Notes:
1. Each service below must still be in effect after the server reboots;
2. The yum repository is provided at http://172.16.0.1/yum;
3. SELinux must be in permissive mode;
4. The local network is 172.16.X.0/16 and the test network is 192.168.0.0/24;
5. Each student's IP address is 172.16.X.1, netmask 255.255.0.0, gateway 172.16.0.1, DNS server 172.16.0.1, hostname stuX.magedu.com, where X is your seat number;
Edit /etc/yum.repos.d/ftp.repo
[Server]
name=Server
baseurl=ftp://172.16.0.1/pub/Server
enabled=1
gpgcheck=0
[VT]
name=VT
baseurl=ftp://172.16.0.1/pub/VT
enabled=1
gpgcheck=0
[ClusterStorage]
name=ClusterStorage
baseurl=ftp://172.16.0.1/pub/ClusterStorage
enabled=1
gpgcheck=0
[Cluster]
name=Cluster
baseurl=ftp://172.16.0.1/pub/Cluster
enabled=1
gpgcheck=0
Edit /etc/selinux/config
SELINUX=permissive
Edit /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:78:86:77
IPADDR=172.16.16.1
NETMASK=255.255.0.0
ONBOOT=yes
Edit /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=stu16.magedu.com
GATEWAY=172.16.0.1
Edit /etc/resolv.conf
nameserver 172.16.16.1
search localdomain
1. Host name resolution server configuration, with these requirements:
1) Build a DNS server that is authoritative for the domain magedu.com;
2) The MX record must point to mail.magedu.com, whose A record is this host's IP;
3) The NS record must point to ns.magedu.com, whose A record is this host's IP;
4) Create A records www1, www2 and proxy pointing to this host's IP; create the aliases pop3 and imaps for the mail host;
5) Create PTR records for all A records;
6) Only hosts in 172.16.0.0/16 may perform zone transfers of the magedu.com zone; no host may transfer the corresponding reverse zone;
7) Delegate two subdomains of the forward zone, tech.magedu.com and fin.magedu.com, whose servers are at 172.16.x.5 (only the records that implement the delegation are required);
8) Forward all requests for the example.com domain to 172.16.0.1 for resolution;
9) This DNS service refuses any host in the 192.168.1.0/24 network;
yum install bind97
yum install bind97-devel
# requirement 9: refuse DNS (port 53, UDP and TCP) from 192.168.1.0/24
# (BIND can express the same restriction with allow-query in named.conf; this write-up uses the firewall)
iptables -t filter -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j REJECT
iptables -t filter -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j REJECT
# /etc/sysconfig/iptables is a file, not a directory; iptables-save creates it
iptables-save > /etc/sysconfig/iptables
Edit /etc/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 172.16.0.0/16; };
};
zone "16.172.in-addr.arpa" IN {
    type master;
    file "172.16.zone";
    allow-transfer { none; };
};
zone "example.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.0.1; };
};
Edit /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA mail.magedu.com. admin.magedu.com. (
        2012111001
        1H
        2M
        7D
        1D )
; requirement 3: the NS record ns.magedu.com and its A record
        IN NS ns
        IN NS mail
        IN NS www1
        IN NS www2
        IN NS proxy
        IN MX 10 mail
ns      IN A 172.16.16.1
pop3    IN CNAME mail
imaps   IN CNAME mail
mail    IN A 172.16.16.1
www1    IN A 172.16.16.1
www2    IN A 172.16.16.1
proxy   IN A 172.16.16.1
; requirement 7: delegation of the two subdomains, with glue A records for the subdomain servers
tech.magedu.com.      IN NS mail.tech.magedu.com.
mail.tech.magedu.com. IN A  172.16.16.5
fin.magedu.com.       IN NS mail.fin.magedu.com.
mail.fin.magedu.com.  IN A  172.16.16.5
Edit /var/named/172.16.zone
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
; the names in the SOA need their trailing dot; without it they are qualified under 16.172.in-addr.arpa.
@       IN SOA mail.magedu.com. admin.magedu.com. (
        2012111101
        2H
        10M
        11D
        1D )
        IN NS ns.magedu.com.
        IN NS mail.magedu.com.
        IN NS www1.magedu.com.
        IN NS www2.magedu.com.
        IN NS proxy.magedu.com.
1.16    IN PTR ns.magedu.com.
1.16    IN PTR mail.magedu.com.
1.16    IN PTR www1.magedu.com.
1.16    IN PTR www2.magedu.com.
1.16    IN PTR proxy.magedu.com.
Check the configuration, then start the service and enable it at boot (note 1 requires it to survive a reboot):
named-checkconf /etc/named.conf
named-checkzone magedu.com /var/named/magedu.com.zone
named-checkzone 16.172.in-addr.arpa /var/named/172.16.zone
service named start
chkconfig named on
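A cross-check of the two zone files above, as an added example that is not part of the original write-up: a deliberately minimal parser for BIND-style zone text (class IN, one record per line, multi-line SOA in parentheses) that reports A records without a matching PTR (requirement 5) and flags SOA names that lost their trailing dot and so were qualified under the reverse origin. The zone text is constructed from this page.

```python
import re

def parse_zone(text, origin):
    """[(owner, rtype, rdata)], names qualified. Assumes class IN, one record per line."""
    def fq(name):
        return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    records, owner = [], origin
    for line in re.sub(r"\([^)]*\)", "", text).splitlines():   # collapse SOA ( ... )
        toks = line.split(";")[0].split()
        if not toks or toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] != "IN":                 # explicit owner; otherwise inherit it
            owner = fq(toks.pop(0))
        toks.pop(0)                         # drop the class
        rtype, rdata = toks[0], (toks[1] if toks[0] == "SOA" else toks[-1])  # SOA MNAME; MX host
        if rtype in ("SOA", "NS", "CNAME", "MX", "PTR"):
            rdata = fq(rdata)
        records.append((owner, rtype, rdata))
    return records

def missing_ptrs(fwd, rev):
    """Requirement 5: A records (owner, ip) that have no PTR pointing back at them."""
    ptrs = {(o, r) for o, t, r in rev if t == "PTR"}
    return [(o, ip) for o, t, ip in fwd if t == "A"
            and (".".join(reversed(ip.split("."))) + ".in-addr.arpa.", o) not in ptrs]

def unqualified_soa_names(rev, rev_origin):
    """SOA MNAMEs written without a trailing dot, hence qualified under the reverse origin."""
    return [r for o, t, r in rev if t == "SOA" and r.endswith(rev_origin)]

# Constructed sample zones (from this page): forward zone with the ns records,
# reverse zone with the SOA exactly as it was first written.
FWD = """$ORIGIN magedu.com.
@ IN SOA ns.magedu.com. admin.magedu.com. ( 2012111001 1H 2M 7D 1D )
IN NS ns
ns IN A 172.16.16.1
mail IN A 172.16.16.1
tech.magedu.com. IN NS mail.tech.magedu.com.
mail.tech.magedu.com. IN A 172.16.16.5
"""
REV = """$ORIGIN 16.172.in-addr.arpa.
@ IN SOA mail.magedu.com admin.magedu.com ( 2012111101 2H 10M 11D 1D )
1.16 IN PTR ns.magedu.com.
1.16 IN PTR mail.magedu.com.
"""
```

The glue record for mail.tech.magedu.com is reported as lacking a PTR because its reverse entry belongs to the delegated subdomain, not to this zone.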
2. Build an httpd server (compiled from source), with these requirements:
1) Provide two name-based virtual hosts:
(a) www1.magedu.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.magedu.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) Create an index.html home page for each virtual host whose content is the corresponding host name;
(d) Output httpd status information at www1.magedu.com/server-status, accessible only with a user name and password (status:status);
2) The www1 host may only be accessed by clients in the 172.16.0.0/16 network; www2 may be accessed by all hosts;
ftp://172.16.0.1/pub/Sources/new_lamp
apr-1.4.6.tar.bz2
apr-devel-1.4.6-1.i386.rpm
apr-util-1.4.1.tar.bz2
apr-util-devel-1.4.1-1.i386.rpm
# yum install pcre-devel
# tar xf httpd-2.4.3.tar.bz2
# cd httpd-2.4.3
# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-mpms-shared=all --with-mpm=event
# make && make install
vim /etc/rc.d/init.d/httpd
#!/bin/bash
#
# httpd        Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
    . /etc/sysconfig/httpd
fi

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=${HTTPD-/usr/local/apache/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/usr/local/apache/logs/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0

start() {
    echo -n $"Starting $prog: "
    LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} -d 10 $httpd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

reload() {
    echo -n $"Reloading $prog: "
    if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
        RETVAL=$?
        echo $"not reloading due to configuration syntax error"
        failure $"not reloading $httpd due to configuration syntax error"
    else
        killproc -p ${pidfile} $httpd -HUP
        RETVAL=$?
    fi
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p ${pidfile} $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f ${pidfile} ] ; then
            stop
            start
        fi
        ;;
    reload)
        reload
        ;;
    graceful|help|configtest|fullstatus)
        $apachectl $@
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
        exit 1
esac

exit $RETVAL
Then make the script executable, register it and enable it at boot (the "chkconfig: - 85 15" header adds it disabled, so the last command is needed for note 1):
# chmod +x /etc/rc.d/init.d/httpd
# chkconfig --add httpd
# chkconfig httpd on
Add the Apache commands to the system PATH; since Apache is installed under /usr/local/apache, its executables have to be looked up in that bin directory.
vim /etc/profile.d/httpd.sh
PATH=$PATH:/usr/local/apache/bin
export PATH
Make it effective immediately: source /etc/profile.d/httpd.sh
In the main configuration file /etc/httpd/httpd.conf comment out the following lines
#<Directory />
#    AllowOverride none
#    Require all denied
#</Directory>
#DocumentRoot "/usr/local/apache/htdocs"
and in the same file uncomment this line
Include /etc/httpd/extra/httpd-vhosts.conf
(Commenting out the <Directory /> block removes Apache's default deny for the whole filesystem; the per-host <Directory> blocks in the virtual host file are then the only thing limiting what httpd will serve, so keeping that block and granting access only under /web/vhosts is the safer option.)
Define the virtual hosts in /etc/httpd/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerName www1.magedu.com
    DocumentRoot "/web/vhosts/www1"
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Location /server-status>
        # AllowOverride is only valid inside <Directory> sections and breaks the configuration here
        SetHandler server-status
        AuthType Basic
        AuthName "Limit..."
        AuthUserFile "/etc/httpd/user"
        Require valid-user
    </Location>
    <Directory /web/vhosts/www1>
        # requirement 2: only clients in 172.16.0.0/16 may access www1;
        # bare Require lines form an implicit <RequireAny>, so "Require all denied" would add nothing
        Require ip 172.16.0.0/16
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www2.magedu.com
    DocumentRoot "/web/vhosts/www2"
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    <Directory /web/vhosts/www2>
        Require all granted
    </Directory>
</VirtualHost>
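The <Directory /web/vhosts/www1> block above relies on how Apache 2.4 combines Require directives. As an added example (not from the write-up), here is a small model of that evaluation: bare Require lines in one section form an implicit <RequireAny>, while <RequireAll> needs every directive to succeed. Only the ip (host or CIDR arguments), all and valid-user providers are modelled; the section contents are constructed from the page.

```python
import ipaddress

def require_matches(directive, client_ip, authenticated):
    """True if one Require directive succeeds. Modelled providers: ip (host or
    CIDR arguments), all, valid-user; anything else raises."""
    provider, *args = directive.split()
    if provider == "all":
        return args == ["granted"]          # "all denied" never succeeds
    if provider == "ip":
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if provider == "valid-user":
        return authenticated
    raise ValueError(f"Require provider not modelled: {provider}")

def access_granted(requires, client_ip, authenticated=False, mode="any"):
    """mode="any": bare Require lines in one section form an implicit <RequireAny>,
    so one matching directive is enough. mode="all": an explicit <RequireAll>."""
    results = [require_matches(r, client_ip, authenticated) for r in requires]
    return any(results) if mode == "any" else all(results)

# Constructed from the page's <Directory /web/vhosts/www1> block ...
WWW1 = ["ip 172.16.0.0/16", "all denied"]
# ... and a common slip: leaving the stock "Require all granted" in the same
# section, which lets every client in because one directive always succeeds.
WWW1_LEAKY = ["ip 172.16.0.0/16", "all granted"]
```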
Create the virtual hosts' pages and the directory that holds the logs
mkdir -pv /web/vhosts/www1
mkdir -pv /web/vhosts/www2
vim /web/vhosts/www1/index.html
www1.magedu.com
vim /web/vhosts/www2/index.html
www2.magedu.com
mkdir -pv /var/log/httpd
(www1.err, www1.access, www2.err and www2.access are log files that httpd creates itself; creating them as directories would stop httpd from starting)
service httpd restart
Provide a user name and password for viewing the Apache status page; the user is htuser and the password is redhat
(htpasswd -c creates /etc/httpd/user as a file, so it must not already exist as a directory)
htpasswd -c -m /etc/httpd/user htuser
Accessing http://www1.magedu.com/server-status now prompts for the user name and password.
3. Build an nginx server (the requirements are listed after the procedure):
yum install pcre
yum install pcre-devel
# the --user/--group options below expect the nginx account to exist at run time
groupadd -r nginx
useradd -r -g nginx -s /sbin/nologin nginx
lftp 172.16.0.1:/pub/Sources/nginx> get nginx-1.2.3.tar.gz
tar xf nginx-1.2.3.tar.gz
cd nginx-1.2.3
./configure \
  --prefix=/usr \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --http-client-body-temp-path=/var/tmp/nginx/client/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
  --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
  --http-scgi-temp-path=/var/tmp/nginx/scgi \
  --with-pcre=/usr
# make && make install
Note: the httpd service started earlier already occupies port 80, and nginx's default port is also 80, so httpd must be stopped first.
service httpd stop
Provide a SysV init script for nginx:
Create the file /etc/rc.d/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description:  Nginx is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /etc/nginx/nginx.conf
# config:      /etc/sysconfig/nginx
# pidfile:     /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

make_dirs() {
    # make required directories
    user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
    options=`$nginx -V 2>&1 | grep 'configure arguments:'`
    for opt in $options; do
        if [ `echo $opt | grep '.*-temp-path'` ]; then
            value=`echo $opt | cut -d "=" -f 2`
            if [ ! -d "$value" ]; then
                # echo "creating" $value
                mkdir -p $value && chown -R $user $value
            fi
        fi
    done
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
Then make the script executable:
# chmod +x /etc/rc.d/init.d/nginx
Add it to the service management list and have it start at boot:
# chkconfig --add nginx
# chkconfig nginx on
Start the service and confirm that nginx is working
service nginx start
Add the virtual hosts: vim /etc/nginx/nginx.conf (each server block is one virtual host; the blocks go inside the http { } block)
server {
    listen 8080;
    server_name www1.magedu.com;
    access_log /var/log/nginx/www1.access;
    error_log /var/log/nginx/www1.err;
    location / {
        # a relative root resolves against --prefix=/usr, i.e. /usr/www/htdocs/www1
        root www/htdocs/www1;
        index index.html;
    }
    location /server-status {
        stub_status on;
        auth_basic "please input username-password";
        auth_basic_user_file "/etc/nginx/user";
    }
}
server {
    listen 8080;
    server_name www2.magedu.com;
    access_log /var/log/nginx/www2.access;
    error_log /var/log/nginx/www2.err;
    location / {
        root www/htdocs/www2/;
        index index.html;
        # requirement 3: only hosts in 172.16.0.0/16 may access www2
        allow 172.16.0.0/16;
        deny all;
    }
}
Create the directories for the page files and the log files
mkdir -p /usr/www/htdocs/www1
vim /usr/www/htdocs/www1/index.html
hello nginx www1
mkdir -p /usr/www/htdocs/www2
vim /usr/www/htdocs/www2/index.html
hello nginx www2
mkdir -p /var/log/nginx
Then restart the service
service nginx restart
Provide the user name nguser and password nguser for the status page output
(note: nginx itself ships no tool for creating users and hashed passwords, so the htpasswd command from httpd is borrowed here; httpd must therefore be installed beforehand and can be removed afterwards)
(htpasswd -c creates /etc/nginx/user as a file, so it must not already exist as a directory)
htpasswd -c -m /etc/nginx/user nguser   (the command prompts for the password)
# requirement 5: these ACCEPT rules only restrict anything if the INPUT and OUTPUT chains
# end in a DROP policy (or a later rule rejects the rest); on their own they permit, not deny
iptables -t filter -A OUTPUT -s 172.16.16.1 -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 172.16.16.1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
Requirements for task 3 (nginx):
1) Serve on port 8080; provide a SysV service control script for nginx;
2) Provide two name-based virtual hosts (both served on port 8080):
(a) www1.magedu.com:8080, document root /www/htdocs/www1; error log /var/log/nginx/www1.err, access log /var/log/nginx/www1.access;
(b) www2.magedu.com:8080, document root /www/htdocs/www2; error log /var/log/nginx/www2.err, access log /var/log/nginx/www2.access;
3) The www2 host may only be accessed by hosts in the 172.16.0.0/16 network;
4) Output nginx status information at www1.magedu.com:8080/server-status, accessible only with a user name and password (status:status);
5) On port 8080 of this host, only packets of established connections may leave, and only new and established connection requests may enter;
4. Provide HTTPS for the second virtual host of task 2 so that users can access this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country CN, state Henan, city Zhengzhou and organization MageEdu;
(3) Hosts in the 192.168.1.0/24 network are denied access to this service;
vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Henan
localityName = Locality Name (eg, city)
localityName_default = Zhengzhou
0.organizationName = Organization Name (eg, company)
0.organizationName_default = MageEdu
organizationalUnitName_default = TECH
[Note: for the common_name field, enter the name of whoever the certificate is issued to]
When issuing the CA certificate enter local.magedu.com
When issuing the httpd certificate enter www2.magedu.com
cd /etc/pki/CA
(umask 077; openssl genrsa 2048 > private/cakey.pem)
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem
mkdir certs newcerts crl
touch index.txt
echo 01 > serial
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077; openssl genrsa 1024 > httpd.key)   # 1024-bit RSA was still accepted in 2012; 2048 bits is the current minimum
openssl req -new -key httpd.key -out httpd.csr
openssl ca -in httpd.csr -out httpd.crt -days 365
Edit the main configuration file /etc/httpd/httpd.conf and enable the following two lines
Include /etc/httpd/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Edit the auxiliary configuration file /etc/httpd/extra/httpd-ssl.conf and change the following lines
<VirtualHost _default_:443>
DocumentRoot "/web/vhosts/www2"
ServerName www2.magedu.com:443
ErrorLog "/var/log/httpd/www2.err"
TransferLog "/var/log/httpd/www2.access"
SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
iptables -t filter -A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j DROP
iptables-save > /etc/sysconfig/iptables
5. Provide php+mysql for the first virtual host of task 2, with these requirements:
(1) Add a phpinfo() page to the existing site to show that php is enabled;
(2) Set the mysql root user's password to "123456" (the content inside the quotes);
(3) Provide phpMyAdmin, a web management interface for the local mysql service, at http://www1.magedu.com/pma;
(4) The local mysql service must only accept requests from the local host;
# the mysql system account and the data directory must exist before mysql_install_db runs
groupadd -r mysql
useradd -r -g mysql -s /sbin/nologin mysql
mkdir -pv /mydata/data
chown -R mysql:mysql /mydata/data
tar xf mysql-5.5.28-linux2.6-i686.tar.gz -C /usr/local
cd /usr/local/
ln -sv mysql-5.5.28-linux2.6-i686 mysql
cd mysql
chown -R root:mysql .
scripts/mysql_install_db --user=mysql --datadir=/mydata/data
cp support-files/my-large.cnf /etc/my.cnf
Edit the configuration file /etc/my.cnf (in the [mysqld] section)
thread_concurrency = 2
datadir = /mydata/data
bind-address = 127.0.0.1   (requirement 4: accept connections from the local host only)
cp support-files/mysql.server /etc/rc.d/init.d/mysqld
chmod +x /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
chkconfig mysqld on
ln -sv /usr/local/mysql/include /usr/include/mysql
echo '/usr/local/mysql/lib' > /etc/ld.so.conf.d/mysql.conf
ldconfig -v
# single quotes, so that $PATH is expanded at login time rather than when this file is written
echo 'export PATH=$PATH:/usr/local/mysql/bin' > /etc/profile.d/mysql.sh
source /etc/profile.d/mysql.sh
lftp 172.16.0.1:/pub/Sources/new_lamp> get php-5.4.8.tar.bz2
ftp://172.16.0.1/pub/Sources/nginx
cd /root   (I ran the following commands from the root home directory)
rpm -ivh libmcrypt-2.5.7-5.el5.i386.rpm
rpm -ivh libmcrypt-devel-2.5.7-5.el5.i386.rpm
rpm -ivh mhash-0.9.2-6.el5.i386.rpm
rpm -ivh mhash-devel-0.9.2-6.el5.i386.rpm
rpm -ivh mcrypt-2.6.8-1.el5.i386.rpm
tar xf php-5.4.8.tar.bz2
cd php-5.4.8
./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --with-apxs2=/usr/local/apache/bin/apxs --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
make && make install
cp php.ini-production /etc/php.ini
Edit /etc/httpd/httpd.conf and add the following
DirectoryIndex index.php index.html   (this line already exists; only index.php needs to be added)
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
cd /web/vhosts/www1
vim index.php
<?php
phpinfo();
?>
lftp 172.16.0.1:/pub/Sources/new_lamp> get phpMyAdmin-3.5.1-all-languages.tar.bz2
mkdir /web/vhosts/www1/pma
cd /web/vhosts/www1/pma
tar xf /root/phpMyAdmin-3.5.1-all-languages.tar.bz2
mv phpMyAdmin-3.5.1-all-languages/* ./
mysql
create database mydb;
-- requirement 2: IDENTIFIED BY on a GRANT for an existing account also sets that account's password,
-- so this sets the password of root@'localhost'; the other root accounts that mysql_install_db
-- creates (root@'127.0.0.1', root@'::1', root@'<hostname>') keep an empty password unless changed too
grant all on mydb.* to root@'localhost' identified by '123456';
flush privileges;