
Week 9 Assignment

2016-10-30 01:47, 375 views
1. Describe in detail the process of an encrypted communication session, ideally with a diagram.

SSL protocol basics: the SSL protocol sits between TCP/IP and the various application-layer protocols, and is itself divided into two layers:
① SSL record protocol: built on top of a reliable transport-layer protocol (TCP), it provides the upper-layer protocols with basic services such as data encapsulation, compression and encryption.
② SSL handshake protocol: runs on top of the SSL record protocol; before any application data is transferred, the two parties use it to authenticate each other, negotiate the encryption algorithms and exchange the encryption keys.

SSL communication process:
① The browser sends a connection request to the server; the server returns its certificate (containing the server public key S_PuKey), the kinds of symmetric encryption algorithms it supports and other related information to the client.
② The client browser checks whether the CA certificate sent by the server was issued by a CA it trusts. If so, proceed to step 4; otherwise, show the user a warning asking whether to continue.
③ The client browser compares the information in the certificate, such as the validity period, the server domain name and the public key S_PK, with the information the server returned; if they agree, the browser has authenticated the server.
④ The server asks the client to send the client certificate (containing the client public key C_PuKey), the symmetric encryption schemes it supports and other related information. On receipt, the server performs the same identity check; if verification fails, the connection is refused.
⑤ From the cipher types sent by the client browser, the server selects the strongest scheme, encrypts the choice with the client public key C_PubKey and notifies the browser.
⑥ The client decrypts it with its private key C_prKey to learn which scheme the server chose, then selects a session key Key, encrypts it with the server public key S_PuKey and sends it to the server.
⑦ The server decrypts the message from the browser with its private key S_PrKey and obtains the session key Key.
⑧ All subsequent data transfer is encrypted with this symmetric key Key.

The above is the communication process of mutually authenticated SSL, where both the server and the user must hold certificates. In short, SSL uses an asymmetric-key mechanism to authenticate both parties and establish the connection, and a symmetric-key mechanism to protect the data during the actual data exchange.

2. Describe the process of creating a private CA and issuing certificates for certificate requests sent by clients.

Step 1: Create the private key on the host that will become the private CA
[root@TESTSVR1 ~]# cd /etc/pki/CA
[root@TESTSVR1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................................................................................+++
e is 65537 (0x10001)
Step 2: Create the files the CA host needs
[root@TESTSVR1 CA]# touch {index.txt,serial}
[root@TESTSVR1 CA]# echo 01 > serial
Step 3: The CA host generates its own certificate, i.e. issues a self-signed certificate to itself
[root@TESTSVR1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:trans
Organizational Unit Name (eg, section) []:si
Common Name (eg, your name or your server's hostname) []:ca.trans.com
Email Address []:admin@trans.com
Step 4: The host that will use the certificate generates a certificate signing request
[root@TESTSVR2 tmp]# mkdir ssl
[root@TESTSVR2 tmp]# cd ssl
[root@TESTSVR2 ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
..++++++
e is 65537 (0x10001)
[root@TESTSVR2 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:trans
Organizational Unit Name (eg, section) []:si
Common Name (eg, your name or your server's hostname) []:web.trans.com
Email Address []:admin@trans.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@TESTSVR2 ssl]# ll
总用量 8
-rw-r--r--. 1 root root 700 10月 29 15:59 httpd.csr
-rw-------. 1 root root 887 10月 29 15:57 httpd.key
Step 5: Transfer the request file to the CA host with scp
[root@TESTSVR2 ssl]# scp httpd.csr root@192.168.2.41:/tmp/
The authenticity of host '192.168.2.41 (192.168.2.41)' can't be established.
RSA key fingerprint is 82:b3:88:c4:e5:5a:99:79:0c:44:60:a3:ed:b1:3f:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.41' (RSA) to the list of known hosts.
root@192.168.2.41's password:
httpd.csr                                               100%  700     0.7KB/s   00:00
Step 6: The CA host signs the certificate in response to the request
[root@TESTSVR1 CA]#  openssl ca -in /tmp/httpd.csr -out certs/web.trans.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 29 08:05:06 2016 GMT
Not After : Oct 29 08:05:06 2017 GMT
Subject:
countryName               = cn
stateOrProvinceName       = guangzhou
organizationName          = trans
organizationalUnitName    = si
commonName                = web.trans.com
emailAddress              = admin@trans.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EF:50:FF:9C:6F:BC:23:04:6B:B7:AA:67:46:BD:42:34:B5:B5:4B:31
X509v3 Authority Key Identifier:
keyid:49:5C:E2:87:2E:39:1B:C8:0E:DF:6E:39:4E:68:E4:01:2E:F4:C4:4B
Certificate is to be certified until Oct 29 08:05:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 7: The CA host sends the signed certificate back to the requesting host
[root@TESTSVR1 CA]# scp certs/web.trans.com.crt 192.168.2.42:/tmp/ssl/
The authenticity of host '192.168.2.42 (192.168.2.42)' can't be established.
RSA key fingerprint is a2:e7:82:94:f3:5d:47:10:27:12:b5:17:f2:e8:06:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.42' (RSA) to the list of known hosts.
root@192.168.2.42's password:
web.trans.com.crt                                       100% 3850     3.8KB/s   00:00
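The private-CA flow of question 2 (which question 7 repeats for the HTTPS host), as an added example that is not code from the original post: it runs the same openssl steps non-interactively in a throw-away directory (assumed to stand in for /etc/pki/CA, with the post's subject values), then checks the issued certificate the way a client does in question 1, trusted issuer first, hostname second.

```shell
# Added example (not from the original post): question 2's private CA, run
# non-interactively in a scratch directory, then verified like a client would.
# Assumed: WORK is a throw-away dir standing in for /etc/pki/CA.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"; CA="$WORK/ca"

write_cnf() {   # minimal config for `openssl req` / `openssl ca`; $dir is expanded by openssl
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:web.trans.com
EOF
}
build_ca() {    # steps 1-3 of the post: CA key, index.txt + serial, self-signed CA certificate
    mkdir -p "$CA/private" "$CA/newcerts" "$CA/certs"; write_cnf
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    : > "$CA/index.txt"; echo 01 > "$CA/serial"
    openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -days 7300 \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/C=cn/ST=guangdong/L=guangzhou/O=trans/OU=si/CN=ca.trans.com"
}
issue_server_cert() {   # steps 4 and 6: CSR for web.trans.com, signed with `openssl ca` (-batch: no prompts)
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -subj "/C=cn/ST=guangdong/L=guangzhou/O=trans/OU=si/CN=web.trans.com"
    openssl ca -batch -config "$WORK/openssl.cnf" -in "$WORK/httpd.csr" \
        -out "$CA/certs/web.trans.com.crt" -days 365 2>/dev/null
}
verify_chain() {        # the client-side checks of question 1: trusted issuer, then hostname match
    crt="$CA/certs/web.trans.com.crt"
    openssl verify -CAfile "$CA/cacert.pem" "$crt" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$crt" -noout -checkhost web.trans.com | grep -q 'does match'
}
next_serial() { cat "$CA/serial"; }   # `openssl ca` bumps this after each issue: 01 -> 02
build_ca; issue_server_cert
verify_chain && echo "web.trans.com.crt chains to ca.trans.com; next serial $(next_serial)"
```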
3. Set up a DNS server that resolves the magedu.com domain (choose the hostnames and IPs yourself). (1) It must provide forward and reverse resolution for a number of hostnames; (2) delegate the subdomain cdn.magedu.com, with the subdomain's own server resolving the hostnames inside it; (3) to keep the DNS service highly available, design a scheme and write out its implementation in detail.

(1) Forward and reverse resolution of hostnames
① Install bind
[root@TESTSVR3 ~]# yum install bind
② Edit the main configuration file
[root@TESTSVR3 ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };     // listen on port 53 on all addresses
listen-on-v6 port 53 { ::1; };
directory       "/var/named";
dump-file       "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { any; };       // accept queries from any address
recursion yes;
dnssec-enable no;       // DNSSEC features turned off
dnssec-validation no;   // DNSSEC features turned off
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
③ Add the forward and reverse zones
[root@TESTSVR3 ~]# vim /etc/named.rfc1912.zones
Append the following two zone definitions to the end of the file, one for forward and one for reverse resolution.
zone "magedu.com." IN {
type master;
file "magedu.com.zone";
allow-transfer { 192.168.2.44; };
};    // forward zone
zone "2.168.192.in-addr.arpa" IN {
type master;
file "2.168.192.zone";
allow-transfer { 192.168.2.44; };
};    // reverse zone
④ Configure the forward zone file
[root@TESTSVR3 ~]# vim /var/named/magedu.com.zone
$TTL 1D
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com.  admin.magedu.com. (
                2016102901
                1H
                5M
                7D
                12H )
        IN      NS      ns1             ; must name a host that has an A record below
        IN      NS      ns2             ; used by the secondary DNS
        IN      MX  10  mx1
ns1     IN      A       192.168.2.43
ns2     IN      A       192.168.2.44    ; used by the secondary DNS
mx1     IN      A       192.168.2.43
www     IN      A       192.168.2.43
ftp     IN      CNAME   www
⑤ Configure the reverse zone file
[root@TESTSVR3 ~]# vim /var/named/2.168.192.zone
$TTL 86400
$ORIGIN 2.168.192.in-addr.arpa.
@   IN  SOA     ns1.magedu.com.  admin.magedu.com. (
            2016102601
            1H
            5M
            7D
            12H )
    IN  NS      ns1.magedu.com.
@   IN  NS      ns2.magedu.com.    ; used by the secondary DNS
43  IN  PTR     ns1.magedu.com.
44  IN  PTR     ns2.magedu.com.    ; used by the secondary DNS
43  IN  PTR     www.magedu.com.
43  IN  PTR     mx1.magedu.com.
⑥ Check the forward and reverse zone files
[root@TESTSVR3 ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2016102901
OK
[root@TESTSVR3 ~]# named-checkzone 2.168.192.in-addr.arpa /var/named/2.168.192.zone
zone 2.168.192.in-addr.arpa/IN: loaded serial 2016102601
OK
⑦ Start the name service
[root@TESTSVR3 ~]# service named start
启动 named:                                               [确定]
⑧ Forward resolution check
[root@TESTSVR3 ~]# dig @192.168.2.43 www.magedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.2 <<>> @192.168.2.43 www.magedu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46452
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com.            IN    A
;; ANSWER SECTION:
www.magedu.com.        86400    IN    A    192.168.2.43
;; AUTHORITY SECTION:
magedu.com.        86400    IN    NS    ns2.magedu.com.
magedu.com.        86400    IN    NS    ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.        86400    IN    A    192.168.2.43
ns2.magedu.com.        86400    IN    A    192.168.2.44
;; Query time: 1 msec
;; SERVER: 192.168.2.43#53(192.168.2.43)
;; WHEN: Sun Oct 30 05:59:03 2016
;; MSG SIZE  rcvd: 116
⑨ Reverse resolution test
[root@TESTSVR3 ~]# dig -x 192.168.2.43 @192.168.2.43
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.2 <<>> -x 192.168.2.43 @192.168.2.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65223
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;43.2.168.192.in-addr.arpa.    IN    PTR
;; ANSWER SECTION:
43.2.168.192.in-addr.arpa. 86400 IN    PTR    www.magedu.com.
43.2.168.192.in-addr.arpa. 86400 IN    PTR    mx1.magedu.com.
43.2.168.192.in-addr.arpa. 86400 IN    PTR    ns1.magedu.com.
;; AUTHORITY SECTION:
2.168.192.in-addr.arpa.    86400    IN    NS    ns2.magedu.com.
2.168.192.in-addr.arpa.    86400    IN    NS    ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.        86400    IN    A    192.168.2.43
ns2.magedu.com.        86400    IN    A    192.168.2.44
;; Query time: 1 msec
;; SERVER: 192.168.2.43#53(192.168.2.43)
;; WHEN: Sun Oct 30 06:00:22 2016
;; MSG SIZE  rcvd: 171
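A pre-flight lint for zone files like the two above, added here as an example that is not part of the original post and meant to run beside named-checkzone, not instead of it: it reports NS targets that have no A record in the zone (the way a stray NS name turns a delegation lame) and extracts the SOA serial so it can be compared before a reload. The zone text inside the script is constructed from the forward zone above, with one deliberately unmatched NS target.

```shell
# Added example, not from the original post. Constructed sample: the forward
# zone above, except that the first NS record names "ns", which has no A record.
set -eu
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 1D
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com. admin.magedu.com. (
                2016102901 1H 5M 7D 12H )
        IN      NS      ns          ; no A record for "ns" below
        IN      NS      ns2         ; secondary
        IN      MX  10  mx1
ns1     IN      A       192.168.2.43
ns2     IN      A       192.168.2.44
mx1     IN      A       192.168.2.43
www     IN      A       192.168.2.43
ftp     IN      CNAME   www
EOF

zone_serial() {   # $1 = zone file; prints the SOA serial (first all-digit token after "SOA")
    awk '/^[[:space:]]*;/ { next }
         { sub(/;.*/, "") }
         /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

missing_glue() {  # $1 = zone file, $2 = origin; prints in-zone NS targets with no A record; returns 1 if any
    awk -v origin="$2" '
        function in_zone(n) { return n !~ /\.$/ || substr(n, length(n) - length(origin) + 1) == origin }
        /^[[:space:]]*;/ { next }
        { sub(/;.*/, "") }
        { for (i = 1; i < NF; i++) {
              if ($i == "NS") ns[$(i + 1)] = 1              # NS target is the next field
              if ($i == "A" && $1 != "IN") a[$1] = 1        # owner of an A record is field 1
          } }
        END { bad = 0
              for (n in ns) if (in_zone(n) && !(n in a)) { print n; bad = 1 }
              exit bad }' "$1"
}

echo "SOA serial: $(zone_serial "$ZONE")"
missing_glue "$ZONE" magedu.com. || echo "^ NS targets without glue: fix them, then bump the serial"
# Corrected copy: point the NS record at ns1, which does have an A record
ZONE_FIXED=$(mktemp)
sed 's/NS[[:space:]]*ns[[:space:]]/NS      ns1 /' "$ZONE" > "$ZONE_FIXED"
missing_glue "$ZONE_FIXED" magedu.com. && echo "fixed zone: every in-zone NS target has glue"
```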
(2) Keeping the DNS service highly available
Add the secondary DNS server's records to the forward and reverse zone files; they are already marked in the configuration above. The secondary DNS only needs the zone definitions, not the zone data files: its data is transferred from the master and stored under /var/named/slaves/. Edit /etc/named.rfc1912.zones on the secondary DNS server and append the following:
zone "magedu.com" IN {
type slave;
masters { 192.168.2.43; };
file "slaves/magedu.com.zone";
allow-transfer { none; };
};
zone "2.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.2.43; };
file "slaves/2.168.192.zone";
allow-transfer { none; };
};
Set type to slave (secondary) and point masters { 192.168.2.43; }; at the primary server; allow-transfer { none; }; means this secondary does not let any other host transfer the zone data from it. Then run named-checkconf to catch syntax errors, and start the service with service named start.

(3) Subdomain delegation
The parent zone's server is 192.168.2.43, the parent's secondary is 192.168.2.44, and the subdomain's server is 192.168.2.45.
① Add the NS and A records in the parent zone file
[root@TESTSVR3 ~]# vim /var/named/magedu.com.zone
cdn.magedu.com. IN      NS      ns.cdn.magedu.com.
ns.cdn.magedu.com.      IN      A       192.168.2.45
② Now configure the subdomain's DNS
[root@TESTSVR5 ~]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";    // the zone file created in the next step
};
zone "magedu.com" IN {
type forward;
forward only;
forwarders { 192.168.2.43; };
};
③ Edit the zone file on the subdomain's server
[root@TESTSVR5 ~]# vim /var/named/cdn.magedu.com.zone
$TTL 86400
@       IN      SOA     ns.cdn.magedu.com.  admin.cdn.magedu.com. (
                2016102901
                2H
                5M
                7D
                12H )
        IN      NS      ns.cdn.magedu.com.
        IN      MX  10  mx1.cdn.magedu.com.
ns.cdn.magedu.com.      IN      A       192.168.2.45
mx1.cdn.magedu.com.     IN      A       192.168.2.45
www     IN      A       192.168.2.45
Check the syntax, then reload the service.

4. Describe the complete handling of an HTTP request.
① Ask the root name server to resolve the domain name; the root server returns the corresponding IP information.
② The user's web browser establishes a TCP connection to port 80 on the server with the three-way handshake.
③ Once the TCP connection is up, send the HTTP request. Its format consists of the request method, the URL and the protocol version; the methods are GET, HEAD, POST, PUT, DELETE, OPTIONS and TRACE. For example: start line, such as GET / HTTP/1.0 (request method, request URL, protocol used); headers: name/value pairs such as User-Agent and Host; body.
④ The server answers the client with the HTTP response headers; once the client has acknowledged them, the HTTP server sends the data.
⑤ The browser receives the data, parses it and renders the page for the user.
⑥ When the data transfer is complete, the TCP connection is closed with the four-way teardown.

5. Which processing models does httpd support, and which environments does each suit?
The request-processing models httpd supports are mainly prefork, worker and event.
prefork: multi-process model, one process per request. One master process spawns n child processes (also called worker processes), each of which handles one user request; even when no requests are pending, several idle processes are pre-spawned and wait for requests to arrive; the number never exceeds 1024.
worker: multi-threaded model, one thread per request. One master process spawns several child processes, each child spawns several threads, and each thread handles one request.
event: event-driven model, each thread handles n requests. One master process spawns m child processes, each of which directly handles n requests.
Suitable scenarios: prefork suits systems that lack thread-safe libraries and must avoid thread-compatibility problems; worker suits HTTP servers with a small memory footprint and high traffic, with the drawback that if one thread crashes, the whole process dies along with all of its threads. prefork is slightly faster than worker, but it also needs somewhat more CPU and memory than worker.

6. Build an httpd server (compiled from source) that provides two name-based virtual hosts: (a) www1.stuX.com, document root /web/vhosts/www1, error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access; (b) www2.stuX.com, document root /web/vhosts/www2, error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access; (c) give each virtual host its own index.html whose content is the corresponding hostname; (d) expose httpd's status information at www1.stuX.com/server-status, accessible only with a username and password (status:status).

I. Compile and install httpd
① Compile and install apr
[root@TESTSVR6 apr-1.5.1]# ./configure --prefix=/usr/local/apr
[root@TESTSVR6 apr-1.5.1]#make && make install
② Compile and install apr-util
[root@TESTSVR6 ]# cd apr-util-1.5.4
[root@TESTSVR6 apr-util-1.5.4]# ./configure  --with-apr=/usr/local/apr --prefix=/usr/local/apr-util
[root@TESTSVR6 apr-util-1.5.4]# make && make install
③ Compile and install httpd
[root@TESTSVR6 ]# cd httpd-2.4.23
[root@TESTSVR6 httpd-2.4.23]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most  --enable-mpms-shared=all --with-mpm=prefork
[root@TESTSVR6 httpd-2.4.23]# make && make install
II. Create the sites
① Create the site directories
[root@TESTSVR6 httpd-2.4.23]# mkdir -pv /web/vhosts/{www1,www2}/
mkdir: 已创建目录 "/web"
mkdir: 已创建目录 "/web/vhosts"
mkdir: 已创建目录 "/web/vhosts/www1/"
mkdir: 已创建目录 "/web/vhosts/www2/"
② Create the site files
[root@TESTSVR6 httpd-2.4.23]# echo "www1.stuX.com" > /web/vhosts/www1/index.html
[root@TESTSVR6 httpd-2.4.23]# echo "www2.stuX.com" > /web/vhosts/www2/index.html
III. Create the virtual hosts
① Edit the main configuration file
[root@TESTSVR6 httpd-2.4.23]# vim /usr/local/apache/conf/httpd.conf
#DocumentRoot "/usr/local/apache/htdocs"
Include conf/extra/httpd-vhosts.conf
② Edit the virtual host file
[root@TESTSVR6 httpd-2.4.23]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
#   ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/web/vhosts/www1"
ServerName www1.stuX.com
#   ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www1.err"
CustomLog "/var/log/httpd/www1.access" common

<Directory "/web/vhosts/www1">
options none
allowoverride none
Require all granted
</Directory>

</VirtualHost>

<VirtualHost *:80>
#   ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/web/vhosts/www2"
ServerName www2.stuX.com
ErrorLog "/var/log/httpd/www2.err"
CustomLog "/var/log/httpd/www2.access" common

<Directory "/web/vhosts/www2">
options none
allowoverride none
Require all granted
</Directory>

</VirtualHost>
③ Create the status monitoring page and add authentication
[root@TESTSVR6 apache]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
#   ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/web/vhosts/www1"
ServerName www1.stuX.com
#   ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www1.err"
CustomLog "/var/log/httpd/www1.access" common

<location /server-status>
SetHandler server-status
AuthType Basic
AuthName "Server-Status"
AuthUserFile "/usr/local/apache/.htpasswd"
Require valid-user
</location>

<Directory "/web/vhosts/www1">
options none
allowoverride none
Require all granted
</Directory>

</VirtualHost>
④ Create the virtual user
[root@TESTSVR6 ]#htpasswd -c -m  /usr/local/apache/.htpasswd status
⑤ Restart and test
[root@TESTSVR6]# /usr/local/apache/bin/apachectl restart
[root@TESTSVR6 apache]# curl www1.stuX.com
www1.stuX.com
[root@TESTSVR6 apache]# curl www2.stuX.com
www2.stuX.com
7. Provide HTTPS for the second virtual host of question 6 so that users can reach the site securely over https. (1) Use certificate authentication; the certificate must carry the country (CN), state (HA), city (ZZ) and organization (MageEdu); (2) set the department to Ops, the hostname to www2.stuX.com and the email to admin@stuX.com.

Step 1: Create the private key on the host that will become the private CA
[root@TESTSVR1 ~]# cd /etc/pki/CA
[root@TESTSVR1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................................................................................+++
e is 65537 (0x10001)
Step 2: Create the files the CA host needs
[root@TESTSVR1 CA]# touch {index.txt,serial}
[root@TESTSVR1 CA]# echo 01 > serial
Step 3: The CA host generates its own certificate, i.e. issues a self-signed certificate to itself
[root@TESTSVR1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:admin@stux.com
Step 4: The host that will use the certificate generates a certificate signing request
[root@www etc]# mkdir /etc/httpd/certs
[root@www etc]# cd /etc/httpd/certs
[root@www certs]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 1024 bit long modulus
.++++++
..++++++
e is 65537 (0x10001)
[root@www certs]# openssl req -new -key httpd.key -out httpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:admin@stux.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 5: Sign the request so that httpd can use the resulting digital certificate
[root@www certs]# ls
httpd.csr httpd.key
[root@www certs]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 29 09:15:06 2016 GMT
Not After : Oct 29 09:15:06 2017 GMT
Subject:
countryName               = CN
stateOrProvinceName       = HA
organizationName          = MageEdu
organizationalUnitName    = Ops
commonName                = www2.stux.com
emailAddress              = admin@stux.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9A:84:73:63:C0:82:7F:45:21:9C:BA:2B:4C:FB:C3:87:7C:BA:63:58
X509v3 Authority Key Identifier:
keyid:1C:57:C2:12:E4:D3:A6:4F:9A:7A:C6:53:7F:5B:7B:86:1E:75:0D:57
Certificate is to be certified until Oct 29 09:15:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 6: Configure the HTTPS server for encrypted transport
[root@www certs]# yum install mod_ssl -y
[root@www ~]# rpm -qa mod_ssl
mod_ssl-2.2.15-39.el6.centos.x86_64
[root@www conf.d]# ls
mod_dnssd.conf  README ssl.conf  welcome.conf
[root@www conf.d]# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 192.168.0.130:443>
DocumentRoot "/web/vhosts/www2"
ServerName www2.stuX.com:443
SSLEngine on
SSLCertificateFile /etc/httpd/certs/httpd.crt
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
8. Set up a Samba share of the directory /data (describe the complete process): 1) the share name is shared and the workgroup is magedu; 2) add the group develop and the users gentoo, centos and ubuntu, where gentoo and centos have develop as a supplementary group and ubuntu does not belong to develop; each password equals the username; 3) add the Samba users gentoo, centos and ubuntu, all with the password "mageedu"; 4) only the develop group may write to the shared share; every other user gets read-only access; 5) the Samba service only accepts hosts from the 172.16.0.0/16 network.

Step 1: Install the Samba service
[root@TESTSVR7 ~]# yum -y install samba*
Step 2: Add the users and set their passwords
[root@TESTSVR7 ~]# groupadd develop
[root@TESTSVR7 ~]# useradd -G develop gentoo
[root@TESTSVR7 ~]# useradd -G develop centos
[root@TESTSVR7 ~]# useradd ubuntu
[root@TESTSVR7 ~]# echo "gentoo" | passwd --stdin gentoo
[root@TESTSVR7 ~]# echo "centos" | passwd --stdin centos
[root@TESTSVR7 ~]# echo "ubuntu" | passwd --stdin ubuntu
[root@TESTSVR7 ~]# smbpasswd -a gentoo
New SMB password:
Retype new SMB password:
Added user gentoo.
[root@TESTSVR7 ~]# smbpasswd -a centos
New SMB password:
Retype new SMB password:
Added user centos.
[root@TESTSVR7 ~]# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:
Added user ubuntu.
Step 3: Edit /etc/samba/smb.conf
workgroup = magedu
hosts allow = 192.168.2
[shared]
comment = Haosmb
path = /data
guest = yes
writable = no
write list = +develop
Restart the service with service smb restart.

9. Build a vsftpd file-sharing service with the shared directory /ftproot (describe the complete process): 1) access is based on virtual users; 2) anonymous users may only download, not upload; 3) confine every user to its home directory; 4) limit the maximum number of concurrent connections to 200; 5) the maximum transfer rate for anonymous users is 512KB/s; 6) the virtual user accounts are stored in a mysql database; 7) the database is shared over NFS.

Step 1: Install the required software: mysql and pam_mysql
[root@TESTSVR8 ~]# yum -y install vsftpd mysql-server mysql-devel pam_mysql
Step 2: Create the virtual user accounts
① Prepare the database and its table. First make sure the mysql service is running. Then create the database that will hold the virtual users; here it is named vsftpd.
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'www.magedu.com';
mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by 'www.magedu.com';
mysql> flush privileges;
mysql> use vsftpd;
mysql> create table users (
-> id int AUTO_INCREMENT NOT NULL,
-> name char(20) binary NOT NULL,
-> password char(48) binary NOT NULL,
-> primary key(id)
-> );
② Add virtual users for testing. Add whichever users you need; note that, for safety, the password should be stored encrypted with the PASSWORD function.
mysql> insert into users(name,password) values('tom',password('magedu'));
mysql> insert into users(name,password) values('jerry',password('magedu'));
Step 3: Configure vsftpd
① Create the file PAM authentication needs
[root@TESTSVR8 ~]#vi /etc/pam.d/vsftpd.mysql
Add the following two lines
# crypt=2 compares against MySQL PASSWORD() hashes, matching how the rows above were inserted (crypt=0 would expect plain text)
auth    required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=www.magedu.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
Note: depending on how mysql was installed, pam_mysql.so may have trouble connecting to the mysql server over the unix socket; in that case, grant a mysql user that can connect remotely and access the vsftpd database.
② Modify the vsftpd configuration so that it authenticates against mysql
Create the system user the virtual users map to, and its directory
[root@TESTSVR8 ~]# useradd -s /sbin/nologin -d /var/ftproot vuser
[root@TESTSVR8 ~]# chmod go+rx /var/ftproot
Make sure the following options are enabled in /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
local_root=/ftproot
anon_root=/ftproot
Then add the following options
guest_enable=YES
guest_username=vuser
and make sure the pam_service_name option reads as follows
pam_service_name=vsftpd.mysql
Step 4: Start the vsftpd service
[root@TESTSVR8 ~]# service vsftpd start
[root@TESTSVR8 ~]# chkconfig vsftpd on
Step 5: Give virtual users different access permissions
vsftpd can keep a separate configuration file per user in a configuration directory to define that user's FTP access; each virtual user's file is named after the user. The directory can be any unused directory; you only need to give its path in vsftpd.conf.
① Configure vsftpd to use a per-user configuration directory for virtual users
[root@TESTSVR8 ~]# vim vsftpd.conf
Add the following option
user_config_dir=/etc/vsftpd/vusers_config
② Create the directory and provide a configuration file for each virtual user
[root@TESTSVR8 ~]# mkdir /etc/vsftpd/vusers_config/
[root@TESTSVR8 ~]# cd /etc/vsftpd/vusers_config/
[root@TESTSVR8 ~]# touch tom jerry
③ Configure the virtual users' access permissions
A virtual user's access to vsftpd is controlled through the anonymous-user directives. For example, to let the user tom upload and delete files, edit /etc/vsftpd/vusers_config/tom and add the following options.
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
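A check of a vsftpd.conf against the requirements listed in question 9, added here as an example that is not from the original post: it reads each option the way vsftpd does (last assignment wins) and reports every requirement that is unmet or left at vsftpd's default. Both sample files are constructed inside the script; the first is the configuration shown above, the second adds the two options (max_clients, anon_max_rate) that the transcript never sets and that default to 0, meaning unlimited.

```shell
# Added example, not from the original post: compare a vsftpd.conf with the
# numbered requirements of question 9. Sample files are constructed below.
set -eu

conf_get() {      # $1 = file, $2 = key; prints the last value set for the key ("" if unset)
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# requirement number : key=value that satisfies it (512KB/s given to vsftpd in bytes/s)
REQUIRED="1:guest_enable=YES 6:pam_service_name=vsftpd.mysql
2:anonymous_enable=YES 2:anon_upload_enable=NO 2:anon_mkdir_write_enable=NO 2:anon_other_write_enable=NO
3:chroot_local_user=YES 4:max_clients=200 5:anon_max_rate=512000"

vsftpd_check() {  # $1 = vsftpd.conf; prints one finding per unmet requirement; returns 1 if any
    rc=0
    for item in $REQUIRED; do
        req=${item%%:*}; pair=${item#*:}; key=${pair%%=*}; want=${pair#*=}
        have=$(conf_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "req $req: $key not set, vsftpd default applies (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "req $req: $key=$have (want $want)"; rc=1
        fi
    done
    return $rc
}

PAGE_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$PAGE_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
local_root=/ftproot
anon_root=/ftproot
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
EOF
# Corrected copy: the two options the transcript leaves at their defaults
{ cat "$PAGE_CONF"; echo "max_clients=200"; echo "anon_max_rate=512000"; } > "$FIXED_CONF"

vsftpd_check "$PAGE_CONF" || echo "-> add the missing options, then restart vsftpd"
vsftpd_check "$FIXED_CONF" && echo "all listed requirements are met"
```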