magedu.com-网络班第四期-29-张健华-第六次作业
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了magedu.com-网络班第四期-29-张健华-第六次作业相关的知识,希望对你有一定的参考价值。
本周作业内容:
1、详细描述一次加密通讯的过程,结合图示最佳。
一、client_hello
客户端发起请求,以明文传输请求信息,包含版本信息,加密套件候选列表,压缩算法候选列表,随机数,扩展字段等信息,相关信息如下:
支持的最高TSL协议版本version,从低到高依次 SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2,当前基本不再使用低于 TLSv1 的版本
客户端支持的加密套件 cipher suites 列表, 每个加密套件对应前面 TLS 原理中的四个功能的组合:认证算法 Au (身份验证)、密钥交换算法 KeyExchange(密钥协商)、对称加密算法 Enc (信息加密)和信息摘要 Mac(完整性校验)
支持的压缩算法 compression methods 列表,用于后续的信息压缩传输
随机数 random_C,用于后续的密钥的生成
二、server_hello+server_certificate+sever_hello_done
server_hello, 服务端返回协商的信息结果,包括选择使用的协议版本 version,选择的加密套件 cipher suite,选择的压缩算法 compression method、随机数 random_S 等,其中随机数用于后续的密钥协商
server_certificates, 服务器端配置对应的证书链,用于身份验证与密钥交换
server_hello_done,通知客户端 server_hello 信息发送结束
三、证书校验
客户端验证证书的合法性,如果验证通过才会进行后续通信,否则根据错误情况不同做出提示和操作,合法性验证包括如下:
[证书链]的可信性 trusted certificate path
证书是否吊销 revocation,有两类方式离线 CRL 与在线 OCSP,不同的客户端行为会不同
有效期 expiry date,证书是否在有效时间范围
域名 domain,核查证书域名是否与当前的访问域名匹配,匹配规则后续分析
四、client_key_exchange+change_cipher_spec+encrypted_handshake_message
client_key_exchange,合法性验证通过之后,客户端计算产生随机数字 Pre-master,并用证书公钥加密,发送给服务器
此时客户端已经获取全部的计算协商密钥需要的信息:两个明文随机数 random_C 和 random_S 与自己计算产生的 Pre-master,计算得到协商密钥
enc_key=Fuc(random_C, random_S, Pre-Master)
change_cipher_spec,客户端通知服务器后续的通信都采用协商的通信密钥和加密算法进行加密通信
encrypted_handshake_message,结合之前所有通信参数的 hash 值与其它相关信息生成一段数据,采用协商密钥 session secret 与算法进行加密,然后发送给服务器用于数据与握手验证
五、change_cipher_spec+encrypted_handshake_message
服务器用私钥解密加密的 Pre-master 数据,基于之前交换的两个明文随机数 random_C 和 random_S,计算得到协商密钥:enc_key=Fuc(random_C, random_S, Pre-Master)
计算之前所有接收信息的 hash 值,然后解密客户端发送的 encrypted_handshake_message,验证数据和密钥正确性
change_cipher_spec, 验证通过之后,服务器同样发送 change_cipher_spec 以告知客户端后续的通信都采用协商的密钥与算法进行加密通信
encrypted_handshake_message, 服务器也结合所有当前的通信参数信息生成一段数据并采用协商密钥 session secret 与算法加密并发送到客户端
六、握手结束
客户端计算所有接收信息的 hash 值,并采用协商密钥解密 encrypted_handshake_message,验证服务器发送的数据和密钥,验证通过则握手完成
七、加密通信
开始使用协商密钥与算法进行加密通信
2、描述创建私有CA的过程,以及为客户端发来的证书请求进行办法证书。
[[email protected]8 ~]# cd /etc/pki/CA ###在CA主机 node8 上创建CA时所需要的文件
[[email protected] CA]# ls
certs crl newcerts private
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
certs crl index.txt newcerts private serial
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) ###创建私钥文件
Generating RSA private key, 2048 bit long modulus
...............................................+++
...........+++
e is 65537 (0x10001)
[[email protected] CA]# ls -l private/
total 4
-rw------- 1 root root 1675 Mar 24 00:05 cakey.pem
[[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem ###CA主机生成证书请求,自己为自己颁发证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Magedu Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.com
Email Address []:[email protected]
[[email protected] ~]# cd /etc/httpd ###需要使用证书的主机 node6 上生成私钥文件
[[email protected] httpd]# mkdir ssl
[[email protected] httpd]# cd ssl
[[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key 2048) ###生成私钥文件
Generating RSA private key, 2048 bit long modulus
..+++
.............................................................................+++
e is 65537 (0x10001)
[[email protected] ssl]# ls
httpd.key
[[email protected] ssl]# openssl req -new -key httpd.key -days 365 -out http.csr ###生成CA请求
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Magedu Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server‘s hostname) []:node6.magedu.com
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# scp http.csr [email protected]:/tmp/ ###向CA主机发送请求请求
[email protected]‘s password:
http.csr 100% 1066 1.0KB/s 00:00
[[email protected] tmp]# openssl req -new -key httpd.key -days 365 -out http.csr ###CA签署证书
Error opening Private Key httpd.key
139911856179016:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen(‘httpd.key‘,‘r‘)
139911856179016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
[[email protected] tmp]# openssl ca -in /tmp/http.csr -out /tmp/crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 24 07:24:23 2017 GMT
Not After : Mar 24 07:24:23 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Magedu Ltd
organizationalUnitName = Ops
commonName = node6.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
84:4B:9D:5A:39:8B:78:B8:1D:FE:35:01:5C:91:38:41:87:47:C2:E5
X509v3 Authority Key Identifier:
keyid:C3:E6:6E:C1:1D:21:CF:B7:23:CE:95:1C:F0:CB:3D:06:E1:67:65:16
Certificate is to be certified until Mar 24 07:24:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] tmp]# scp /tmp/crt 192.168.1.60:/etc/httpd/ssl ###CA将签署过的证书发回发送请求的主机
[email protected]‘s password:
crt 100% 4652 4.5KB/s 00:00
[[email protected] ssl]# ll ###CA签署的证书已经生成
total 16
-rw-r--r-- 1 root root 4652 Mar 24 00:26 crt
-rw-r--r-- 1 root root 1066 Mar 24 00:18 http.csr
-rw------- 1 root root 1679 Mar 24 00:16 httpd.key
[[email protected] CA]# cat index.txt ###查看证书的索引文件
V180324072423Z01unknown/C=CN/ST=Beijing/O=Magedu Ltd/OU=Ops/CN=node6.magedu.com/[email protected]
3、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
(1)、能够对一些主机名进行正向解析和逆向解析;
(2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
(3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
[[email protected] ~]# yum install bind ###安装dns服务器命令,命令可加-y选项
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
.
.
.
Total download size: 5.0 M
Is this ok [y/N]: y ###手动输入y,同意安装
Downloading Packages:
(1/3): bind-9.8.2-0.47.rc1.el6_8.4.x86_64.rpm | 4.0 MB 00:04
(2/3): bind-libs-9.8.2-0.47.rc1.el6_8.4.x86_64.rpm | 890 kB 00:00
(3/3): bind-utils-9.8.2-0.47.rc1.el6_8.4.x86_64.rpm | 187 kB 00:00
--------------------------------------------------------------------------------
.
.
.
Installed:
bind.x86_64 32:9.8.2-0.47.rc1.el6_8.4
Dependency Updated:
bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.4
bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.4
Complete! ###完成安装
[[email protected] ~]#rpm -ql bind | less ###rpm -q获得软件包相关搜索的信息,在-q子选项中l查看指定的程序包安装后生成的所有文件
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf ###主配置文件
/etc/named.iscdlv.key
/etc/named.rfc1912.zones ###区域配置文件
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named ###启动脚本
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named ###脚本的配置文件
.
