1. Training topology

Server: 172.16.22.225/24
PC: 172.16.22.x/24

2. Deployment requirements

  • Set up the service environment
  • Deploy DHCP, DNS, web and CA services on the server
  • Clients can reach and verify the services built on the server

3. Goals

  • Client and server are network-connected
  • Clients automatically obtain an IP address in the 172.16.22.x range from the server
  • Clients can resolve the domain name www.skills.com
  • Clients can access the website http://www.skills.com
  • Clients can access the website https://www.skills.com

4. Approach

Analyse the deployment requirements and identify which function satisfies each one.

DHCP approach

1. Install DHCP on the server (IP 172.16.22.225), define an address pool, and assign addresses from 172.16.22.0/24 to the PCs.
2. Configure DHCP on the server so that the PCs obtain an address automatically.

DNS approach

1. Install DNS on the server and edit the configuration files to add the domain, giving forward and reverse name resolution. When www.skills.com is typed into a browser, the operating system first checks its local hosts file for a mapping of that name; if one exists it uses that IP address and resolution is complete, otherwise the query goes to the configured DNS server.

Web approach

1. Install the Apache web server, start it, and test it from a browser.

CA approach

1. A CA first needs a root certificate, which is then used to sign server certificates and client certificates; server and client certificates are peers of each other. For SSL, both the root certificate and the server certificate must be installed for authentication.
2. Before a certificate is generated there is normally a private key; the private key is used to produce a certificate request, and the CA's root certificate is used to sign that request and issue the certificate. So we generate the certificate private key on the server and then issue certificates to the client machine.

5. Implementation steps

DHCP steps

1. Install the DHCP package on CentOS 7

yum -y install dhcp

2. Configure /etc/dhcp/dhcpd.conf

[root@Server ~]# cat /etc/dhcp/dhcpd.conf 
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
# The subnet is declared as 172.16.0.0/16, wider than the /24 in the topology;
# the pool itself stays inside 172.16.22.0/24 (the client receives a /16 below).
subnet 172.16.0.0 netmask 255.255.0.0 {
  range 172.16.22.50 172.16.22.253;
}

3. Start DHCP: systemctl start dhcpd

[root@Server ~]# systemctl start dhcpd
[root@Server ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 三 2022-03-16 23:55:05 CST; 1 day 14h ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 17476 (dhcpd)

4. On the client, check the address that was assigned with ip addr

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:85:0f:04 brd ff:ff:ff:ff:ff:ff
    inet 172.16.22.51/16 brd 172.16.255.255 scope global noprefixroute dynamic ens192
       valid_lft 42618sec preferred_lft 42618sec
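
The dhcpd.conf above declares the whole 172.16.0.0/16, and the client accordingly received 172.16.22.51/16, while the topology and goal 2 only call for 172.16.22.x/24; a client that must also resolve www.skills.com needs the lab DNS server delivered with its lease. The script below is an added example, not the report's own file: it writes a /24 configuration that hands out 172.16.22.225 as the DNS server and checks in plain shell that the pool fits the declared subnet. It assumes the server is also the PCs' default gateway.

```shell
# Added example, not the report's own file: a dhcpd.conf for the 172.16.22.0/24
# topology that also hands the lab DNS server to every client, plus a plain-shell
# check that the pool lies inside the declared subnet.
# Assumption: the server (172.16.22.225) is also the PCs' default gateway.

# Dotted quad -> integer, so netmask arithmetic can be done in $(( )).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_subnet ADDR NETWORK NETMASK: status 0 when ADDR is inside the subnet.
ip_in_subnet() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# check_pool START END NETWORK NETMASK: status 0 when both pool ends fit.
check_pool() {
    ip_in_subnet "$1" "$3" "$4" && ip_in_subnet "$2" "$3" "$4"
}

# Write the corrected configuration to the path given as $1.
write_dhcpd_conf() {
    cat > "$1" <<'EOF'
# Lease only 172.16.22.0/24, not the whole 172.16.0.0/16.
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 172.16.22.0 netmask 255.255.255.0 {
    range 172.16.22.50 172.16.22.253;
    option routers 172.16.22.225;              # assumed: server is the gateway
    option domain-name-servers 172.16.22.225;  # the BIND server set up next
    option domain-name "skills.com";           # lets "www" resolve via the search list
}
EOF
}

# Usage: write the file and confirm the pool fits; on the real server follow
# up with "dhcpd -t -cf /etc/dhcp/dhcpd.conf" before restarting the service.
write_dhcpd_conf /tmp/dhcpd.conf.example
check_pool 172.16.22.50 172.16.22.253 172.16.22.0 255.255.255.0 && echo "pool fits subnet"
```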

Configure DNS

yum -y install bind*            # install BIND
systemctl start named.service   # start DNS

1. Check that the named process is running: ps -eaf | grep named

[root@Server ~]# ps -eaf | grep named
named     23643      1  0 3月17 ?       00:00:01 /usr/sbin/named -u named -c /etc/named.conf
root      26121  25816  0 14:34 pts/0    00:00:00 grep --color=auto named
[root@Server ~]# 

2. Check that port 53 is listening: netstat -an | grep :53

[root@Server ~]# netstat -an | grep :53
tcp        0      0 172.16.22.225:53        0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN     
udp        0      0 172.16.22.225:53        0.0.0.0:*                          
udp6       0      0 ::1:53                  :::*                               
[root@Server ~]# 

3. Open TCP and UDP port 53 in the firewall:

iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT

4. Edit the main DNS configuration file /etc/named.conf

options {
	listen-on port 53 { 172.16.22.225; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	// "any" answers every source address; with the package default "recursion yes"
	// this is an open resolver, so outside the lab limit it to { 172.16.22.0/24; }.
	allow-query     { any; };

	/* ... remaining options unchanged from the package default ... */

5. Edit /etc/named.rfc1912.zones

// The zone apex is www.skills.com itself (not skills.com), so the apex A record
// in the zone file is what answers queries for www.skills.com.
zone "www.skills.com" IN {
        type master;
        file "www.skills.com.zone";
};
// Reverse zone for 172.16.22.0/24.
zone "22.16.172.in-addr.arpa" IN {
        type master;
        file "www.skills.com.local";
};

6. Add the zone file /var/named/www.skills.com.zone

[root@Server ~]# cat /var/named/www.skills.com.zone 
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@			; the name server is the zone apex itself
	A	172.16.22.225		; apex record: this answers www.skills.com
www	A	172.16.22.225		; relative name, so actually www.www.skills.com

7. Add the reverse zone file /var/named/www.skills.com.local

[root@Server ~]# cat /var/named/www.skills.com.local 
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	172.16.22.225
225	IN PTR	www.skills.com.		; last octet of 172.16.22.225; trailing dot keeps the target absolute
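
A name without a trailing dot in a zone file is relative to the zone origin: inside zone www.skills.com the record `www` names www.www.skills.com (the apex A record is what answered the nslookup), and a PTR target written as www.skills.com becomes www.skills.com.22.16.172.in-addr.arpa. The helper below is an added example, not part of the report: it expands every record of a zone file to absolute names so such slips show up before named loads the zone; the two sample files it writes under /tmp are constructed to mirror the lab layout, with the PTR target deliberately left without its trailing dot.

```shell
# Added helper, not from the original report: print each record of a BIND
# zone file with owner and target expanded to absolute names, given the zone
# name ($1, trailing dot optional) and the zone file ($2).
expand_zone() {
    origin="${1%.}."
    awk -v origin="$origin" '
    # Relative names get the origin appended; "@" stands for the origin.
    function fqdn(n) {
        if (n == "@") return origin
        if (n ~ /\.$/) return n
        return n "." origin
    }
    /^[$]/  { next }                        # $TTL / $ORIGIN directives
            { sub(/;.*/, "") }              # strip comments
    NF == 0 { next }
    inparen { if ($0 ~ /\)/) inparen = 0; next }   # rest of a multi-line SOA
    {
        # a line starting with blank space inherits the previous owner name
        if ($0 ~ /^[ \t]/) { i = 1 } else { owner = fqdn($1); i = 2 }
        # skip optional TTL and class tokens that precede the record type
        while (i <= NF && ($i == "IN" || $i ~ /^[0-9]+[SMHDWsmhdw]?$/)) i++
        type = $i; rdata = $(i + 1)
        if (type == "SOA") { if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1; next }
        if (type == "NS" || type == "CNAME" || type == "PTR") rdata = fqdn(rdata)
        print owner, type, rdata
    }' "$2"
}

# Constructed sample files mirroring the lab layout (not copied from /var/named);
# the PTR target is deliberately written without a trailing dot.
cat > /tmp/zone_fwd.example <<'EOF'
$TTL 1D
@   IN SOA  @ rname.invalid. (
            0   ; serial
            3H ) ; minimum
    NS  @
    A   172.16.22.225
www A   172.16.22.225
EOF
cat > /tmp/zone_rev.example <<'EOF'
$TTL 1D
@   IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
    NS  @
254 IN PTR  www.skills.com
EOF

expand_zone www.skills.com /tmp/zone_fwd.example          # shows www.www.skills.com. A 172.16.22.225
expand_zone 22.16.172.in-addr.arpa /tmp/zone_rev.example  # shows the PTR target with the origin appended
```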

8. Configure /etc/resolv.conf

[root@Server ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.16.22.225

9. Test forward and reverse resolution

[root@Server ~]# nslookup www.skills.com
Server:		172.16.22.225
Address:	172.16.22.225#53

Name:	www.skills.com
Address: 172.16.22.225

[root@Server ~]# 

Build the web server

1. Install Apache as the web server software

yum install -y httpd*

2. Start httpd (Apache): systemctl start httpd

[root@Server ~]# systemctl start httpd
[root@Server ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 四 2022-03-17 00:18:05 CST; 1 day 15h ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 17646 (httpd)
   Status: "Total requests: 2; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─17646 /usr/sbin/httpd -DFOREGROUND
           ├─17647 /usr/sbin/httpd -DFOREGROUND
           ├─17648 /usr/sbin/httpd -DFOREGROUND
           ├─17649 /usr/sbin/httpd -DFOREGROUND
           ├─17650 /usr/sbin/httpd -DFOREGROUND
           ├─17651 /usr/sbin/httpd -DFOREGROUND
           └─17652 /usr/sbin/httpd -DFOREGROUND

3月 17 00:18:05 localhost.localdomain systemd[1]: Stopped The Apache HTTP Server.
3月 17 00:18:05 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
3月 17 00:18:05 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
[root@Server ~]# 

Web page (screenshot not reproduced here)

From the client: curl -iv 172.16.22.225

[root@localhost ~]# curl -iv 172.16.22.225
* About to connect() to 172.16.22.225 port 80 (#0)
*   Trying 172.16.22.225...
* Connected to 172.16.22.225 (172.16.22.225) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.16.22.225
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 18 Mar 2022 08:16:31 GMT
Date: Fri, 18 Mar 2022 08:16:31 GMT
< Server: Apache/2.4.6 (CentOS)
Server: Apache/2.4.6 (CentOS)
< Last-Modified: Wed, 16 Mar 2022 16:10:54 GMT
Last-Modified: Wed, 16 Mar 2022 16:10:54 GMT
< ETag: "1f-5da5828760091"
ETag: "1f-5da5828760091"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 31
Content-Length: 31
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

< 
Hell,welcome to www.skills.com
* Connection #0 to host 172.16.22.225 left intact
[root@localhost ~]# 

CA certification

1. First open /etc/pki/tls/openssl.cnf and get familiar with the CA-related contents of the system configuration file

[root@Server ~]# vi /etc/pki/tls/openssl.cnf 

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.

2. Create the database index file index.txt under /etc/pki/CA

[root@Server ~]# cd /etc/pki/CA/
[root@Server CA]# touch index.txt
[root@Server CA]# echo 66 > serial
[root@Server CA]# ls
cacart.pem  certs  crl  index.txt  newcerts  private  serial
[root@Server CA]# 

3. Generate the CA private key, setting its path, name and pass phrase

(screenshot not reproduced here)

4. From the cakey.pem private key, extract the public key into the CA certificate named cacert.pem and set the CA's validity period (the subject contains country, province, city, company name, department, server name and e-mail address)

(screenshot not reproduced here)

The CA certificate is now created

[root@Server CA]# cat cacart.pem 
-----BEGIN CERTIFICATE-----
(PEM certificate body omitted)
-----END CERTIFICATE-----
[root@Server CA]# 

Generate the key pair on the node requesting a certificate

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
..............................+++
e is 65537 (0x10001)
[root@localhost ~]# 

Generate the certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XX
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
#stateOrProvinceName_default    = Default Province

localityName                    = Locality Name (eg, city)
localityName_default            = Default City

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Default Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
                       
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf 
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/
conf/           conf.modules.d/ modules/        ssl/            
conf.d/         logs/           run/            
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.key 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:SD
Organization Name (eg, company) [Default Company Ltd]:jzg
Organizational Unit Name (eg, section) []:jzg
Common Name (eg, your name or your server's hostname) []:www.skills.com
Email Address []:2796676427@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:000000
An optional company name []:jzg
[root@localhost ~]# 

Send the signing request to the CA server

[root@localhost ~]# scp httpd.csr 172.16.22.225:/etc/pki/CA/csr
root@172.16.22.225's password: 
httpd.csr: No such file or directory  # an error appeared here
[root@Server CA]# openssl ca -in /etc/pki/CA/csr/httpd.csr -out /etc/pki/CA/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Error opening CA certificate /etc/pki/CA/cacert.pem
140120267863952:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
140120267863952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
[root@Server CA]      ## the previous step did not go through, so the following steps could not be carried out
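
Two details in the transcript above stop the signing: the request command writes its output to /etc/httpd/ssl/httpd.key, the key's own path, so no httpd.csr exists for scp to copy (and the key is overwritten), and openssl ca reports that it cannot open /etc/pki/CA/cacert.pem, the file that the listing in step 2 shows saved as cacart.pem. The check below is an added example, not from the report: it resolves the paths named in the [CA_default] section of openssl.cnf and lists any that are missing, so the directory layout is verified before openssl ca runs. It assumes the config file path as $1 and an optional replacement for dir as $2; the sample section and directory it creates under /tmp are constructed to mirror the report.

```shell
# Added example, not from the original report: list the [CA_default] paths
# that "openssl ca" will open and report the ones that do not exist.
# $1 = openssl.cnf (or an excerpt), $2 = optional override for "dir".
ca_paths_missing() {
    cfg="$1"; override="$2"
    # Keep only the [CA_default] section, strip comments and trailing blanks,
    # then normalise each "key = value" line to key=value ("dir" comes first).
    sed -n '/^\[ *CA_default *\]/,/^\[/p' "$cfg" |
    sed 's/#.*//; s/[[:space:]]*$//' |
    awk -F'=' 'NF == 2 { gsub(/[ \t]/, "", $1); sub(/^[ \t]+/, "", $2); print $1 "=" $2 }' |
    while IFS='=' read -r key value; do
        case "$key" in
            dir) dir="${override:-$value}" ;;
            certs|crl_dir|new_certs_dir|database|serial|certificate|private_key)
                case "$value" in          # expand the $dir reference by hand
                    '$dir'*) path="$dir${value#\$dir}" ;;
                    *)       path="$value" ;;
                esac
                [ -e "$path" ] || echo "$key: $path" ;;
        esac
    done
}

# Exit status 0 only when every referenced path exists.
ca_ready() { [ -z "$(ca_paths_missing "$@")" ]; }

# Constructed inputs: the path keys of a CentOS 7 [CA_default] section, and a
# CA directory laid out like the report's "ls" output (cacart.pem, not cacert.pem).
cat > /tmp/ca_default.example <<'EOF'
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
private_key     = $dir/private/cakey.pem # The private key

[ policy_match ]
EOF
mkdir -p /tmp/ca.example/certs /tmp/ca.example/crl /tmp/ca.example/newcerts /tmp/ca.example/private
touch /tmp/ca.example/cacart.pem /tmp/ca.example/index.txt /tmp/ca.example/serial /tmp/ca.example/private/cakey.pem

ca_paths_missing /tmp/ca_default.example /tmp/ca.example   # prints: certificate: /tmp/ca.example/cacert.pem
```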

6. Task summary

Problems that came up during the task, how they were solved, and the key points to stress and watch out for
1. Be very careful with the DNS configuration files; when something goes wrong, read the error message and analyse the logs
/etc/named.rfc1912.zones
2. As long as you are careful the scope of a problem can be narrowed down; when something goes wrong, analyse and rule out errors first, and search Baidu when stuck. With a serious attitude I believe even the biggest difficulty can be overcome.
3. Because of the problems above, the CA could not receive the sent request or certify the client; I will keep studying these issues and update this later.
