.161:/tmp/ (c)CA簽署證書,並將證書發還給請求者 [root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 [root@localhost CA]# scp /etc/pki/CA/certs/httpd.crt 192.168.11.162:/etc/httpd/ssl/
3、搭建一套DNS服務器,負責解析magedu.com域名(自行設定主機名及IP)
(1)、能夠對一些主機名進行正向解析和逆向解析;
(2)、對子域cdn.magedu.com進行子域授權,子域負責解析對應子域中的主機名;
(3)、爲了保證DNS服務系統的高可用性,請設計一套方案,並寫出詳細的實施過程
[root@localhost ~]# yum -y install bind
常用的配置文件有:
/etc/named.conf #主配置文件
/etc/named.rfc1912.zones #區域配置文件
/etc/rc.d/init.d/named #啓動腳本
/var/named #存放區域數據文件
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
listen-on port 53 { any; }; 表示監聽本地IP的53端口,允許所用地址訪問本地53端口
allow-query { any; }; 允許所有地址查詢
recursion yes; 是否遞歸,如果是no那麼這臺DNS服務器將不會遞歸解析,yes或註釋掉不寫,表是允許,默認是允許的
include "/etc/named.rfc1912.zones"; 加載區域配置文件
正向和反向區域解析
[root@localhost ~]# vim /etc/named.rfc1912.zones
在配置文件的末尾添加正向和反向配置
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
allow-transfer { 192.168.11.165; };
};
zone "11.168.192.in-addr.arpa" IN {
type master;
file "11.168.192.zone";
allow-transfer { 192.168.11.165; };
};
allow-transfer { 192.168.11.165; };表示只允許192.168.11.165這個主機同步數據,也就是作它的輔助DNS,多個IP用“;”隔開;
編輯正向解析的zone文件
[root@localhost ~]# vim /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
2016092101
1H
5M
7D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
IN A 192.168.11.164
ns1 IN A 192.168.11.164
ns2 IN A 192.168.11.165
mx1 IN A 192.168.11.166
mx2 IN A 192.168.11.167
www IN A 192.168.11.164
www IN A 192.168.11.165
ftp IN CNAME www
反向解析zone文件
[root@localhost ~]# vim /var/named/11.168.192.zone
$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
2016092101
1H
5M
7D
1D )
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
64 IN PTR ns1.magedu.com.
65 IN PTR ns2.magedu.com.
66 IN PTR mx1.magedu.com.
67 IN PTR mx2.magedu.com.
64 IN PTR www.magedu.com.
65 IN PTR www.magedu.com.
[root@localhost ~]# service named start
正向解析:
[root@localhost ~]# dig @192.168.11.164 www.magedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @192.168.11.161 www.magedu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.168.11.164
www.magedu.com. 86400 IN A 192.168.11.165
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.11.164
ns2.magedu.com. 86400 IN A 192.168.11.165
;; Query time: 0 msec
;; SERVER: 192.168.11.161#53(192.168.11.164)
;; WHEN: Sat Oct 22 21:15:11 2016
;; MSG SIZE rcvd: 132
反向解析
[root@localhost ~]# dig -x 192.168.11.164 @192.168.11.164
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.11.164
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23623
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;64.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
64.1.168.192.in-addr.arpa. 86400 IN PTR ns1.magedu.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS ns2.magedu.com.
1.168.192.in-addr.arpa. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.11.164
ns2.magedu.com. 86400 IN A 192.168.11.165
;; Query time: 0 msec
;; SERVER: 192.168.11.164#53(192.168.11.164)
;; WHEN: Sat Oct 22 21:56:14 2016
;; MSG SIZE rcvd: 135
配置主從同步
[root@localhost ~]# vim /etc/named.rfc1912.zones
在末尾添加
zone "magedu.com" IN {
type slave;
masters { 192.168.11.164; };
file "slaves/magedu.com.zone";
allow-transfer { none; };
};
zone "11.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.11.164; };
file "slaves/11.168.192.zone";
allow-transfer { none; };
};
批定type類型爲slave,並指定主服務器爲192.168.11.64
[root@localhost ~]# service named start
服務啓動後,會在/var/named/slaves/自動添加magedu.com.zone和11.168.192.zone文件
[root@localhost ~]# ll /var/named/slaves/
總用量 8
-rw-r--r-- 1 named named 436 10月 22 22:13 11.168.192.zone
-rw-r--r-- 1 named named 502 10月 22 22:13 magedu.com.zone
子域授權
新增一臺IP爲192.168.1.61的服務器爲子域
在父域的區域文件中添加NS和A記錄
[root@Server ~]# vim /var/named/magedu.com.zone
添加
cdn IN NS ns1.cdn.magedu.com.
ns1.cdn IN A 192.168.11.161
[root@localhost ~]# yum -y install bind
[root@localhost ~]# scp 192.168.11.164:/etc/named.conf /etc/
[root@localhost ~]# vim /etc/named.rfc1912.zones
在末尾添加
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
zone "magedu.com" IN {
type forward;
forward only;
forwarders { 192.168.11.164; };
};
[root@localhost ~]# vim /var/named/cdn.magedu.com.zone
$TTL 86400
@ IN SOA ns.cdn.magedu.com. admin.cdn.magedu.com. (
2016092201
2H
5M
7D
12H )
IN NS ns.cdn.magedu.com.
IN MX 10 mx1.cdn.magedu.com.
IN A 192.168.11.61
ns IN A 192.168.11.161
mx1 IN A 192.168.11.161
www IN A 192.168.11.161
測試
1)子域測試
[root@localhost ~]# dig @192.168.11.161 www.cdn.magedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @192.168.11.165 www.cdn.magedu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33720
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.cdn.magedu.com. IN A
;; ANSWER SECTION:
www.cdn.magedu.com. 86400 IN A 192.168.11.161
;; AUTHORITY SECTION:
cdn.magedu.com. 86400 IN NS ns.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns.cdn.magedu.com. 86400 IN A 192.168.11.161
;; Query time: 0 msec
;; SERVER: 192.168.11.165#53(192.168.11.161)
;; WHEN: Sat Oct 22 22:16:44 2016
;; MSG SIZE rcvd: 85
2)父域測試
[root@localhost ~]# dig -t www.magedu.com
;; Warning, ignoring invalid type www.magedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27354
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518239 IN NS b.root-servers.net.
. 518239 IN NS i.root-servers.net.
. 518239 IN NS j.root-servers.net.
. 518239 IN NS k.root-servers.net.
. 518239 IN NS l.root-servers.net.
. 518239 IN NS e.root-servers.net.
. 518239 IN NS h.root-servers.net.
. 518239 IN NS f.root-servers.net.
. 518239 IN NS c.root-servers.net.
. 518239 IN NS m.root-servers.net.
. 518239 IN NS d.root-servers.net.
. 518239 IN NS a.root-servers.net.
. 518239 IN NS g.root-servers.net.