/usr/sbin/named ###主程序
.
/var/log/named.log ###日志文件
/var/named ###解析库文件
/var/named/data
[[email protected] named]# ls ###在/var/named 区域解析库
data
dynamic
named.ca ###全球根服务器
named.empty
named.localhost
named.loopback
slaves
[[email protected] named]# service named start ###启动named程序服务
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
[[email protected] named]# vim /etc/named.conf ###主配置
options { ###主配置:options {}
// listen-on port 53 { 127.0.0.1; }; ###行首//表示注销本行,表示监听所有地址
// listen-on-v6 port 53 { ::1; }; ###在C和C++下行首//表示注销本行
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; }; ###本行localhost表示仅允许本机来访问,可以修改为any表示所有人能访问
recursion yes;
// dnssec-enable yes; ###DNS安全认证的机制
// dnssec-validation yes; ###DNS安全认证的机制
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
//
// managed-keys-directory "/var/named/dynamic";
};
[[email protected] named]# vim /etc/named.rfc1912.zones ###区域解析库
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "magedu.com" IN { ###创建magedun.com解析库
type master; ###类型为主
file "magedu.com.zone";
};
[[email protected] named]# cd /var/named ###
[[email protected] named]# vim magedu.com.zone ###创建magedu.com.zone并设置
$TTL 86400 ### 缓存有效期86400秒=1天
@ IN SOA ns1.magedu.com. admin.magedu.com ( ###4列为主DNS服务器名称,5列为管理员邮箱
2017020801 ###序列号
1H ###刷新时间
5M ###重置时间
7D ###过期时间7天
1D ) ###否定答案时间1天
IN NS ns1.magedu.com.
IN NS NS2.magedu.com.
IN MX 10 MX1
IN MX 20 mx2
ns1 IN A 192.168.1.156
ns2 IN A 192.168.1.159
mx1 IN A 192.168.1.13
mx2 IN A 192.168.1.14
www IN A 192.168.1.156
ftp IN CNAME www
[[email protected] named]# named-checkconf ###检查主配置文件是否有语法错误
[[email protected] named]# named-checkzone "magedu.com" /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 4133585741
OK
###检测域名magedu.com和区域解析库文件有没有语法错误
[[email protected] named]# pwd
/var/named
[[email protected] named]# ll
-rw-r--r--. 1 root root 619 Feb 7 22:15 magedu.com.zone
[[email protected] named]# id named
uid=25(named) gid=25(named) groups=25(named)
[[email protected] named]# chmod 640 magedu.com.zone ###修改属组只读,其他用户无权限
[[email protected] named]# ll
-rw-r-----. 1 root root 619 Feb 7 22:15 magedu.com.zone
[[email protected] named]# chown :named magedu.com.zone ###修改属组为named,这样named程序能访问
-rw-r-----. 1 root named 619 Feb 7 22:15 magedu.com.zone
[[email protected] named]# service named restart ###重启named服务
Stopping named: . [ OK ]
Starting named: [ OK ]
[[email protected] named]# rndc status ###显示详细信息
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4
CPUs found: 1
worker threads: 1
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[[email protected] named]# service named reload ###让named重读配置
Reloading named: [ OK ]
[[email protected] named]# dig -t A www.magedu.com @192.168.1.156 ###让本机测试
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.magedu.com @192.168.1.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com.INA
;; ANSWER SECTION:
www.magedu.com.86400INA192.168.1.156
;; AUTHORITY SECTION:
magedu.com.86400INNSns1.magedu.com.
magedu.com.86400INNSNS2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.86400INA192.168.1.156
NS2.magedu.com.86400INA192.168.1.12
;; Query time: 30 msec
;; SERVER: 192.168.1.175#53(192.168.1.156)
;; WHEN: Tue Feb 7 23:27:25 2017
;; MSG SIZE rcvd: 116
[[email protected] named]# vim /etc/named.rfc1912.zones ###增加反向区域解析库
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
};
[[email protected] named]# vim 192.168.1.zone ###配置反向解析
$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa. ###arpa后的.必不可少
@ IN SOA ns1.magedu.com. admin.magedu.com. ( :wq ###com后的.必不可少
2017020801
1H
5M
7D
1D )
IN NS ns1.magedu.com. ###com后的.必不可少
IN NS ns2.magedu.com. ###com后的.必不可少
156 IN PTR ns1.magedu.com. ###com后的.必不可少
156 IN PTR www.magedu.com. ###com后的.必不可少
12 IN PTR nx1.magedu.com. ###com后的.必不可少
12 IN PTR www.magedu.com. ###com后的.必不可少
13 IN PTR nx2.magedu.com. ###com后的.必不可少
[[email protected] named]# chmod 640 192.168.1.zone
[[email protected] named]# chown :named 192.168.1.zone
[[email protected] named]# named-checkzone "1.168.192. in-addr.arpa" 192.168.1.zone
zone 1.168.192.in-addr.arpa/IN: loaded serial 2017020801
OK
[[email protected] named]# named-checkconf ###检测主配置文件是否有错
[[email protected] named]# service named reload
Reloading named: [ OK ]
[[email protected] named]# host -t PTR 192.168.1.156 192.168.1.156 ###测试
Using domain server:
Name: 192.168.1.156
Address: 192.168.1.156#53
Aliases:
175.1.168.192.in-addr.arpa domain name pointer www.magedu.com.
175.1.168.192.in-addr.arpa domain name pointer ns1.magedu.com.
[[email protected] named]# dig -x 192.168.1.12 @192.168.1.156 ###测试反向解析
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -x 192.168.1.12 @192.168.1.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51564
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;12.1.168.192.in-addr.arpa.INPTR
;; ANSWER SECTION:
12.1.168.192.in-addr.arpa. 86400 INPTRnx1.magedu.com. ###反向解析
12.1.168.192.in-addr.arpa. 86400 INPTRwww.magedu.com. ###反向解析
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.86400INNSns1.magedu.com.
1.168.192.in-addr.arpa.86400INNSns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.86400INA192.168.1.156
ns2.magedu.com.86400INA192.168.1.12
;; Query time: 0 msec
;; SERVER: 192.168.1.175#53(192.168.1.156)
;; WHEN: Wed Feb 8 00:53:27 2017
;; MSG SIZE rcvd: 157
[[email protected] slaves]# service iptables stop ###Linux防火墙(Iptables)关闭 即时生效,重启后失效
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[[email protected] ~]# yum install bind -y
.
.
.
Dependency Updated:
bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.4
bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.4
Complete!
[[email protected] ~]# vim /etc/named.conf ###修改配置
options {
listen-on port 53 { 192.168.1.156; 127.0.0.1; }; ###增加192.168.1.156;
// listen-on-v6 port 53 { ::1; }; ###注销本行
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; ###修改any
recursion yes;
// dnssec-enable yes; ###注销本行
// dnssec-validation yes; ###注销本行
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key"; ###注销本行
//
// managed-keys-directory "/var/named/dynamic"; ###注销本行
};
[[email protected] ~]# vim /etc/named.rfc1912.zones ###增加
zone "magedu.com" IN {
type slave;
masters { 192.168.1.156; };
file "slaves/magedu.com.zone";
};
[[email protected] slaves]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 3 192.168.1.159:53 *:*
[[email protected] slaves]# ss -unl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 192.168.1.159:53 *:*
[[email protected] slaves]# dig -t axfr magedu.com @192.168.1.159
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t axfr magedu.com @192.168.1.159
;; global options: +cmd
magedu.com.86400INSOAns1.magedu.com. admin.magedu.com.magedu.com. 20170208 3600 300 604800 86400
magedu.com.86400INMX10 MX1.magedu.com.
magedu.com.86400INMX20 mx2.magedu.com.
magedu.com.86400INNSns1.magedu.com.
magedu.com.86400INNSns2.magedu.com.
ftp.magedu.com.86400INCNAMEwww.magedu.com.
mx1.magedu.com.86400INA192.168.1.13
mx2.magedu.com.86400INA192.168.1.14
ns1.magedu.com.86400INA192.168.1.156
ns2.magedu.com.86400INA192.168.1.159
www.magedu.com.86400INA192.168.1.156
magedu.com.86400INSOAns1.magedu.com. admin.magedu.com.magedu.com. 20170208 3600 300 604800 86400
;; Query time: 21 msec
;; SERVER: 192.168.1.159#53(192.168.1.159)
;; WHEN: Thu Feb 9 23:47:46 2017
;; XFR size: 12 records (messages 1, bytes 299)
[[email protected] slaves]# rndc reload
server reload successful
[[email protected] slaves]# service named reload
Reloading named: [ OK ]
[[email protected] ~]# cd /var/named/slaves
[[email protected] slaves]#ls
magedu.com.zone
[[email protected] slaves]# cat magedu.com.zone
$ORIGIN .
