2018 National Vocational Skills Competition, server section, sample paper D (covering LVM, RAID, IIS FTP, DNS master/slave (CentOS 7 / Windows), Apache HTTPS, CA)

This is the fourth post in the 2018 national competition series; it shares the techniques involved and how they were implemented. If anything is wrong or could be improved, please contact the author.

Contact: (VX: Yvresse_ai)

Environment:

Cloud platform: RG-JCOS     Operating system: CentOS 7

Sample paper D, service network topology:

Sample paper D, system topology:

A's NIC information:

B's NICs and hostname:

[root@b ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:4f:bd:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.33/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86299sec preferred_lft 86299sec
    inet6 fe80::f816:3eff:fe4f:bdff/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:20:e3:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.33/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe20:e3ef/64 scope link 
       valid_lft forever preferred_lft forever

From the topology above we can see that A involves a CA, which in turn requires an AD domain, so the AD domain should be installed before the rest of the topology is implemented.

Install the AD domain:

The environment is now ready.

Requirements for the mirrored volume on A:

1: Create a new mirrored volume using all available space

2: Drive letter D

Requirements for the LVM physical volume on B:

1: Volume group named datastore, PE size 16M

2: Logical volume named ftp_data, belonging to datastore, size 10G

3: Format as XFS and mount automatically via UUID

Configure a local YUM repository:

Create the local mount directory and the backup directory:

[root@b ~]# mkdir /mnt/cdrom
[root@b ~]# mkdir /opt/copy

Mount the ISO image on the local mount directory:

[root@b ~]# mount /root/CentOS-7-x86_64-DVD-1511.iso /mnt/cdrom/
mount: /dev/loop0 寫保護,將以只讀方式掛載

Back up the existing YUM repo files and create the local repo configuration file:

[root@b ~]# mv /etc/yum.repos.d/* /opt/copy/
[root@b ~]# vim /etc/yum.repos.d/dvd.repo
[dvd]
name=dvd
baseurl=file:///mnt/cdrom

Test:

[root@b ~]# yum repolist
已加載插件:fastestmirror
dvd                                                                                                                                                                                                                  | 3.6 kB  00:00:00     
(1/2): dvd/group_gz                                                                                                                                                                                                  | 155 kB  00:00:00     
(2/2): dvd/primary_db                                                                                                                                                                                                | 2.8 MB  00:00:00     
Determining fastest mirrors
源標識                                                                                                               源名稱                                                                                                            狀態
dvd                                                                                                                  dvd                                                                                                               3,723
repolist: 3,723

Inspect the cloud disk:

[root@b ~]# fdisk -l |grep vdb
磁盤 /dev/vdb:16.1 GB, 16106127360 字節,31457280 個扇區

Create a partition:

[root@b ~]# fdisk /dev/vdb
歡迎使用 fdisk (util-linux 2.23.2)。

更改將停留在內存中,直到您決定將更改寫入磁盤。
使用寫入命令前請三思。

Device does not contain a recognized partition table
使用磁盤標識符 0x1d7f54d1 創建新的 DOS 磁盤標籤。

命令(輸入 m 獲取幫助):n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
分區號 (1-4,默認 1):
起始 扇區 (2048-31457279,默認爲 2048):
將使用默認值 2048
Last 扇區, +扇區 or +size{K,M,G} (2048-31457279,默認爲 31457279):
將使用默認值 31457279
分區 1 已設置爲 Linux 類型,大小設爲 15 GiB

命令(輸入 m 獲取幫助):w
The partition table has been altered!

Calling ioctl() to re-read partition table.
正在同步磁盤。

Initialise the partition as a physical volume:

[root@b ~]# pvcreate /dev/vdb1
  Physical volume "/dev/vdb1" successfully created

Create the volume group (PE size 16M):

[root@b ~]# vgcreate -s 16M datastore /dev/vdb1
  Volume group "datastore" successfully created

Create the 10G logical volume:

[root@b ~]# lvcreate -L 10G datastore -n web_data
  Logical volume "web_data" created.

Format as XFS:

[root@b ~]# mkfs.xfs /dev/datastore/web_data 
meta-data=/dev/datastore/web_data isize=256    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

Check the UUID:

[root@b ~]# blkid |grep web
/dev/mapper/datastore-web_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs" 

Configure automatic mounting by UUID:

[root@b ~]# vim /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Thu Sep 22 17:50:17 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=41f7a291-c7de-4694-a5ee-1e6313ff9f44 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
UUID=7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380 /data/web_data xfs defaults 0 0 

Create the mount point and mount:

[root@b ~]# mkdir -p /data/web_data
[root@b ~]# mount /dev/mapper/datastore-web_data /data/web_data/
[root@b ~]# mount |grep web
/dev/mapper/datastore-web_data on /data/web_data type xfs (rw,relatime,attr2,inode64,noquota)
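The fstab step above is done by hand: read the UUID from blkid, then type it into /etc/fstab. The following is an added example, not from the original post, that does the same thing as shell functions so the UUID cannot be mistyped and the entry is not duplicated if the setup is re-run. The blkid output is passed in as text (a constructed sample below reuses the post's UUID for datastore-web_data; the other UUID is made up), so the functions can be exercised without root or a real disk. The helper names uuid_of, fstab_line and ensure_fstab_entry are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): derive the UUID-based /etc/fstab
# entry from blkid output and append it idempotently. blkid output is passed in
# as text, so the functions can be exercised without root or a real disk.
# Helper names (uuid_of, fstab_line, ensure_fstab_entry) are hypothetical.

# Constructed sample of blkid output; the datastore-web_data UUID is the one from
# the post, the centos-root UUID is made up for the example.
SAMPLE_BLKID='/dev/vda1: UUID="41f7a291-c7de-4694-a5ee-1e6313ff9f44" TYPE="xfs"
/dev/mapper/centos-root: UUID="11111111-2222-3333-4444-555555555555" TYPE="xfs"
/dev/mapper/datastore-web_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs"'

# uuid_of DEVICE BLKID_TEXT -> prints DEVICE's UUID; returns 1 if DEVICE has none
uuid_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == (dev ":") {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { gsub(/UUID=|"/, "", $i); print $i; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# fstab_line DEVICE MOUNTPOINT FSTYPE BLKID_TEXT -> prints the fstab entry,
# referencing the filesystem by UUID rather than by device path
fstab_line() {
    uuid=$(uuid_of "$1" "$4") || return 1
    printf 'UUID=%s %s %s defaults 0 0\n' "$uuid" "$2" "$3"
}

# ensure_fstab_entry FSTAB LINE -> appends LINE unless that UUID is already listed,
# so re-running the setup never produces duplicate entries
ensure_fstab_entry() {
    uuid=${2%% *}                       # first field, e.g. UUID=7a6e...
    grep -q "^$uuid[[:space:]]" "$1" 2>/dev/null && return 0
    printf '%s\n' "$2" >> "$1"
}

# demo -> exercises the helpers against a scratch fstab; returns 0 if exactly one
# entry for the volume exists after two runs
demo() {
    scratch=$(mktemp) || return 1
    line=$(fstab_line /dev/mapper/datastore-web_data /data/web_data xfs "$SAMPLE_BLKID") || return 1
    ensure_fstab_entry "$scratch" "$line"
    ensure_fstab_entry "$scratch" "$line"   # second run must be a no-op
    n=$(grep -c '^UUID=7a6e09bf' "$scratch")
    rm -f "$scratch"
    [ "$n" -eq 1 ]
}

demo && echo "fstab entry for /data/web_data is in place exactly once"
```

On a real host the BLKID_TEXT argument would be `"$(blkid)"` and the target file /etc/fstab; after appending, `mount -a` followed by `findmnt /data/web_data` confirms the entry is accepted before the next reboot depends on it.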

Requirements for the DNS server on B:

1: Resolve ftp.rj.com to A

2: Resolve www.rj.com to B

3: Set up reverse resolution for www.rj.com and ftp.rj.com

4: Allow host B at 192.168.2.22 to perform zone transfers

5: B acts as A's slave DNS server

Install bind on B and test-start it:

[root@b ~]# yum install bind* -y > /dev/null 
[root@b ~]# systemctl restart named

Back up the configuration file:

[root@b ~]# cp /etc/named.conf /opt/copy/

Modify the configuration file as required:

[root@b ~]# vim /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};
zone "rj.com" IN {
        type master;
        file "rj.com.zone";
        allow-transfer { 192.168.2.22; };
};
zone "0.16.172.in-addr.arpa" IN {
        type master;
        file "0.16.172.in-addr.arpa.zone";
        allow-transfer { 192.168.2.22; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Create the zone data files from the template and edit them (A is 172.16.0.137 and serves ftp, B is 172.16.0.138 and serves www, as the nslookup results further down confirm, so the A records for a and b are set accordingly to match the PTR records):

[root@b ~]# cp /var/named/named.localhost /var/named/rj.com.zone
[root@b ~]# cp /var/named/named.localhost /var/named/0.16.172.in-addr.arpa.zone
[root@b ~]# vim /var/named/rj.com.zone
; forward zone for rj.com: a (172.16.0.137) hosts ftp, b (172.16.0.138) hosts www
$TTL 1D
@       IN SOA  rj.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS a
        IN      NS b
a IN A 172.16.0.137
b IN A 172.16.0.138
www IN A 172.16.0.138
ftp IN A 172.16.0.137
[root@b ~]# vim /var/named/0.16.172.in-addr.arpa.zone
; reverse zone for 172.16.0.0/24: each PTR must agree with the A records above
$TTL 1D
@       IN SOA  0.16.172.in-addr.arpa. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS a.rj.com.
        IN      NS b.rj.com.
138 IN PTR b.rj.com.
137 IN PTR a.rj.com.
138 IN PTR www.rj.com.
137 IN PTR ftp.rj.com.

Change the owner so named can read the zone files:

[root@b ~]# chown named /var/named/rj.com.zone 
[root@b ~]# chown named /var/named/0.16.172.in-addr.arpa.zone 

Restart the service and test:

[root@b ~]# systemctl restart named
[root@b ~]# nslookup www.rj.com
Server:		172.16.0.138
Address:	172.16.0.138#53

Name:	www.rj.com
Address: 172.16.0.138

[root@b ~]# nslookup 172.16.0.138
Server:		172.16.0.138
Address:	172.16.0.138#53

138.0.16.172.in-addr.arpa	name = b.rj.com.
138.0.16.172.in-addr.arpa	name = www.rj.com.
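The nslookup tests above only query www.rj.com and one address, so a forward record that disagrees with its PTR (for example a and b with their addresses exchanged) would pass unnoticed. The following is an added example, not from the original post, that cross-checks a forward zone file against its reverse zone file: every "name IN A" record must have a PTR for the same last octet and the same FQDN, and every PTR must have a matching A record. The sample zone files are constructed inline from the rj.com zones above, plus a deliberately swapped copy; the function name check_forward_reverse is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a forward zone against
# its reverse zone so that every A record has a matching PTR and vice versa.
# Helper names are hypothetical.

# check_forward_reverse FORWARD_ZONE REVERSE_ZONE ORIGIN
# prints each mismatch and returns 1 if any; returns 0 when the zones agree.
# Only records written as "name IN A a.b.c.d" / "n IN PTR fqdn." are examined,
# which is the layout used in the zone files above.
check_forward_reverse() {
    awk -v origin="$3" '
        FNR == NR {                          # first file: reverse zone, collect PTRs
            if ($2 == "IN" && $3 == "PTR") ptr[$1, $4] = 1
            next
        }
        $2 == "IN" && $3 == "A" {            # second file: forward zone
            split($4, o, ".")                # o[4] is the last octet of the address
            fqdn = $1 "." origin "."
            a[o[4], fqdn] = 1
            if (!((o[4], fqdn) in ptr)) {
                printf "A without PTR: %s -> %s\n", fqdn, $4
                bad = 1
            }
        }
        END {
            for (k in ptr) if (!(k in a)) {
                split(k, p, SUBSEP)
                printf "PTR without A: %s -> %s\n", p[1], p[2]
                bad = 1
            }
            exit bad ? 1 : 0
        }' "$2" "$1"
}

# write_samples DIR -> writes constructed zone files: a consistent pair and a
# forward zone in which a and b have their addresses swapped
write_samples() {
    cat > "$1/rj.com.zone" <<'EOF'
$TTL 1D
@       IN SOA  rj.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS a
        IN      NS b
a IN A 172.16.0.137
b IN A 172.16.0.138
www IN A 172.16.0.138
ftp IN A 172.16.0.137
EOF
    sed -e 's/^a IN A 172.16.0.137/a IN A 172.16.0.138/' \
        -e 's/^b IN A 172.16.0.138/b IN A 172.16.0.137/' \
        "$1/rj.com.zone" > "$1/rj.com.swapped.zone"
    cat > "$1/0.16.172.in-addr.arpa.zone" <<'EOF'
$TTL 1D
@       IN SOA  0.16.172.in-addr.arpa. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS a.rj.com.
        IN      NS b.rj.com.
138 IN PTR b.rj.com.
137 IN PTR a.rj.com.
138 IN PTR www.rj.com.
137 IN PTR ftp.rj.com.
EOF
}

d=$(mktemp -d)
write_samples "$d"
check_forward_reverse "$d/rj.com.zone" "$d/0.16.172.in-addr.arpa.zone" rj.com \
    && echo "rj.com zones are consistent"
check_forward_reverse "$d/rj.com.swapped.zone" "$d/0.16.172.in-addr.arpa.zone" rj.com \
    || echo "swapped zone rejected as expected"
rm -rf "$d"
```

On the server itself the same call would be made against /var/named/rj.com.zone and /var/named/0.16.172.in-addr.arpa.zone, and it complements the syntax check that bind ships with (named-checkzone rj.com /var/named/rj.com.zone and named-checkconf), which validates each file on its own but never compares the two.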

Configure A as the slave DNS server:

Test the slave DNS:

[root@b ~]# nslookup www.rj.com
Server:		172.16.0.137
Address:	172.16.0.137#53

Name:	www.rj.com
Address: 172.16.0.138

[root@b ~]# nslookup ftp.rj.com
Server:		172.16.0.137
Address:	172.16.0.137#53

Name:	ftp.rj.com
Address: 172.16.0.137

[root@b ~]# nslookup 172.16.0.137
Server:		172.16.0.137
Address:	172.16.0.137#53

137.0.16.172.in-addr.arpa	name = ftp.rj.com.
137.0.16.172.in-addr.arpa	name = a.rj.com.

[root@b ~]# nslookup 172.16.0.138

Server:		172.16.0.137
Address:	172.16.0.137#53

138.0.16.172.in-addr.arpa	name = b.rj.com.
138.0.16.172.in-addr.arpa	name = www.rj.com.

Requirements for the FTP site on A:

1: Site name rjftp, physical path D:\ftpdata

2: Allow anonymous users and the regular user tom to log in; anonymous users have read-only access to the home directory, tom has read and write access, and uploading files with the exe extension is forbidden

3: Set the maximum number of FTP client connections to 100, the idle timeout to 5 minutes, and the data connection timeout to 1 minute.

Install the IIS manager and the FTP components on A:

Verify:

[root@b ~]# ftp ftp.rj.com
Connected to ftp.rj.com (172.16.0.137).
220 Microsoft FTP Service
Name (ftp.rj.com:root): tom
331 Password required for tom.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (172,16,0,137,237,3).
125 Data connection already open; Transfer starting.
04-25-19  09:55PM       <DIR>          11.txt
04-25-19  09:54PM       <DIR>          ceshi
226 Transfer complete.
ftp> 

Requirements for the CA certificate server on A:

1: Provide web enrollment that accepts CSRs (certificate signing requests) and issues certificates

2: Cryptographic service provider "RSA#Microsoft Software Key Storage Provider", key length "2048"

3: Hash algorithm for issued certificates: "SHA256"

4: CA certificate name: ca.rj.com

5: Provide a certificate for the web service on cloud host B; name the issued certificate httpd.crt

Install the CA certificate server:

Generate the certificate signing request on B (a 2048-bit key to match the key length required above; the second command strips the DES3 passphrase so httpd can read the key without prompting, and the CSR is then built from that unencrypted key):

[root@b ~]# openssl genrsa -des3 -out www.rj.com.pem 2048
[root@b ~]# openssl rsa -in www.rj.com.pem -out www.rj.com.key
[root@b ~]# openssl req -new -key www.rj.com.key -out www.rj.com.csr

Upload the certificate signing request to A via FTP (only the .csr needs to leave B; the private key www.rj.com.key that also appears in the listing below should stay on B):

[root@b ~]# ftp ftp.rj.com
Connected to ftp.rj.com (172.16.0.137).
220 Microsoft FTP Service
Name (ftp.rj.com:root): tom
331 Password required for tom.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (172,16,0,137,194,46).
125 Data connection already open; Transfer starting.
04-25-19  09:55PM       <DIR>          11.txt
04-25-19  11:07PM       <DIR>          ceshi
04-25-19  11:06PM                  638 www.rj.com.csr
04-25-19  10:55PM                  981 www.rj.com.key
226 Transfer complete.
ftp> 

Issue the certificate on A from the CSR: http://localhost/certsrv

Fetch the certificate on B via FTP:

ftp> cd ceshi
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (172,16,0,137,194,153).
125 Data connection already open; Transfer starting.
04-25-19  11:07PM                 1682 certnew.cer
226 Transfer complete.
ftp> get certnew.cer

Install HTTPD together with mod_ssl (mod_ssl provides SSLEngine and is not matched by "yum install http*") and test-start it:

[root@b ~]# yum install httpd mod_ssl -y > /dev/null
[root@b ~]# systemctl restart httpd
[root@b ~]# systemctl enable httpd

Back up the configuration file:

[root@b ~]# cp /etc/httpd/conf/httpd.conf /opt/copy/
[root@b ~]# vim /etc/httpd/conf/httpd.conf
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/virtualhost.conf

Configure the virtual host configuration file (httpd.conf above now includes only this file, so the Listen directive from ssl.conf is no longer loaded and port 443 has to be opened here):

[root@b ~]# vim /etc/httpd/conf.d/virtualhost.conf
Listen 443 https

<VirtualHost *:80>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
    <Directory "/data/web_data">
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/http.crt
    SSLCertificateKeyFile /etc/httpd/ssl/http.key
    <Directory "/data/web_data">
        Require all granted
    </Directory>
</VirtualHost>

Convert the certificate copied from the Windows CA to a .crt file (the Base64-encoded certnew.cer):

[root@b ~]#openssl x509 -inform PEM -in certnew.cer -out certnew.crt

Copy them into the designated directory /etc/httpd/ssl under the names used by the virtual host configuration (the directory does not exist by default, and the key should be readable by root only):

[root@b ~]# mkdir -p /etc/httpd/ssl
[root@b ~]# cp www.rj.com.key /etc/httpd/ssl/http.key
[root@b ~]# cp certnew.crt /etc/httpd/ssl/http.crt
[root@b ~]# chmod 600 /etc/httpd/ssl/http.key

Test-start HTTPD:

[root@b ~]# systemctl restart httpd

Test:

This concludes sample paper D of the national competition; contact the author with any questions.