;; Query time: 0 msec
;; SERVER: 192.168.1.61 #53(192.168.11.165)
;; WHEN: Sat Oct 22 22:18:26 2016
;; MSG SIZE rcvd: 2284、請描述一次完整的http請求處理過程;
(1) 建立或處理連接:接收客戶端的請求,建立連接,或是拒絕其請求 (2) 接收請求: 接收來自於網絡的請求報文中對某資源的一次請求的過程時,web服務器也分幾種模型對併發請求進行響應: a. 單進程I/O結構:啓動一個進程處理用戶請求,而且一次只處理一個;多個請求被串行響應;實質就是排隊機制,第一個用戶的請求處理完再處理第二個,其它排隊等待。這種方式串行執行,效率不高。 b. 多進程I/O結構:並行啓動多個進程,每個進程響應一個請求; c. 複用I/O結構:一個進程響應n個請求; d. 多線程模型:一個進程生成N個線程,每個線程響應一個用戶請求; e. 複用的多進程I/O結構:啓動多個(m)進程,每個進程響應n個請求;此模式實質上爲事件驅動:event-driven,效率最高。 (3) 處理請求:對請求報文進行解析,並獲取請求的資源及請求方法等相關信息 (4) 訪問資源:獲取請求報文中請求的資源 (5) 拿到需要的資源之後,就會構建響應報文,準備向用戶回覆 (6) 發送響應報文,回覆請求 (7) 記錄日誌:對每個請求資源,詳細記錄訪問日誌信息,以便於以後的安全審查或數據分析。 以上就是一次完整的http請求的處理過程。
5、httpd所支持的處理模型有哪些,他們的分別使用於哪些環境。
httpd所支持的事務處理模型主要有: prefork worker event 他們分別使用於以下場景:、 prefork: 多進程模型,每個進程負責響應一個請求。prefork模型在工作時,由一個主進程負責生成n個子進程,即工作進程。每個工作進程 響應一個用戶請求,即使當前沒有用戶請求,它亦會預先生成多個空閒進程,隨時等待請求連接,這樣的好處是,服務器不用等到請求到達時, 纔去臨時建立進程,縮短了進程創建的時間。提高連接效率。但受限於linux的特性,工作進程數上限爲1024個,如超出該數量,服務器性能會急劇降低。 因而,prefork模型的最大併發連接數量最大爲1024。由於每個工作進程相對獨立,就算崩潰了,也不會對其它進程有明顯影響。所以,該模型的特點是穩定可靠, 適合於併發量適中而又追求穩定的用戶使用。 worker:多線程模型,每個線程響應一個請求。worker模型在工作時,也有一個主進程負責生成多個子進程,同時每個子進程負責生個多個線程,每個線程響應一個用戶 請求。同理,worker模型也會預先創建一些空閒線程來等待用戶連接。併發連接數,如果生成進程數爲m,線程爲n,則併發數可達到m*n個。但由於在linux中,原生不支持 線程,且進程本身就足夠輕量化,與線程的區別不是十分巨大,因而,worker模型在linux環境中的實際性能表現與prefork相差無幾。 event:事件驅動模型,每個線程響應n個用戶請求。event模型工作時,由主進程生成m個子進程,每個單獨的子進程可響應n個用戶請求。因而,event的併發數量可達到m*n 個,同時,因爲event的子進程爲一對多,節省了大量CPU進程間切換上下文的時間,也沒有了linux系統的1024個進程限制,所以,event模型是三種模型中效率最高的一種。 可以實破c10k的限制(即併發數1w),對海量併發的系統特別適用。
6、建立httpd服務器(基於編譯的方式進行),要求:
提供兩個基於名稱的虛擬主機:
(a)www1.stuX.com,頁面文件目錄爲/web/vhosts/www1;錯誤日誌爲/var/log/httpd/www1.err,訪問日誌爲/var/log/httpd/www1.access;
(b)www2.stuX.com,頁面文件目錄爲/web/vhosts/www2;錯誤日誌爲/var/log/httpd/www2.err,訪問日誌爲/var/log/httpd/www2.access;
(c)爲兩個虛擬主機建立各自的主頁文件index.html,內容分別爲其對應的主機名;
(d)通過www1.stuX.com/server-status輸出httpd工作狀態相關信息,且只允許提供帳號密碼才能訪問(status:status);
編譯安裝httpd
首先編譯apr apache portable runtime,
[root@www LAMP]# cd apr-1.5.2/
[root@www apr-1.5.2]# ./configure –prefix=/usr/local/apr
[root@www apr-1.5.2]# make && make install
然後編譯apr-util
[root@www LAMP]# cd apr-util-1.5.4/
[root@www apr-util-1.5.4]# ./configure –prefix=/usr/local/apr-util –with-apr=/usr/local/apr
[root@www apr-util-1.5.4]# make && make install
開始編譯httpd2.4.16
[root@www LAMP]# cd httpd-2.4.16/
[root@www httpd-2.4.16]# groupadd -r apache
[root@www httpd-2.4.16]# useradd -r -g apache apache
##mpm選擇prefork方式,編譯安裝
[root@www httpd-2.4.16]# ./configure –prefix=/usr/local/apache –sysconf=/etc/httpd24 –enable-so –enable-ssl –enable-cgi –enable-rewrite –with-zlib –with-pcre –with-apr=/usr/local/apr –with-apr-util=/usr/local/apr-util/ –enable-modules=most –enable-mpms-shared=all –with-mpm=prefork
[root@www httpd-2.4.16]# make && make install
##關閉selinux
[root@www bin]# setenforce 0
[root@www bin]# getenforce
Permissive
##關閉防火牆
[root@www selinux]# systemctl stop firewalld.service
[root@www selinux]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@www selinux]#
##將apache的bin加入PATH變量中
[root@www profile.d]# vim /etc/profile.d/httpd.sh