$TTL 86400; 1 day
magedu.comIN SOAns1.magedu.com. admin.magedu.com.magedu.com. (
20170208 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NSns1.magedu.com.
NSns2.magedu.com.
MX10 MX1.magedu.com.
MX20 mx2.magedu.com.
$ORIGIN magedu.com.
ftpCNAMEwww
mx1A192.168.1.13
mx2A192.168.1.14
ns1A192.168.1.156
ns2A192.168.1.159
wwwA192.168.1.156
[[email protected] ~]# vim /etc/named.conf ###配置父域服务器主配置文件
options {
// listen-on port 53 { 192.168.1.156; 127.0.0.1; }; ###注销本行
// listen-on-v6 port 53 { ::1; }; ###注销本行
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no; ###修改dnssec-enable no
dnssec-validation no; ###dnssec-validation no
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key"; ###注销本行
//
// managed-keys-directory "/var/named/dynamic"; ###注销本行
};
[[email protected] ~]# vim /etc/named.rfc1912.zones ###增加区域解析库文件
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
[[email protected] ~]# cd /var/named
[[email protected] named]# vim magedu.com.zone
$ORIGIN magedu.com.
.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
20170208
1H
5M
7D
1D )
IN NS ns1
IN NS ns2
IN MX 10 MX1
IN MX 20 mx2
ns1 IN A 192.168.1.156
ns2 IN A 192.168.1.160
www IN A 192.168.1.156
* IN A 192.168.1.156
cdn IN NS ns1.cdn ####增加子域
cdn IN NS ns2.cdn ####增加子域
ns1.cdn IN A 192.168.1.156 ####增加子域
ns2.cdn IN A 192.168.1.160 ####增加子域
[[email protected] named]# chmod 640 magedu.com.zone ###修改属组只读,其他用户无权限
[[email protected] named]# ll
-rw-r-----. 1 root root 619 Feb 7 22:15 magedu.com.zone
[[email protected] named]# chown :named magedu.com.zone ###修改属组为named,这样named程序能访问
-rw-r-----. 1 root named 619 Feb 7 22:15 magedu.com.zone
[[email protected] named]# service named reload
Reloading named: [ OK ]
[[email protected] named]# dig -t A www.magedu.com @192.168.1.156 ###测试父域
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.magedu.com @192.168.1.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52751
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com.INA
;; ANSWER SECTION:
www.magedu.com.86400INA192.168.1.156
;; AUTHORITY SECTION:
magedu.com.86400INNSns2.magedu.com.
magedu.com.86400INNSns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.86400INA192.168.1.156
ns2.magedu.com.86400INA192.168.1.160
;; Query time: 3 msec
;; SERVER: 192.168.1.156#53(192.168.1.156)
;; WHEN: Fri Feb 10 01:09:42 2017
;; MSG SIZE rcvd: 116
[[email protected] ~]# vim /etc/named.conf ###配置子域服务器
options {
// listen-on port 53 { 192.168.1.156; 127.0.0.1; 192.168.1.159; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
//
// managed-keys-directory "/var/named/dynamic";
};
[[email protected] named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[[email protected] named]# vim /etc/named.rfc1912.zones ###配置区域文件增加
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
[[email protected] ~]# cd /var/named
[[email protected] named]# vim cdn.magedu.com.zone
$TTL 1d
$ORIGIN cdn.magedu.com.
@ IN SOA ns1.cdn.magedu.com. admin.cdn.magedu.com. (
20170208
1H
5M
7D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 192.168.1.159
ns2 IN A 192.168.1.160
www IN A 192.168.1.160
* IN A 192.168.1.160
~
~
[[email protected] named]# chmod 640 cdn.magedu.com.zone ###修改属组只读,其他用户无权限
[[email protected] named]# ll
-rw-r-----. 1 root root 619 Feb 7 22:15 cdn.magedu.com.zone
[[email protected] named]# chown :named cdn.magedu.com.zone ###修改属组为named,这样named程序能访问
-rw-r-----. 1 root named 619 Feb 7 22:15 cdn.magedu.com.zone
[[email protected] named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[[email protected] named]# dig -t A www.cdn.magedu.com @192.168.1.159 ###测试子域服务是否正常
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.cdn.magedu.com @192.168.1.159
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7327
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.cdn.magedu.com.INA
;; ANSWER SECTION:
www.cdn.magedu.com.86400INA192.168.1.160
;; AUTHORITY SECTION:
cdn.magedu.com.86400INNSns1.cdn.magedu.com.
cdn.magedu.com.86400INNSns2.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.86400INA192.168.1.159
ns2.cdn.magedu.com.86400INA192.168.1.160
;; Query time: 0 msec
;; SERVER: 192.168.1.159#53(192.168.1.159)
;; WHEN: Fri Feb 10 01:22:48 2017
;; MSG SIZE rcvd: 120
[[email protected] named]# dig -t NS cdn.magedu.com @192.168.1.156 +norecurse ####在父域中解析+norecurse不进行递归请求
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t NS cdn.magedu.com @192.168.1.156 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26678
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;cdn.magedu.com.INNS
;; AUTHORITY SECTION:
cdn.magedu.com.86400INNSns1.cdn.magedu.com.
cdn.magedu.com.86400INNSns2.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.86400INA192.168.1.156
ns2.cdn.magedu.com.86400INA192.168.1.160
;; Query time: 0 msec
;; SERVER: 192.168.1.156#53(192.168.1.156)
;; WHEN: Fri Feb 10 01:39:48 2017
;; MSG SIZE rcvd: 100
[[email protected] named]# vim /etc/named.conf ###在父域中配置转发服务器
options {
// listen-on port 53 { 192.168.1.156; 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
forward first; ###定义全局转发
forwarders { 210.22.84.3; }; ###定义转发服务器地址
dnssec-enable no; ###设置为dnssec-enable no
dnssec-validation no; ###设置为dnssec-validation no
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
//
// managed-keys-directory "/var/named/dynamic";
};
[[email protected] named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[[email protected] named]# dig -t A www.baidu.com @192.168.1.156 ###测试转发服务器
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.baidu.com @192.168.1.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44891
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com.INA
;; ANSWER SECTION:
www.baidu.com.830INCNAMEwww.a.shifen.com.
www.a.shifen.com.94INA61.135.169.125
www.a.shifen.com.94INA61.135.169.121
;; AUTHORITY SECTION:
.172084INNSb.root-servers.net.
.172084INNSm.root-servers.net.
.172084INNSh.root-servers.net.
.172084INNSa.root-servers.net.
.172084INNSk.root-servers.net.
.172084INNSf.root-servers.net.
.172084INNSe.root-servers.net.
