Q:
1. Briefly describe the DNS service, then set up a DNS server and implement master/slave replication and subdomain delegation
2. Briefly describe the HTTP service, then implement user-based access control, virtual hosts and HTTPS
A:
1. Briefly describe the DNS service, then set up a DNS server and implement master/slave replication and subdomain delegation
DNS provides name resolution for FQDNs (Fully Qualified Domain Names).
Resolution directions
- IP --> FQDN: reverse resolution
- FQDN --> IP: forward resolution
Answer types
├── positive answer
│   ├── authoritative answer
│   └── non-authoritative answer
└── negative answer
Master DNS server: maintains the zone database, read/write
Slave DNS server: holds a backup copy of the zone database, read-only
serial: incremented each time the zone database changes
refresh: how often the slave checks whether the master's zone version has changed
retry: how long to wait before retrying after a failed synchronisation
expire: how long after the master becomes unreachable the slave stops serving the zone
Zone transfer:
├── full transfer: axfr, the whole zone database
└── incremental transfer: ixfr, only the changed records
Configuring master/slave DNS
Master server
[root@localhost ~]# tail -8 /etc/named.rfc1912.zones
zone "superb.com" IN {
type master;
file "superb.com.zone";
};
zone "168.192.in-addr.arpa" IN {
type master;
file "192.168.zone";
};
[root@localhost ~]# cat /var/named/superb.com.zone /var/named/192.168.zone
@ IN SOA superb.com. dnsadmin.superb.com. (
2019040403
1H
10M
1W
1D
)
IN NS ns1
IN NS ns2
ns1 IN A 192.168.0.103
ns2 IN A 192.168.0.102
@ IN SOA ns1.superb.com. admin.local.domain (
2019040403
2H
10M
1W
1D
)
IN NS ns1.superb.com.
103.0 IN PTR ns1.superb.com.
102.0 IN PTR ns2.superb.com.
Slave server
[root@slave ~]# tail -10 /etc/named.rfc1912.zones
zone "superb.com" IN {
type slave;
file "slaves/superb.com.zone";
masters { 192.168.0.103; };
};
zone "168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.zone";
masters { 192.168.0.103; };
};
A problem appears (host unreachable)
[root@slave ~]# systemctl status named -l
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2019-04-04 00:30:59 EDT; 2h 21min ago
Process: 7328 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 7325 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7330 (named)
CGroup: /system.slice/named.service
└─7330 /usr/sbin/named -u named -c /etc/named.conf
Apr 04 02:52:35 slave.local.domain named[7330]: automatic empty zone: 9.E.F.IP6.ARPA
Apr 04 02:52:35 slave.local.domain named[7330]: automatic empty zone: A.E.F.IP6.ARPA
Apr 04 02:52:35 slave.local.domain named[7330]: automatic empty zone: B.E.F.IP6.ARPA
Apr 04 02:52:35 slave.local.domain named[7330]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 04 02:52:35 slave.local.domain named[7330]: reloading configuration succeeded
Apr 04 02:52:35 slave.local.domain named[7330]: reloading zones succeeded
Apr 04 02:52:35 slave.local.domain named[7330]: zone 168.192.in-addr.arpa/IN: refresh: skipping zone transfer as master 192.168.0.103#53 (source 0.0.0.0#0) is unreachable (cached)
Apr 04 02:52:35 slave.local.domain named[7330]: all zones loaded
Apr 04 02:52:35 slave.local.domain named[7330]: running
Apr 04 02:52:35 slave.local.domain named[7330]: zone superb.com/IN: refresh: skipping zone transfer as master 192.168.0.103#53 (source 0.0.0.0#0) is unreachable (cached)
Fix: in the master server's configuration file /etc/named.conf add
allow-transfer { slave.server.ip.address; };
[root@slave ~]# dig -x 192.168.0.103 @192.168.0.102
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 192.168.0.103 @192.168.0.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6721
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.0.168.192.in-addr.arpa. 86400 IN PTR ns1.superb.com.
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 86400 IN NS ns1.superb.com.
;; ADDITIONAL SECTION:
ns1.superb.com. 86400 IN A 192.168.0.103
;; Query time: 0 msec
;; SERVER: 192.168.0.102#53(192.168.0.102)
;; WHEN: Thu Apr 04 03:15:20 EDT 2019
;; MSG SIZE rcvd: 113
[root@slave ~]# dig -t axfr superb.com @192.168.0.102
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t axfr superb.com @192.168.0.102
;; global options: +cmd
superb.com. 86400 IN SOA superb.com. dnsadmin.superb.com. 2019040403 3600 600 604800 86400
superb.com. 86400 IN NS ns1.superb.com.
superb.com. 86400 IN NS ns2.superb.com.
ns1.superb.com. 86400 IN A 192.168.0.103
ns2.superb.com. 86400 IN A 192.168.0.102
superb.com. 86400 IN SOA superb.com. dnsadmin.superb.com. 2019040403 3600 600 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.0.102#53(192.168.0.102)
;; WHEN: Thu Apr 04 03:15:40 EDT 2019
;; XFR size: 6 records (messages 1, bytes 177)
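Added example, not from the original post: the Python below compares the serial the master publishes with the one the slave serves (from SOA lines constructed after the dig axfr output above), flags unsound refresh/retry/expire values, and computes the next YYYYMMDDnn serial. Since that axfr above was answered by the slave, allow-transfer belongs on the slave as well as on the master.

```python
"""Added example (not from the original post): check BIND master/slave
replication from the SOA lines dig prints, and bump a YYYYMMDDnn serial."""
import re
from datetime import date

SOA_RE = re.compile(  # rdata as dig prints it: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    r"^(?P<zone>\S+)\s+\d+\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)$"
)

def parse_soa(line):
    """Parse one SOA answer line (dig output) into a dict; timers become ints."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not an SOA answer line: %r" % line)
    soa = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa

def timer_warnings(soa):
    """Sanity rules for the refresh/retry/expire timers described in the text."""
    warns = []
    if soa["retry"] >= soa["refresh"]:
        warns.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        warns.append("expire shorter than refresh+retry: slave drops the zone too early")
    if soa["expire"] < 7 * 86400:
        warns.append("expire under one week: slave goes dark soon after the master fails")
    return warns

def replication_status(master_line, slave_line):
    """Compare the serial the master publishes with the one the slave serves."""
    m, s = parse_soa(master_line), parse_soa(slave_line)
    if m["serial"] == s["serial"]:
        return "in-sync"
    if s["serial"] < m["serial"]:
        return "slave-behind"   # catches up at the next refresh or NOTIFY
    return "slave-ahead"        # master serial was never bumped: slaves won't reload

def next_serial(current, today=None):
    """Next YYYYMMDDnn serial: today's stamp, or current+1 if already today's.
    today is an int like 20190404; defaults to the real date."""
    today = today or int(date.today().strftime("%Y%m%d"))
    stamp = today * 100
    return stamp if current < stamp else current + 1

# Constructed sample lines, modeled on the dig axfr output in the post
MASTER = "superb.com. 86400 IN SOA superb.com. dnsadmin.superb.com. 2019040403 3600 600 604800 86400"
SLAVE = "superb.com. 86400 IN SOA superb.com. dnsadmin.superb.com. 2019040402 3600 600 604800 86400"

if __name__ == "__main__":
    print(replication_status(MASTER, SLAVE))        # slave-behind
    print(next_serial(2019040403, 20190404))        # 2019040404
```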
Configuring the subdomain
Master server
[root@localhost ~]# cat /var/named/superb.com.zone
@ IN SOA superb.com. dnsadmin.superb.com. (
2019040403
1H
10M
1W
1D
)
IN NS ns1
IN NS ns.sub
ns1 IN A 192.168.0.103
ns.sub IN A 192.168.0.102
Subdomain server
[root@slave ~]# tail -4 /etc/named.rfc1912.zones
zone "sub.superb.com" IN {
type master;
file "sub.superb.com.zone";
};
[root@slave ~]# cat /var/named/sub.superb.com.zone
@ IN SOA ns1.sub.superb.com. admin.sub.superb.com (
2019040401
2H
10M
1W
1D
)
IN NS ns1
ns1 IN A 192.168.0.102
www IN A 192.168.0.111
Zone forwarding
[root@slave ~]# tail -9 /etc/named.rfc1912.zones
zone "sub.superb.com" IN {
type master;
file "sub.superb.com.zone";
};
zone "superb.com" IN {
type forward;
forward only;
forwarders { 192.168.0.103; };
};
[root@slave ~]# rndc flush
[root@slave ~]# dig -t A ns1.superb.com @192.168.0.102
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A ns1.superb.com @192.168.0.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35142
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.superb.com. IN A
;; ANSWER SECTION:
ns1.superb.com. 86400 IN A 192.168.0.103
;; AUTHORITY SECTION:
superb.com. 86400 IN NS ns.sub.superb.com.
superb.com. 86400 IN NS ns1.superb.com.
;; ADDITIONAL SECTION:
ns.sub.superb.com. 86400 IN A 192.168.0.102
;; Query time: 1 msec
;; SERVER: 192.168.0.102#53(192.168.0.102)
;; WHEN: Thu Apr 04 04:21:37 EDT 2019
;; MSG SIZE rcvd: 110
Global forwarding is defined in /etc/named.conf:
options {
...
forward only;
forwarders { ip.add.re.ss; };
...
};
Querying the subdomain from the master server
[root@localhost ~]# dig -t A www.sub.superb.com @192.168.0.103
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.sub.superb.com @192.168.0.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sub.superb.com. IN A
;; ANSWER SECTION:
www.sub.superb.com. 86400 IN A 192.168.0.111
;; AUTHORITY SECTION:
sub.superb.com. 86400 IN NS ns1.sub.superb.com.
;; ADDITIONAL SECTION:
ns1.sub.superb.com. 86400 IN A 192.168.0.102
;; Query time: 1 msec
;; SERVER: 192.168.0.103#53(192.168.0.103)
;; WHEN: Thu Apr 04 04:36:00 EDT 2019
;; MSG SIZE rcvd: 97
2. Briefly describe the HTTP service, then implement user-based access control, virtual hosts and HTTPS
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication on the World Wide Web, where hypertext documents contain hyperlinks to other resources that the user can reach easily, for example by a mouse click or by tapping the screen in a web browser. HTTP was developed to facilitate hypertext and the World Wide Web.
An HTTP session is a sequence of network request-response transactions. An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on the server (typically port 80, sometimes port 8080). An HTTP server listening on that port waits for the client's request message. On receiving the request, the server returns a status line such as "HTTP/1.1 200 OK" together with a message of its own. The body of this message is usually the requested resource, but it may also carry an error message or other information.
HTTP is a stateless protocol: it does not require the HTTP server to retain information or state about each user across multiple requests.
HTTP status codes fall into five groups, so that the requests and responses between client and server can be interpreted more easily:
- Informational: 1XX
- Success: 2XX
- Redirection: 3XX
- Client error: 4XX
- Server error: 5XX
User-based access control
Add a user and password
[root@localhost ~]# htpasswd -cb /var/www/html/passwd admin pw4admin
Adding password for user admin
Define the protected realm
[root@localhost ~]# cat /etc/httpd/conf.d/authorize.conf
<Directory "/var/www/html/images">
Options Indexes
AllowOverride None
AuthType Basic
AuthName "images folder"
AuthUserFile "/var/www/html/passwd"
Require valid-user
</Directory>
[root@localhost ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@localhost ~]# systemctl restart httpd.service
[root@localhost ~]# curl http://192.168.0.103/images
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
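The authorize.conf above keeps the htpasswd file inside DocumentRoot, where httpd serves it like any other file. The Python below, added here and not from the original post, lints a Basic-auth <Directory> block for that and for directory indexing; the sample config is constructed from the one above.

```python
"""Added example (not from the original post): lint an httpd Basic-auth
<Directory> block for the weaknesses in the authorize.conf above."""
import os
import re

def parse_directory_blocks(conf):
    """Map each <Directory path> block to its {directive: value} pairs."""
    blocks = {}
    for m in re.finditer(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', conf, re.S | re.I):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip().strip('"')
        blocks[m.group(1)] = directives
    return blocks

def under(path, root):
    """True if path lies inside root (lexical check, symlinks not resolved)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)

def lint_auth(conf, document_root="/var/www/html"):
    """Findings for every Basic-auth directory; an empty list is a clean config."""
    findings = []
    for directory, d in parse_directory_blocks(conf).items():
        if d.get("AuthType", "").lower() != "basic":
            continue
        userfile = d.get("AuthUserFile", "")
        if userfile and under(userfile, document_root):
            findings.append(f"{directory}: AuthUserFile {userfile} sits inside DocumentRoot "
                            f"{document_root}, so the password hashes are downloadable")
        if "Indexes" in d.get("Options", "").split():
            findings.append(f"{directory}: Options Indexes lists the folder to every authenticated user")
    return findings

# Constructed samples: the config from the post, then a hardened variant
# (htpasswd -b also leaves the password in shell history; prefer the prompt)
POSTED = '''<Directory "/var/www/html/images">
Options Indexes
AllowOverride None
AuthType Basic
AuthName "images folder"
AuthUserFile "/var/www/html/passwd"
Require valid-user
</Directory>'''
HARDENED = (POSTED.replace("Options Indexes", "Options None")
                  .replace("/var/www/html/passwd", "/etc/httpd/conf.d/passwd"))

if __name__ == "__main__":
    for finding in lint_auth(POSTED):
        print("FINDING:", finding)
    print("hardened:", lint_auth(HARDENED))   # []
```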
Virtual hosts
[root@localhost ~]# cat /etc/httpd/conf.d/virtual.conf
<virtualhost 192.168.0.104:80>
ServerName images
DocumentRoot "/var/www/html/images"
</virtualhost>
[root@localhost ~]# ip add add 192.168.0.104/24 dev ens33
[root@localhost ~]# ip add show dev ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ae:46:bc brd ff:ff:ff:ff:ff:ff
inet 192.168.0.103/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
valid_lft 4088sec preferred_lft 4088sec
inet 192.168.0.104/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::e537:3c3b:9ce6:ce37/64 scope link noprefixroute
valid_lft forever preferred_lft forever
HTTPS
Configuring httpd to support HTTPS:
- Obtain a digital certificate for the server;
For testing, issue the certificate from a private CA
(a) Create the private CA
[root@localhost ~]# rpm -q --whatprovides /etc/pki/tls/openssl.cnf
openssl-libs-1.0.2k-16.el7.x86_64
[root@localhost ~]# rpm -qc openssl-libs
/etc/pki/tls/openssl.cnf
[root@localhost ~]# rpm -qc openssl
[root@localhost ~]#
The CA-related configuration in openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
Create the CA private key
[root@localhost ~]# ( umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096 )
Generating RSA private key, 4096 bit long modulus
..................++
...................................................................................++
e is 65537 (0x10001)
Self-sign the private CA certificate
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hanghzou
Organization Name (eg, company) [Default Company Ltd]:superb
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.superb.com
Email Address []:
(b) Create a certificate signing request on the server
Create the HTTPS server's private key
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/httpd/conf.d/ssl/prikey.pem)
Generating RSA private key, 2048 bit long modulus
......................+++
......................................................................................+++
e is 65537 (0x10001)
Generate the CSR (certificate signing request)
[root@localhost ~]# openssl req -new -key /etc/httpd/conf.d/ssl/prikey.pem -out /etc/httpd/conf.d/ssl/https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:superb
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.superb.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(c) Sign the certificate with the CA
[root@localhost ~]# openssl ca -in /etc/httpd/conf.d/ssl/https.csr -out /etc/pki/CA/certs/https.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 10 06:23:31 2019 GMT
Not After : Apr 9 06:23:31 2020 GMT
Subject:
countryName = cn
stateOrProvinceName = zhejiang
organizationName = superb
organizationalUnitName = devops
commonName = www.superb.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
33:3D:5E:FB:46:11:06:74:89:6F:9E:9F:2C:3C:13:72:35:75:A3:2F
X509v3 Authority Key Identifier:
keyid:F4:7B:DA:BB:BC:84:C3:67:64:77:A8:14:87:69:8D:6B:93:07:FD:F9
Certificate is to be certified until Apr 9 06:23:31 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Configure httpd to use SSL and the certificate;
# yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf, where the following directives are set:
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
...
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.superb.com:443
...
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/CA/certs/https.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/prikey.pem
...
- Test HTTPS access to the host;
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
After importing the private CA's root certificate, the browser still reported the certificate as missing and then complained that the SAN was missing 😅
See the wiki on SAN (Subject Alternative Name)
Re-issue the certificate for the HTTPS server from the CA
[root@localhost ~]# openssl req -new -key /etc/httpd/conf.d/ssl/prikey.pem -reqexts SAN \
> -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.superb.com")) \
> -out /etc/httpd/conf.d/ssl/https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:superb
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.superb.com
Email Address []:www@superb.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:none
[root@localhost ~]# openssl ca -in /etc/httpd/conf.d/ssl/https.csr -extensions SAN \
> -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.superb.com")) \
> -out /etc/pki/CA/certs/https.crt
Using configuration from /dev/fd/63
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 10 08:49:05 2019 GMT
Not After : Apr 9 08:49:05 2020 GMT
Subject:
countryName = cn
stateOrProvinceName = zhejiang
organizationName = superb
organizationalUnitName = devops
commonName = www.superb.com
emailAddress = www@superb.com
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.superb.com
Certificate is to be certified until Apr 9 08:49:05 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
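The browser complaint above comes from the name-matching rule applied to the SAN. Added example, not from the original post: a Python implementation of that rule (RFC 6125 wildcard matching, CN ignored), run against the DNS:*.superb.com entry issued above.

```python
"""Added example (not from the original post): the hostname-matching rule a
browser applies to the certificate's Subject Alternative Name (RFC 6125),
illustrated with the DNS:*.superb.com entry issued above. The CN is ignored."""

def san_matches(hostname, dns_name):
    """Does one DNS: SAN entry cover hostname?  A '*' is honoured only as the
    whole left-most label, matches exactly one label, and needs two more labels."""
    host = hostname.rstrip(".").lower().split(".")
    pat = dns_name.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False                     # '*.superb.com' covers neither a.b.superb.com nor superb.com
    if "*" in pat and len(pat) < 3:
        return False                     # '*' or '*.com' is too broad
    if any("*" in label for label in pat[1:]):
        return False                     # wildcard only in the first label
    return all(p == "*" or p == h for p, h in zip(pat, host))

def cert_covers(hostname, san_dns_names):
    """Modern browsers match SAN entries only: a CN-only certificate fails."""
    return any(san_matches(hostname, name) for name in san_dns_names)

if __name__ == "__main__":
    sans = ["*.superb.com"]              # the SAN the post's second CSR requests
    for h in ("www.superb.com", "WWW.superb.com", "superb.com", "a.b.superb.com"):
        print(h, cert_covers(h, sans))   # True True False False
    # the post's first certificate: CN=www.superb.com and no SAN at all
    print(cert_covers("www.superb.com", []))  # False
```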
References
http://liaoph.com/openssl-san/
https://zhuanlan.zhihu.com/p/26646377