此篇为2018国赛专题第三篇,现将设计到的技术以及实现分享给各位。若有不妥或者需要改善之处请联系博主。
联系方式为(VX:Yvresse_ai)
环境说明:
云平台:RG-JCOS 操作系统:Centos7
样题C卷服务网络Topo:
样题C卷系统Topo:
A网卡信息及主机名:
B网卡信息及主机名:
[root@b ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:2c:d2:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.33/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 84087sec preferred_lft 84087sec
inet6 fe80::f816:3eff:fe2c:d2b1/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:95:53:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.33/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe95:53a9/64 scope link
valid_lft forever preferred_lft forever
A创建软RAID要求如下:
1:建立RAID5,使用全部空间
2:驱动器号为D
查看新加的三块盘:
硬盘联机:
初始化硬盘:
新建RAID5卷:
添加三块盘并使用全部空间:
设置驱动器号:
转换为动态磁盘:
B创建LVM物理卷要求如下:
1:卷组名为datastore,PE大小为16M
2:逻辑卷名为ftp_data属于datastore,大小为10G
3:格式化为XFS,通过UUID实现自动挂载
配置本地YUM源:
创建本地挂载目录及备份文件目录:
[root@a ~]# mkdir /mnt/cdrom
[root@a ~]# mkdir /opt/copy
镜像挂载至本地挂载目录:
[root@a ~]# mount /root/CentOS-7-x86_64-DVD-1511.iso /mnt/cdrom/
mount: /dev/loop0 写保护,将以只读方式挂载
备份YUM源文件及创建本地YUM源配置文件:
[root@a ~]# mv /etc/yum.repos.d/* /opt/copy/
[root@a ~]# vim /etc/yum.repos.d/dvd.repo
[dvd]
name=dvd
baseurl=file:///mnt/cdrom
测试:
[root@a ~]# yum repolist
已加载插件:fastestmirror
dvd | 3.6 kB 00:00:00
(1/2): dvd/group_gz | 155 kB 00:00:00
(2/2): dvd/primary_db | 2.8 MB 00:00:00
Determining fastest mirrors
源标识 源名称 状态
dvd dvd 3,723
repolist: 3,723
查看云硬盘:
[root@b ~]# fdisk -l |grep vdb
磁盘 /dev/vdb:16.1 GB, 16106127360 字节,31457280 个扇区
创建分区:
[root@b ~]# fdisk /dev/vdb
欢迎使用 fdisk (util-linux 2.23.2)。
更改将停留在内存中,直到您决定将更改写入磁盘。
使用写入命令前请三思。
Device does not contain a recognized partition table
使用磁盘标识符 0x1d7f54d1 创建新的 DOS 磁盘标签。
命令(输入 m 获取帮助):n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
分区号 (1-4,默认 1):
起始 扇区 (2048-31457279,默认为 2048):
将使用默认值 2048
Last 扇区, +扇区 or +size{K,M,G} (2048-31457279,默认为 31457279):
将使用默认值 31457279
分区 1 已设置为 Linux 类型,大小设为 15 GiB
命令(输入 m 获取帮助):w
The partition table has been altered!
Calling ioctl() to re-read partition table.
正在同步磁盘。
初始化为物理卷:
[root@b ~]# pvcreate /dev/vdb1
Physical volume "/dev/vdb1" successfully created
创建卷组:
[root@b ~]# vgcreate -s 16M datastore /dev/vdb1
Volume group "datastore" successfully created
创建逻辑卷:
[root@b ~]# lvcreate -L 10G datastore -n ftp_data
Logical volume "ftp_data" created.