.172084INNSj.root-servers.net.
.172084INNSl.root-servers.net.
.172084INNSi.root-servers.net.
.172084INNSd.root-servers.net.
.172084INNSc.root-servers.net.
.172084INNSg.root-servers.net.
;; Query time: 470 msec
;; SERVER: 192.168.1.156#53(192.168.1.156)
;; WHEN: Mon Feb 13 20:48:31 2017
;; MSG SIZE rcvd: 301
[[email protected] named]#vim /etc/named.rfc1912.zones ###增加子域区域解析库的转发机制
zone "magedu.com" IN {
type forward;
forward only;
forwarders { 192.168.1.156; };
};
[[email protected] named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[[email protected] named]# rndc flush ###清除dns缓存
[[email protected] named]# dig -t A www.magedu.com @192.168.1.159 ###测试本机
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.magedu.com @192.168.1.159
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60596
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com.INA
;; ANSWER SECTION:
www.magedu.com.86400INA192.168.1.156
;; AUTHORITY SECTION:
magedu.com.86400INNSns2.magedu.com.
magedu.com.86400INNSns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.86400INA192.168.1.156
ns2.magedu.com.86400INA192.168.1.160
;; Query time: 3 msec
;; SERVER: 192.168.1.159#53(192.168.1.159)
;; WHEN: Mon Feb 13 21:23:16 2017
;; MSG SIZE rcvd: 116
[[email protected] named]# dig -t A www.baidu.com @192.168.1.159 ###测试baidu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t A www.baidu.com @192.168.1.159
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53453
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.baidu.com.INA
;; ANSWER SECTION:
www.baidu.com.1200INCNAMEwww.a.shifen.com.
www.a.shifen.com.300INA111.206.223.205
www.a.shifen.com.300INA111.206.223.206
;; AUTHORITY SECTION:
a.shifen.com.1200INNSns4.a.shifen.com.
a.shifen.com.1200INNSns1.a.shifen.com.
a.shifen.com.1200INNSns5.a.shifen.com.
a.shifen.com.1200INNSns2.a.shifen.com.
a.shifen.com.1200INNSns3.a.shifen.com.
;; ADDITIONAL SECTION:
ns1.a.shifen.com.1200INA61.135.165.224
ns2.a.shifen.com.1200INA180.149.133.241
ns5.a.shifen.com.1200INA119.75.222.17
ns4.a.shifen.com.1200INA115.239.210.176
ns3.a.shifen.com.1200INA61.135.162.215
;; Query time: 1841 msec
;; SERVER: 192.168.1.159#53(192.168.1.159)
;; WHEN: Mon Feb 13 21:31:17 2017
;; MSG SIZE rcvd: 260
[[email protected] named]# vim /etc/named.conf ###在主配置中增加访问控制选项
acl slaves {
192.168.1.156; 127.0.0.1;
};
[[email protected] named]# dig -t AXFR magedu.com @192.168.1.156 ###测试本机成功
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t AXFR magedu.com @192.168.1.156
;; global options: +cmd
magedu.com.86400INSOAns1.magedu.com. admin.magedu.com. 20170208 3600 300 604800 86400
magedu.com.86400INNSns1.magedu.com.
magedu.com.86400INNSns2.magedu.com.
magedu.com.86400INMX10 MX1.magedu.com.
magedu.com.86400INMX20 mx2.magedu.com.
*.magedu.com.86400INA192.168.1.156
ftp.magedu.com.86400INCNAMEwww.magedu.com.
mx1.magedu.com.86400INA192.168.1.13
mx2.magedu.com.86400INA192.168.1.14
ns1.magedu.com.86400INA192.168.1.156
ns2.magedu.com.86400INA192.168.1.160
cdn.magedu.com.86400INNSns1.cdn.magedu.com.
cdn.magedu.com.86400INNSns2.cdn.magedu.com.
ns1.cdn.magedu.com.86400INA192.168.1.156
www.magedu.com.86400INA192.168.1.156
magedu.com.86400INSOAns1.magedu.com. admin.magedu.com. 20170208 3600 300 604800 86400
;; Query time: 21 msec
;; SERVER: 192.168.1.156#53(192.168.1.156)
;; WHEN: Tue Feb 14 00:20:35 2017
;; XFR size: 16 records (messages 1, bytes 362)
[[email protected] named]# dig -t AXFR magedu.com @192.168.1.159 ###测试其他地址失败
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t AXFR magedu.com @192.168.1.159
;; global options: +cmd
; Transfer failed.
4、请描述一次完整的http请求处理过程;
(1) 建立或处理连接:接收请求或拒绝请求
(2) 接收请求:
接收来自于网络的请求报文中对某资源的一次请求的过程;
并发访问响应模型(Web I/O):
单进程I/O结构:启动一个进程处理用户请求,而且一次只处理一个;多个请求被串行响应;
多进程I/O结构:并行启动多个进程,每个进程响应一个请求;
复用I/O结构:一个进程响应n个请求;
多线程模型:一个进程生成N个线程,每个线程响应一个用户请求;
事件驱动:event-driven
复用的多进程I/O结构:启动多个(m)进程,每个进程响应n个请求;
(3) 处理请求:对请求报文进行解析,并获取请求的资源及请求方法等相关信息
元数据:请求报文首部
<method:请求方法> <URL:> <VERSION:>
Host: www.magedu.com 请求的主机名称
Connection:这次请求的链接方式
(4) 访问资源:获取请求报文中请求的资源
web服务器,即存放了web资源的服务器,负责向请求者提供对方请求的静态资源,或动态运行后生成的资源;这些资源放置于本地文件系统某路径下,此路径通常称为DocRoot
文档根:/var/www/html/
images/1.jpg
示例 http://www.magedu.com/images/1.jpg路径映射为/var/www/html/images/1.jpg
web服务器资源路径映射方式:
(a) docroot
(b) alias
(c) 虚拟主机docroot
(d) 用户家目录docroot
(5) 构建响应报文
资源的MIME类型:
显式分类
魔法分类
协商分类
URL重定向:web服务构建的响应并非客户端请求的资源,而是资源另外一个访问路径;
(6) 发送响应报文
(7) 记录日志
5、httpd所支持的处理模型有哪些,他们的分别使用于哪些环境。
(1)prefork:多进程模型,每个进程响应一个请求;
一个主进程:负责生成n个子进程,子进程也称为工作进程,每个子进程处理一个用户请求;
即便没有用户请求,也会预先生成多个空闲进程,随时等待请求到达;
最大不会超过1024个;
(2)worker:多线程模型,每个线程响应一个请求;
一个主进程:生成多个子进程,每个子进程负责生个多个线程,每个线程响应一个请求;
(3)event:事件驱动模型,每个线程响应n个请求;
一个主进程:生成m个子进程,每个进程直接n个请求;
6、建立httpd服务器(基于编译的方式进行),要求:
提供两个基于名称的虚拟主机:
(a)www1.stuX.com,页面文件目录为/web/vhosts/www1;错误日志为/var/log/httpd/www1.err,访问日志为/var/log/httpd/www1.access;
(b)www2.stuX.com,页面文件目录为/web/vhosts/www2;错误日志为/var/log/httpd/www2.err,访问日志为/var/log/httpd/www2.access;
(c)为两个虚拟主机建立各自的主页文件index.html,内容分别为其对应的主机名;
(d)通过www1.stuX.com/server-status输出httpd工作状态相关信息,且只允许提供帐号密码才能访问(status:status);
[[email protected] ~]# rpm -ql httpd ###安装生成文件
[[email protected] ~]# rpm -qc httpd ###安装生成配置文件
/etc/httpd/conf.d/welcome.conf ###/etc/httpd/conf.d/为主配置文件提供辅助
/etc/httpd/conf/httpd.conf ###主配置文件 ,/etc/httpd/系统程序根目录
/etc/rc.d/init.d/httpd ###服务脚本
/etc/sysconfig/httpd ###服务脚本的配置文件
/var/www/error/HTTP_NOT_FOUND.html.var ###提供报错网页
/var/www/error/HTTP_BAD_GATEWAY.html.var ###提供报错网页
[[email protected] ~]# rpm -ql httpd |grep bin ###主程序文件有3个
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
/var/log/httpd ###日志文件
access_log ###访问日志
error_log ###错误日志
[[email protected] conf]# yum install httpd -y ###按装httpd服务
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
.