PATH=$PATH:/usr/local/apache/bin
##輸出頭文件
[root@www apache]# ln -sv /usr/local/apache/include/ /usr/include/apache
a/usr/include/apachea -> a/usr/local/apache/include/a
[root@www apache]#
##檢查幫助文件
[root@www etc]# vim man_db.conf
MANDB_MAP /usr/local/apache/man
##啓動apache
[root@www httpd]# apachectl start
[root@www httpd]# ss -ntlp | grep :80
LISTEN 0 128 :::80 :::* users:(("httpd",pid=26283,fd=4),("httpd",pid=26282,fd=4),("httpd",pid=26281,fd=4),("httpd",pid=26280,fd=4))
##配置網站,添加兩個虛擬主機
[root@www httpd]# vim /etc/httpd/httpd.conf
##禁用主站的目錄
#DocumentRoot "/usr/local/apache/htdocs"
##啓用虛擬主機
# Virtual hosts
Include /etc/httpd/extra/httpd-vhosts.conf
##測試配置
[root@www httpd]# httpd -t
AH00112: Warning: DocumentRoot [/web/vhosts/www1] does not exist
AH00112: Warning: DocumentRoot [/web/vhosts/www2] does not exist
(2)No such file or directory: AH02291: Cannot access directory '/var/log/httpd/' for error log of vhost defined at /etc/httpd/extra/httpd-vhosts.conf:48
(2)No such file or directory: AH02291: Cannot access directory '/var/log/httpd/' for error log of vhost defined at /etc/httpd/extra/httpd-vhosts.conf:41
AH00014: Configuration check failed
[root@www httpd]#
##建好相應的目錄
[root@www httpd]# mkdir -pv /web/vhosts/{www1,www2}
mkdir: created directory a/weba
mkdir: created directory a/web/vhostsa
mkdir: created directory a/web/vhosts/www1a
mkdir: created directory a/web/vhosts/www2
[root@www httpd]# mkdir /var/log/httpd -pv
mkdir: created directory a/var/log/httpda
##編輯httpd.conf主配置文件,添加兩個虛擬主機目錄的訪問權限
[root@www httpd]# vim /etc/httpd/httpd.conf
###############################
<Directory "/web/vhosts/www1">
options none
allowoverride none
Require all granted
</Directory>
<Directory "/web/vhosts/www2">
options none
allowoverride none
Require all granted
</Directory>
###############################
##編輯httpd-vhosts.conf文件,添加以下內容
[root@www extra]# vim /etc/httpd/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/web/vhosts/www1"
ServerName www1.stuX.com
ErrorLog "/var/log/httpd/www1.err"
CustomLog "/var/log/httpd/www1.access" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/web/vhosts/www2"
ServerName www2.stuX.com
ErrorLog "/var/log/httpd/www2.err"
CustomLog "/var/log/httpd/www2.cacess" common
</VirtualHost>
[root@www httpd]#
[root@www httpd]# httpd -t
Syntax OK
##重啓服務
[root@www httpd]# apachectl stop
[root@www httpd]# apachectl start
[root@www httpd]#
##構建網站主頁文件
[root@www www2]# vim /web/vhosts/www1/index.html
<h1>www1.stuX.com</h1>
[root@www www2]# vim /web/vhosts/www2/index.html
<h1>www2.stuX.com</h1>
##在其它電腦訪問這臺主機,檢驗網站能否正常工作
[root@www httpd]# curl http://www1.stuX.com
<h1>www1.stuX.com</h1>
[root@www httpd]# curl http://www2.stuX.com
<h1>www2.stuX.com</h1>
[root@www httpd]#
##構建Server-Status設置
##在www1.stuX.com裏,增加server-status的設置,具體內容如下:
<VirtualHost *:80>
DocumentRoot "/web/vhosts/www1"
ServerName www1.stuX.com
ErrorLog "/var/log/httpd/www1.err"
CustomLog "/var/log/httpd/www1.access" common
<Location /server-status>
SetHandler server-status
AuthType Basic
AuthName "Server-Status"
AuthUserFile "/etc/httpd/.htpasswd"
Require valid-user
</Location>
</VirtualHost>
##生成.htpasswd密碼驗證文件
[root@www httpd]# htpasswd -c -m .htpasswd status
New password:
Re-type new password:
Adding password for user status
##重啓服務後訪問驗證7、爲第6題中的第2個虛擬主機提供https服務,使得用戶可以通過https安全的訪問此web站點;
(1)要求使用證書認證,證書中要求使用的國家(CN)、州(HA)、城市(ZZ)和組織(MageEdu);
(2)設置部門爲Ops,主機名爲www2.stuX.com,郵件爲[email protected];
##演示目的,CA與Web在同一主機上
[root@www CA]# touch index.txt
[root@www CA]# echo 01 > serial
[root@www CA]#
[root@www CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
………………………………………+++
…………………………………………………………………………………………………+++
e is 65537 (0x10001)
[root@www CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.epm -days 7300 -out /etc/pki/CA/cacert.pem
Error opening Private Key /etc/pki/CA/private/cakey.epm
140239236687776:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/private/cakey.epm','r')
140239236687776:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
[root@www CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.stuX.com
Email Address []:[email protected]
[root@www CA]#
[root@www CA]# cd /etc/httpd/
[root@www httpd]# mkdir ssl
[root@www httpd]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
……………………………………………………………………………………………………………………………………………………………………………+++
………………………………………………………………………………………………………………………………+++
e is 65537 (0x10001)
[root@www httpd]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@www httpd]#
[root@www httpd]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 23 10:01:20 2016 GMT
Not After : Oct 23 10:01:20 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www2.stuX.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AB:81:27:C8:00:58:44:0E:56:5C:AD:2D:10:4F:5C:0B:02:29:A8:BB
X509v3 Authority Key Identifier:
keyid:37:98:CA:7C:F9:75:5B:5A:40:4F:95:28:7B:7D:BB:25:BB:26:FC:5B
Certificate is to be certified until Oct 23 10:01:20 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@www httpd]#
[root@www httpd]# ls /etc/pki/CA/certs/httpd.crt
/etc/pki/CA/certs/httpd.crt
[root@www httpd]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
[root@www httpd]# ls /etc/httpd/ssl/
httpd.crt httpd.csr httpd.key
[root@www httpd]#
#<VirtualHost _default_:443>
<VirtualHost 192.168.11.125:443>
# General setup for the virtual host
#DocumentRoot "/usr/local/apache/htdocs"
#ServerName www.example.com:443
#ServerAdmin [email protected]
#ErrorLog "/usr/local/apache/logs/error_log"
#TransferLog "/usr/local/apache/logs/access_log"
DocumentRoot "/web/vhosts/www2"
ServerName www2.stuX.com:443
ErrorLog "/var/log/httpd/www2_ssl.err"
SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
##啓用ssl模塊
LoadModule ssl_module modules/mod_ssl.so
6、在LAMP架構中,請分別以php編譯成httpd模塊形式和php以fpm工作爲獨立守護進程的方式來支持httpd,列出詳細的過程。
LAMP架構中php以模塊形式或以fpm模式,LAM都是不變的,因而本文重點關注php的安裝方法。
PHP以模塊方式運行:
安裝php ##解壓
[root@LAMP setup]# tar xf php-5.6.23.tar.bz2
##編譯
