Week 9 Homework
1. Describe in detail one encrypted communication session; a diagram is best.
SSL protocol basics:
The SSL protocol sits between TCP/IP and the various application-layer protocols, and is itself split into two layers:
① SSL Record Protocol: built on a reliable transport protocol (TCP), it provides the upper layer with basic services such as data encapsulation, compression and encryption.
② SSL Handshake Protocol: runs on top of the Record Protocol; before any application data is transferred, the two parties use it to authenticate each other, negotiate the encryption algorithms and exchange encryption keys.
SSL protocol communication process:
① The browser sends a connection request to the server; the server returns its certificate (containing the server public key S_PuKey), the symmetric encryption algorithms it supports and other related information to the client.
② The client browser checks whether the certificate sent by the server was issued by a CA it trusts. If so, it continues with step ④; otherwise the user is shown a warning asking whether to continue.
③ The client browser compares the information in the certificate (validity period, server domain name, public key S_PuKey) with the information the server returned; if they agree, the browser has authenticated the server.
④ The server asks the client to send its own certificate (containing the client public key C_PuKey), the symmetric ciphers it supports and other related information. On receiving it, the server performs the same identity check; if verification fails, the connection is refused.
⑤ From the cipher list the client browser sent, the server picks the strongest scheme, encrypts the choice with the client public key C_PuKey and notifies the browser.
⑥ The client decrypts with its private key C_PrKey, learns which scheme the server chose, picks a session key Key, encrypts it with the server public key S_PuKey and sends it to the server.
⑦ The server decrypts the browser's message with its private key S_PrKey and obtains the session key Key.
⑧ All subsequent data transfer is encrypted with this symmetric key Key.
What is described above is the mutually authenticated SSL exchange, in which both the server and the user must hold a certificate. SSL thus uses asymmetric keys to authenticate both parties and set up the connection, and symmetric keys to protect the data once it flows.
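The checks the browser performs in step ③, validity period and host-name agreement, as an added Python example (not part of the original answer). It works on the certificate dict that Python's ssl module returns from getpeercert(); the sample certificate is constructed from the names used in the CA transcript further down (web.trans.com issued by ca.trans.com). The host-name comparison is case-insensitive and allows a single left-most wildcard label, which is also why a certificate issued to www2.stux.com covers a ServerName written as www2.stuX.com.

```python
"""Browser-side checks from step 3 of the handshake: validity period and
host-name agreement, run over the dict layout ssl.SSLSocket.getpeercert()
returns.  Added example; the sample certificate is constructed."""
import datetime as dt
import ipaddress

# Constructed sample in getpeercert() layout; dates use the format that
# OpenSSL and the ssl module print ("Oct 29 08:05:06 2017 GMT").
SAMPLE_CERT = {
    "subject": ((("countryName", "cn"),), (("commonName", "web.trans.com"),)),
    "issuer": ((("commonName", "ca.trans.com"),),),
    "notBefore": "Oct 29 08:05:06 2016 GMT",
    "notAfter": "Oct 29 08:05:06 2017 GMT",
    "subjectAltName": (("DNS", "web.trans.com"), ("DNS", "*.trans.com")),
}


def parse_openssl_time(text):
    """'Oct 29 08:05:06 2017 GMT' -> timezone-aware UTC datetime."""
    naive = dt.datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=dt.timezone.utc)


def in_validity_period(cert, now):
    """notBefore <= now <= notAfter."""
    return (parse_openssl_time(cert["notBefore"]) <= now
            <= parse_openssl_time(cert["notAfter"]))


def _dns_name_match(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole left-most
    label and must replace exactly one label ('*.trans.com' does not cover
    'trans.com' or 'a.b.trans.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Use subjectAltName when present; fall back to the CN only when the
    certificate carries no DNS names in its SAN extension."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:                     # connecting by IP: only IP SANs count
        return any(ipaddress.ip_address(v) == addr for v in ip_names)
    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, hostname):
                return True
    return False


def check_server_cert(cert, hostname, now=None):
    """Return a list of failure reasons; an empty list means both checks passed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    if not in_validity_period(cert, now):
        problems.append("certificate is outside its validity period")
    if not hostname_matches(cert, hostname):
        problems.append("certificate does not cover host name %r" % hostname)
    return problems


if __name__ == "__main__":
    when = parse_openssl_time("Jan 15 12:00:00 2017 GMT")
    print(check_server_cert(SAMPLE_CERT, "web.trans.com", when))
    print(check_server_cert(SAMPLE_CERT, "web.trans.com"))   # expired today
```

Chain validation (step ②, "was it issued by a CA I trust") is done by the TLS library itself; these two checks are what a client must still do on the leaf certificate, and skipping either one is what makes a connection interceptable even with a valid chain.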
2. Describe the process of creating a private CA and issuing a certificate for a certificate request sent by a client.
Step 1: create the private key on the host that will become the private CA
[root@TESTSVR1 ~]# cd /etc/pki/CA
[root@TESTSVR1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................................................................................+++
e is 65537 (0x10001)
Step 2: create the files the CA host needs
[root@TESTSVR1 CA]# touch {index.txt,serial}
[root@TESTSVR1 CA]# echo 01 > serial
Step 3: the CA host generates its own certificate, i.e. issues itself a self-signed certificate
[root@TESTSVR1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:trans
Organizational Unit Name (eg, section) []:si
Common Name (eg, your name or your server's hostname) []:ca.trans.com
Email Address []:[email protected]
Step 4: the host that will use the certificate generates a certificate signing request
[root@TESTSVR2 tmp]# mkdir ssl
[root@TESTSVR2 tmp]# cd ssl
[root@TESTSVR2 ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
..++++++
e is 65537 (0x10001)
[root@TESTSVR2 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:trans
Organizational Unit Name (eg, section) []:si
Common Name (eg, your name or your server's hostname) []:web.trans.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@TESTSVR2 ssl]# ll
總用量 8
-rw-r--r--. 1 root root 700 10月 29 15:59 httpd.csr
-rw-------. 1 root root 887 10月 29 15:57 httpd.key
Step 5: copy the request file to the CA host with scp
[root@TESTSVR2 ssl]# scp httpd.csr [email protected]:/tmp/
The authenticity of host '192.168.2.41 (192.168.2.41)' can't be established.
RSA key fingerprint is 82:b3:88:c4:e5:5a:99:79:0c:44:60:a3:ed:b1:3f:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.41' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr                                     100%  700     0.7KB/s   00:00
Step 6: the CA host signs the certificate in response to the request
[root@TESTSVR1 CA]# openssl ca -in /tmp/httpd.csr -out certs/web.trans.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 29 08:05:06 2016 GMT
            Not After : Oct 29 08:05:06 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = guangzhou
            organizationName          = trans
            organizationalUnitName    = si
            commonName                = web.trans.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EF:50:FF:9C:6F:BC:23:04:6B:B7:AA:67:46:BD:42:34:B5:B5:4B:31
            X509v3 Authority Key Identifier:
                keyid:49:5C:E2:87:2E:39:1B:C8:0E:DF:6E:39:4E:68:E4:01:2E:F4:C4:4B

Certificate is to be certified until Oct 29 08:05:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 7: the CA host sends the signed certificate back to the requesting host
[root@TESTSVR1 CA]# scp certs/web.trans.com.crt 192.168.2.42:/tmp/ssl/
The authenticity of host '192.168.2.42 (192.168.2.42)' can't be established.
RSA key fingerprint is a2:e7:82:94:f3:5d:47:10:27:12:b5:17:f2:e8:06:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.42' (RSA) to the list of known hosts.
[email protected]'s password:
web.trans.com.crt                             100% 3850     3.8KB/s   00:00
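Once the CA is in operation, the index.txt database that openssl ca maintains ("Write out database with 1 new entries" above) is what records which issued certificates are still valid. The following added Python example (not from the original answer) parses that file and reports revoked, expired and soon-to-expire certificates. The two database lines are constructed to match the certificate signed above (serial 01, Not After Oct 29 08:05:06 2017 GMT) plus one revoked entry; the field layout is the one openssl ca writes (status, expiry, revocation date, serial, file name, subject DN, tab-separated).

```python
"""Expiry/revocation report over a private CA's index.txt (the database
`openssl ca` updates on every signing).  Added example; the database
content below is constructed."""
import datetime as dt

# Constructed index.txt. Fields (tab-separated): status (V valid, R revoked,
# E expired), expiry as YYMMDDHHMMSSZ, revocation "date[,reason]" (empty
# unless revoked), serial in hex, certificate file name, subject DN.
SAMPLE_INDEX = (
    "V\t171029080506Z\t\t01\tunknown\t/C=cn/O=trans/OU=si/CN=web.trans.com\n"
    "R\t171201000000Z\t161115093000Z,keyCompromise\t02\tunknown\t/C=cn/O=trans/CN=old.trans.com\n"
)


def parse_ca_time(text):
    """'171029080506Z' (ASN.1 UTCTime as written by openssl ca) -> UTC datetime."""
    return dt.datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def parse_index(text):
    """Return one dict per database row."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, filename, subject = line.split("\t")
        rev_date, _, reason = revoked.partition(",")
        entries.append({
            "status": status,
            "expires": parse_ca_time(expiry),
            "revoked": parse_ca_time(rev_date) if rev_date else None,
            "reason": reason or None,
            "serial": int(serial, 16),          # openssl ca stores serials in hex
            "filename": filename,
            "subject": subject,
        })
    return entries


def common_name(subject):
    """Pull the CN out of an OpenSSL-style '/C=..,/O=../CN=..' DN string."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return subject


def expiry_report(text, now, warn_days=30):
    """Group certificates by state: revoked, already expired, or expiring
    within warn_days.  Valid certificates outside the warning window are
    not reported."""
    report = {"revoked": [], "expired": [], "expiring": []}
    horizon = now + dt.timedelta(days=warn_days)
    for entry in parse_index(text):
        cn = common_name(entry["subject"])
        if entry["status"] == "R":
            report["revoked"].append(cn)
        elif entry["expires"] <= now:
            report["expired"].append(cn)
        elif entry["expires"] <= horizon:
            report["expiring"].append(cn)
    return report


if __name__ == "__main__":
    today = parse_ca_time("171010000000Z")     # constructed "now" for the demo
    print(expiry_report(SAMPLE_INDEX, today))
```

Run against the real /etc/pki/CA/index.txt with today's date, this is the cheapest way to notice a server certificate about to lapse before the browsers of its users do.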
3. Set up a DNS server responsible for resolving the magedu.com domain (choose the host names and IP addresses yourself)
(1) forward and reverse resolution for a number of host names;
(2) delegate the subdomain cdn.magedu.com to its own server, which resolves the host names in that subdomain;
(3) to keep the DNS service highly available, design a solution and write out the implementation in detail.
(1) Forward and reverse resolution for host names
① Install bind
[root@TESTSVR3 ~]# yum install bind
② Edit the main configuration file
[root@TESTSVR3 ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };          // listen on port 53 on all addresses
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };            // accept queries from any address
        recursion yes;                       // together with allow-query { any; } this is an
                                             // open resolver; limit with allow-recursion { <local nets>; }

        dnssec-enable no;                    // DNSSEC disabled
        dnssec-validation no;                // DNSSEC disabled

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
③ Add the forward and reverse zones
[root@TESTSVR3 ~]# vim /etc/named.rfc1912.zones
Append the following two zone definitions at the end of the file, the forward zone and the reverse zone.
zone "magedu.com." IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 192.168.2.44; };
};                                           // forward zone

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "2.168.192.zone";
        allow-transfer { 192.168.2.44; };
};                                           // reverse zone
④ Configure the forward zone file (zone files take ';' comments, not '//'; the NS record must name a host that has an A record, ns1 here, as the dig output below confirms)
[root@TESTSVR3 ~]# vim /var/named/magedu.com.zone
$TTL 1D
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com. admin.magedu.com. (
                        2016102901
                        1H
                        5M
                        7D
                        12H )
        IN      NS      ns1
        IN      NS      ns2             ; secondary DNS
        IN      MX      10 mx1
ns1     IN      A       192.168.2.43
ns2     IN      A       192.168.2.44    ; secondary DNS
mx1     IN      A       192.168.2.43
www     IN      A       192.168.2.43
ftp     IN      CNAME   www
⑤ Configure the reverse zone file
[root@TESTSVR3 ~]# vim /var/named/2.168.192.zone
$TTL 86400
$ORIGIN 2.168.192.in-addr.arpa.
@       IN      SOA     ns1.magedu.com. admin.magedu.com. (
                        2016102601 1H 5M 7D 12H )
        IN      NS      ns1.magedu.com.
@       IN      NS      ns2.magedu.com.  ; secondary DNS
43      IN      PTR     ns1.magedu.com.
44      IN      PTR     ns2.magedu.com.  ; secondary DNS
43      IN      PTR     www.magedu.com.
43      IN      PTR     mx1.magedu.com.
⑥ Check the forward and reverse zone files
[root@TESTSVR3 ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2016102901
OK
[root@TESTSVR3 ~]# named-checkzone 2.168.192.in-addr.arpa /var/named/2.168.192.zone
zone 2.168.192.in-addr.arpa/IN: loaded serial 2016102601
OK
⑦ Start the name service
[root@TESTSVR3 ~]# service named start
啓動 named: [確定]
⑧ Forward lookup test
[root@TESTSVR3 ~]# dig @192.168.2.43 www.magedu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.2 <<>> @192.168.2.43 www.magedu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46452
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         86400   IN      A       192.168.2.43

;; AUTHORITY SECTION:
magedu.com.             86400   IN      NS      ns2.magedu.com.
magedu.com.             86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       192.168.2.43
ns2.magedu.com.         86400   IN      A       192.168.2.44

;; Query time: 1 msec
;; SERVER: 192.168.2.43#53(192.168.2.43)
;; WHEN: Sun Oct 30 05:59:03 2016
;; MSG SIZE  rcvd: 116
⑨ Reverse lookup test
[root@TESTSVR3 ~]# dig -x 192.168.2.43 @192.168.2.43

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.2 <<>> -x 192.168.2.43 @192.168.2.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65223
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;43.2.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
43.2.168.192.in-addr.arpa. 86400 IN     PTR     www.magedu.com.
43.2.168.192.in-addr.arpa. 86400 IN     PTR     mx1.magedu.com.
43.2.168.192.in-addr.arpa. 86400 IN     PTR     ns1.magedu.com.

;; AUTHORITY SECTION:
2.168.192.in-addr.arpa. 86400   IN      NS      ns2.magedu.com.
2.168.192.in-addr.arpa. 86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       192.168.2.43
ns2.magedu.com.         86400   IN      A       192.168.2.44

;; Query time: 1 msec
;; SERVER: 192.168.2.43#53(192.168.2.43)
;; WHEN: Sun Oct 30 06:00:22 2016
;; MSG SIZE  rcvd: 171
(2) High availability of the DNS service
Add the secondary DNS server's records to the forward and reverse zone files; they are marked in the configuration above. The secondary only needs the zone declarations, not the zone data files: its data is transferred from the master and stored under /var/named/slaves/.
Edit /etc/named.rfc1912.zones on the secondary server and append the following:
zone "magedu.com" IN {
        type slave;
        masters { 192.168.2.43; };
        file "slaves/magedu.com.zone";
        allow-transfer { none; };
};

zone "2.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.2.43; };
        file "slaves/2.168.192.zone";
        allow-transfer { none; };
};
Set type to slave (secondary), point masters { 192.168.2.43; }; at the master server, and use allow-transfer { none; }; so that this secondary does not let any other host transfer the zone data. Then check the syntax with named-checkconf and run service named start.
(3) Subdomain delegation
The parent zone's server is 192.168.2.43, its secondary is 192.168.2.44, and the subdomain's server is 192.168.2.45.
① Add the NS and glue A records to the parent zone file
[root@TESTSVR3 ~]# vim /var/named/magedu.com.zone
cdn.magedu.com.         IN      NS      ns.cdn.magedu.com.
ns.cdn.magedu.com.      IN      A       192.168.2.45
② Configure the subdomain DNS server (the zone file name must match the file created in the next step)
[root@TESTSVR5 ~]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
        type master;
        file "cdn.magedu.com.zone";
};

zone "magedu.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.2.43; };
};
③ Edit the zone file on the subdomain server
[root@TESTSVR5 ~]# vim /var/named/cdn.magedu.com.zone
$TTL 86400
@       IN      SOA     ns.cdn.magedu.com. admin.cdn.magedu.com. (
                        2016102901 2H 5M 7D 12H )
        IN      NS      ns.cdn.magedu.com.
        IN      MX      10 mx1.cdn.magedu.com.
ns.cdn.magedu.com.      IN      A       192.168.2.45
mx1.cdn.magedu.com.     IN      A       192.168.2.45
www                     IN      A       192.168.2.45
Check the syntax, then reload the service.
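The forward zone, the reverse zone and the cdn.magedu.com delegation above only work together if every NS (and MX) target has an A record or glue and every PTR points back at a name whose A record is that address; named-checkzone checks each file's syntax but not this agreement across files. The following added Python example (not part of the original answer) parses both zone files and reports any mismatch. The zone text is constructed to mirror the /var/named files above, written with ';' comments (the comment character zone files accept); the small parser handles $TTL, $ORIGIN, @, inherited owners and multi-line SOA records, and nothing else.

```python
"""Cross-check of a forward zone against its reverse zone: NS/MX targets
must have A records (or glue) and every PTR must agree with an A record.
Added example; the zone text is constructed after this page's files."""
import ipaddress

FORWARD_ZONE = """\
$TTL 1D
$ORIGIN magedu.com.
@   IN SOA ns1.magedu.com. admin.magedu.com. (
        2016102901 1H 5M 7D 12H )
    IN NS ns1
    IN NS ns2          ; secondary
    IN MX 10 mx1
ns1 IN A 192.168.2.43
ns2 IN A 192.168.2.44
mx1 IN A 192.168.2.43
www IN A 192.168.2.43
ftp IN CNAME www
cdn.magedu.com.    IN NS ns.cdn.magedu.com.   ; delegation
ns.cdn.magedu.com. IN A  192.168.2.45         ; glue
"""

REVERSE_ZONE = """\
$TTL 86400
$ORIGIN 2.168.192.in-addr.arpa.
@  IN SOA ns1.magedu.com. admin.magedu.com. ( 2016102601 1H 5M 7D 12H )
   IN NS ns1.magedu.com.
   IN NS ns2.magedu.com.
43 IN PTR ns1.magedu.com.
44 IN PTR ns2.magedu.com.
43 IN PTR www.magedu.com.
43 IN PTR mx1.magedu.com.
"""

TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # rdata index holding a name


def _logical_lines(text):
    """Strip ';' comments and join physical lines until parentheses balance."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and not buf:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _absolute(name, origin):
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return [(owner, type, rdata_tokens)] with all names made absolute."""
    records, origin, owner = [], None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not line[0].isspace():             # explicit owner on this line
            name = tokens.pop(0)
            owner = origin if name == "@" else _absolute(name, origin)
        while tokens and tokens[0].upper() not in TYPES:
            tokens.pop(0)                     # optional TTL and class
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = _absolute(rdata[NAME_FIELD[rtype]], origin)
        records.append((owner.lower(), rtype, rdata))
    return records


def ptr_owner_to_ip(owner):
    """'43.2.168.192.in-addr.arpa.' -> '192.168.2.43'"""
    labels = owner.rstrip(".").split(".")[:-2]          # drop in-addr.arpa
    return str(ipaddress.ip_address(".".join(reversed(labels))))


def check_zones(forward_text, reverse_text):
    """Return a list of human-readable problems; empty means consistent."""
    fwd, rev = parse_zone(forward_text), parse_zone(reverse_text)
    a_records = {}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    problems = []
    for owner, rtype, rdata in fwd + rev:
        if rtype in ("NS", "MX"):
            target = rdata[NAME_FIELD[rtype]].lower()
            if target not in a_records:
                problems.append("%s %s -> %s has no A record" % (owner, rtype, target))
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            ip = ptr_owner_to_ip(owner)
            if ip not in a_records.get(rdata[0].lower(), set()):
                problems.append("PTR %s -> %s has no matching A record" % (ip, rdata[0]))
    return problems


if __name__ == "__main__":
    print(check_zones(FORWARD_ZONE, REVERSE_ZONE) or "zones are consistent")
```

The same check explains why the original "IN NS ns" line would have been wrong even though named-checkzone loads it: ns.magedu.com has no A record, so the delegation would point at a name that never resolves.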
4. Describe the complete processing of one HTTP request;
① Request resolution of the domain name from the root name servers; the root servers return the corresponding IP information;
② The user's web browser establishes a TCP connection to port 80 on the server with a three-way handshake;
③ Once the TCP connection is up, the browser sends an HTTP request. The request consists of the request method, the URL and the protocol version; the methods are GET, HEAD, POST, PUT, DELETE, OPTIONS and TRACE. For example:
Start line: e.g. GET / HTTP/1.0 (request method, requested URL, protocol used)
Headers: name/value pairs such as User-Agent and Host
Body
④ The server responds with the HTTP headers; after the client acknowledges them, the HTTP server sends the data;
⑤ The browser receives the data, parses it and renders the page for the user;
⑥ When the transfer is complete, the TCP connection is closed with the four-way teardown;
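The request layout described in step ③ (start line, header pairs, blank line, body) as an added Python parser, not from the original answer. It accepts only the seven methods listed and refuses anything ambiguous, a duplicate Host or Content-Length, a body whose length disagrees with Content-Length, an HTTP/1.1 request without Host, rather than guessing what was meant; the sample request bytes are constructed.

```python
"""Strict parser for the HTTP request layout: start line, headers, blank
line, body.  Added example; SAMPLE_GET is a constructed request."""

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
VERSIONS = ("HTTP/1.0", "HTTP/1.1")


class BadRequest(ValueError):
    """Raised for anything that does not match the expected layout."""


def parse_request(raw):
    """Parse raw request bytes into a dict; raise BadRequest on any defect."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("no blank line between headers and body")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in start line or headers")

    # Start line: exactly three space-separated fields.
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("start line must be METHOD URL VERSION")
    method, target, version = parts
    if method not in METHODS:
        raise BadRequest("unknown method %r" % method)
    if version not in VERSIONS:
        raise BadRequest("unsupported version %r" % version)

    # Headers: 'Name: value' pairs; names are case-insensitive.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip() or " " in name:
            raise BadRequest("malformed header line %r" % line)
        key = name.lower()
        if key in headers and key in ("host", "content-length"):
            raise BadRequest("duplicate %s header" % key)   # ambiguous framing is refused
        headers[key] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 requires a Host header")
    if "transfer-encoding" in headers:
        raise BadRequest("chunked framing is not handled by this parser")

    # Body: present only when Content-Length says so, and exactly that long.
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise BadRequest("Content-Length must be decimal digits")
        if len(body) != int(headers["content-length"]):
            raise BadRequest("body length does not match Content-Length")
    elif body:
        raise BadRequest("body present without Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_well_formed(raw):
    """True if parse_request accepts the bytes, False otherwise."""
    try:
        parse_request(raw)
        return True
    except BadRequest:
        return False


# Constructed request in the shape the step above describes.
SAMPLE_GET = (b"GET / HTTP/1.0\r\n"
              b"Host: www.magedu.com\r\n"
              b"User-Agent: curl/7.19.7\r\n"
              b"\r\n")

if __name__ == "__main__":
    print(parse_request(SAMPLE_GET))
```

Refusing rather than repairing is the point: a server and a proxy that each "fix" a malformed request differently is how two components end up disagreeing about where one request ends and the next begins.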
5. Which processing models does httpd support, and which environments is each suited to?
The request-processing models httpd supports are prefork, worker and event.
prefork: multi-process model, one process per request. A master process spawns n child processes (also called worker processes), each handling one user request; even with no requests pending, several idle processes are pre-spawned and wait for requests to arrive; the count never exceeds 1024.
worker: multi-threaded model, one thread per request. A master process spawns several child processes, each child spawns several threads, and each thread serves one request.
event: event-driven model, each thread serves n requests. A master process spawns m child processes, and each child directly serves n requests.
Suitable scenarios:
prefork: suited to systems without thread-safe libraries, where thread-compatibility problems must be avoided.
worker: suited to high-traffic HTTP servers where the memory footprint should be small. Its drawback is that if one thread crashes, the whole process dies together with all of its threads. prefork is slightly faster than worker, but it also needs somewhat more CPU and memory than worker.
6. Build an httpd server (compiled from source) with the following requirements:
Provide two name-based virtual hosts:
(a) www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) create an index.html home page for each virtual host, containing its own host name;
(d) expose httpd's working status at www1.stuX.com/server-status, accessible only with a username and password (status:status);
I. Compile and install httpd
① Compile and install apr
[root@TESTSVR6 apr-1.5.1]# ./configure --prefix=/usr/local/apr
[root@TESTSVR6 apr-1.5.1]# make && make install
② Compile and install apr-util
[root@TESTSVR6 ]# cd apr-util-1.5.4
[root@TESTSVR6 apr-util-1.5.4]# ./configure --with-apr=/usr/local/apr --prefix=/usr/local/apr-util
[root@TESTSVR6 apr-util-1.5.4]# make && make install
③ Compile and install httpd
[root@TESTSVR6 ]# cd httpd-2.4.23
[root@TESTSVR6 httpd-2.4.23]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
[root@TESTSVR6 httpd-2.4.23]# make && make install
II. Create the sites
① Create the site directories
[root@TESTSVR6 httpd-2.4.23]# mkdir -pv /web/vhosts/{www1,www2}/
mkdir: 已創建目錄 "/web"
mkdir: 已創建目錄 "/web/vhosts"
mkdir: 已創建目錄 "/web/vhosts/www1/"
mkdir: 已創建目錄 "/web/vhosts/www2/"
② Create the site files
[root@TESTSVR6 httpd-2.4.23]# echo "www1.stuX.com" > /web/vhosts/www1/index.html
[root@TESTSVR6 httpd-2.4.23]# echo "www2.stuX.com" > /web/vhosts/www2/index.html
III. Create the virtual hosts
① Edit the main configuration file
[root@TESTSVR6 httpd-2.4.23]# vim /usr/local/apache/conf/httpd.conf
#DocumentRoot "/usr/local/apache/htdocs"
Include conf/extra/httpd-vhosts.conf
② Edit the virtual host file
[root@TESTSVR6 httpd-2.4.23]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    # ServerAdmin [email protected]
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.stuX.com
    # ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    # ServerAdmin [email protected]
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stuX.com
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
③ Create the status page and add authentication to it
[root@TESTSVR6 apache]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    # ServerAdmin [email protected]
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.stuX.com
    # ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "Server-Status"
        AuthUserFile "/usr/local/apache/.htpasswd"
        Require valid-user
    </Location>
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
④ Create the virtual user
[root@TESTSVR6 ]# htpasswd -c -m /usr/local/apache/.htpasswd status
⑤ Restart and test
[root@TESTSVR6]# /usr/local/apache/bin/apachectl restart
[root@TESTSVR6 apache]# curl www1.stuX.com
www1.stuX.com
[root@TESTSVR6 apache]# curl www2.stuX.com
www2.stuX.com
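Because the www1 virtual host above writes its access log in Common Log Format (CustomLog ... common) and protects /server-status with Basic authentication, every wrong password shows up in /var/log/httpd/www1.access as a 401. The following added Python example (not part of the original answer) parses such a log and reports clients that accumulated several 401s on /server-status; the log lines are constructed.

```python
"""Count failed Basic-auth attempts on /server-status from a Common Log
Format access log.  Added example; the log lines are constructed."""
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: one client failing three times, one authenticated
# read by user "status", one single failure, and one non-CLF line.
SAMPLE_LOG = """\
192.168.2.50 - - [30/Oct/2016:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 14
192.168.2.50 - - [30/Oct/2016:10:00:05 +0800] "GET /server-status HTTP/1.1" 401 381
192.168.2.50 - - [30/Oct/2016:10:00:06 +0800] "GET /server-status HTTP/1.1" 401 381
192.168.2.50 - - [30/Oct/2016:10:00:07 +0800] "GET /server-status HTTP/1.1" 401 381
192.168.2.60 - status [30/Oct/2016:10:01:00 +0800] "GET /server-status HTTP/1.1" 200 3421
192.168.2.70 - - [30/Oct/2016:10:02:00 +0800] "GET /server-status?auto HTTP/1.1" 401 381
this line is not in common log format
"""


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    match = CLF.match(line)
    return match.groupdict() if match else None


def failed_status_logins(log_text, threshold=3):
    """Return {client_ip: count} for clients with at least `threshold`
    401 responses on /server-status (query string ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_clf(line)
        if record is None:
            continue                      # skip lines that are not CLF rather than abort
        path = record["path"].split("?", 1)[0]
        if path == "/server-status" and record["status"] == "401":
            counts[record["host"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_status_logins(SAMPLE_LOG))
```

The "common" format records the authenticated user in the third field, so the same parser also tells you which account read the status page successfully (192.168.2.60 as status in the sample).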
7. Provide HTTPS for the second virtual host from question 6, so that users can access the site securely over https;
(1) certificate-based authentication is required; the certificate must use country CN, state/province HA, city ZZ and organization MageEdu;
(2) set the department to Ops, the host name to www2.stuX.com and the e-mail address to [email protected];
Step 1: create the private key on the host that will become the private CA
[root@TESTSVR1 ~]# cd /etc/pki/CA
[root@TESTSVR1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................................................................................+++
e is 65537 (0x10001)
Step 2: create the files the CA host needs
[root@TESTSVR1 CA]# touch {index.txt,serial}
[root@TESTSVR1 CA]# echo 01 > serial
Step 3: the CA host generates its own certificate, i.e. issues itself a self-signed certificate
[root@TESTSVR1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:[email protected]
Step 4: the host that will use the certificate generates a certificate signing request
[root@www etc]# mkdir /etc/httpd/certs
[root@www etc]# cd /etc/httpd/certs
[root@www certs]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 1024 bit long modulus
.++++++
..++++++
e is 65537 (0x10001)
[root@www certs]# openssl req -new -key httpd.key -out httpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 5: have the CA sign the certificate request
[root@www certs]# ls
httpd.csr  httpd.key
[root@www certs]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 29 09:15:06 2016 GMT
            Not After : Oct 29 09:15:06 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www2.stux.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:84:73:63:C0:82:7F:45:21:9C:BA:2B:4C:FB:C3:87:7C:BA:63:58
            X509v3 Authority Key Identifier:
                keyid:1C:57:C2:12:E4:D3:A6:4F:9A:7A:C6:53:7F:5B:7B:86:1E:75:0D:57

Certificate is to be certified until Oct 29 09:15:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 6: configure the HTTPS server for encrypted transport
[root@www certs]# yum install mod_ssl -y
[root@www ~]# rpm -qa mod_ssl
mod_ssl-2.2.15-39.el6.centos.x86_64
[root@www conf.d]# ls
mod_dnssd.conf  README  ssl.conf  welcome.conf
[root@www conf.d]# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 192.168.0.130:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stuX.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
8. Set up a Samba share for the directory /data (describe the complete process), with the requirements:
1) the share name is shared and the workgroup is magedu;
2) add the group develop and the users gentoo, centos and ubuntu, with gentoo and centos having develop as a supplementary group and ubuntu not a member of develop; each password equals the user name;
3) add the Samba users gentoo, centos and ubuntu, all with the password "mageedu";
4) only the develop group may write to the share shared; all other users get read-only access;
5) the Samba service is reachable only from hosts on the 172.16.0.0/16 network;
Step 1: install Samba
[root@TESTSVR7 ~]# yum -y install samba*
Step 2: add the users and set their passwords
[root@TESTSVR7 ~]# groupadd develop
[root@TESTSVR7 ~]# useradd -G develop gentoo
[root@TESTSVR7 ~]# useradd -G develop centos
[root@TESTSVR7 ~]# useradd ubuntu
[root@TESTSVR7 ~]# echo "gentoo" | passwd --stdin gentoo
[root@TESTSVR7 ~]# echo "centos" | passwd --stdin centos
[root@TESTSVR7 ~]# echo "ubuntu" | passwd --stdin ubuntu
[root@TESTSVR7 ~]# smbpasswd -a gentoo
New SMB password:
Retype new SMB password:
Added user gentoo.
[root@TESTSVR7 ~]# smbpasswd -a centos
New SMB password:
Retype new SMB password:
Added user centos.
[root@TESTSVR7 ~]# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:
Added user ubuntu.
Step 3: edit /etc/samba/smb.conf (the network in hosts allow is written as a prefix ending in a dot; the share option is spelled guest ok)
[global]
        workgroup = magedu
        hosts allow = 192.168.2.

[shared]
        comment = Haosmb
        path = /data
        guest ok = yes
        writable = no
        write list = +develop
Restart the service with service smb restart.
9. Set up a vsftpd file sharing service for the directory /ftproot (describe the complete process), with the requirements:
1) access is based on virtual users;
2) anonymous users may only download, not upload;
3) all users are confined to their home directories;
4) the maximum number of concurrent connections is 200;
5) the maximum transfer rate for anonymous users is 512KB/s;
6) the virtual user accounts are stored in a mysql database;
7) the database is shared over NFS.
Step 1: install the required programs
Install mysql and pam_mysql
[root@TESTSVR8 ~]# yum -y install vsftpd mysql-server mysql-devel pam_mysql
Step 2: create the virtual user accounts
① Prepare the database and its tables
First make sure the mysql service is running. Then create a database to hold the virtual users; here it is named vsftpd.
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'www.magedu.com';
mysql> grant select on vsftpd.* to [email protected] identified by 'www.magedu.com';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL,
    -> primary key(id)
    -> );
② Add test virtual users
Add users as needed. Note that, for safety, the passwords should be stored hashed with the PASSWORD() function.
mysql> insert into users(name,password) values('tom',password('magedu'));
mysql> insert into users(name,password) values('jerry',password('magedu'));
Step 3: configure vsftpd
① Create the file PAM needs for authentication
[root@TESTSVR8 ~]# vi /etc/pam.d/vsftpd.mysql
Add the following two lines (crypt=2 tells pam_mysql that the stored value is a MySQL PASSWORD() hash, which is how the rows above were inserted; crypt=0 would compare the typed password against the hash as plain text and every login would fail)
# crypt=2: compare against MySQL PASSWORD() hashes stored in users.password
auth    required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
Note: depending on how mysql was installed, pam_mysql.so may have trouble connecting to the mysql server over the unix socket; in that case, grant a user that can connect remotely to the vsftpd database.
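What pam_mysql compares depends on its crypt= argument. The users table above stores PASSWORD('magedu'); MySQL's PASSWORD() (4.1 and later) is '*' followed by the upper-case hex of SHA1(SHA1(password)), and crypt=2 selects exactly that comparison, while crypt=0 compares the typed password to the stored value as plain text. The following added Python example (standard library only, not from the original answer) re-implements PASSWORD() and models both comparisons; the stored row is constructed.

```python
"""MySQL PASSWORD() re-implemented, and the two pam_mysql comparison modes
(crypt=0 plain text, crypt=2 PASSWORD()) modelled against a stored row.
Added example; STORED_TOM is a constructed table row."""
import hashlib
import hmac


def mysql_password(plain):
    """MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(plain))), 41 characters."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()     # raw 20-byte digest
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def pam_mysql_check(typed, stored, crypt):
    """Model of pam_mysql's decision for the two crypt= modes used here.
    crypt=0: stored column holds the plain password.
    crypt=2: stored column holds PASSWORD(plain)."""
    if crypt == 0:
        candidate = typed
    elif crypt == 2:
        candidate = mysql_password(typed)
    else:
        raise ValueError("only crypt=0 and crypt=2 are modelled")
    # constant-time comparison, as an authentication check should use
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


# Constructed: what `insert ... values('tom', password('magedu'))` stores.
STORED_TOM = mysql_password("magedu")


def login_outcomes(typed, stored):
    """Return {'crypt=0': bool, 'crypt=2': bool} for one login attempt."""
    return {"crypt=0": pam_mysql_check(typed, stored, 0),
            "crypt=2": pam_mysql_check(typed, stored, 2)}


if __name__ == "__main__":
    print(STORED_TOM)
    print(login_outcomes("magedu", STORED_TOM))   # crypt=2 succeeds, crypt=0 does not
```

A quick sanity check against a real server: SELECT PASSWORD('password') returns *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19, which is what mysql_password("password") produces.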
② Modify the vsftpd configuration so that it uses mysql authentication
Create the system user that the virtual users map to, together with its directory
[root@TESTSVR8 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@TESTSVR8 ~]# chmod go+rx /var/ftproot
Make sure the following options are enabled in /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
local_root=/ftproot
anon_root=/ftproot
Then add the following options
guest_enable=YES
guest_username=vuser
and make sure pam_service_name is set as follows
pam_service_name=vsftpd.mysql
Step 4: start vsftpd
[root@TESTSVR8 ~]# service vsftpd start
[root@TESTSVR8 ~]# chkconfig vsftpd on
Step 5: give the virtual users different access rights
vsftpd can keep a separate configuration file for each user in a configuration directory to define that user's FTP access rights; each virtual user's file is named after the user. The directory can be any unused directory; it only needs to be declared by path in vsftpd.conf.
① Point vsftpd at the per-user configuration directory
[root@TESTSVR8 ~]# vim vsftpd.conf
Add the following option
user_config_dir=/etc/vsftpd/vusers_config
② Create the directory and the per-user configuration files
[root@TESTSVR8 ~]# mkdir /etc/vsftpd/vusers_config/
[root@TESTSVR8 ~]# cd /etc/vsftpd/vusers_config/
[root@TESTSVR8 ~]# touch tom jerry
③ Configure the virtual users' access rights
Virtual users' access to vsftpd is controlled through the anonymous-user directives. For example, to give user tom the right to upload and delete files, edit /etc/vsftpd/vusers_config/tom
and add the following options to it.
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES