1、CLIENT TASK
- 作为DNS服务器域名解析测试的客户端,安装nslookup、dig命令行工具;
- 作为网站访问测试的客户端,安装firefox浏览器,curl命令行测试工具;
- 作为SSH远程登录测试客户端,安装ssh命令行测试工具;
- 作为SAMBA测试的客户端,使用图形界面文件浏览器测试,并安装smbclient工具;
- 作为FTP测试的客户端,安装lftp命令行工具;
- 作为防火墙规则效果测试客户端,安装ping命令行工具;
- 截图的时候请使用上述提到的工具进行功能测试。
# 网络
[root@client ~]# ip a
...
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:1e:4c:0f brd ff:ff:ff:ff:ff:ff
inet 10.10.100.4/24 brd 10.10.100.255 scope global noprefixroute dynamic ens32
[root@client ~]# ip route
default via 10.10.100.254 dev ens32 proto static metric 100
10.10.100.0/24 dev ens32 proto kernel scope link src 10.10.100.4 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
[root@client ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search sdskills
nameserver 172.16.100.201
# DNS服务器域名解析,本域任意域名
[root@client ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@client ~]# vi /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[root@client ~]# yum install -y bind-utils
[root@client ~]# nslookup
> sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: sdskills
Address: 172.16.100.201
> Server01.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: Server01.sdskills
Address: 172.16.100.201
> www.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: www.sdskills
Address: 172.16.100.201
> web.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: web.sdskills
Address: 172.16.100.254
> ftp.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: ftp.sdskills
Address: 172.16.100.202
> mail.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: mail.sdskills
Address: 172.16.100.202
> asadasd.sdskills
Server: 172.16.100.201
Address: 172.16.100.201#53
Name: asadasd.sdskills
Address: 172.16.100.201
# 当遇到本域无法解析的域名时,向上级 skills 域请求解析;在 server04 上搭建了根域服务器,所有未知域名统一解析为 Rserver 所连接的 Internet 侧 IP 地址或者 Rserver.sdskills
[root@server01 ~]# nslookup
> a.b.c
Server: 172.16.100.201
Address: 172.16.100.201#53
Non-authoritative answer:
Name: a.b.c
Address: 172.16.100.254
Name: a.b.c
Address: 192.168.10.2
# 反向
> 172.16.100.201
201.100.16.172.in-addr.arpa name = sdskills.
201.100.16.172.in-addr.arpa name = www.sdskills.
201.100.16.172.in-addr.arpa name = Server01.sdskills.
> 172.16.100.254
254.100.16.172.in-addr.arpa name = web.sdskills.
> 172.16.100.202
202.100.16.172.in-addr.arpa name = mail.sdskills.
202.100.16.172.in-addr.arpa name = ftp.sdskills.
# SSH测试
[root@client ~]# useradd -u 6666 -m -s /bin/bash Chinaskills23
[root@client ~]# su - Chinaskills23
[Chinaskills23@client ~]$ ssh-keygen -t rsa
# 或者直接 ssh-keygen 后 ssh-copy-id -p 3033 root@ip地址(更简单)。注意:下面的 scp 命令缺少源文件参数,本意应是把本地的 authorized_keys 复制到服务器的 /root/.ssh/ 目录
[Chinaskills23@client ~]$ cat id_rsa.pub > authorized_keys
[Chinaskills23@client ~]$ scp -r -P 3033 root@172.16.100.201:/root/.ssh/
[Chinaskills23@client ~]$ ssh -p 3033 root@172.16.100.201
*********************************
ChinaSkills 2022–CSK
Module C Linux
>>server01<<
>>CentOS Linux release 7.9.2009 (Core)<<
>> Sat Jun 10 21:29:44 CST 2023 <<
*********************************
[root@server01 ~]#
# ftp测试
[root@client ~]# yum install -y lftp
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills
lftp webadmin@ftp.sdskills:~> ls
lftp webadmin@ftp.sdskills:/> quote pwd
257 "/"
lftp webadmin@ftp.sdskills:~> put test.doc
put: Access failed: 550 Permission denied. (test.doc)
lftp webadmin@ftp.sdskills:/> put test.docx
put: Access failed: 550 Permission denied. (test.docx)
lftp webadmin@ftp.sdskills:/> put test.xlsx
put: Access failed: 550 Permission denied. (test.xlsx)
lftp webadmin@ftp.sdskills:/> put test.txt
lftp webadmin@ftp.sdskills:/>
lftp webadmin@ftp.sdskills:/> ls
-rw-r--r-- 1 1001 1001 0 Jun 22 13:21 test.txt
# 客户端打开第三个窗口显示无法登录
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills
lftp webadmin@ftp.sdskills:~> ls
`ls' at 0 [Delaying before reconnect: 29]
# 限制速度
lftp webadmin@ftp.sdskills:~> put test
`test' at 1671968 (1%) 97.6K/s eta:17m [Sending data/TLS]
2、RSERVER TASK
零、设置登录界面信息
[root@rserver ~]# vim /etc/profile.d/login.sh
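# Login banner, sourced from /etc/profile.d/ for every login shell.
# "%-Ns" with an empty argument pads N spaces: the larger N, the deeper the
# indent; without "%-Ns" there is no indent.
##### CentOS
#uname -snrvm
# Command output is passed to printf as an *argument* (%s), never spliced into
# the format string, so a stray '%' in the hostname, release string or date
# cannot be misread as a conversion specifier.
printf '*********************************\n'
printf '%-2s ChinaSkills 2022–CSK\n' ''
printf '%-8s Module C Linux\n' ''
printf '\n'
printf '%-11s >>%s<<\n' '' "$(hostname -s)"
printf '>>%s<<\n' "$(cat /etc/system-release)"
printf '>> %s <<\n' "$(date)"
printf '*********************************\n'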
# 在ssh远程登录时,不记录最后一次登录日志
[root@rserver ~]# vim /etc/ssh/sshd_config
...
PrintMotd no
PrintLastLog no
# UOS 系统关闭本地控制台登录日志信息的方法如下
root@Server04:~# vim /etc/pam.d/login
91行注释掉#session optional pam_lastlog.so
[root@rserver ~]# systemctl restart sshd
# 若删除本地登录最后一次登录日志则,第一次登录的时候无记录,但第二次登录的时候有记录
[root@rserver ~]# rm -rvf /var/log/lastlog
欢迎信息的显示顺序是
1、/etc/issue(登录前显示,只在本地显示)
# 清空/etc/issue内容,可以让本地登录的时候界面更加简洁
[root@rserver ~]# echo '' > /etc/issue
2、/etc/motd(登录后显示)常用于通告信息,如计划关机时间的警告等,登陆后的提示信息,Uos系统需要删除此文件
缺点是,现在许多用户登录系统时选择自动进入图形界面,所以这些信息往往看不到
3、/etc/profile(登陆后显示)
4、/etc/profile.d/ (登录后显示)
5、在sshd_config配置文件中定义,首先任意创建文件,然后在配置文件中写上文件的绝对路径
[root@rserver ~]# echo '这是测试' >> /etc/test
[root@rserver ~]# vim /etc/ssh/sshd_config
Banner /etc/test
[root@rserver ~]# systemctl restart sshd
一、NETWORK
请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名等。
# 关闭防火墙与 selinux(setenforce 0 只在本次运行期间生效,重启后恢复;永久生效需修改 /etc/selinux/config)
[root@rserver ~]# systemctl stop firewalld
[root@rserver ~]# systemctl disable firewalld
[root@rserver ~]# setenforce 0
[root@rserver ~]# hostnamectl set-hostname rserver
[root@rserver ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.100.254 Rserver.sdskills Rserver
192.168.10.2 Rserver.skills Rserver
[root@rserver ~]# hostname
rserver
[root@rserver ~]# hostname -f
Rserver.skills
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens32
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=172.16.100.254
PREFIX=25
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=192.168.10.2
PREFIX=28
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens34
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=10.10.100.254
PREFIX=24
二、squid
安装squid服务,开启路由转发,为当前实验环境提供路由功能。
1、代理服务器概述
代理上网(传统代理,透明代理)
网站静态页面缓存加速(反向代理)
2、代理的工作机制
代替客户机向网站请求数据,从而隐藏用户的真实IP地址
将获得的网页数据(静态web元素)保存到缓存中并发送给客户机,以便下次请求相同的数据时快速响应
3、代理的类型
传统代理:适用于Internet,需明确指定服务端
透明代理: 客户机不需指定代理服务器的地址和端口,而是通过默认路由、防火墙策略将Web访问重定向给代理服务器处理
反向代理:如果 Squid 反向代理服务器中缓存了该请求的资源,则将该请求的资源直接返回给客户端;否则反向代理服务器将向后台的 WEB 服务器请求资源,然后将请求的应答返回给客户端,同时也将该应答缓存在本地,供下一个请求者使用
4、安装squid
# Centos
[root@rserver ~]# yum install -y vim squid
# UOS
apt-get install squid
5、配置squid
注释掉所有的http_access
...
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
#http_access allow localhost manager
#http_access deny manager
...
dns_v4_first on # 若不添加则查看日志文件,全是503,代理不成功
http_access allow all # 修改访问权限,默认拒绝所有,修改为允许所有IP;注意:这样 3128 端口对任何能连到它的主机都是开放代理,实验环境以外应改用 acl 只放行内网网段
6、启动服务
# 检查配置文件
[root@rserver ~]# squid -k parse
# 重新加载配置文件
[root@rserver ~]# squid -k reconfigure
[root@rserver ~]# systemctl enable --now squid
7、查看端口号
[root@rserver ~]# ss -ntulp |grep squid
udp UNCONN 0 0 *:46870 *:* users:(("squid",pid=10492,fd=8))
udp UNCONN 0 0 [::]:53336 [::]:* users:(("squid",pid=10492,fd=6))
tcp LISTEN 0 128 [::]:3128 [::]:* users:(("squid",pid=10492,fd=11))
四、DHCP
- 为客户端分配IP范围是10.10.100.1-10.10.100.50;
- DNS:按照实际需求配置DNS服务器地址选项;
- GATEWAY:按照实际需求配置网关地址选项。
# 安装
[root@rserver ~]# yum install -y dhcp
[root@rserver ~]# cp -rvf /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@rserver ~]# vim /etc/dhcp/dhcpd.conf
default-lease-time 3600;
max-lease-time 7200;
log-facility local7;
# A slightly different configuration for an internal subnet.
subnet 10.10.100.0 netmask 255.255.255.0 {
range 10.10.100.1 10.10.100.50;
option domain-name-servers 172.16.100.201;
option domain-name "sdskills";
option routers 10.10.100.254;
}
[root@rserver ~]# systemctl enable --now dhcpd
# 查看服务端分发的租约
[root@rserver CA]# cat /var/lib/dhcpd/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5
lease 10.10.100.3 {
starts 0 2023/06/04 08:08:15;
ends 0 2023/06/04 08:18:15;
tstp 0 2023/06/04 08:18:15;
cltt 0 2023/06/04 08:08:15;
binding state free;
hardware ethernet 00:0c:29:1e:4c:0f;
}
server-duid "\000\001\000\001,\016\301\027\000\014)+<\305";
lease 10.10.100.3 {
starts 0 2023/06/04 08:51:17;
ends 0 2023/06/04 09:51:17;
cltt 0 2023/06/04 08:51:17;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 00:0c:29:1e:4c:0f;
client-hostname "client";
}
# 查看客户端获得的租约
[root@client ~]# cat /var/lib/dhclient/dhclient.leases
lease {
interface "ens32";
fixed-address 10.10.100.3;
option subnet-mask 255.255.255.0;
option routers 10.10.100.254;
option dhcp-lease-time 600;
option dhcp-message-type 5;
option domain-name-servers 192.168.10.4;
option dhcp-server-identifier 10.10.100.254;
option domain-name "skills";
renew 0 2023/06/04 05:01:22;
rebind 0 2023/06/04 05:05:08;
expire 0 2023/06/04 05:06:23;
}
...
五、SSH
- 安装SSH
- 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;
- 配置client只能在Chinaskills23用户环境下可以免密钥登录,端口号为2022,并且拥有root控制权限。
[root@rserver ~]# vim /etc/hosts.deny
sshd:ALL:Deny
[root@rserver ~]# vim /etc/hosts.allow
sshd:10.10.100.3:Allow
# 注意:client 的地址由 DHCP 从 10.10.100.1-50 池中分配(前文 ip a 中曾是 10.10.100.4),租约变化后这条放行规则就会失效;应在 dhcpd 中为 client 的 MAC 配置固定租约,再把这里的地址与之对应
[root@rserver ~]# vim /etc/ssh/sshd_config
...
Port 2022
[root@rserver ~]# systemctl restart sshd
[root@client ~]# useradd -u 6666 -m -s /bin/bash Chinaskills23
[root@client ~]# echo "Chinaskills23" | passwd --stdin Chinaskills23
[root@client ~]# su - Chinaskills23
[Chinaskills23@client ~]$ ssh-keygen
[Chinaskills23@client ~]$ ssh-copy-id -p 2022 root@10.10.100.254
[Chinaskills23@client ~]$ ssh -p 2022 root@10.10.100.254 # 免密登录
[Chinaskills23@client ~]$ crtl+D
六、CA(证书颁发机构)
- CA根证书路径/CA/cacert.pem;
- 签发数字证书,颁发者信息:
- 国家 = CN
- 单位 = Inc
- 组织机构 = www.skills
- 公用名 = Skill Global Root CA
- 创建用户组ldsgp,将zsuser、lsusr、wuusr添加到组内。
1、安装证书服务
[root@rserver ~]# yum -y install openssl*
2、配置根证书服务器
[root@rserver ~]# vim /etc/pki/tls/openssl.cnf # 编辑 openssl.cnf 配置文件
...
dir = /CA
...
certificate = $dir/cacert.pem
...
private_key = $dir/private/csk-ca.pem
[root@rserver CA]# mkdir -pv /CA # 创建目录
[root@rserver CA]# cp -prvf /etc/pki/CA/* /CA/ # 把 /etc/pki/CA/ 目录下的所有目录和文件复制到 /CA 目录里面
[root@rserver CA]# cd /CA
[root@rserver CA]# touch index.txt # 记录颁发证书的信息
[root@rserver CA]# echo 01 > serial # 记录证书编号
[root@rserver CA]# openssl genrsa -out private/csk-ca.pem 2048 # 生成私钥(明文未加密,应确保 private/ 目录及该文件只有 root 可读,如 chmod 600)
3、签发自签名证书
[root@rserver CA]# openssl req -new -x509 -days 3650 -key private/csk-ca.pem -out cacert.pem
...
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills
Common Name (eg, your name or your server's hostname) []:Skill Global Root CA
Email Address []:
4、查看根证书信息
[root@rserver CA]# openssl x509 -text -in cacert.pem -noout | grep Subject
Subject: C=CN, L=Default City, O=Inc, OU=www.skills, CN=Skill Global Root CA
Subject Public Key Info:
X509v3 Subject Key Identifier:
到此CA证书颁发机构就配置完成!!!!
扩展一些CA证书知识
CA证书后缀名代表的含义:
证书(Certificate) - *.cer *.crt
私钥(Private Key) - *.key
证书签名请求(Certificate signing request) - *.csr
证书吊销列表(Certificate Revocation List) - *.crl
dir----存放证书的目录
certs----存储签发的数字证书
database------记录颁发证书的信息(通常要创建index.txt文件)
serial-----记录证书的编号(创建serial文件,内容为01)
private----存放CA证书服务器的私钥
-new: 生成新证书签署请求
-x509: 专用于 CA 生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out: 证书的保存路径
5、创建用户组
[root@rserver CA]# groupadd ldsgp
# 也能使用usermod,gpasswd等。注意:useradd -g 会把 ldsgp 设为主组,id 应显示 gid=1001(ldsgp);下面输出中主组仍是同名私有组、ldsgp 只出现在 groups 中,更像是用 -G 作为附加组得到的结果
[root@rserver CA]# useradd -u 1001 -m -g ldsgp zsuser
[root@rserver CA]# useradd -u 1002 -m -g ldsgp lsusr
[root@rserver CA]# useradd -u 1003 -m -g ldsgp wuusr
[root@rserver CA]# echo "Chinaskills23" | passwd --stdin zsuser
Changing password for user zsuser.
passwd: all authentication tokens updated successfully.
[root@rserver CA]# echo "Chinaskills23" | passwd --stdin lsusr
Changing password for user lsusr.
passwd: all authentication tokens updated successfully.
[root@rserver CA]# echo "Chinaskills23" | passwd --stdin wuusr
Changing password for user wuusr.
passwd: all authentication tokens updated successfully.
[root@rserver CA]# id zsuser
uid=1001(zsuser) gid=1002(zsuser) groups=1001(ldsgp)
[root@rserver CA]# id lsusr
uid=1002(lsusr) gid=1003(lsusr) groups=1001(ldsgp)
[root@rserver CA]# id wuusr
uid=1003(wuusr) gid=1004(wuusr) groups=1001(ldsgp)
七、Web Proxy
- 安装Nginx组件;
- 配置文件名为proxy.conf,放置在/etc/nginx/conf.d/目录下;
- 为www.chinaskills配置代理前端,通过HTTPS的访问后端Web服务器;
- 后端服务器日志内容需要记录真实客户端的IP地址;
- 缓存后端Web服务器上的静态页面;
- 创建服务监控脚本:/shells/chkWeb.sh;
- 编写脚本监控公司的网站运行情况;
- 脚本可以在后台持续运行;
- 每隔3S检查一次网站的运行状态,如果发现异常尝试3次;
- 如果确定网站无法访问,则返回用户“网站正在维护中,请您稍后再试”的页面。
# 后端web服务器配置,必须配置,不然无法记录代理前端的ip地址
[root@server01 ~]# vim /etc/httpd/conf/httpd.conf
# 在%h后面添加%{x-real-ip}i。注意:该请求头由前端 nginx 的 proxy_set_header 设置,能直接访问后端的客户端可以任意伪造它,因此后端应只接受来自代理的连接,或用 mod_remoteip 的 RemoteIPInternalProxy 限定可信代理
LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
[root@server01 ~]# vim /etc/httpd/conf.d/web.conf
<VirtualHost *:443>
DocumentRoot "/data/share/htdocs/skills"
ServerName rserver.sdskills
SSLEngine on
# 注意:这里把根 CA 证书直接当作服务器证书使用,而 cacert.pem 对应的私钥是 private/csk-ca.pem;除非 https.key 就是该私钥的副本,否则证书与私钥不匹配,httpd 无法启动。规范做法是用 CA 单独签发一张服务器证书
SSLCertificateFile /CA/cacert.pem
SSLCertificatekeyFile /CA/https.key
<Directory "/data/share/htdocs/skills">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
[root@server01 ~]# systemctl restart httpd
# 若没有配置缓存后端web服务器上的静态页面,则每次刷新都会产生新的日志信息
[root@server01 ~]# tail -f /var/log/httpd/access_log
172.16.100.254 10.10.100.4 - zsuser [21/Jun/2023:22:08:21 +0800] "GET /staff.html HTTP/1.0" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
# 本机
# 缓存静态内容*可以改为location ~.*\.(gif|jpg|png|css|js)(.*)
[root@rserver ~]# vim /etc/nginx/conf.d/proxy.conf
proxy_cache_path /tmp/cache levels=1:2 keys_zone=web:500m;
server {
listen 80;
server_name web.sdskills;
return 301 https://web.sdskills; # 注意:未带 $request_uri,所有 http 请求都会被重定向到站点根而不是原路径
}
server {
server_name web.sdskills;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/sdskills.crt; # 指定ssl证书和私钥的路径
ssl_certificate_key /etc/nginx/ssl/sdskills.key;
location ~.*\.* {
proxy_pass https://www.sdskills;
# 注意:nginx 默认不校验上游证书(proxy_ssl_verify 默认为 off);要真正安全地通过 HTTPS 访问后端,应加 proxy_ssl_verify on 并用 proxy_ssl_trusted_certificate 指向 CA 证书
proxy_set_header x-real-ip $remote_addr;
proxy_cache web;
#add_header wall "this is cache web";
proxy_set_header Host $host;
proxy_cache_valid 200 302 301 24h;
proxy_cache_valid any 5m;
}
}
[root@rserver ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@rserver ~]# /sbin/nginx -s reload
[root@rserver ~