格式化为XFS格式:
[root@b ~]# mkfs.xfs /dev/datastore/ftp_data
meta-data=/dev/datastore/ftp_data isize=256 agcount=4, agsize=655360 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0
data = bsize=4096 blocks=2621440, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
查看UUID:
[root@b ~]# blkid |grep ftp
/dev/mapper/datastore-ftp_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs"
实现自动挂载:
[root@b ~]# vim /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Sep 22 17:50:17 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=41f7a291-c7de-4694-a5ee-1e6313ff9f44 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
UUID=7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380 /data/ftp_data xfs defaults 0 0
创建挂载目录并挂载:
[root@b ~]# mkdir -p /data/ftp_data
[root@b ~]# mount /dev/mapper/datastore-ftp_data /data/ftp_data/
[root@b ~]# mount |grep ftp
/dev/mapper/datastore-ftp_data on /data/ftp_data type xfs (rw,relatime,attr2,inode64,noquota)
A配置DNS服务要求如下:
1:ftp.rj.com解析到B
2:www.rj.com解析到A
3:建立反向解析实现www,和ftp的反向解析
4:建立B为从服务器,允许192.168.2.33进行区域传送
A安装DNS服务:
新建正向区域:
新建主机解析:
测试:
B配置从DNS服务器:
下载安装bind
[root@b ~]# yum install bind* -y > /dev/null
测试启动:
[root@b ~]# systemctl restart named
[root@b ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
备份配置文件:
[root@b ~]# cp /etc/named.conf /opt/copy/
修改配置文件设置从DNS:
[root@b ~]# cat /etc/named.conf |grep -v ^# |grep -v ^%
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "rj.com" {
type slave;
masters { 192.168.2.22; };
file "slaves/rj.com.zone";
};
zone "0.16.172.in-addr.arpa" {
type slave;
masters { 192.168.2.22; };
file "slaves/0.16.172.in-addr.arpa";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
A设置区域传送:
查看从服务器区域传送文件:
[root@b ~]# ls /var/named/slaves/
0.16.172.in-addr.arpa rj.com.zone
测试从服务器:
配置Web服务要求如下:
1:站点名称rj.com
2:站点目录为D:\webdata
3:配置https,由Bopenssl提供证书
4:设置做大连接数为1000,链接超时60s.带宽1000kb/s
5:使用W3C记录日志,时间节点为每天,当地时间为日志文件名
安装IIS管理器:
添加IIS站点:
IIS站点IP测试:
B使用openssl配置证书:
[root@b ~]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@b ~]# ls
ca.key CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl rsa -in ca.key -out ca_decrypted.key
Enter pass phrase for ca.key:
writing RSA key
[root@b ~]# ls
ca_decrypted.key ca.key CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:tj
State or Province Name (full name) []:tj
Locality Name (eg, city) [Default City]:tj
Organization Name (eg, company) [Default Company Ltd]:tj
Organizational Unit Name (eg, section) []:tj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:
[root@b ~]# ls
ca.crt ca_decrypted.key ca.key CentOS-7-x86_64-DVD-1511.iso
[root@b ~]# openssl genrsa -des3 -out www.rj.com.pem 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for www.rj.com.pem:
Verifying - Enter pass phrase for www.rj.com.pem:
[root@b ~]# ls
ca.crt ca_decrypted.key ca.key CentOS-7-x86_64-DVD-1511.iso www.rj.com.pem
[root@b ~]# openssl rsa -in www.rj.com.pem -out www.rj.com.key
Enter pass phrase for www.rj.com.pem:
writing RSA key
[root@b ~]# ls
ca.crt ca_decrypted.key ca.key CentOS-7-x86_64-DVD-1511.iso www.rj.com.key www.rj.com.pem
[root@b ~]# openssl req -new -key www.rj.com.pem -out www.rj.com.csr
Enter pass phrase for www.rj.com.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:tj
State or Province Name (full name) []:tj
Locality Name (eg, city) [Default City]:tj
Organization Name (eg, company) [Default Company Ltd]:tj
Organizational Unit Name (eg, section) []:tj
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@b ~]# touch /etc/pki/CA/index.txt
[root@b ~]# echo "01" > /etc/pki/CA/serial
[root@b ~]# openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in www.rj.com.csr -out www.rj.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
▽ Not Before: Apr 23 10:48:15 2019 GMT
Not After : Apr 22 10:48:15 2020 GMT
Subject:
countryName = tj
stateOrProvinceName = tj
localityName = tj
organizationName = tj
organizationalUnitName = tj
commonName = www.rj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
14:C9:CB:0C:7A:E3:01:DE:79:8E:54:E7:CE:C3:18:DF:33:A7:E4:61
X509v3 Authority Key Identifier:
keyid:78:58:77:77:6A:0B:59:7D:FD:FF:9B:4E:02:9C:1E:D3:93:C0:7B:7C
Certificate is to be certified until Apr 22 10:48:15 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@b ~]# openssl pkcs12 -export -out www.rj.com.pfx -inkey www.rj.com.key -in www.rj.com.crt
Enter Export Password:
Verifying - Enter Export Password:
安装vsftp将www.rj.com.pfx共享给Windows:
[root@b ~]# yum install vsftpd* -y > /dev/null
[root@b ~]# systemctl resstart vsftpd
Unknown operation 'resstart'.
[root@b ~]# systemctl restart vsftpd
[root@b ~]# cp www.rj.com.pfx /var/ftp/pub/
Windows查看共享并下载到本地:
导入证书:
绑定HTTPS:
测试:
关于信任此证书可自行导入本地信任。
设置网站最大连接数及超时和带宽:
生成日志:
B配置FTP可参考B卷FTP设置(完全一样)
B卷(链接)
至此C卷服务器部分已完,本人认为HTTPS还是有问题的,但是确实也不知道有什么好的办法了,若有知道的朋友,请联系我。