2018 National Vocational College Skills Competition, server part, sample paper C (covers LVM, RAID, IIS, DNS master/slave (Windows-CentOS 7), IIS HTTPS, FTP)

This is the third post in the 2018 national competition series; the techniques involved and how they were implemented are shared here. If anything is wrong or could be improved, please contact the blogger.

Environment:

Cloud platform: RG-JCOS     Operating system: CentOS 7

Sample paper C service network topology:

Sample paper C system topology:

NIC information and hostname of A:

NIC information and hostname of B:

[root@b ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:2c:d2:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.33/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84087sec preferred_lft 84087sec
    inet6 fe80::f816:3eff:fe2c:d2b1/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:95:53:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.33/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe95:53a9/64 scope link 
       valid_lft forever preferred_lft forever

Software RAID requirements for A:

1: Create a RAID 5 volume using all available space

2: Drive letter D

View the three newly added disks:

Bring the disks online:

Initialize the disks:

Create a new RAID 5 volume:

Add the three disks and use all available space:

Assign the drive letter:

Convert to dynamic disks:

LVM physical volume requirements for B:

1: Volume group named datastore, PE size 16M

2: Logical volume named ftp_data in datastore, size 10G

3: Format as XFS and mount automatically by UUID

Configure a local YUM repository:

Create the local mount directory and a backup directory:

[root@a ~]# mkdir /mnt/cdrom
[root@a ~]# mkdir /opt/copy

Mount the ISO image on the local mount directory:

[root@a ~]# mount /root/CentOS-7-x86_64-DVD-1511.iso /mnt/cdrom/
mount: /dev/loop0 寫保護,將以只讀方式掛載

Back up the YUM repo files and create the local YUM repo configuration:

[root@a ~]# mv /etc/yum.repos.d/* /opt/copy/
[root@a ~]# vim /etc/yum.repos.d/dvd.repo
[dvd]
name=dvd
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0

Test:

[root@a ~]# yum repolist
已加載插件:fastestmirror
dvd                                                                                                                                                                                                                  | 3.6 kB  00:00:00     
(1/2): dvd/group_gz                                                                                                                                                                                                  | 155 kB  00:00:00     
(2/2): dvd/primary_db                                                                                                                                                                                                | 2.8 MB  00:00:00     
Determining fastest mirrors
源標識                                                                                                               源名稱                                                                                                            狀態
dvd                                                                                                                  dvd                                                                                                               3,723
repolist: 3,723

View the cloud disk:

[root@b ~]# fdisk -l |grep vdb
磁盤 /dev/vdb:16.1 GB, 16106127360 字節,31457280 個扇區

Create a partition:

[root@b ~]# fdisk /dev/vdb
歡迎使用 fdisk (util-linux 2.23.2)。

更改將停留在內存中,直到您決定將更改寫入磁盤。
使用寫入命令前請三思。

Device does not contain a recognized partition table
使用磁盤標識符 0x1d7f54d1 創建新的 DOS 磁盤標籤。

命令(輸入 m 獲取幫助):n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
分區號 (1-4,默認 1):
起始 扇區 (2048-31457279,默認爲 2048):
將使用默認值 2048
Last 扇區, +扇區 or +size{K,M,G} (2048-31457279,默認爲 31457279):
將使用默認值 31457279
分區 1 已設置爲 Linux 類型,大小設爲 15 GiB

命令(輸入 m 獲取幫助):w
The partition table has been altered!

Calling ioctl() to re-read partition table.
正在同步磁盤。

Initialize it as a physical volume:

[root@b ~]# pvcreate /dev/vdb1
  Physical volume "/dev/vdb1" successfully created

Create the volume group (PE size 16M):

[root@b ~]# vgcreate -s 16M datastore /dev/vdb1
  Volume group "datastore" successfully created

Create the logical volume:

[root@b ~]# lvcreate -L 10G datastore -n ftp_data
  Logical volume "ftp_data" created.

Format it as XFS:

[root@b ~]# mkfs.xfs /dev/datastore/ftp_data 
meta-data=/dev/datastore/ftp_data isize=256    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

View the UUID:

[root@b ~]# blkid |grep ftp
/dev/mapper/datastore-ftp_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs" 

Set up automatic mounting by UUID:

[root@b ~]# vim /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Thu Sep 22 17:50:17 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=41f7a291-c7de-4694-a5ee-1e6313ff9f44 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
UUID=7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380 /data/ftp_data xfs defaults 0 0 

Create the mount point and mount:

[root@b ~]# mkdir -p /data/ftp_data
[root@b ~]# mount /dev/mapper/datastore-ftp_data /data/ftp_data/
[root@b ~]# mount |grep ftp
/dev/mapper/datastore-ftp_data on /data/ftp_data type xfs (rw,relatime,attr2,inode64,noquota)

DNS service requirements for A:

1: ftp.rj.com resolves to B

2: www.rj.com resolves to A

3: Create a reverse lookup zone providing reverse resolution for www and ftp

4: Set up B as the slave server and allow zone transfers to 192.168.2.33

Install the DNS service on A:

Create a forward lookup zone:

Create the host records:

Test:

Configure B as the slave DNS server:

Download and install bind:

[root@b ~]# yum install bind* -y > /dev/null 

Test start-up:

[root@b ~]# systemctl restart named
[root@b ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Back up the configuration file:

[root@b ~]# cp /etc/named.conf /opt/copy/

Edit the configuration file to set up the slave zones:

[root@b ~]# cat /etc/named.conf |grep -v ^# |grep -v ^%
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "rj.com" {
	type slave;
	masters { 192.168.2.22; };
	file "slaves/rj.com.zone";
};
zone "0.16.172.in-addr.arpa" {
	type slave;
	masters { 192.168.2.22; };
	file "slaves/0.16.172.in-addr.arpa";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Set up zone transfers on A:

View the transferred zone files on the slave server:

[root@b ~]# ls /var/named/slaves/
0.16.172.in-addr.arpa  rj.com.zone

Test the slave server:

Web service requirements:

1: Site name rj.com

2: Site directory D:\webdata

3: Configure HTTPS with a certificate issued by openssl on B

4: Set the maximum number of connections to 1000, connection timeout 60 s, bandwidth 1000 kb/s

5: Use W3C log format, rolled daily, with local time in the log file name

Install IIS Manager:

Add the IIS site:

Test the IIS site by IP address:

Create the certificate with openssl on B:

[root@b ~]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@b ~]# ls
ca.key  CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl rsa -in ca.key -out ca_decrypted.key
Enter pass phrase for ca.key:
writing RSA key
[root@b ~]# ls
ca_decrypted.key  ca.key  CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:tj
State or Province Name (full name) []:tj
Locality Name (eg, city) [Default City]:tj
Organization Name (eg, company) [Default Company Ltd]:tj
Organizational Unit Name (eg, section) []:tj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:
[root@b ~]# ls
ca.crt  ca_decrypted.key  ca.key  CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl genrsa -des3 -out www.rj.com.pem 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for www.rj.com.pem:
Verifying - Enter pass phrase for www.rj.com.pem:
[root@b ~]# ls
ca.crt  ca_decrypted.key  ca.key  CentOS-7-x86_64-DVD-1511.iso  www.rj.com.pem
[root@b ~]# openssl rsa -in www.rj.com.pem -out www.rj.com.key
Enter pass phrase for www.rj.com.pem:
writing RSA key
[root@b ~]# ls
ca.crt  ca_decrypted.key  ca.key  CentOS-7-x86_64-DVD-1511.iso  www.rj.com.key  www.rj.com.pem
[root@b ~]# openssl req -new -key www.rj.com.pem -out www.rj.com.csr
Enter pass phrase for www.rj.com.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:tj
State or Province Name (full name) []:tj
Locality Name (eg, city) [Default City]:tj
Organization Name (eg, company) [Default Company Ltd]:tj
Organizational Unit Name (eg, section) []:tj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@b ~]# touch /etc/pki/CA/index.txt
[root@b ~]# echo "01" > /etc/pki/CA/serial
[root@b ~]# openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in www.rj.com.csr -out www.rj.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 23 10:48:15 2019 GMT
            Not After : Apr 22 10:48:15 2020 GMT
        Subject:
            countryName               = tj
            stateOrProvinceName       = tj
            localityName              = tj
            organizationName          = tj
            organizationalUnitName    = tj
            commonName                = www.rj.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                14:C9:CB:0C:7A:E3:01:DE:79:8E:54:E7:CE:C3:18:DF:33:A7:E4:61
            X509v3 Authority Key Identifier: 
                keyid:78:58:77:77:6A:0B:59:7D:FD:FF:9B:4E:02:9C:1E:D3:93:C0:7B:7C

Certificate is to be certified until Apr 22 10:48:15 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@b ~]# openssl pkcs12 -export -out www.rj.com.pfx -inkey www.rj.com.key -in www.rj.com.crt 
Enter Export Password:
Verifying - Enter Export Password:
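The same CA-plus-server-certificate procedure as one non-interactive script, added here as an example and not part of the original post. It runs in a scratch directory instead of /etc/pki/CA, signs with `openssl x509 -req` rather than `openssl ca`, and deliberately differs from the session above in the points a practitioner would change: 2048-bit keys, a CA subject that is not identical to the server's CN (identical subjects confuse chain building), and a subjectAltName for www.rj.com. Assumptions: openssl is in PATH, and unencrypted keys are acceptable because the scratch directory is private.

```shell
#!/bin/sh
# Added example (not from the original post): B-side CA and server
# certificate generation for www.rj.com, non-interactive, in directory $1.
# Assumes openssl in PATH; keys are left unencrypted (scratch dir only).

make_certs() (
    work="$1"
    mkdir -p "$work" && cd "$work" || exit 1
    # CA key and self-signed CA cert; CN differs from the server's CN on purpose
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/C=CN/ST=tj/L=tj/O=tj/OU=tj/CN=rj.com internal CA" 2>/dev/null
    # Server key and CSR for www.rj.com
    openssl genrsa -out www.rj.com.key 2048 2>/dev/null
    openssl req -new -key www.rj.com.key -out www.rj.com.csr \
        -subj "/C=CN/ST=tj/L=tj/O=tj/OU=tj/CN=www.rj.com" 2>/dev/null
    # Sign the CSR with the CA; browsers match the hostname against the SAN,
    # not the CN, so it is added as an extension here
    printf 'subjectAltName=DNS:www.rj.com\n' > san.ext
    openssl x509 -req -days 365 -in www.rj.com.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile san.ext -out www.rj.com.crt 2>/dev/null
    # PKCS#12 bundle for the IIS import; ca.crt is included so IIS can build
    # the chain. Export password is empty in this example only.
    openssl pkcs12 -export -out www.rj.com.pfx -inkey www.rj.com.key \
        -in www.rj.com.crt -certfile ca.crt -passout pass: 2>/dev/null
)

# Returns 0 when www.rj.com.crt chains to ca.crt and carries the SAN.
# Run this before copying the .pfx to the FTP share for Windows.
verify_chain() {
    work="$1"
    openssl verify -CAfile "$work/ca.crt" "$work/www.rj.com.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$work/www.rj.com.crt" -noout -text | grep -q 'DNS:www.rj.com'
}
```

On the Windows side the CA certificate (ca.crt) still has to be imported into the local trusted root store for the browser to accept the chain. With OpenSSL 3.x, add `-legacy` to the `pkcs12 -export` command if an older Windows release refuses to import the resulting .pfx.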

Install vsftpd and share www.rj.com.pfx with Windows:

[root@b ~]# yum install vsftpd* -y > /dev/null 
[root@b ~]# systemctl resstart vsftpd
Unknown operation 'resstart'.
[root@b ~]# systemctl restart vsftpd
[root@b ~]# cp www.rj.com.pfx /var/ftp/pub/

View the share from Windows and download the file locally:

Import the certificate:

Bind HTTPS:

Test:

To trust this certificate, import it into the local trust store yourself.

Set the site's maximum connections, timeout and bandwidth:

Generate logs:

For the FTP configuration on B, refer to the FTP setup in sample paper B (it is identical).

Sample paper B (link)

This completes the server part of sample paper C. I think HTTPS still has a problem, but I really do not know of a good way to fix it; if any friend knows, please contact me.