[root@localhost php-5.6.23]# ./configure –prefix=/usr/local/php –with-mysql=mysqlnd –with-openssl –with-mysqli=mysqlnd –enable-mbstring –with-freetype-dir –with-jpeg-dir –with-png-dir –with-zlib –with-libxml-dir=/usr/lib64 –enable-xml –enable-sockets –with-apxs2=/usr/local/apache/bin/apxs –with-mcrypt=/usr/local/libmcrypt –with-config-file-path=/etc –with-config-file-scan-dir=/etc/php.d –with-bz2 –enable-maintainer-zts
##php是以模塊方式運行,所以需要在編譯時指定apache的apxs2的目錄路徑 –with-apxs2=/usr/local/apache/bin/apxs
##copy配置文件到/etc目錄
## vim /etc/httpd/httpd.conf
##添加php網頁類型
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
##定位至DirectoryIndex index.html
修改爲:
DirectoryIndex index.php index.html
##重啓httpd服務
##安裝phpMyAdmin
##解壓phpMyAdmin-4.6.3-all-languages 到 htdoc目錄下,創建鏈接文件
[root@localhost htdocs]# ln -sv phpMyAdmin-4.6.3-all-languages pma
‘pma’ -> ‘phpMyAdmin-4.6.3-all-languages’
##訪問phpMyAdmin進行測試
##以fpm模式運行
##解壓
[root@LAMP setup]# tar xf php-5.6.23.tar.bz2
##編譯
[root@LAMP php-5.6.23]#./configure –prefix=/usr/local/php5 –with-mysql=mysqlnd –with-openssl –with-mysqli=mysqlnd –enable-mbstring –with-freetype-dir –with-jpeg-dir –with-png-dir –with-zlib –with-libxml-dir=/usr –enable-xml –enable-sockets –enable-fpm –with-mcrypt –with-config-file-path=/etc –with-config-file-scan-dir=/etc/php.d –with-bz2
##以fpm模式運行,使能fpm選項,–enable-fpm, –with-apxs2一項就不需要啓用了
[root@LAMP php-5.6.23]#make
[root@LAMP php-5.6.23]#make install
##copy配置文件到/etc目錄
[root@LAMP php-5.6.23]# cp php.ini-production /etc/php.ini
##php-fpm配置文件,取消pid的註釋
[root@LAMP etc]# cp /usr/local/php5/etc/php-fpm.conf.default /usr/local/php5/etc/php-fpm.conf
pid = /usr/local/php5/var/run/php-fpm.pid
##
[root@LAMP fpm]# cp php-fpm.service /lib/systemd/system/
##
[root@LAMP system]# systemctl enable php-fpm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
[root@LAMP system]# systemctl enable php-fpm.service
##./php-fpm –nodaemonize –fpm-config /usr/local/php5/etc/php-fpm.conf
##更改httpd.conf配置文件,取消proxy_module及proxy_fcgi_module的註釋
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
##重啓httpd服務即可8、建立samba共享,共享目錄爲/data,要求:(描述完整的過程)
1)共享名爲shared,工作組爲magedu;
2)添加組develop,添加用戶gentoo,centos和ubuntu,其中gentoo和centos以develop爲附加組,ubuntu不屬於develop組;密碼均爲用戶名;
3)添加samba用戶gentoo,centos和ubuntu,密碼均爲“mageedu”;
4)此samba共享shared僅允許develop組具有寫權限,其他用戶只能以只讀方式訪問;
5)此samba共享服務僅允許來自於172.16.0.0/16網絡的主機訪問;
先添加用戶並創建密碼x'z
[root@localhost ~]# groupadd develop [root@localhost ~]# useradd -G develop gentoo [root@localhost ~]# useradd -G develop centos [root@localhost ~]# useradd ubuntu [root@localhost ~]# echo "gentoo" | passwd --stdin gentoo 更改用戶 gentoo 的密碼 。 passwd: 所有的身份驗證令牌已經成功更新。 [root@localhost ~]# echo "centos" | passwd --stdin centos 更改用戶 centos 的密碼 。 passwd: 所有的身份驗證令牌已經成功更新。 [root@localhost ~]# echo "ubuntu" | passwd --stdin ubuntu 更改用戶 ubuntu 的密碼 。 passwd: 所有的身份驗證令牌已經成功更新。 [root@localhost ~]# smbpasswd -a gentoo New SMB password: Retype new SMB password: Added user gentoo. [root@localhost ~]# smbpasswd -a centos New SMB password: Retype new SMB password: Added user centos. [root@localhost ~]# smbpasswd -a ubuntu New SMB password: Retype new SMB password: Added user ubuntu.