.
.
Updated:
httpd.x86_64 0:2.2.15-56.el6.centos.3
Dependency Updated:
httpd-tools.x86_64 0:2.2.15-56.el6.centos.3
Complete!
[[email protected] conf]#cd /etc/httpd/conf
[[email protected] conf]#vim httpd.conf ###修改监听端口
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80
Listen 192.168.1.173:80 ###修改监听本机80端口
[[email protected] conf]# service httpd start ###启动httpd服务
Starting httpd: httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[[email protected] conf]# telnet 192.168.1.173 80 ###测试服务
Trying 192.168.1.173...
Connected to 192.168.1.173.
Escape character is ‘^]‘.
^
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>^ to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.
[[email protected] conf]# ps aux |grep httpd ###查看httpd启动使用的模块
root 4233 0.0 0.3 184356 3856 ? Ss 22:46 0:00 /usr/sbin/httpd
apache 4236 0.0 0.3 184488 3084 ? S 22:46 0:00 /usr/sbin/httpd
apache 4237 0.0 0.2 184488 2520 ? S 22:46 0:00 /usr/sbin/httpd
apache 4238 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
apache 4239 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
apache 4240 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
apache 4241 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
apache 4242 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
apache 4243 0.0 0.2 184488 2512 ? S 22:46 0:00 /usr/sbin/httpd
root 4338 0.0 0.0 103252 840 pts/0 S+ 22:59 0:00 grep httpd
[[email protected] conf]# httpd -l ###查看静态编译的模块
Compiled in modules: ###
core.c ###核心莫块
prefork.c ###启动类型为prefork
http_core.c ###httpd功能模块
mod_so.c ###支持模块装卸载功能
[[email protected] conf]# httpd -M ###查看静态编译的模块和动态装载的模块
[[email protected] conf]# vim /etc/sysconfig/httpd ###修改配置启动worker模块
# Configuration file for the httpd service.
#
# The default processing model (MPM) is the process-based
# ‘prefork‘ model. A thread-based model, ‘worker‘, is also
# available, but does not work with some modules (such as php).
# The service must be stopped before changing this variable.
#
#HTTPD=/usr/sbin/httpd.worker
HTTPD=/usr/sbin/httpd.worker ###是脚本默认配置启用worker模块
#
[[email protected] conf]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd.worker: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[[email protected] conf]# ps aux |grep httpd ###查看httpd启动使用的模块为worker
root 4443 0.0 0.4 184564 4076 ? Ss 23:11 0:00 /usr/sbin/httpd.worker
apache 4446 0.0 0.5 528824 5392 ? Sl 23:11 0:00 /usr/sbin/httpd.worker
apache 4448 0.0 0.5 528824 5380 ? Sl 23:11 0:00 /usr/sbin/httpd.worker
apache 4449 0.0 0.5 528824 5388 ? Sl 23:11 0:00 /usr/sbin/httpd.worker
root 4559 0.0 0.0 103252 840 pts/0 S+ 23:11 0:00 grep httpd
[[email protected] conf]# service iptables stop ###iptables关闭服务
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[[email protected] conf]# setenforce 0 ###关闭selinux
[[email protected] conf]# cd ~
[[email protected] ~]# mkdir /www/htdocs -pv
mkdir: created directory `/www‘
mkdir: created directory `/www/htdocs‘
[[email protected] ~]# vim /www/htdocs/index.html ###编辑个测试页面
test page
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件修改路径
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
#DocumentRoot "/var/www/html"
DocumentRoot "/www/htdocs" ###编辑主配置文件修改路径
[[email protected] ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd.worker: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件修改路径
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/www/htdocs"> ###编辑路径为/www/htdocs
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options -Indexes FollowSymLinks ###Indexes索引功能默认开启,建议关闭在Indexes前加“-”
[[email protected] ~]# cd /www/htdocs/
[[email protected] htdocs]# ls
index.html
[[email protected] htdocs]# mv index.html test.html
[[email protected] htdocs]# cp /etc/fstab fstab.html
[[email protected] htdocs]# ls /etc/httpd/conf.d/
mod_dnssd.conf README welcome.conf
[[email protected] htdocs]# mv /etc/httpd/conf.d/welcome.conf{,.bak}
[[email protected] htdocs]# !se
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd.worker: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options None ###修改FollowSymLinks 为None,不允许跟踪符号链接文件
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件做访问控制
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all ###允许所有主机访问
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件日志设定
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host‘s errors will be logged there and not here.
#
ErrorLog logs/error_log
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
[[email protected] htdocs]# tail /var/log/httpd/access_log ###查看日志
192.168.1.191 - - [16/Feb/2017:18:16:37 -0800] "GET / HTTP/1.1" 403 281 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件网页别名
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn‘t aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/var/www/icons/"
Alias /bbs/ "/forum/" ###别名设置把/bbs/替换为/forum/
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf ###编辑主配置文件
<Directory "/www/htdocs/admin">
Options None
AllowOverride None
AuthType Basic ###认证方式Basic
AuthName "admin private"
AuthUserFile "/etc/httpd/conf.d/.htpasswd" ###用户帐号文件
Require valid-user ###允许所有用户访问
</Directory>
[[email protected] htdocs]# htpasswd -c -m /etc/httpd/conf.d/.htpasswd tom ###提供账号和密码存储 -c首次创建文件
New password:
Re-type new password:
Adding password for user tom
[[email protected] htdocs]# htpasswd -m /etc/httpd/conf.d/.htpasswd jerry ###使用md5加密用户密码
New password:
Re-type new password:
Adding password for user jerry
[[email protected] htdocs]# tail /etc/httpd/conf.d/.htpasswd ###
tom:$apr1$1v8JvrvI$efJgvcFucqCUeFoV/HlEN/
jerry:$apr1$3Dra68QB$abLxY3gMIG7RebtPBs35B/
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
<Directory "/www/htdocs/admin">
Options None
AllowOverride None
AuthType Basic
AuthName "admin private"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user jerry ###指明只有jerry能登陆
# Require valid-user
</Directory>
[[email protected] htdocs]# service httpd reload ###重读配置文件
Reloading httpd:
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
<Directory "/www/htdocs/admin">
Options None
AllowOverride None
AuthType Basic
AuthName "admin private"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
AuthGroupFile "/etc/httpd/conf.d/.htgroup" ###配置组文件
Require group webadmin ###指明webadmin组能访问
# Require valid-user
</Directory>
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/www/htdocs"
<VirtualHost 192.168.1.191:80>
ServerName web1.magedu.com
DocumentRoot "/vhosts/web1/htdocs"
</VirtualHost>
<VirtualHost 192.168.1.10:80>
ServerName web2.magedu.com
DocumentRoot "/vhosts/web2/htdocs"
</VirtualHost>
[[email protected] htdocs]# service httpd configtest ###测试语法错误 或者httpd -t简写
Warning: DocumentRoot [/vhosts/web1/htdocs] does not exist
Warning: DocumentRoot [/vhosts/web2/htdocs] does not exist
httpd.worker: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
Syntax OK
[[email protected] htdocs]# cd ~
[[email protected] ~]# mkdir -pv /vhosts/{web1,web2,web3,web4}/htdocs ###创建报错的文件
mkdir: created directory `/vhosts‘
mkdir: created directory `/vhosts/web1‘
mkdir: created directory `/vhosts/web1/htdocs‘
mkdir: created directory `/vhosts/web2‘
mkdir: created directory `/vhosts/web2/htdocs‘
mkdir: created directory `/vhosts/web3‘
mkdir: created directory `/vhosts/web3/htdocs‘
mkdir: created directory `/vhosts/web4‘
mkdir: created directory `/vhosts/web4/htdocs‘
[[email protected] ~]# vim /vhosts/web1/htdocs/index.html
page at web1
[[email protected] ~]# vim /vhosts/web2/htdocs/index.html
page at web2
[[email protected] ~]# httpd -t
httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
Syntax OK
[[email protected] ~]# ip addr add 192.168.1.10/16 dev eth0 ###为虚拟机添加第二个网址
[[email protected] ~]# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d9:ac:68 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.191/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.10/16 scope global eth0
inet6 fe80::20c:29ff:fed9:ac68/64 scope link
valid_lft forever preferred_lft forever
3: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether 6a:5d:05:41:b8:0d brd ff:ff:ff:ff:ff:ff
[[email protected] ~]# service httpd reload ###重读配置文件
Reloading httpd:
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf ###配置基于端口的访问控制
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080 ###修改监听所有8080端口
<VirtualHost 192.168.1.10:8080> ###修改web3端口8080
ServerName web3.magedu.com
DocumentRoot "/vhosts/web3/htdocs"
</VirtualHost>
[[email protected] ~]# vim /vhosts/web3/htdocs/index.html
page at web3
[[email protected] ~]# service httpd reload ###重读配置文件
Reloading httpd:
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
#
# Use name-based virtual hosting.
#
NameVirtualHost 192.168.1.191:80 ###修改主机名
<VirtualHost 192.168.1.191:80>
ServerName web1.magedu.com
DocumentRoot "/vhosts/web1/htdocs"
</VirtualHost>
<VirtualHost 192.168.1.191:80>
ServerName web2.magedu.com
DocumentRoot "/vhosts/web2/htdocs"
</VirtualHost>
<VirtualHost 192.168.1.191:80>
ServerName web3.magedu.com
DocumentRoot "/vhosts/web3/htdocs"
</VirtualHost>
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.1.191:80>
ServerName web1.magedu.com
DocumentRoot "/vhosts/web1/htdocs"
CustomLog logs/web1_access_log combined ###设置专用日志,日志格式combined
</VirtualHost>
[[email protected] ~]# vim /etc/hosts ###设置本机解析
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.191 web1.magedu.com web2.magedu.com web3.magedu.com
[[email protected] ~]# curl http://web1.magedu.com ###测试
page at web1
[[email protected] ~]# curl http://web2.magedu.com ###
page at web2
[[email protected] ~]# curl http://web3.magedu.com ###
page at web3
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.1.191 ###内置的status页面让本机192.168.1.191访问
</Location>
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On ###提供更详细的信息
[[email protected] htdocs]# vim /etc/httpd/conf/httpd.conf ###使用mod_deflate模块压缩页面优化传输速度
LoadModule deflate_module modules/mod_deflate.so ###启用莫块
SetOutputFilter DEFLATE
# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
[[email protected] ~]# httpd -t ###测试是否有语法错误
httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
Syntax OK
[[email protected] ~]# httpd -M |grep deflate
httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
deflate_module (shared)
Syntax OK
[[email protected] ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd.worker: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
[[email protected] ~]# cd /etc/pki/CA ###在主机192.168.1.162上生成CA证书服务器
[[email protected] CA]# ls
certs crl newcerts private
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) ###配置证书服务
Generating RSA private key, 2048 bit long modulus
..........................................................+++
..........................................................+++
e is 65537 (0x10001)
[[email protected] CA]# ll
total 16
drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs
drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl
drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts
drwx------. 2 root root 4096 Feb 19 22:06 private
[[email protected] CA]# ll private/
total 4
-rw-------. 1 root root 1675 Feb 19 22:06 cakey.pem
[[email protected] CA]# touch index.txt ###创建
[[email protected] CA]# echo 01 >serial ###输入
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300 ###配置
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Benjing
Organization Name (eg, company) [Default Company Ltd]:MageEdu Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.com
Email Address []:[email protected]
[[email protected] CA]# ll ###查看
total 24
-rw-r--r--. 1 root root 1432 Feb 19 22:11 cacert.pem
drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs
drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl
-rw-r--r--. 1 root root 0 Feb 19 22:08 index.txt
drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts
drwx------. 2 root root 4096 Feb 19 22:06 private
-rw-r--r--. 1 root root 3 Feb 19 22:08 serial
[[email protected] ~]# (umask 077;openssl genrsa -out httpd.key 1024) ###在主机192.168.1.191添加客户端CA
Generating RSA private key, 1024 bit long modulus
....................................................................++++++
....++++++
e is 65537 (0x10001)
[[email protected] ~]# ll
total 68
-rw-------. 1 root root 2674 Feb 7 03:16 anaconda-ks.cfg
-rw-------. 1 root root 887 Feb 19 22:16 httpd.key
-rw-r--r--. 1 root root 41433 Feb 7 03:16 install.log
-rw-r--r--. 1 root root 9154 Feb 7 03:14 install.log.syslog
[[email protected] ~]# cd /etc/httpd
[[email protected] httpd]# ls
conf conf.d logs modules run
[[email protected] httpd]# cd ssl/
-bash: cd: ssl/: No such file or directory
[[email protected] httpd]# mkdir ssl
[[email protected] httpd]# cd ssl
[[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key 1024) ###配置
Generating RSA private key, 1024 bit long modulus
....................++++++
......++++++
e is 65537 (0x10001)
[[email protected] ssl]# ll
total 4
-rw-------. 1 root root 887 Feb 19 22:17 httpd.key
[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr ###配置
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server‘s hostname) []:web1.magedu.com
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: ###密码为空
An optional company name []: ###密码为空
[[email protected] ssl]# ll
total 8
-rw-r--r--. 1 root root 712 Feb 19 22:33 httpd.csr
-rw-------. 1 root root 887 Feb 19 22:17 httpd.key
[[email protected] ssl]# scp httpd.csr [email protected]:/tmp/ ###传送信息去CA服务器
The authenticity of host ‘192.168.1.162 (192.168.1.162)‘ can‘t be established.
RSA key fingerprint is 8c:59:ee:24:7b:03:af:8d:23:5f:2e:81:89:a0:07:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.162‘ (RSA) to the list of known hosts.
[email protected]‘s password:
Permission denied, please try again.
[email protected]‘s password: ###输入服务器密码
httpd.csr 100% 712 0.7KB/s 00:00
[[email protected] ssl]#
[[email protected] CA]# openssl ca -in /tmp/httpd.csr -out certs/web1.magedu.com.crt -days 365 ###在主机192.168.1.162上配置
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 20 07:06:47 2017 GMT
Not After : Feb 20 07:06:47 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = MageEdu Ltd
organizationalUnitName = Ops
commonName = web1.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:C0:E8:6B:54:31:C6:39:29:DA:C3:CD:E8:3E:74:0D:D9:67:E5:BE
X509v3 Authority Key Identifier:
keyid:67:46:99:85:11:0E:9D:09:64:D8:9D:35:C8:E3:4D:DE:60:47:EE:2D
Certificate is to be certified until Feb 20 07:06:47 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# ls
cacert.pem crl index.txt.attr newcerts serial
certs index.txt index.txt.old private serial.old
[[email protected] CA]# ls newcerts/
01.pem
[[email protected] CA]# ls certs/
web1.magedu.com.crt
[[email protected] CA]# scp certs/web1.magedu.com.crt 192.168.1.191:/etc/httpd/ssl/ ###传送给客户端
The authenticity of host ‘192.168.1.191 (192.168.1.191)‘ can‘t be established.
