1、在阿里云服务器搭建openv-p-n
openvpn服务器(centos7):172.16.140.88
web服务器:172.16.200.153
配置安全组,允许外网访问openvpn服务器的tcp1194端口
#安装openvpn
[root@openvpn ~]# yum -y install openvpn
#安装证书管理工具
[root@openvpn ~]# yum -y install easy-rsa
#生成服务器配置文件
[root@openvpn ~]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
#准备证书签发相关文件
[root@openvpn ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
#准备签发证书相关变量的配置文件
[root@openvpn ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars
#修改给CA和OpenVPN服务器颁发的证书的有效期
[root@openvpn ~]# vim /etc/openvpn/easy-rsa-server/3/vars
#CA的证书有效期为1年,可以适当延长
set_var EASYRSA_CA_EXPIRE 36500
#服务器证书默认为825天,可适当加长
set_var EASYRSA_CERT_EXPIRE 3650
#初始化PKI和CA签发机构环境
[root@openvpn ~]# cd /etc/openvpn/easy-rsa-server/3/
#初始化数据,在当前目录下生成pki目录及相关文件
[root@openvpn 3]# ./easyrsa init-pki
#创建CA机构
[root@openvpn 3]# ./easyrsa build-ca nopass
回车将使用默认证书名
#查看证书
[root@openvpn 3]# openssl x509 -in pki/ca.crt -noout -text
#创建服务器证书申请文件,其中server是文件前缀,完成后生成server.key和server.req
[root@openvpn 3]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]:openvpn
#颁发服务端证书
#第一个server指类型,第二个server指server.req
[root@openvpn 3]# ./easyrsa sign server server
Confirm request details: yes
#创建Diffie-Hellman密钥
[root@openvpn 3]# ./easyrsa gen-dh
#准备客户端证书环境
[root@openvpn 3]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
#准备签发证书相关变量的配置文件
[root@openvpn 3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@openvpn 3]# cd /etc/openvpn/easy-rsa-client/3
#生成证书申请所需目录pki和文件
[root@openvpn 3]# ./easyrsa init-pki
#生成客户端用户的证书申请
[root@openvpn 3]# ./easyrsa gen-req user01
设置密码
#回到原来server目录,给客户端颁发证书
cd /etc/openvpn/easy-rsa-server/3
#将客户端证书请求文件复制到CA的工作目录
[root@openvpn 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/user01.req user01
#修改给客户端颁发的证书的有效期
[root@openvpn 3]# vim vars
set_var EASYRSA_CERT_EXPIRE 180
#签发客户端证书
[root@openvpn 3]# ./easyrsa sign client user01
#将CA和服务器证书相关文件复制到服务器相应的目录
[root@openvpn 3]# mkdir /etc/openvpn/certs
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
#将客户端私钥与证书相关文件复制到服务器相关的目录
[root@openvpn 3]# mkdir /etc/openvpn/client/user01/
[root@openvpn 3]# find /etc/openvpn/ \( -name "user01.key" -o -name "user01.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/user01/ \;
#修改服务器端配置文件
[root@openvpn 3]# vim /etc/openvpn/server.conf
#清空后使用以下配置:
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
#准备日志相关目录
[root@openvpn 3]# mkdir /var/log/openvpn
[root@openvpn 3]# chown openvpn.openvpn /var/log/openvpn
#在服务器开启ip_forward转发功能
[root@openvpn 3]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@openvpn 3]# sysctl -p
#添加SNAT规则
[root@openvpn 3]# echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@openvpn 3]# chmod +x /etc/rc.d/rc.local
[root@openvpn 3]# /etc/rc.d/rc.local
#启用安全增强功能
[root@openvpn 3]# openvpn --genkey --secret /etc/openvpn/certs/ta.key
[root@openvpn 3]# vim /etc/openvpn/server.conf
添加:tls-auth /etc/openvpn/certs/ta.key 0 #客户端为1,服务器端为0
#将ta.key复制到用户证书目录中
[root@openvpn 3]# cp /etc/openvpn/certs/ta.key /etc/openvpn/client/user01/
#启动OpenVPN服务
[root@openvpn 3]# systemctl enable --now openvpn@server
#生成客户端文件,文件后缀必须为.ovpn
[root@openvpn 3]# vim /etc/openvpn/client/user01/client.ovpn
client
dev tun
proto tcp
remote <openvpn服务器的公网IP>
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert user01.crt
key user01.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
#官网客户端下载地址:
#https://openvpn.net/community-downloads/
#将客户端文件打包后给到用户
[root@openvpn 3]# cd /etc/openvpn/client/user01/
[root@openvpn user01]# tar cf /root/user01.tar ./
安装配置后客户端成功访问后端web服务器
2、通过编译、二进制安装MySQL5.7
二进制安装mysql5.7:
#安装相关包
[root@centos01 ~]# yum -y install libaio numactl-libs
#创建用户和组
[root@centos01 ~]# groupadd mysql
[root@centos01 ~]# useradd -r -g mysql -s /bin/false mysql
#创建数据目录
[root@centos01 local]# mkdir -pv /data/mysql && chown -R mysql.mysql /data/mysql
#下载安装包
[root@centos01 ~]# wget https://cdn.mysql.com/archives/mysql-5.7/mysql-5.7.36-linux-glibc2.12-x86_64.tar.gz
[root@centos01 ~]# tar xf mysql-5.7.36-linux-glibc2.12-x86_64.tar.gz -C /usr/local/
[root@centos01 ~]# cd /usr/local/
[root@centos01 local]# mv mysql-5.7.36-linux-glibc2.12-x86_64/ mysql
[root@centos01 local]# chown -R mysql.mysql /usr/local/mysql/
#添加环境变量
[root@centos01 local]# echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos01 local]# . /etc/profile.d/mysql.sh
#准备配置文件
[root@centos01 local]# cp /etc/my.cnf{,.bak}
[root@centos01 local]# cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
EOF
#生成 root 空密码
[root@centos01 local]# mysqld --initialize-insecure --user=mysql --datadir=/data/mysql
#准备服务脚本和启动
[root@centos01 local]# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos01 local]# chkconfig --add mysqld
[root@centos01 local]# service mysqld start
#修改root口令(命令行中的明文口令会保存在shell历史和进程列表中,生产环境建议交互式输入)
[root@centos01 local]# mysqladmin -uroot password 123456
#连接mysql
[root@centos01 local]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
编译安装mysql5.7:
#安装依赖包
[root@centos01 ~]# yum -y install gcc gcc-c++ cmake bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel perl-Data-Dumper
#创建mysql用户
[root@centos01 ~]# useradd -r -s /sbin/nologin -d /data/mysql mysql
#创建数据库目录
[root@centos01 ~]# mkdir /data/mysql
[root@centos01 ~]# chown mysql.mysql /data/mysql
#下载并解压源码包
[root@centos01 ~]# wget https://cdn.mysql.com/archives/mysql-5.7/mysql-5.7.36.tar.gz
[root@centos01 ~]# tar xf mysql-5.7.36.tar.gz -C /usr/local/src/
#下载boost库
[root@centos01 ~]# wget http://downloads.sourceforge.net/project/boost/boost/1.59.0/boost_1_59_0.tar.gz
[root@centos01 ~]# tar xf boost_1_59_0.tar.gz -C /usr/local/
#编译安装
#如果出错,执行rm -f CMakeCache.txt
[root@centos01 ~]# cd /usr/local/src/mysql-5.7.36/
cmake . \
-DCMAKE_INSTALL_PREFIX=/apps/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/ \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8mb4 \
-DDEFAULT_COLLATION=utf8mb4_general_ci \
-DDOWNLOAD_BOOST=1 \
-DWITH_BOOST=/usr/local/boost_1_59_0
[root@centos01 ~]# make -j 12 && make install
#修改环境变量
[root@centos01 mysql-5.7.36]# echo 'PATH=/apps/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos01 mysql-5.7.36]# . /etc/profile.d/mysql.sh
#生成数据库文件
[root@centos01 mysql-5.7.36]# cd /apps/mysql/
[root@centos01 mysql-5.7.36]# mysqld --initialize-insecure --user=mysql --datadir=/data/mysql/
#准备配置文件
[root@centos01 mysql-5.7.36]# vi /etc/my.cnf
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
character-set-server=utf8mb4
[client]
socket=/data/mysql/mysql.sock
[mysql]
default-character-set=utf8mb4
#准备启动脚本,并启动服务
[root@centos01 mysql-5.7.36]# cp /apps/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos01 mysql-5.7.36]# chkconfig --add mysqld
[root@centos01 mysql-5.7.36]# service mysqld start
Starting MySQL.Logging to '/data/mysql/mysql.log'.
SUCCESS!
#进行安全初始化
[root@centos01 mysql-5.7.36]# mysql_secure_installation
Securing the MySQL server deployment.
Connecting to MySQL using a blank password.
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Please set the password for root here.
New password:
Re-enter new password:
Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!
#测试连接mysql
[root@centos01 mysql-5.7.36]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.36 Source distribution
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
3、二进制安装mariadb10.4
#配置yum仓库
[root@centos01 ~]# vi /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
#安装mariadb
[root@centos01 ~]# yum -y install MariaDB-server
#启动mariadb
[root@centos01 ~]# systemctl enable --now mariadb
#登录修改密码
[root@logstash1 ~]# mysql
MariaDB [(none)]> alter user 'root'@'localhost' identified by '123456';
#安全设置
[root@centos01 ~]# mysql_secure_installation