安裝samba服務
[root@localhost ~]# yum -y install samba samba-client
然後編輯/etc/samba/smb.conf
[root@localhost ~]# vim /etc/samba/smb.conf workgroup = mageedu hosts allow = 192.168.11.125 [shared] comment = smb path = /data guest = yes writable =no write list = +develop
然後使用service smb restart重啓服務
使用windows登錄,用有權限的用戶centos登錄,並創建一個文件
進入共享的/data文件夾,查看剛纔在windows系統上創建的文件,存在,說明沒有問題
[root@localhost ~]# cd /data [root@localhost data]# ll 總用量 0 -rwxr--r--. 1 centos centos 0 10月 23 17:34 centos_testfiles.txt
如果是使用linux訪問的話,使用命令
[root@localhost data]# smbclient //192.168.11.125/centos -U ubuntu Enter ubuntu's password: Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-35.el6_8] smb: \> put /etc/issue NT_STATUS_OBJECT_PATH_NOT_FOUND opening remote file \/etc/issue smb: \> ls . D 0 Sat Oct 23 17:30:22 2016 .. DR 0 Sat Oct 23 17:30:21 2016 centos_testfiles.txt A 0 Sat Oct 23 17:34:12 2016 57807 blocks of size 524288. 51165 blocks available
9、搭建一套文件vsftp文件共享服務,共享目錄爲/ftproot,要求:(描述完整的過程)
1)基於虛擬用戶的訪問形式;
2)匿名用戶只允許下載,不允許上傳;
3)禁錮所有的用戶於其家目錄當中;
4)限制最大併發連接數爲200:;
5)匿名用戶的最大傳輸速率512KB/s
6)虛擬用戶的賬號存儲在mysql數據庫當中。
7)數據庫通過NFS進行共享。
一、 數據庫nfs的共享 在192.168.11.125服務器上安裝nfs服務,設置共享目錄爲nfshare [root@localhost ~]# yum install nfs-utils-1.2.3-39.el6.x86_64.rpm [root@localhost ~]# mkdir /nfshare 創建mysql用戶,設置 /nfshare 的所屬主,所屬組爲mysql [root@localhost ~]# groupadd –g 505 mysql [root@localhost ~]# useradd –g 505 –u 505 –s /sbin/nologin –M mysql [root@localhost ~]# chown -R mysql.mysql /nfshare 配置nfs的共享配置文件/etc/exports,/nfshare共享給制定的服務器 /nfshare 192.168.11.124/255.255.255.0(no_root_squash,rw) 啓動nfs [root@localhost ~]# service nfs start 在192.168.194.128服務器上安裝mysql,創建目錄/mydata 用來掛載nfs共享目錄。 [root@localhost ~]# yum –y install –y mysql mysql-server mysql-devel 創建mysql用戶,設置 /mydata的所屬主,所屬組爲mysql [root@localhost ~]# groupadd –g 505 mysql [root@localhost ~]# useradd –g 505 –u 505 –s /sbin/nologin –M mysql [root@localhost ~]# chown -R mysql.mysql /mydata 掛載nfs共享目錄 [root@localhost ~]# mount 192.168.194.125:/nfshare /mydata 修改mysql的配置文件,制定datadir的位置爲/mydata [root@localhost ~]# vim /etc/my.cnf [mysqld] datadir=/mydata socket=/var/lib/mysql/mysql.sock user=mysql symbolic-links=0 [mysqld_safe] log-error=/var/log/mysqld.log pid-file=/mydata/mysqld.pid 初始化mysql [root@localhost ~]# mysql_install_db –datadir=/mydata 啓動mysql [root@localhost ~]# service mysqld start 二、 vsftp文件共享服務 在192.168.11.124服務器上 創建數據庫 mysql> create database vsftpd; 創建數據庫用戶,授權對vsftpd數據庫有查詢權限 mysql> grant select on vsftpd.* to [email protected] identified by 'magedu'; mysql> grant select on vsftpd.