Notes:
1. Every service below must still work after the server is rebooted;
2. The yum service is provided via http://172.16.0.1/yum;
3. SELinux must be in permissive mode;
4. The local network is 172.16.X.0/16, the test network is 192.168.0.0/24;
5. Each student's IP address is 172.16.X.1, netmask 255.255.0.0, gateway 172.16.0.1, DNS server 172.16.0.1, hostname stuX.magedu.com, where X is your seat number;
Edit /etc/yum.repos.d/ftp.repo (the option is spelled "enabled"; yum ignores an unknown "enable" key)
[Server]
name=Server
baseurl=ftp://172.16.0.1/pub/Server
enabled=1
gpgcheck=0
[VT]
name=VT
baseurl=ftp://172.16.0.1/pub/VT
enabled=1
gpgcheck=0
[ClusterStorage]
name=ClusterStorage
baseurl=ftp://172.16.0.1/pub/ClusterStorage
enabled=1
gpgcheck=0
[Cluster]
name=Cluster
baseurl=ftp://172.16.0.1/pub/Cluster
enabled=1
gpgcheck=0
Edit /etc/selinux/config
SELINUX=permissive
Edit /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:78:86:77
IPADDR=172.16.16.1
NETMASK=255.255.0.0
ONBOOT=yes
Edit /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=stu16.magedu.com
GATEWAY=172.16.0.1
Edit /etc/resolv.conf
nameserver 172.16.16.1
search localdomain
1. Hostname resolution server configuration; requirements:
1) Build a DNS server authoritative for the domain magedu.com;
2) The MX record must point to mail.magedu.com, whose A record is this host's IP;
3) The NS record must point to ns.magedu.com, whose A record is this host's IP;
4) Create A records www1, www2 and proxy pointing to this host's IP; create alias (CNAME) records pop3 and imaps for the mail host;
5) Create PTR records for all A records;
6) The magedu.com zone allows zone transfers only to hosts in 172.16.0.0/16; the corresponding reverse zone allows zone transfers to no host;
7) Create subdomain delegations in the forward zone for two subdomains, tech.magedu.com and fin.magedu.com, with the subdomain servers at 172.16.x.5 (only the records that implement the delegation are required);
8) Forward all requests for the example.com domain to 172.16.0.1 for resolution;
9) This DNS service refuses service to any host in the 192.168.1.0/24 network;
yum install bind97
yum install bind97-devel
# Requirement 9: DNS is served on port 53 (UDP and TCP), so the rejection
# must target 53, not 25 (SMTP) as originally written.
iptables -t filter -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j REJECT
iptables -t filter -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j REJECT
# /etc/sysconfig/iptables is a file written by iptables-save; it must not be created as a directory.
iptables-save > /etc/sysconfig/iptables
Edit /etc/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 172.16.0.0/16; };   // requirement 6: transfers only to the local /16
};
zone "16.172.in-addr.arpa" IN {
    type master;
    file "172.16.zone";
    allow-transfer { none; };            // reverse zone: no transfers at all
};
zone "example.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.0.1; };          // requirement 8
};
Edit /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@       IN  SOA    mail.magedu.com. admin.magedu.com. (
                   2012111001   ; serial
                   1H           ; refresh
                   2M           ; retry
                   7D           ; expire
                   1D )         ; negative caching TTL
        IN  NS     mail
        IN  NS     www1
        IN  NS     www2
        IN  NS     proxy
        IN  MX 10  mail
pop3    IN  CNAME  mail
imaps   IN  CNAME  mail
mail    IN  A      172.16.16.1
www1    IN  A      172.16.16.1
www2    IN  A      172.16.16.1
proxy   IN  A      172.16.16.1
; requirement 7: delegation of the two subdomains, with glue A records
tech.magedu.com.       IN  NS  mail.tech.magedu.com.
mail.tech.magedu.com.  IN  A   172.16.16.5
fin.magedu.com.        IN  NS  mail.fin.magedu.com.
mail.fin.magedu.com.   IN  A   172.16.16.5
Edit /var/named/172.16.zone
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
; the SOA names must be fully qualified (trailing dot), otherwise $ORIGIN is appended to them
@       IN  SOA  mail.magedu.com. admin.magedu.com. (
                 2012111101   ; serial
                 2H           ; refresh
                 10M          ; retry
                 11D          ; expire
                 1D )         ; negative caching TTL
        IN  NS   mail.magedu.com.
        IN  NS   www1.magedu.com.
        IN  NS   www2.magedu.com.
        IN  NS   proxy.magedu.com.
; owner names are relative to $ORIGIN: 1.16 is 1.16.16.172.in-addr.arpa., i.e. 172.16.16.1
1.16    IN  PTR  mail.magedu.com.
1.16    IN  PTR  www1.magedu.com.
1.16    IN  PTR  www2.magedu.com.
1.16    IN  PTR  proxy.magedu.com.
Start the service: service named start
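Requirement 5 asks for a PTR record for every A record, and the reverse zone above types the relative owner names (1.16) by hand. As an added example, not part of the lab writeup, the following POSIX shell script derives those owner names from a list of A records for a given reverse $ORIGIN and reports addresses the zone does not cover; the A_RECORDS list is constructed from the forward zone above plus one host on the 192.168.0.0/24 test network, and IPv4 addresses are assumed.

```shell
#!/bin/sh
# Added example: derive reverse-zone PTR records from forward-zone A records.
set -eu

# Constructed input: "fqdn ip" pairs from magedu.com.zone, plus one host that
# the 16.172.in-addr.arpa zone does not cover.
A_RECORDS='mail.magedu.com. 172.16.16.1
www1.magedu.com. 172.16.16.1
www2.magedu.com. 172.16.16.1
proxy.magedu.com. 172.16.16.1
mail.tech.magedu.com. 172.16.16.5
test.magedu.com. 192.168.0.10'

# reverse_name IPV4 -> full reverse name, e.g. 172.16.16.1 -> 1.16.16.172.in-addr.arpa.
reverse_name() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# ptr_owner IPV4 ORIGIN -> owner name relative to $ORIGIN (1.16 for 172.16.16.1
# in 16.172.in-addr.arpa.); fails when the address lies outside that zone.
ptr_owner() {
    rev=$(reverse_name "$1")
    case "$rev" in
        *".$2") echo "${rev%".$2"}" ;;
        *)      return 1 ;;
    esac
}

# gen_ptr_records ORIGIN < "fqdn ip" lines -> one PTR line per record that
# belongs in this zone; the others are reported on stderr, not silently dropped.
gen_ptr_records() {
    origin=$1
    while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        if owner=$(ptr_owner "$ip" "$origin"); then
            printf '%-8s IN PTR %s\n' "$owner" "$fqdn"
        else
            echo "skip: $fqdn ($ip) is not in $origin" >&2
        fi
    done
}

# Emit the PTR records for this lab's /16 reverse zone.
printf '$ORIGIN %s\n' "16.172.in-addr.arpa."
echo "$A_RECORDS" | gen_ptr_records "16.172.in-addr.arpa."
```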
2. Build an httpd server (compiled from source); requirements:
1) Provide two name-based virtual hosts:
(a) www1.magedu.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.magedu.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) create an index.html home page for each virtual host, containing its own hostname;
(d) expose httpd's working status via www1.magedu.com/server-status, accessible only with a username and password (status:status);
2) The www1 host may be accessed only by clients in 172.16.0.0/16; the www2 host may be accessed by all hosts;
ftp://172.16.0.1/pub/Sources/new_lamp
apr-1.4.6.tar.bz2
apr-devel-1.4.6-1.i386.rpm
apr-util-1.4.1.tar.bz2
apr-util-devel-1.4.1-1.i386.rpm
# yum install pcre-devel
# tar xf httpd-2.4.3.tar.bz2
# cd httpd-2.4.3
# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-mpms-shared=all --with-mpm=event
# make && make install
vim /etc/rc.d/init.d/httpd
#!/bin/bash
#
# httpd        Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# config: /etc/httpd/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /usr/local/apache/logs/httpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
    . /etc/sysconfig/httpd
fi

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=${HTTPD-/usr/local/apache/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/usr/local/apache/logs/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0

start() {
    echo -n $"Starting $prog: "
    LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} -d 10 $httpd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
    return $RETVAL
}

reload() {
    echo -n $"Reloading $prog: "
    # Only signal the running server when the configuration still parses.
    if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
        RETVAL=$?
        echo $"not reloading due to configuration syntax error"
        failure $"not reloading $httpd due to configuration syntax error"
    else
        killproc -p ${pidfile} $httpd -HUP
        RETVAL=$?
    fi
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p ${pidfile} $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f ${pidfile} ] ; then
            stop
            start
        fi
        ;;
    reload)
        reload
        ;;
    graceful|help|configtest|fullstatus)
        $apachectl $@
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
        exit 1
esac
exit $RETVAL
Then make the script executable and register it as a service:
# chmod +x /etc/rc.d/init.d/httpd
# chkconfig --add httpd
Add the commands to the system PATH. Because my Apache is installed under /usr/local, its executables in bin have to be looked up in that directory as well.
vim /etc/profile.d/httpd.sh
PATH=$PATH:/usr/local/apache/bin
export PATH
Make it take effect immediately: source /etc/profile.d/httpd.sh
In the main configuration file /etc/httpd/httpd.conf, comment out the following lines
#<Directory />
# AllowOverride none
# Require all denied
#</Directory>
#DocumentRoot "/usr/local/apache/htdocs"
and, in the same main configuration file, uncomment this line
Include /etc/httpd/extra/httpd-vhosts.conf
Define the following in the virtual host configuration file /etc/httpd/extra/httpd-vhosts.conf (mod_status, mod_auth_basic, mod_authn_file and mod_authz_user must be loaded in httpd.conf)
<VirtualHost *:80>
    ServerName www1.magedu.com
    DocumentRoot "/web/vhosts/www1"
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Location /server-status>
        SetHandler server-status
        # AllowOverride is only valid inside <Directory>; placed here it stops
        # httpd from starting, so it is left out.
        AuthType Basic
        AuthName "Limit..."
        AuthUserFile "/etc/httpd/user"
        Require valid-user
    </Location>
    <Directory /web/vhosts/www1>
        # requirement 2: only clients in 172.16.0.0/16; anything else is denied
        Require ip 172.16.0.0/16
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www2.magedu.com
    DocumentRoot "/web/vhosts/www2"
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    <Directory /web/vhosts/www2>
        Require all granted
    </Directory>
</VirtualHost>
Create the virtual hosts' web pages and the directory for their logs (the .err and .access paths are files that httpd creates; only the parent directory is needed)
mkdir /web/vhosts/www1 -pv
mkdir /web/vhosts/www2 -pv
vim /web/vhosts/www1/index.html
www1.magedu.com
vim /web/vhosts/www2/index.html
www2.magedu.com
mkdir /var/log/httpd -pv
service httpd restart
Provide a username and password for viewing Apache's status information. The user is htuser and the password is redhat; htpasswd -c creates /etc/httpd/user as a file:
htpasswd -c -m /etc/httpd/user htuser
Visiting http://www1.magedu.com/server-status on this site now requires a username and password
3. Build an nginx server (the requirement list is given at the end of this task):
yum install pcre
yum install pcre-devel
lftp 172.16.0.1:/pub/Sources/nginx> get nginx-1.2.3.tar.gz
tar xf nginx-1.2.3.tar.gz
cd nginx-1.2.3
./configure \
--prefix=/usr \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
--http-scgi-temp-path=/var/tmp/nginx/scgi \
--with-pcre=/usr
# make && make install
Note: httpd already occupies port 80 and nginx's default port is also 80, so the httpd service has to be stopped first.
service httpd stop
Provide a SysV init script for nginx:
Create the file /etc/rc.d/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

make_dirs() {
    # Create the temp directories passed to ./configure (the *-temp-path
    # options) if they do not exist yet, owned by the configured --user.
    user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
    options=`$nginx -V 2>&1 | grep 'configure arguments:'`
    for opt in $options; do
        if [ `echo $opt | grep '.*-temp-path'` ]; then
            value=`echo $opt | cut -d "=" -f 2`
            if [ ! -d "$value" ]; then
                # echo "creating" $value
                mkdir -p $value && chown -R $user $value
            fi
        fi
    done
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart      # restart only when nginx is already running
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
Then make the script executable:
# chmod +x /etc/rc.d/init.d/nginx
Add it to the service management list and enable it at boot:
# chkconfig --add nginx
# chkconfig nginx on
Start the service and confirm that nginx is working:
service nginx start
Add the virtual hosts: vim /etc/nginx/nginx.conf [each server block is one virtual host; they go inside the http { } block]
server {
    listen       8080;
    server_name  www1.magedu.com;
    access_log   /var/log/nginx/www1.access;
    error_log    /var/log/nginx/www1.err;
    location / {
        # a relative root resolves against --prefix=/usr, so this is the same as www/htdocs/www1
        root   /usr/www/htdocs/www1;
        index  index.html;
    }
    location /server-status {
        stub_status on;
        auth_basic "please input username-password";
        auth_basic_user_file "/etc/nginx/user";
    }
}
server {
    listen       8080;
    server_name  www2.magedu.com;
    access_log   /var/log/nginx/www2.access;
    error_log    /var/log/nginx/www2.err;
    location / {
        root   /usr/www/htdocs/www2;
        index  index.html;
        allow  172.16.0.0/16;   # requirement 3: only the local /16
        deny   all;
    }
}
Create the web page files and the directory for the log files
mkdir -p /usr/www/htdocs/www1
vim /usr/www/htdocs/www1/index.html
hello nginx www1
mkdir -p /usr/www/htdocs/www2
vim /usr/www/htdocs/www2/index.html
hello nginx www2
mkdir /var/log/nginx
Restart the service:
service nginx restart
Provide the username nguser and password nguser for the status output
[Note: nginx itself has no tool for creating users and hashed passwords,
so we borrow the htpasswd command from httpd; install httpd beforehand and
remove it again afterwards if you like]
htpasswd -c creates /etc/nginx/user as a file, so do not create a directory of that name first:
htpasswd -c -m /etc/nginx/user nguser (after entering this command you will be prompted for the password)
iptables -t filter -A OUTPUT -s 172.16.16.1 -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 172.16.16.1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
Requirements for task 3:
1) Serve on port 8080; provide a SysV service control script for nginx;
2) Provide two name-based virtual hosts (both served on port 8080):
(a) www1.magedu.com:8080, document root /www/htdocs/www1; error log /var/log/nginx/www1.err, access log /var/log/nginx/www1.access;
(b) www2.magedu.com:8080, document root /www/htdocs/www2; error log /var/log/nginx/www2.err, access log /var/log/nginx/www2.access;
3) The www2 host may be accessed only by hosts in 172.16.0.0/16;
4) Expose nginx's working status via www1.magedu.com:8080/server-status, accessible only with a username and password (status:status);
5) On port 8080 of this host, allow only established connections outbound, and only new and established connections inbound;
4. Provide an https service for the second virtual host from task 2, so that users can access this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country (CN), state (Henan), city (Zhengzhou) and organization (MageEdu);
(2) Set the department to TECH, the hostname to www2.magedu.com and the e-mail address to [email protected];
(3) This service must deny access from hosts in the 192.168.1.0/24 network;
vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Henan
localityName = Locality Name (eg, city)
localityName_default = Zhengzhou
0.organizationName = Organization Name (eg, company)
0.organizationName_default = MageEdu
organizationalUnitName_default = TECH
[Note: when filling in common_name, enter the name of whoever the certificate is issued to]
Use local.magedu.com when issuing the CA's own certificate
Use www2.magedu.com when issuing the httpd certificate
cd /etc/pki/CA
(umask 077; openssl genrsa 2048 > private/cakey.pem)
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem
mkdir certs newcerts crl
touch index.txt
echo 01 > serial
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077; openssl genrsa 1024 > httpd.key)
openssl req -new -key httpd.key -out httpd.csr
openssl ca -in httpd.csr -out httpd.crt -days 365
Edit the main configuration file /etc/httpd/httpd.conf and enable the following two lines
Include /etc/httpd/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Edit the auxiliary configuration file /etc/httpd/extra/httpd-ssl.conf and change the following lines
<VirtualHost _default_:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.magedu.com:443
    ServerAdmin [email protected]
    ErrorLog "/var/log/httpd/www2.err"
    TransferLog "/var/log/httpd/www2.access"
    SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
    # (the remaining directives of the stock file are left unchanged)
</VirtualHost>
iptables -t filter -A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j DROP
iptables-save > /etc/sysconfig/iptables
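The openssl steps above issue the www2 certificate but never check the result. As an added example, not part of the lab writeup, the following shell script builds a throwaway CA in a temporary directory, issues the www2.magedu.com certificate with the DN the task requires, and then verifies the chain and every subject field. It signs with openssl x509 -req -CA instead of openssl ca so it needs no CA directory layout or openssl.cnf edits, uses a 2048-bit server key, and the e-mail address is a placeholder because the page's own is redacted.

```shell
#!/bin/sh
# Added example: issue the www2 certificate from a scratch CA and verify it.
set -eu

CA_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=TECH/CN=local.magedu.com"
# placeholder address: the lab's real value is not reproduced here
SRV_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=TECH/CN=www2.magedu.com/emailAddress=admin@example.invalid"

# make_ca DIR: self-signed CA key and certificate (the lab's two CA commands,
# with -subj so the DN is not typed interactively).
make_ca() {
    (umask 077; openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$1/cakey.pem" -subj "$CA_SUBJ" \
        -out "$1/cacert.pem" 2>/dev/null
}

# issue_server_cert DIR: key, CSR and CA-signed certificate for www2.magedu.com.
issue_server_cert() {
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$1/httpd.key" -subj "$SRV_SUBJ" -out "$1/httpd.csr" 2>/dev/null
    openssl x509 -req -in "$1/httpd.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -out "$1/httpd.crt" 2>/dev/null
}

# check_cert DIR: prints "ok" when the certificate chains to the CA and carries
# every DN field the task requires; otherwise prints what is wrong and fails.
check_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1 \
        || { echo "chain verification failed"; return 1; }
    # compat format prints the subject as /C=CN/ST=Henan/..., so each field is a substring
    subj=$(openssl x509 -in "$1/httpd.crt" -noout -subject -nameopt compat)
    for want in /C=CN /ST=Henan /L=Zhengzhou /O=MageEdu /OU=TECH /CN=www2.magedu.com; do
        case "$subj" in
            *"$want"*) ;;
            *) echo "missing $want in: $subj"; return 1 ;;
        esac
    done
    echo ok
}

WORK=$(mktemp -d)
make_ca "$WORK"
issue_server_cert "$WORK"
check_cert "$WORK"
rm -rf "$WORK"
```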
5. Provide php+mysql for the first virtual host from task 2; requirements:
(1) Show that php is enabled by adding a phpinfo() test page alongside the existing home page;
(2) Set the mysql root user's password to "123456" (the content inside the quotes);
(3) Provide phpMyAdmin, a web management interface for the local mysql service, at http://www1.magedu.com/pma;
(4) The local mysql service must only accept requests from the local host;
tar xf mysql-5.5.28-linux2.6-i686.tar.gz -C /usr/local
cd /usr/local/
ln -sv mysql-5.5.28-linux2.6-i686 mysql
cd mysql
# assumes the mysql user and group, and the /mydata/data directory owned by mysql, already exist
chown -R root:mysql .
scripts/mysql_install_db --user=mysql --datadir=/mydata/data
cd /usr/local/mysql
cp support-files/my-large.cnf /etc/my.cnf
Edit the configuration file /etc/my.cnf
thread_concurrency = 2
datadir = /mydata/data
cd /usr/local/mysql
cp support-files/mysql.server /etc/rc.d/init.d/mysqld
chmod +x /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
chkconfig mysqld on
ln -sv /usr/local/mysql/include /usr/include/mysql
echo '/usr/local/mysql/lib' > /etc/ld.so.conf.d/mysql.conf
ldconfig -v
# single quotes: with double quotes $PATH is expanded once, at write time, and frozen into the file
echo 'export PATH=$PATH:/usr/local/mysql/bin' > /etc/profile.d/mysql.sh
source /etc/profile.d/mysql.sh
lftp 172.16.0.1:/pub/Sources/new_lamp
php-5.4.8.tar.bz2
ftp://pub/Sources/nginx
cd /root (I ran these from the root directory)
rpm -ivh libmcrypt-2.5.7-5.el5.i386.rpm
rpm -ivh libmcrypt-devel-2.5.7-5.el5.i386.rpm
rpm -ivh mhash-0.9.2-6.el5.i386.rpm
rpm -ivh mhash-devel-0.9.2-6.el5.i386.rpm
rpm -ivh mcrypt-2.6.8-1.el5.i386.rpm
tar xf php-5.4.8.tar.bz2
cd php-5.4.8
./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --with-apxs2=/usr/local/apache/bin/apxs --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
make && make install
cp php.ini-production /etc/php.ini
Edit the file /etc/httpd/httpd.conf and add the following
DirectoryIndex index.php index.html (this line already exists; just add index.php)
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
cd /web/vhosts/www1
vim index.php
<?php
phpinfo();
?>
lftp 172.16.0.1:/pub/Sources/new_lamp>
phpMyAdmin-3.5.1-all-languages.tar.bz2
mkdir /web/vhosts/www1/pma
cd /web/vhosts/www1/pma
tar xf /root/phpMyAdmin-3.5.1-all-languages.tar.bz2
mv phpMyAdmin-3.5.1-all-languages/* ./
mysql
create database mydb;
grant all on mydb.* to root@'localhost' identified by '123456';
flush privileges;