RSA key fingerprint is 77:45:3b:cc:50:44:35:f8:ca:98:2e:e6:6e:c1:76:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.191‘ (RSA) to the list of known hosts.
[email protected]‘s password: ###需要输入客服端主机密码
web1.magedu.com.crt 100% 3892 3.8KB/s 00:00
[[email protected] CA]#
[[email protected] ssl]# ll ###在主机192.168.1.191上
total 12
-rw-r--r--. 1 root root 712 Feb 19 22:33 httpd.csr
-rw-------. 1 root root 887 Feb 19 22:17 httpd.key
-rw-r--r--. 1 root root 3892 Feb 19 23:14 web1.magedu.com.crt
[[email protected] ssl]# httpd -M | grep ssl
httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
Syntax OK
[[email protected] ssl]# yum install mod_ssl -y
Installed:
mod_ssl.x86_64 1:2.2.15-56.el6.centos.3
Complete!
[[email protected] ssl]# httpd -M | grep ssl
httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName
ssl_module (shared)
Syntax OK
[[email protected] ssl]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[[email protected] ssl]# cd ../conf.d/
[[email protected] conf.d]# pwd
/etc/httpd/conf.d
[[email protected] conf.d]# ls
mod_dnssd.conf README ssl.conf welcome.conf.bak
[[email protected] conf.d]# cp ssl.conf{,.bak}
[[email protected] conf.d]# vim ssl.conf
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/web1/htdocs"
ServerName web1.magedu.com
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/web1.magedu.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you‘ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[[email protected] ~]# openssl s_client -connect 192.168.1.191:443 -CAfile /etc/pki/CA/cacert.pem ###在192.168.1.162主机上测试
CONNECTED(00000003)
depth=1 C = CN, ST = Beijing, L = Benjing, O = MageEdu Ltd, OU = Ops, CN = ca.magedu.com, emailAddress = [email protected]
verify return:1
depth=0 C = CN, ST = Beijing, O = MageEdu Ltd, OU = Ops, CN = web1.magedu.com, emailAddress = [email protected]
verify return:1
---
GET / HTTP/1.1 ###请求协议
Host: web1.magedu.com
HTTP/1.1 400 Bad Request ###请求主机
Date: Mon, 20 Feb 2017 07:55:01 GMT
Server: Apache/2.2.15 (CentOS)
Vary: Accept-Encoding
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at web1.magedu.com Port 443</address>
</body></html>
closed
[[email protected] conf.d]# ab -c 100 -n 10000 http://192.168.1.181/ ####压力测试-n: 总的请求数-c:模拟的并发数
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.1.181 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: Apache/2.2.15
Server Hostname: 192.168.1.181
Server Port: 80
Document Path: /
Document Length: 277 bytes
Concurrency Level: 100
Time taken for tests: 2.039 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Non-2xx responses: 10026
Total transferred: 4812480 bytes
HTML transferred: 2777202 bytes
Requests per second: 4905.37 [#/sec] (mean)
Time per request: 20.386 [ms] (mean)
Time per request: 0.204 [ms] (mean, across all concurrent requests)
Transfer rate: 2305.37 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 7 3.6 8 29
Processing: 6 12 3.2 12 27
Waiting: 1 9 1.8 9 26
Total: 17 20 2.7 19 47
Percentage of the requests served within a certain time (ms)
50% 19
66% 20
75% 20
80% 21
90% 22
95% 23
98% 26
99% 34
100% 47 (longest request)
7、为第6题中的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点;
(1)要求使用证书认证,证书中要求使用的国家(CN)、州(HA)、城市(ZZ)和组织(MageEdu);
(2)设置部门为cdn,主机名为www2.stuX.com,邮件为[email protected];
8、建立samba共享,共享目录为/data,要求:(描述完整的过程)
1)共享名为shared,工作组为magedu;
2)添加组develop,添加用户gentoo,centos和ubuntu,其中gentoo和centos以develop为附加组,ubuntu不属于develop组;密码均为用户名;
3)添加samba用户gentoo,centos和ubuntu,密码均为“mageedu”;
4)此samba共享shared仅允许develop组具有写权限,其他用户只能以只读方式访问;
5)此samba共享服务仅允许来自于172.16.0.0/16网络的主机访问;
[[email protected] ~]# yum -y install samba
[[email protected] ~]# rpm -ql samba |less
/etc/samba/smb.conf ###主配置文件
/etc/rc.d/init.d/nmb ###启动脚本
/etc/rc.d/init.d/smb ###启动脚本
[[email protected] ~]# service nmb start;service sm start
Starting NMB services: [ OK ]
Starting SMB services: [ OK ]
[[email protected] ~]# netstat -tunl
[[email protected] samba]# groupadd develop
[[email protected] samba]# useradd -g develop centos
[[email protected] samba]# useradd -g develop gentoo
[[email protected] samba]# useradd ubuntu
[[email protected] samba]# passwd gentoo
[[email protected] samba]# passwd centos
[[email protected] samba]# passwd ubuntu
[[email protected] samba]# smbpasswd -a gentoo
[[email protected] samba]# smbpasswd -a centos
[[email protected] samba]# smbpasswd -a ubuntu
[[email protected] samba]# vim smb.conf
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
workgroup = magedu
[shared]
path = /data
guest ok = no ###来宾禁用
writable = no ###禁止写权限
write list = +develop ###添加写用户组
自定义共享
[shared_name]
path = /path/to/share_directory
comment = Comment string
guest ok = {yes|no}
public = {yes|no}
writable = {yes|no}
read only ={yes|no}
write list = +GROUP_NAME
smbpasswd:
-a Sys-user:为系统添加samba用户
-d : 禁用
-e : 启用
-x : 删除
[[email protected] samba]# testparm ###测试语法是否有错误
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = MAGEDU
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
client signing = required
idmap config * : backend = tdb
hosts allow = 192.168.0.0/24
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[shared]
path = /data
write list = +develop
read only = No
guest ok = No
[[email protected] samba]#setfacl -m g:develop:rwx /data ###对本地目录添加组权限
[[email protected] samba]# service nmb restart;service smb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[[email protected] ~]# smbclient //192.168.1.20/shared -U centos ###在samba客户机上测试
Enter centos‘s password:
Domain=[MAGEDU] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \>
smb: \> ls
. D 0 Mon Mar 27 01:36:36 2017
.. DR 0 Mon Mar 27 01:30:54 2017
test.txt 0 Mon Mar 27 01:36:36 2017
39127 blocks of size 2097152. 35626 blocks available
smb: \> lcd /etc/
smb: \> put issue ###上传成功
putting file issue as \issue (9.2 kb/s) (average 9.2 kb/s)
smb: \> ls
. D 0 Tue Mar 28 00:15:47 2017
.. DR 0 Mon Mar 27 01:30:54 2017
test.txt 0 Mon Mar 27 01:36:36 2017
issue A 47 Tue Mar 28 00:15:47 2017
39127 blocks of size 2097152. 35626 blocks available
smb: \> quit
[[email protected] ~]# smbclient //192.168.1.20/shared -U gentoo
Enter gentoo‘s password:
Domain=[MAGEDU] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
. D 0 Tue Mar 28 00:23:27 2017
.. DR 0 Mon Mar 27 01:30:54 2017
test.txt 0 Mon Mar 27 01:36:36 2017
issue A 47 Tue Mar 28 00:15:47 2017
39127 blocks of size 2097152. 35626 blocks available
smb: \> lcd /etc/
smb: \> put passwd ###上传成功
putting file passwd as \passwd (464.5 kb/s) (average 464.5 kb/s)
[[email protected] ~]# smbclient //192.168.1.20/shared -U ubuntu
Enter ubuntu‘s password:
Domain=[MAGEDU] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
. D 0 Tue Mar 28 00:23:27 2017
.. DR 0 Mon Mar 27 01:30:54 2017
test.txt 0 Mon Mar 27 01:36:36 2017
issue A 47 Tue Mar 28 00:15:47 2017
39127 blocks of size 2097152. 35626 blocks available
smb: \> lcd /etc/
smb: \> put passwd ###上传失败
NT_STATUS_ACCESS_DENIED opening remote file \passwd
smb: \> ls
. D 0 Tue Mar 28 00:23:27 2017
.. DR 0 Mon Mar 27 01:30:54 2017
test.txt 0 Mon Mar 27 01:36:36 2017
issue A 47 Tue Mar 28 00:15:47 2017
39127 blocks of size 2097152. 35626 blocks available
smb: \> ^C
9、搭建一套文件vsftp文件共享服务,共享目录为/ftproot,要求:(描述完整的过程)
1)基于虚拟用户的访问形式;
2)匿名用户只允许下载,不允许上传;
3)禁锢所有的用户于其家目录当中;
4)限制最大并发连接数为200:;
5)匿名用户的最大传输速率512KB/s
6)虚拟用户的账号存储在mysql数据库当中。
7)数据库通过NFS进行共享。
[[email protected] ~]# yum -y install vsftpd
[[email protected] ~]# rpm -ql vsftpd | less
/etc/pam.d/vsftpd ###用户认证
/etc/rc.d/init.d/vsftpd ###服务脚本
/etc/vsftpd ###配置文件目录
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/usr/sbin/vsftpd ###主程序
/var/ftp ###匿名用户共享资源位置
[[email protected] ~]# yum install finger
[[email protected] ~]# service vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[[email protected] ~]# ss -tnlp
[[email protected] ~]# yum install ftp -y ###在客户机上安装ftp客户端
Connected to 192.168.1.20 (192.168.1.20).