* to [email protected] identified by 'magedu'; mysql> flush privileges; 在vsftpd數據庫中創建表users mysql> use vsftpd Database changed mysql> create table users (id int AUTO_INCREMENT NOT NULL,name char(20) binary NOT NULL,password char(48) binary NOT NULL,primary key(id)); Query OK, 0 rows affected (0.03 sec) mysql> select * from users; Empty set (0.00 sec) 插入虛擬用戶名magedu1,密碼magedu mysql> insert into users(name,password) values('magedu1',password('magedu')); Query OK, 1 row affected (0.00 sec) mysql> select * from users; +----+---------+-------------------------------------------+ | id | name| password | +----+---------+-------------------------------------------+ | 1 | magedu1 | *6B8CCC83799A26CD19D7AD9AEEADBCD30D8A8664 | +----+---------+-------------------------------------------+ 1 row in set (0.00 sec) 安裝開發環境 [root@localhost ~]# yum -y groupinstall "Development Tools" "Server Platform Development" 安裝vsftp: yum -y install vsftpd pam-devel openssl-devel 安裝pam_mysql [root@localhost ~]# tar xf pam_mysql-0.7RC1.tar.gz [root@localhost ~]# cd pam_mysql-0.7RC1 [root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/lib64/security [root@localhost pam_mysql-0.7RC1]# make && make install [root@localhost pam_mysql-0.7RC1]# ls /lib64/security 查看pm_msyql_so 模式是否安裝成功 建立pam認證所需文件 [root@localhost ~]# vim /etc/pam.d/vsftpd.mysql 添加如下兩行 auth required /lib64/security/pam_mysql.so user=vsftpd passwd=magedu host=192.168.11.124 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2 account required /lib64/security/pam_mysql.so user=vsftpd passwd=magedu host=192.168.11.124 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2 建立虛擬用戶映射的系統用戶及對應的目錄 [root@localhost ~]# useradd -s /sbin/nologin -d /ftproot vuser [root@localhost ~]# chmod go+rx /ftproot 修改ftp配置 [root@localhost ~]# vim /etc/vsftpd/vsftpd.conf anonymous_enable=YES #啓用匿名用戶訪問 local_enable=NO write_enable=NO dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES listen=YES download_enable=YES #允許下載 max_clients=50 #最大併發客戶端數目 anon_max_rate=512k #最大下載速率 pam_service_name=vsftpd userlist_enable=YES #針對系統用戶訪問的控制策略 tcp_wrappers=YES [root@centos pub]# ftp 127.0.0.1 Connected to 127.0.0.1 (127.0.0.1). 220 (vsFTPd 2.2.2) Name (127.0.0.1:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> mkdir test 550 Permission denied. ftp> mget index.html mget index.html? y 227 Entering Passive Mode (127,0,0,1,80,144). 150 Opening BINARY mode data connection for index.html (0 bytes). 226 Transfer complete. 重啓ftp 服務 service vsftpd restart 在192.168.11.125服務器上測試 [root@localhost ~]# ftp 192.168.11.124 Connected to 192.168.194.124 (192.168.11.124). 220 (vsFTPd 2.2.2) Name (192.168.11.124:root): magedu1 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. 匿名用戶vsftp的默認根目錄爲 /var/ftp/ 更多指令請man vsftpd.conf率