Lab environment:
System: RHEL 5.8, yum repository from the installation DVD, IP: 172.16.35.2/16
DNS server: bind97-9.7.0-6.P2.el5_7.4
Web server: httpd-2.2.3-63.el5
Crypto toolkit: openssl-0.9.8e-22.el5
Exercises:
1. Set up a DNS server that serves the three zones magedu.com, test.net and example.org; the www host in each zone must point to this machine's single IP address.
2. Set up an httpd server with one virtual host each for www.magedu.com, www.test.net and www.example.org, with document roots /vhosts/magedu, /vhosts/test and /vhosts/example. Requirements:
1) Each virtual host uses its own error log and access log; the log file names start with the virtual host's name, and all three virtual hosts' logs live in /vhosts/logs;
2) The www.magedu.com virtual host only admits clients from 172.16.0.0/16 (except 172.16.100.0/24) and also supports access over SSL;
3) The www.test.net virtual host only admits requests that carry a valid username and password;
4) http://www.example.org/mail serves the pages in /web/mail, and that directory allows CGI scripts to execute.
Commands and configuration:
- yum remove bind bind-libs bind-utils -y    # remove the stock bind packages
- yum install bind97 bind97-libs bind97-utils -y
- vim /etc/named.conf
- options {
-         directory "/var/named";
- };
- zone "magedu.com" IN {
-         type master;
-         file "magedu.zone";
- };
- zone "test.net" IN {
-         type master;
-         file "test.zone";
- };
- zone "example.org" IN {
-         type master;
-         file "example.zone";
- };
- /* main configuration done; save and quit */
- vim /var/named/example.zone    # the file name must match the "file" statement above (the page had example.com here)
- $TTL 86400
- $ORIGIN example.org.
- @       IN SOA  www.example.org. root.example.org. (
-                 0    ; serial
-                 1H   ; refresh
-                 5M   ; retry
-                 7D   ; expire
-                 1D ) ; minimum
- @       IN NS   www
- @       IN MX   10 mail
- www     IN A    172.16.35.2
- mail    IN A    172.16.35.2
- /* example.org zone done; save and quit */
- # derive the other two zones from example.zone; the g flag is needed because the SOA line
- # carries the domain twice (www.example.org. and root.example.org.), and without it the
- # RNAME of the derived zones would still read root.example.org.
- sed 's@example.org@test.net@g' /var/named/example.zone > /var/named/test.zone
- sed 's@example.org@magedu.com@g' /var/named/example.zone > /var/named/magedu.zone
- chown root.named /var/named/{example.zone,magedu.zone,test.zone}
- service named restart
That completes exercise 1, name resolution. Note that the DNS server built here does only what the exercise asks: the named.conf above carries no listen-on or allow-query restriction and no slave zones, and it is worth running named-checkconf and named-checkzone on the three zone files before restarting named.
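The sed derivation of the three zone files is the step most likely to go wrong silently: the SOA line names the domain twice, so a substitution without the g flag (as the page originally had it) leaves root.example.org. as the RNAME of test.net and magedu.com. The script below is an added example, not part of the original page. It rebuilds the template zone in a temporary directory, derives the other zones both ways, counts what survives, and runs named-checkzone when BIND's tools are installed. The record set and the 172.16.35.2 address are taken from the page; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not part of the original page): derive the test.net and magedu.com zones
# from the example.org template and prove nothing of the template domain survives.
# Works in a temporary directory, never in /var/named.
set -u

TEMPLATE_DOMAIN='example.org'
WWW_IP='172.16.35.2'        # the lab host's address from the page

# Write the template zone (the same records as the page's example.zone) to file $1.
write_zone_template() {
    cat > "$1" <<EOF
\$TTL 86400
\$ORIGIN ${TEMPLATE_DOMAIN}.
@       IN SOA  www.${TEMPLATE_DOMAIN}. root.${TEMPLATE_DOMAIN}. (
                0    ; serial
                1H   ; refresh
                5M   ; retry
                7D   ; expire
                1D ) ; minimum
@       IN NS   www
@       IN MX   10 mail
www     IN A    ${WWW_IP}
mail    IN A    ${WWW_IP}
EOF
}

# Derive the zone for domain $2 from template $1 into $3, replacing every occurrence on a line.
derive_zone() {
    sed "s@${TEMPLATE_DOMAIN}@$2@g" "$1" > "$3"
}

# The page's original command shape, kept only to show the defect: without the g flag only the
# first occurrence per line changes, so the SOA RNAME still reads root.example.org.
derive_zone_first_only() {
    sed "s@${TEMPLATE_DOMAIN}@$2@" "$1" > "$3"
}

# How many times string $2 still occurs in file $1.
count_domain() {
    grep -o "$2" "$1" | wc -l | tr -d ' '
}

# Succeeds only when the derived zone no longer mentions the template domain at all.
zone_is_clean() {
    ! grep -q "${TEMPLATE_DOMAIN}" "$1"
}

# Run BIND's named-checkzone on zone $1 in file $2 when bind-utils is installed; otherwise
# say so and succeed, so the script is still usable on a machine without BIND.
check_zone_syntax() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check for $1" >&2
    fi
}

demo() {
    local work
    work=$(mktemp -d)
    write_zone_template "$work/example.zone"
    derive_zone_first_only "$work/example.zone" test.net "$work/test-buggy.zone"
    derive_zone "$work/example.zone" test.net "$work/test.zone"
    derive_zone "$work/example.zone" magedu.com "$work/magedu.zone"
    echo "example.org left behind without g flag: $(count_domain "$work/test-buggy.zone" "$TEMPLATE_DOMAIN")"
    echo "example.org left behind with g flag:    $(count_domain "$work/test.zone" "$TEMPLATE_DOMAIN")"
    for d in test.net magedu.com; do
        f="$work/${d%%.*}.zone"
        zone_is_clean "$f" && echo "$f: clean" || echo "$f: STILL CONTAINS $TEMPLATE_DOMAIN"
        check_zone_syntax "$d" "$f"
    done
    rm -rf "$work"
}

demo
```

On the lab host the same functions can be pointed at /var/named/example.zone; named-checkzone will then also catch the RNAME defect indirectly, since root.example.org. is syntactically valid but names a mailbox in the wrong zone, which only the count above makes visible.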
- yum install httpd mod_ssl -y    # install first: the htpasswd tool used below ships in the httpd package
- mkdir -pv /vhosts/{magedu,test,example,logs}
- mkdir -pv /web/mail
- htpasswd -c -m /etc/httpd/conf/htpasswd mos    # -c creates the file; enter the password twice; this is the account used to test 2.3
- sed -i 's@\(DocumentRoot[[:space:]]"/var/www/html"\)@#\1@g' /etc/httpd/conf/httpd.conf    # comment out the global DocumentRoot
- sed -i 's@^#\(NameVirtualHost.*80$\)@\1@g' /etc/httpd/conf/httpd.conf    # enable name-based virtual hosts on port 80
- vim /etc/httpd/conf/httpd.conf    # append the three virtual hosts at the end of the file
- <VirtualHost *:80>
-     DocumentRoot /vhosts/magedu
-     ServerName www.magedu.com
-     ErrorLog /vhosts/logs/magedu-error_log
-     CustomLog /vhosts/logs/magedu-access_log common
-     <Directory "/vhosts/magedu">
-         # Order allow,deny: a client matching both lists is denied, and a client matching
-         # neither is denied too, so 172.16.100.0/24 and everything outside 172.16.0.0/16 are refused
-         Order allow,deny
-         Deny from 172.16.100.0/24
-         Allow from 172.16.0.0/16
-     </Directory>
- </VirtualHost>
- <VirtualHost *:80>
-     DocumentRoot /vhosts/test
-     ServerName www.test.net
-     ErrorLog /vhosts/logs/test-error_log
-     CustomLog /vhosts/logs/test-access_log common
-     <Directory "/vhosts/test">
-         AllowOverride AuthConfig    # only matters for .htaccess files; the authentication below is configured here directly
-         AuthType Basic
-         AuthName "Please input your name and password"
-         AuthUserFile "/etc/httpd/conf/htpasswd"
-         Require valid-user
-     </Directory>
- </VirtualHost>
- <VirtualHost *:80>
-     DocumentRoot /vhosts/example
-     ServerName www.example.org
-     ErrorLog /vhosts/logs/example-error_log
-     CustomLog /vhosts/logs/example-access_log common
-     # no trailing slash: "Alias /mail/" would not match the bare URL http://www.example.org/mail that the exercise asks for
-     Alias /mail "/web/mail"
-     <Directory "/web/mail">
-         Options +ExecCGI
-         AddHandler cgi-script .sh
-     </Directory>
- </VirtualHost>
At this point items 1, 3 and 4 of exercise 2 are done; the SSL part of item 2 follows. One caveat on item 3: HTTP Basic authentication only base64-encodes the username and password, so over plain HTTP they cross the network in the clear. In anything beyond this lab, Basic authentication belongs on the SSL virtual host.
- #!/bin/bash
- #Author: MOS
- #Script name: serverCA.sh
- #Date & Time: 2012-10-16/23:05:35
- #Version: 1.0.1
- #Description: set up a private CA under /etc/pki/CA, backing up an existing one on request
- #
- Create(){
-     Cnf='/etc/pki/tls/openssl.cnf'
-     cp $Cnf $Cnf.`date +%F-%T`.bak
-     # point the CA at /etc/pki/CA and preset the DN defaults, so that later
-     # "openssl req" prompts for C/ST/L/O/OU can be answered with Enter
-     sed -i "s@\(^dir.*=[[:space:]]\).*@\1/etc/pki/CA@g" $Cnf
-     sed -i "s@\(^countryName_default.*=[[:space:]]\).*@\1CA@g" $Cnf
-     sed -i "s@\(^stateOrProvinceName_default.*=[[:space:]]\).*@\1Henan@g" $Cnf
-     sed -i "s@\(^localityName_default.*=[[:space:]]\).*@\1Zhengzhou@g" $Cnf
-     sed -i "s@\(^0.organizationName_default.*=[[:space:]]\).*@\1MageEdu@g" $Cnf
-     sed -i "s@^#\(organizationalUnitName_default\([[:space:]]\)=\)@\1 Tech@g" $Cnf
-     Dir='/etc/pki/CA/'
-     # directory layout and database files that "openssl ca" expects
-     [ ! -d ${Dir}crl ] && mkdir -m 700 ${Dir}crl
-     [ ! -d ${Dir}newcerts ] && mkdir -m 700 ${Dir}newcerts
-     [ ! -d ${Dir}certs ] && mkdir -m 700 ${Dir}certs
-     [ ! -f ${Dir}index.txt ] && touch ${Dir}index.txt    # the page had ${Dis} here: an unset variable, so the test looked in the current directory
-     [ ! -f ${Dir}serial ] && echo 01 > ${Dir}serial
-     [ ! -d ${Dir}private ] && mkdir -m 700 ${Dir}private
-     # CA private key, generated under a restrictive umask so it is never group- or world-readable
-     (umask 077; openssl genrsa -out ${Dir}private/cakey.pem 2048 &> /dev/null )
-     read -p "Please input CA hostname [default: CA.magedu.com]: " Host
-     Host=${Host:-CA.magedu.com}    # the page's default (CA.example.com) did not match its own prompt
-     read -p "Please input CA Email [default: ca-admin@magedu.com]: " Em
-     Em=${Em:-ca-admin@magedu.com}    # placeholder: the page's original default address was lost to extraction; put your own here
-     # five empty answers accept the C/ST/L/O/OU defaults set above, then the CN and e-mail are supplied
-     echo -e "\n\n\n\n\n${Host}\n${Em}\n"|openssl req -x509 -new -key ${Dir}private/cakey.pem -out ${Dir}cacert.pem -days 3650 &> /dev/null
- }
- Dir='/etc/pki/CA/'
- Date=`date +%F-%H:%M:%S`
- if [ -f ${Dir}private/cakey.pem ];then
-     read -p "A CA already exists. Continue? y -> move the old files to ${Dir}${Date}tmp; n -> quit. [y|n] " Choice
-     if [[ $Choice == y ]];then
-         [ ! -d ${Dir}${Date}tmp ] && mkdir ${Dir}${Date}tmp
-         mv ${Dir}* ${Dir}${Date}tmp/ &> /dev/null    # mv refuses to move the tmp directory into itself and archives everything else
-         Create
-     elif [[ $Choice == n ]];then
-         exit 0
-     else
-         echo "Error input..."
-         exit 1
-     fi
- fi
- [ ! -f ${Dir}private/cakey.pem ] && Create
This script sets up the server side of a private CA. If the machine has never been configured as a CA it creates one directly, asking two questions along the way, the CA host name and the administrator e-mail address; Enter accepts the defaults. If a private CA already exists it asks what to do: n quits without touching anything, y moves the existing files into a time-stamped backup directory and then creates the new CA.
Next, create the httpd private key and certificate signing request, have the CA sign it, and edit the SSL configuration:
- mkdir -v /etc/httpd/ssl
- cd /etc/httpd/ssl
- # 2048-bit key; the page originally used 1024 bits, which is too weak to deploy today
- (umask 077; openssl genrsa 2048 > httpd.key)
- openssl req -new -key httpd.key -out httpd.csr
- openssl ca -in httpd.csr -out httpd.crt -days 365
- # When answering the CSR prompts: because /etc/pki/tls/openssl.cnf was modified above, country, province, city,
- # organization and unit can be accepted with Enter (the default CA policy requires C, ST and O to match the CA's own,
- # so do not type different values); the Common Name must be www.magedu.com; the e-mail is free-form;
- # leave the challenge password and optional company name empty by pressing Enter.
- # Edit the following lines of the SSL configuration
- vim /etc/httpd/conf.d/ssl.conf
- DocumentRoot "/vhosts/magedu"                    # around line 82: uncomment and change
- ServerName www.magedu.com:443                    # this virtual host answers for the name on port 443
- SSLCertificateFile /etc/httpd/ssl/httpd.crt      # around line 114: the certificate just signed
- SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   # around line 121: the server's own private key
- # Save and quit. Note that the <Directory "/vhosts/magedu"> access-control block in httpd.conf belongs to the *:80
- # virtual host it is written in and does not apply here; repeat it inside this SSL virtual host, otherwise
- # clients from 172.16.100.0/24 that are refused on port 80 simply get in over HTTPS.
- service httpd restart    # the page had "server httpd restart", a typo
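A `<Directory>` section written inside a `<VirtualHost>` binds only to that virtual host, so the access rule on /vhosts/magedu in httpd.conf does nothing for the port 443 host in ssl.conf unless it is repeated there. The script below is an added example, not code from the original page. It writes a complete SSL virtual host for www.magedu.com, modelled on the `_default_:443` host that mod_ssl's ssl.conf ships with, carrying the same Order/Deny/Allow block plus per-host log names in the style item 2.1 asks for, and it audits one or more Apache configuration files to report every virtual host that serves /vhosts/magedu without a Deny rule for 172.16.100.0/24. The paths, addresses and certificate locations are the page's; the function names, the SSL log file names and the constructed sample configurations are this example's own. It runs httpd -t when httpd is installed.

```shell
#!/bin/bash
# Added example (not part of the original page): emit the www.magedu.com SSL virtual host with
# the access-control block duplicated from the *:80 host, and audit configs for hosts lacking it.
set -u

# Print an SSL virtual host for www.magedu.com. Certificate and key paths are the page's;
# the log names follow item 2.1 (prefixed with the host name) and are this example's choice.
write_ssl_vhost() {
    cat <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot "/vhosts/magedu"
    ServerName www.magedu.com:443
    ErrorLog /vhosts/logs/magedu-ssl_error_log
    CustomLog /vhosts/logs/magedu-ssl_access_log common
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    <Directory "/vhosts/magedu">
        Order allow,deny
        Deny from 172.16.100.0/24
        Allow from 172.16.0.0/16
    </Directory>
</VirtualHost>
EOF
}

# Audit: for every <VirtualHost> block in the given files whose DocumentRoot is $1, print
# "file:port" when the block contains no "Deny from" line mentioning network $2.
# Usage: vhosts_missing_deny /vhosts/magedu 172.16.100.0/24 /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf
vhosts_missing_deny() {
    local want="$1" cidr="$2"
    shift 2
    awk -v want="$want" -v cidr="$cidr" '
        /^[ \t]*<VirtualHost/ { invh = 1; port = $2; sub(/>.*/, "", port); root = ""; denied = 0 }
        invh && /^[ \t]*DocumentRoot/ { root = $2; gsub(/"/, "", root) }
        invh && tolower($0) ~ /deny[ \t]+from/ && index($0, cidr) > 0 { denied = 1 }
        /^[ \t]*<\/VirtualHost>/ { if (invh && root == want && !denied) print FILENAME ":" port; invh = 0 }
    ' "$@"
}

# Apache's own syntax check when httpd is present; otherwise say so and succeed.
check_httpd_syntax() {
    if command -v httpd >/dev/null 2>&1; then
        httpd -t
    else
        echo "httpd not installed; skipping 'httpd -t'" >&2
    fi
}

demo() {
    local work
    work=$(mktemp -d)
    # Constructed stand-ins for the page's two files: the *:80 host carries the rule,
    # the stock ssl.conf host (before the fix) does not.
    cat > "$work/httpd.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /vhosts/magedu
    ServerName www.magedu.com
    <Directory "/vhosts/magedu">
        Order allow,deny
        deny from 172.16.100.0/24
        allow from 172.16.0.0/16
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /vhosts/test
    ServerName www.test.net
</VirtualHost>
EOF
    cat > "$work/ssl-before.conf" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot "/vhosts/magedu"
    ServerName www.magedu.com:443
    SSLEngine on
</VirtualHost>
EOF
    write_ssl_vhost > "$work/ssl-after.conf"
    echo "hosts serving /vhosts/magedu without the deny rule (before the fix):"
    vhosts_missing_deny /vhosts/magedu 172.16.100.0/24 "$work/httpd.conf" "$work/ssl-before.conf"
    echo "after adding the block to the SSL host (nothing expected):"
    vhosts_missing_deny /vhosts/magedu 172.16.100.0/24 "$work/httpd.conf" "$work/ssl-after.conf"
    check_httpd_syntax
    rm -rf "$work"
}

demo
```

On the lab host, `vhosts_missing_deny /vhosts/magedu 172.16.100.0/24 /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf` should print nothing once ssl.conf carries the block; run `httpd -t` and only then `service httpd restart`.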
That completes every item of the exercise, but nothing has been tested yet. To test, run the following:
- DNS check:
- dig -t A www.magedu.com @127.0.0.1
- dig -t A www.example.org @127.0.0.1
- dig -t A www.test.net @127.0.0.1
- Create web test pages:
- echo 'www.magedu.com OK!' > /vhosts/magedu/index.html
- echo 'www.example.org OK!' > /vhosts/example/index.html
- echo 'www.test.net OK!' > /vhosts/test/index.html
- echo 'script.test OK!' > /web/mail/index.html
- # CGI test script for 2.4. The quoted outer delimiter ('EOF') stops the shell from expanding the backticks
- # now, so they run under the web server's user when the script is requested; the page's version
- # had "</hr>" and a stray "echo" in the HTML, fixed here.
- cat > /web/mail/test.sh <<'EOF'
- #!/bin/bash
- cat << END
- Content-Type: text/html
-
- <pre>
- `/bin/date`
- <hr>
- My name is: `id -un`
- My id is: `id -u`
- <hr>
- Hostname: <h2>$HOSTNAME</h2>
- </pre>
- END
- EOF
- chmod +x /web/mail/test.sh    # give the CGI test script execute permission
- To test https://www.magedu.com, the test machine must resolve the name through the DNS server built above (or its hosts file) and needs the CA's self-signed certificate, /etc/pki/CA/cacert.pem: copy it over, rename the extension to .crt and import it as a trusted root through the browser's certificate interface. In my testing the 360 browser did not seem to accept it, while Chrome and IE9 both worked.
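Before importing the CA certificate into a browser it is worth confirming on the server that httpd.crt really chains to cacert.pem, belongs to httpd.key and carries the Common Name www.magedu.com; a mix-up here otherwise surfaces only as a vague browser warning. The script below is an added example, not the page's own code. Its check functions take file names such as the page's httpd.crt, httpd.key and cacert.pem as arguments. To run stand-alone it builds a throwaway CA and server certificate with `openssl x509 -req`, a stand-in for the page's `openssl ca` flow chosen so that no /etc/pki/CA database is needed, plus a second, unrelated key to show the key/certificate mismatch case. The function names and the CA.magedu.com subject are this example's own.

```shell
#!/bin/bash
# Added example (not part of the original page): checks to run on the issued server
# certificate before restarting httpd, plus a throwaway PKI so the checks can be tried anywhere.
set -u

# Does certificate $1 verify against CA certificate $2? (exit status of openssl verify)
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does certificate $1 belong to private key $2? Both must carry the same RSA modulus.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Common Name of certificate $1, e.g. www.magedu.com. RFC 2253 output is the same shape
# across OpenSSL versions apart from a space after "subject=", which the first sed strips.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *//p' \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Is certificate $1 still valid $2 days from now?
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Build a test CA and a server certificate for CN $2 (default www.magedu.com) in directory $1.
# Uses "openssl x509 -req" instead of "openssl ca" so no CA database is required. Also writes
# other.key, an unrelated key, to demonstrate the mismatch case.
make_test_pki() {
    local d="$1" cn="${2:-www.magedu.com}"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 3650 -subj "/CN=CA.magedu.com" >/dev/null 2>&1
    openssl genrsa -out "$d/httpd.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/httpd.crt" -days 365 >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

demo() {
    local d
    d=$(mktemp -d)
    make_test_pki "$d"
    cert_chain_ok "$d/httpd.crt" "$d/cacert.pem" && echo "chain to CA: OK" || echo "chain to CA: FAIL"
    cert_matches_key "$d/httpd.crt" "$d/httpd.key" && echo "httpd.key matches httpd.crt"
    cert_matches_key "$d/httpd.crt" "$d/other.key" || echo "other.key does not belong to httpd.crt (expected)"
    echo "Common Name: $(cert_cn "$d/httpd.crt")"
    cert_valid_for_days "$d/httpd.crt" 30 && echo "still valid in 30 days"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not installed; nothing to check" >&2
fi
```

On the lab host the same functions apply to the real files: `cert_chain_ok /etc/httpd/ssl/httpd.crt /etc/pki/CA/cacert.pem`, `cert_matches_key /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key` and `cert_cn /etc/httpd/ssl/httpd.crt` should succeed and print www.magedu.com before `service httpd restart` is run.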