220 (vsFTPd 2.2.2)
Name (192.168.1.20:root): zjh2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,20,180,9).
150 Here comes the directory listing.
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Desktop
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Documents
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Downloads
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Music
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Pictures
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Public
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Templates
drwxr-xr-x 2 500 500 4096 Mar 10 02:07 Videos
226 Directory send OK.
[[email protected] ~]# cd /etc/vsftpd
[[email protected] vsftpd]# vim vsftpd.conf
anonymous_enable=YES ###启用匿名用户
anon_upload_enable=NO ###匿名用户无法上传
anon_mkdir_write_enable=NO ###匿名用户无法创建目录
anon_ohter_write_enable=YES ###匿名用户无法删除
local_enable=YES ###系统用户
write_enable=YES ###本地用户写权限
local_umask=022 ###本地用户上传文件权限
chroot_local_user=YES ###锁定所有ftp本地用户于家目录
chroot_list_enable=YES ###锁定文件中指定ftp本地用户于家目录
#chroot_list_file=/etc/vsftpd/chroot_list ###锁定的配置文件,需要手动创建
xferlog_enable=YES ###启动日志
xferlog_std_format=YES ###日志格式
#xferlog_file=/var/log/xferlog ###日志文件
#chown_uploads=YES ###改变上传文件属主
#chown_username=whoever ###改变上传文件属主
#ftpd_banner=Welcome to blah FTP service. ###开机显示信息
pam_service_name=vsftpd
userlist_enable=YES ###用户控制
userlist_deny=NO ###黑名单|白名单
/etc/vsftpd/user_list ###控制文件路径
tcp_wrappers=YES
max_client=200 ###最大并发连接数
max_per_ip ###每个ip同时发起并发请求
anon_max_ip=512 ###匿名最大传输速率
local_max_ip ###本地最大传输速率
[[email protected] vsftpd]# cd /var/ftp
[[email protected] ftp]# ls
pub
[[email protected] ftp]# mkdir upload
[[email protected] ftp]# setfacl -m u:ftp:rwx upload/
[[email protected] ftp]# getfacl upload/
# file: upload/
# owner: root
# group: root
user::rwx
user:ftp:rwx
group::r-x
mask::rwx
other::r-x
[[email protected] ftp]# service vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[[email protected] ftp]# cd /etc/vsftpd/
[[email protected] vsftpd]# ls
ftpusers user_list vsftpd.conf vsftpd.conf.bak vsftpd_conf_migrate.sh
[[email protected] vsftpd]# vim ftpusers ###黑名单
[[email protected] vsftpd]#yum install pam_mysql ###安装mysql模块
[[email protected] ~]# rpm -ql pam_mysql ####
/lib64/security/pam_mysql.so
/usr/share/doc/pam_mysql-0.7
/usr/share/doc/pam_mysql-0.7/COPYING
/usr/share/doc/pam_mysql-0.7/CREDITS
/usr/share/doc/pam_mysql-0.7/ChangeLog
/usr/share/doc/pam_mysql-0.7/NEWS
/usr/share/doc/pam_mysql-0.7/README
[[email protected] ~]# yum -y install mysql-server mysql-devel pam_mysql ###安装mysql
[[email protected] ~]# service mysqld start
[[email protected] ~]# mysql
mysql> CREATE DATABASE vsftpd; ###创建vsftpd表格
mysql> use vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO [email protected]‘192.168.%.%‘ IDENTIFIED BY ‘mageedu‘ ; ###允许远程连接
mysql> FLUSH PRIVILEGES; ###刷新
mysql> Ctrl-C -- exit!
[[email protected] vsftpd]# mysql -uvsftp -h192.168.1.134 -p ###在vsftp服务器远程登录mysql
Enter password:
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
| vsftpd |
+--------------------+
3 rows in set (0.01 sec)
mysql> Ctrl-C -- exit!
[[email protected] ~]# mysql ###在mysql服务器上创建表格,且创建新用户
mysql> CREATE TABLE users (
-> id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
-> name VARCHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.05 sec)
mysql> DESC users;
+----------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+------------------+------+-----+---------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| name | varchar(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+------------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
mysql> INSERT INTO users (name,password) VALUES (‘tom‘,password(‘mageedu‘)),(‘jerry‘,password(‘mageedu‘));
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM users;
+----+-------+-------------------------------------------+
| id | name | password |
+----+-------+-------------------------------------------+
| 1 | tom | *9A94EE7D14C10908118B62D2DA88E6932E11E438 |
| 2 | jerry | *9A94EE7D14C10908118B62D2DA88E6932E11E438 |
+----+-------+-------------------------------------------+
2 rows in set (0.00 sec)
[[email protected] vsftpd]# cd /etc/pam.d/
[[email protected] pam.d]# vim vsftpd.mysql
auth required /lib/security/pam_mysql.so user=vsftpd passwd=magedu host=192.168.1.134 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
account required /lib/security/pam_mysql.so user=vsftpd passwd=magedu host=192.168.1.134 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=0
[[email protected] vsftpd]# vim vsftpd.conf
anonymous_enable=NO
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
[[email protected] vsftpd]# mkdir vusers
[[email protected] vsftpd]# cd vusers/
[[email protected] vusers]# vim tom
non_upload_enable=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
[[email protected] vusers]# vim jerry
non_upload_enable=no
anon_mkdir_write_enable=no
anon_other_write_enable=no
本文出自 “linux” 博客,请务必保留此出处http://zjh10512.blog.51cto.com/7682381/1912408
以上是关于magedu.com-网络班第四期-29-张健华-第六次作业的主要内容,如果未能解决你的问题,请参考以下文章
马哥2016全新Linux+Python高端运维班第四期-第五次作业
马哥2016全新Linux+Python高端运维班第四期-第六次作业