Week 10


1. Describe the DNS service, then build a DNS server and implement master/slave replication and subdomain delegation.

DNS (domain name system) usually refers to the name-resolution service on the Internet: it maps host names to IP addresses and back. Forward resolution turns a host name into its IP address; reverse resolution turns an IP address into a host name (via PTR records). DNS servers listen on port 53 over both UDP and TCP.

DNS query types

A DNS query is either recursive or iterative. A recursive query is what a client (the stub resolver on a PC) normally sends to its local DNS server: the server must come back with a final answer. Iterative queries are what DNS servers send to each other: each server returns either the answer or a referral to the next server to ask.

How DNS resolution works:

Step 1: The client asks its local (recursive) DNS server to resolve a name.

Step 2: The local server checks its cache; if the record is cached it returns it immediately.

Step 3: On a cache miss the local server asks a root server, which returns a referral: the addresses of the name servers for the top-level domain (the root's child zone) of the queried name.

Step 4: The local server asks the server it was referred to; that server answers from its own data or cache, or returns a referral to the name servers one level further down.

Step 5: Step 4 repeats until the authoritative server for the name returns the record.

Step 6: The local server caches the result (for the record's TTL) and returns it to the client.

Building the master (primary) server:

[root@localhost httpd]# yum install bind

[root@localhost httpd]# vim /etc/named.conf

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.104; };
    allow-query { any; };
};

allow-query { any; } is fine for authoritative data, but the stock named.conf also enables recursion; on a server reachable from untrusted networks restrict recursion to your own clients (allow-recursion) or turn it off on an authoritative-only server, otherwise you are running an open resolver. Also restrict zone transfers (allow-transfer) to the slave's address, 192.168.0.114, so that nobody else can pull a full copy of the zone with AXFR.

[root@localhost httpd]# vim /etc/named.rfc1912.zones

zone "dnstest.com" IN {
    type master;
    file "dnstest.com.zone";
};

[root@localhost httpd]# vim /var/named/dnstest.com.zone

$TTL 3600
$ORIGIN dnstest.com.
@    IN SOA dns1.dnstest.com. admin.dnstest.com. (
        2019090101   ; serial
        1H           ; refresh
        10M          ; retry
        3D           ; expire
        1D )         ; negative-answer TTL
     IN NS dns1
     IN NS dns2
dns1 IN A 192.168.0.104
dns2 IN A 192.168.0.114
www  IN A 192.168.0.104
web  IN CNAME www

The NS lines that carry no owner must start with whitespace so that they inherit the owner of the previous record (the zone apex, @); without the indentation the first token "IN" is taken as the owner name. The serial must be increased on every edit, otherwise the slave never transfers the new version. named-checkconf checks named.conf only; named-checkzone validates the zone file itself.

[root@localhost httpd]# named-checkconf /etc/named.conf

[root@localhost httpd]# chown :named /var/named/dnstest.com.zone    ## named must be able to read the zone file

[root@localhost httpd]# chmod o= /var/named/dnstest.com.zone    ## and nobody else needs to

[root@localhost httpd]# vim /etc/hosts

192.168.0.104 dns1.dnstest.com

[root@localhost httpd]# vim /etc/resolv.conf

nameserver 192.168.0.104

[root@localhost httpd]# systemctl restart named

[root@localhost httpd]# dig -t A www.dnstest.com

Building the slave (secondary) server:

[root@www ~]# yum install bind

[root@www ~]# vim /etc/named.conf

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.114; };
    allow-query { any; };
};

[root@www ~]# vim /etc/named.rfc1912.zones

zone "dnstest.com" IN {
    type slave;
    file "slaves/dnstest.com.zone";
    masters { 192.168.0.104; };
};

The transferred copy is written under /var/named/slaves/, one of the directories (slaves/, data/, dynamic/) that the named user can write to on a stock CentOS install; /var/named itself is not writable by named.

[root@www ~]# named-checkconf /etc/named.conf

[root@www ~]# vim /etc/resolv.conf

nameserver 192.168.0.114

[root@www ~]# systemctl restart named

[root@www ~]# dig -t A www.dnstest.com

After the restart /var/named/slaves/dnstest.com.zone should appear on the slave. If it does not, check that the master's allow-transfer admits 192.168.0.114 and that port 53/TCP is open between the two hosts, since zone transfers run over TCP.

Building the subdomain (sub.dnstest.com) server:

[root@www ~]# yum install bind

[root@www ~]# vim /etc/named.conf

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.108; };
    forward only;
    forwarders { 192.168.0.104; };
    allow-query { any; };
};

With forward only, every query this server is not authoritative for goes to the parent at 192.168.0.104 and nowhere else, so the child depends on the parent being reachable for all non-local names.

[root@www ~]# vim /etc/named.rfc1912.zones

zone "sub.dnstest.com" IN {
    type master;
    file "sub.dnstest.com.zone";
};

[root@www ~]# vim /var/named/sub.dnstest.com.zone

$TTL 3600
$ORIGIN sub.dnstest.com.
@    IN SOA dns1.sub.dnstest.com. admin.sub.dnstest.com. (
        2019090101
        1H
        10M
        3D
        1D )
     IN NS dns1
dns1 IN A 192.168.0.108
www  IN A 192.168.0.108
web  IN CNAME www

[root@www ~]# chmod o= /var/named/sub.dnstest.com.zone

[root@www ~]# chgrp named /var/named/sub.dnstest.com.zone

[root@localhost httpd]# vim /var/named/dnstest.com.zone    ## on the master: delegate the child zone in the parent zone file

$TTL 3600
$ORIGIN dnstest.com.
@    IN SOA dns1.dnstest.com. admin.dnstest.com. (
        2019090102   ; serial bumped so the slave picks up the delegation
        1H
        10M
        3D
        1D )
     IN NS dns1
     IN NS dns2
dns1 IN A 192.168.0.104
dns2 IN A 192.168.0.114
www  IN A 192.168.0.104
web  IN CNAME www
sub  IN NS dns1.sub.dnstest.com.    ; delegation: sub.dnstest.com is served by another name server
dns1.sub IN A 192.168.0.108         ; glue record, needed because the child's name server lives inside the child zone

Two things are easy to miss here. The serial has to be raised (2019090101 to 2019090102), or the slave keeps serving the old zone without the delegation. And the glue A record for dns1.sub is mandatory: without it a resolver that is referred to dns1.sub.dnstest.com would have to ask sub.dnstest.com to find its address, which is circular.

[root@www ~]# systemctl restart named

[root@localhost httpd]# systemctl restart named    ## on the master, to load the delegation (rndc reload also works)

[root@www ~]# dig -t A www.sub.dnstest.com    ## on the child server: answered from its own zone

[root@localhost httpd]# dig -t A www.sub.dnstest.com    ## on the master: follows the delegation to 192.168.0.108

[root@www ~]# dig -t A www.dnstest.com    ## on the child server: not local, forwarded to the parent
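As an added example (not part of the original post), here is a small Python checker for the mistakes that commonly break exactly the master/slave/subdomain setup above: an NS line that lost its owner because it was not indented, a delegation without a glue A record, a CNAME owner that also carries other data, and an edited zone whose serial was not bumped so the slave never transfers the change. The zone text is constructed from the dnstest.com zone on this page; the parser covers only the master-file syntax used here ($TTL, $ORIGIN, a parenthesised SOA, owner inheritance, relative names) and complements rather than replaces named-checkzone.

```python
"""Sanity checks for a BIND master-format zone file (added example).

SAMPLE_ZONE is constructed from the post's dnstest.com zone; the parser
handles only the syntax used there and is not a full master-file parser.
"""

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN dnstest.com.
@    IN SOA dns1.dnstest.com. admin.dnstest.com. (
        2019090102  ; serial, bumped after adding the delegation
        1H 10M 3D 1D )
     IN NS dns1
     IN NS dns2
dns1 IN A 192.168.0.104
dns2 IN A 192.168.0.114
www  IN A 192.168.0.104
web  IN CNAME www
sub  IN NS dns1.sub.dnstest.com.   ; delegation to the child zone
dns1.sub IN A 192.168.0.108        ; glue for the child's name server
"""

# The zone as the post first had it: serial not bumped, glue record missing.
BROKEN_ZONE = "\n".join(l for l in SAMPLE_ZONE.splitlines()
                        if not l.startswith("dns1.sub")).replace("2019090102", "2019090101") + "\n"


def absolute(name, origin):
    """Fully qualify a relative owner or target name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (records, origin); each record is an (owner, type, rdata) tuple."""
    origin, records, last_owner = None, [], None
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # strip comments
        if not line.strip() and not buf:
            continue
        buf = f"{buf} {line.strip()}" if buf else line  # first line keeps its leading blanks
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                                     # still inside ( ... )
        logical, buf = buf.replace("(", " ").replace(")", " "), ""
        fields = logical.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if logical[0].isspace():                         # owner inherited from previous record
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():               # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":         # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in ("NS", "CNAME"):
            rdata = absolute(rdata, origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records, origin


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def soa_serial(records):
    rdata = next(r for _, t, r in records if t == "SOA")
    return int(rdata.split()[2])


def serial_advanced(old, new):
    """RFC 1982 serial arithmetic: a slave transfers only when new is 'greater' than old."""
    return 0 < (new - old) % (1 << 32) < (1 << 31)


def missing_glue(records, origin):
    """In-zone NS targets without an A/AAAA record: the delegation would be lame."""
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    return sorted({r for _, t, r in records
                   if t == "NS" and in_zone(r, origin) and r not in have_addr})


def cname_conflicts(records):
    """Owners that have a CNAME plus other data, which BIND refuses to load."""
    cnames = {o for o, t, _ in records if t == "CNAME"}
    return sorted({o for o, t, _ in records if o in cnames and t != "CNAME"})


def delegations(records, origin):
    """Child zones cut out of this zone: owner -> NS targets."""
    out = {}
    for o, t, r in records:
        if t == "NS" and o != origin:
            out.setdefault(o, []).append(r)
    return out


def report(text, previous_serial=None):
    """List of human-readable problems; empty list means the zone passed."""
    records, origin = parse_zone(text)
    problems = [f"missing glue for {n}" for n in missing_glue(records, origin)]
    problems += [f"CNAME and other data at {n}" for n in cname_conflicts(records)]
    if previous_serial is not None and not serial_advanced(previous_serial, soa_serial(records)):
        problems.append("serial not advanced; slaves will not transfer the change")
    return problems


if __name__ == "__main__":
    for label, zone in (("fixed zone", SAMPLE_ZONE), ("zone as first written", BROKEN_ZONE)):
        print(label, "->", report(zone, previous_serial=2019090101) or ["ok"])
```

Run it before reloading named: the "zone as first written" case reports both the missing glue and the unchanged serial, which is exactly the state in which the master answers correctly while the slave silently keeps the old data.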


2. Describe the HTTP service and implement user-based access control, virtual hosts and HTTPS.

HTTP (Hypertext Transfer Protocol) is an application-layer protocol for distributed, collaborative hypermedia information systems and the foundation of data exchange on the World Wide Web. It runs on top of TCP/IP and carries resources such as HTML files, images and query results.

How it works:

HTTP is an application-layer protocol on top of TCP/IP. It does not deal with packet delivery; it defines the format of the messages exchanged between client and server. The default port is 80 (443 for HTTPS).

Request flow:

The client (browser) takes the host name from the URL, resolves it to an IP address, completes the TCP three-way handshake with the server, sends the HTTP request, and the server returns a response.

HTTP characteristics:

1. Client/server model.

2. Simple and fast: a request carries a method and a path (plus headers). The common methods are GET, HEAD and POST, each defining a different kind of interaction with the server. Because the protocol is simple, server programs can stay small and communication is fast.

3. Flexible: HTTP can carry any type of data object; the type being transferred is labelled by the Content-Type header.

4. Connection handling: in HTTP/1.0 a connection served one request and the server closed it after responding. HTTP/1.1 keeps the connection open by default (persistent connections), so several requests reuse one TCP connection and avoid repeated handshakes.

5. Stateless: the protocol has no memory of earlier transactions. If later processing needs information from an earlier request, the client must send it again, which increases the data sent per request; when the server needs no earlier state its responses are faster. Cookies and server-side sessions are layered on top of HTTP to add state.

Virtual host implementation:

[root@localhost ~]# yum -y install httpd

[root@localhost ~]# mkdir -p /data/web/http/apache-test

[root@localhost ~]# vim /data/web/http/apache-test/index.html    ## page content

<h1>this is test</h1>
vm-master
httpd-2.4.6

[root@localhost ~]# vim /etc/httpd/conf.d/apache-test.conf    ## virtual host configuration

<VirtualHost 192.168.0.104:80>
    DocumentRoot "/data/web/http/apache-test"
    ServerName www.master-test.co
    <Directory "/data/web/http/apache-test">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "logs/apache-test_access_log" combined
    ErrorLog "logs/apache-test_error_log"
</VirtualHost>

The error log is configured with ErrorLog, not a second CustomLog (ErrorLog takes no log format). Options None disables directory indexes and symlink following for the document root, and AllowOverride None stops any .htaccess file dropped there from changing the configuration.

[root@localhost ~]# httpd -t

[root@localhost ~]# vim /etc/hosts

192.168.0.104 www.master-test.co

[root@localhost ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak    ## disable the default welcome page so the custom page is served

[root@localhost ~]# /usr/sbin/httpd -k stop

[root@localhost ~]# /usr/sbin/httpd -k start


User-based access control:

[root@localhost httpd]# htpasswd -c -b -m /etc/httpd/conf.d/.htpasswd meigui meigui

## -c creates the .htpasswd file; use it only for the first user, it overwrites an existing file

Adding password for user meigui

[root@localhost httpd]# htpasswd -b -m /etc/httpd/conf.d/.htpasswd moli moli

Adding password for user moli

[root@localhost httpd]# htpasswd -b -m /etc/httpd/conf.d/.htpasswd yujinxiang yujinxiang

Adding password for user yujinxiang

Two caveats: -b takes the password on the command line, where it lands in the shell history and is visible to other users in the process list; omit it and let htpasswd prompt. -m stores Apache's salted MD5 scheme ($apr1$), which is fast to brute-force; httpd 2.4 also supports bcrypt (-B) and that should be preferred. The file must stay outside the document root, as it does here.

[root@localhost httpd]# mkdir /data/web/http/apache-test/admin

[root@localhost httpd]# vim /data/web/http/apache-test/admin/index.html    ## admin page

this is admin user area
1 2 3

[root@localhost httpd]# vim /etc/httpd/conf.d/admin.conf    ## access control for the admin directory

<Directory "/data/web/http/apache-test/admin">
    AllowOverride None
    Options None
    AuthType Basic
    AuthName "Admin Area, please enter username and password."
    AuthUserFile "/etc/httpd/conf.d/.htpasswd"
    Require user meigui moli
</Directory>

The Directory path must not have a leading space inside the quotes; otherwise the block does not match the real directory and the protection does not apply. Require user lists the accounts that are admitted: yujinxiang exists in .htpasswd but still gets a 401 with the correct password. Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so it should only be used over HTTPS.

[root@localhost httpd]# httpd -t    ## check for syntax errors

[root@localhost ~]# /usr/sbin/httpd -k stop

[root@localhost ~]# /usr/sbin/httpd -k start

In the browser, open http://192.168.0.104/admin and authenticate.
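To make concrete what AuthType Basic, AuthUserFile and Require user do with the .htpasswd file, here is an added Python example that is not from the original post: it parses an htpasswd file, recomputes the $apr1$ digest that htpasswd -m stores, compares it in constant time, and applies the user allow-list to a Basic Authorization header. The htpasswd contents are constructed at import time with throw-away passwords; apr1_md5 is a pure-Python port of Apache's MD5 scheme, included only so the example runs without Apache (use htpasswd or passlib in real code). The myPassword vector at the end of the test is the one Apache's password-formats documentation gives for this scheme.

```python
"""Basic-auth check against an htpasswd file with $apr1$ entries (added example).

Emulates AuthType Basic + AuthUserFile + Require user from admin.conf above.
HTPASSWD_TEXT is constructed here; apr1_md5 is a pure-Python port of
Apache's MD5 scheme so the example runs without htpasswd installed.
"""
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt, magic="$apr1$"):
    """Apache's md5crypt variant: 1000 iterated MD5 rounds over password and salt."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:                       # mix in len(pw) bytes of the inner digest
        ctx.update(final[:min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                              # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # the deliberately slow part
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"{magic}{sb.decode()}${enc}"


def htpasswd_entry(user, password):
    """One line as `htpasswd -n -m user` would print it (random 8-char salt)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


# Constructed stand-in for /etc/httpd/conf.d/.htpasswd from the post.
HTPASSWD_TEXT = "\n".join([
    "# users created with htpasswd -m in the post (throw-away passwords)",
    htpasswd_entry("meigui", "meigui"),
    htpasswd_entry("moli", "moli"),
    htpasswd_entry("yujinxiang", "yujinxiang"),
])


def load_htpasswd(text):
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, digest = line.partition(":")
            users[user] = digest
    return users


def check_password(users, user, password):
    stored = users.get(user)
    if stored is None or not stored.startswith("$apr1$"):
        return False                      # unknown user, or a scheme this example does not handle
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def authorize(users, allowed, authorization_header):
    """Return the user to admit, or None (send 401), like `Require user ...`."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    return user if user in allowed and check_password(users, user, password) else None


def basic_header(user, password):
    """What the browser sends after the 401 challenge: base64 only, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_TEXT)
    for u, p in (("meigui", "meigui"), ("moli", "wrong"), ("yujinxiang", "yujinxiang")):
        print(u, "->", authorize(users, {"meigui", "moli"}, basic_header(u, p)))
```

Two details carry over directly to the Apache setup: the comparison uses hmac.compare_digest so a wrong digest is rejected in constant time, and an account that authenticates but is not in the allow-list (yujinxiang) is rejected after the password check, which is what the 401 for that user means.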


HTTPS implementation:

[root@localhost ouyang]# httpd -M | grep ssl    ## confirm mod_ssl is loaded (yum install mod_ssl if it is not); the certificates themselves are created with openssl

Configuring the CA server:

Initialise the CA and create the files that openssl ca needs:

[root@localhost ~]# cd /etc/pki/CA/

[root@localhost CA]# touch index.txt serial    ## certificate database and serial file

[root@localhost CA]# echo 01 > serial    ## first serial number to issue

CA self-signed certificate:

[root@localhost CA]# ( umask 077;openssl genrsa -out private/cakey.pem 2048)    ## generate the CA private key; the umask makes the file readable by root only

Generating RSA private key, 2048 bit long modulus

..........................+++

.........................+++

e is 65537 (0x10001)

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365    ## create the self-signed CA certificate from the key

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:wuhan

Locality Name (eg, city) [Default City]:wuhan

Organization Name (eg, company) [Default Company Ltd]:royal

Organizational Unit Name (eg, section) []:it

Common Name (eg, your name or your server's hostname) []:ca.slave-test.co

Email Address []:

Requesting a certificate (on the HTTPS server):

Create a directory for the certificate:

[root@localhost ouyang]# cd /etc/httpd

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# ( umask 077;openssl genrsa -out httpd_key.pem 1024)    ## generate the server private key

A 1024-bit RSA key is below what browsers and current guidance accept; use 2048 bits or more for anything beyond a lab exercise. Note also that the request below sets only the Common Name: modern browsers (Chrome since version 58, for example) ignore the CN and require a subjectAltName matching the host name, so such a certificate is still flagged even after the CA is trusted. With OpenSSL 1.1.1 or later the -addext option of openssl req can add that extension when the request is created.

[root@localhost httpd]# openssl req -new -key httpd_key.pem -out httpd_csr.pem    ## generate the certificate signing request (CSR)

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:wuhan

Locality Name (eg, city) [Default City]:wuhan

Organization Name (eg, company) [Default Company Ltd]:royal

Organizational Unit Name (eg, section) []:it

Common Name (eg, your name or your server's hostname) []:www.master-test.co

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost httpd]# scp httpd_csr.pem root@192.168.0.108:/tmp/    ## send the CSR (only the request, never the key) to the CA server

root@192.168.0.108's password:

httpd_csr.pem 100% 651 309.2KB/s 00:00

On the CA server:

[root@localhost CA]# openssl ca -in /tmp/httpd_csr.pem -out certs/httpd_crt.pem    ## sign the certificate

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Sep 1 03:40:49 2019 GMT

Not After : Aug 31 03:40:49 2020 GMT

Subject:

countryName = cn

stateOrProvinceName = wuhan

organizationName = royal

organizationalUnitName = it

commonName = www.master-test.co

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

B0:A5:3A:AD:67:8E:87:23:73:F1:6D:08:A1:28:98:A2:09:DF:74:E5

X509v3 Authority Key Identifier:

keyid:B6:6D:EA:3C:91:07:10:E5:DA:F2:08:CC:04:AA:15:98:44:57:A6:91

Certificate is to be certified until Aug 31 03:40:49 2020 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost CA]# scp certs/httpd_crt.pem root@192.168.0.104:/etc/httpd/ssl    ## send the signed certificate back to the HTTPS server

root@192.168.0.104's password:

httpd_crt.pem 100% 3700 2.0MB/s 00:00

On the HTTPS server:

[root@localhost httpd]# cp ./httpd_key.pem ./ssl/httpd_key.pem    ## the key stays on this host with its 0600 mode

[root@localhost httpd]# vim /etc/httpd/conf.d/ssl.conf    ## edit the stock ssl.conf

<VirtualHost _default_:443>
    SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
    SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem
    DocumentRoot "/data/web/ilinux"
    ServerName www.master-test.co:443
    <Directory "/data/web/ilinux">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

SSLCertificateFile points at the certificate issued by the CA and SSLCertificateKeyFile at the private key; only these lines and the DocumentRoot/ServerName are changed, the rest of the stock vhost (SSLEngine on, SSLProtocol, SSLCipherSuite) stays. Make sure the SSLProtocol line excludes SSLv2 and SSLv3, and ideally TLS 1.0 and 1.1 as well. Apache does not allow comments after a directive on the same line, so keep any notes on their own lines.

[root@localhost ~]# httpd -t    ## check for syntax errors

[root@localhost ~]# /usr/sbin/httpd -k stop

[root@localhost ~]# /usr/sbin/httpd -k start

Finally import the CA certificate (cacert.pem from the CA server) into the browser's trust store so that certificates issued by this private CA are accepted. Anything that trusts this root trusts every certificate the CA signs, so keep private/cakey.pem off the web server and readable by root only.