1、詳細描述一次加密通訊的過程，結合圖示最佳。

?以Bob和Alice安全通訊為例：

????Bob<--------->Alice

? ?1. Bob要和Alice安全通信首先要取得對方的公鑰，即對方的證書，并驗證證書的合法性。驗證過程和內容：

????1）、用CA的公鑰（雙方已知）解密對方證書中CA的簽名；能解密說明證書來原可靠；

????2）、用證書中標記的“簽名算法”來計算證書的相關信息，并將散列計算的結果與證書“發行者簽名”解密的結果（證書特征碼）進行比較，如果一致說明證書完整性可靠；

????3）、檢查證書的有效期限是否在合法范圍內，防止證書過期；

????4）、驗證證書的“主體名稱”和預通信的人是否對應；

????5）、檢查證書是否被吊銷；

????以上驗證成功則說明對方證書可靠，并信任該證書。

? ?2. 取得對方證書（即公鑰）后進行如下操作：

????加密：

????1)、Bob對明文數據進行散列計算，提取出數據指紋（特征碼，也叫信息摘要）；

????2)、Bob使用自己的私鑰對該數據指紋進行加密，生成數字簽名，并將該數字簽名附加在明文數據之后；

????3)、Bob使用一個一次性的對稱加密算法密鑰對明文和數字簽名進行加密，生成密文；

????4)、Bob再使用Alice的公鑰對對稱加密算法的密鑰進行加密，生成數字信封；

????5)、Bob將密文和數字信封打包發送給Alice；

????解密：

????1)、Alice收到數據（密文+數字信封）后，使用自己的私鑰解密數字信封，得到對稱加密算法的密鑰；

????2)、使用對稱加密密鑰解密密文，得到明文數據和數字簽名。保證了數據的私密性；

????3)、使用Bob的公鑰解密數字簽名，得到明文的數據指紋（特征碼）。如果能解出，說明數據為Bob發送，保證了數據的不可否認性；

????4)、Alice使用同樣的散列算法對明文計算得出數據指紋（特征碼），并與Bob計算的數據指紋進行比對，如果一致，說明數據沒有被篡改。保證的數據的完整性；

???

2、描述創建私有CA的過程，以及為客戶端發來的證書請求進行辦法證書。

????應用服務器如果使用證書需向RA（證書注冊機構）提出申請，RA對申請人信息進行核驗，核驗成功后由CA進行簽署并生成證書。為了保證CA簽署的證書可信，CA在簽署客戶證書前需要先生成自簽證書，客戶端會使用CA的證書來驗證CA所簽署的證書。

????證書頒發過程：

???????? 1）、申請方向RA遞交證書申請；

???????? 2）、RA會要求申請人遞交自己的公鑰和其它相關信息；

???????? 3）、RA核驗該申請方的真實信息；

????? ? 4）、核驗通過后，RA會將請求轉交給CA進行簽署。由CA對這些信息進行散列，并用自己的私鑰對散列結果進行加密，生成數字簽名；

???????? 5）、將申請方的信息和數字簽名一起封裝到證書內，頒發給申請方；

????證書申請及簽署實例（使用自建CA簽署證書時CA和RA可合并）：?

????1) ?構建私有CA：

????????(1) 檢查安裝openssl；??????

????????(2) 根據openssl的配置文件（/etc/pki/tls/openssl.cnf）創建所需要的文件；

#?touch?/etc/pki/CA/index.txt??????????#創建證書索引文件 #?echo?01?>?/etc/pki/CA/serial????????#設置證書的序列號

?????? ?(3) 自簽證書：

#?(umask?077;?openssl?genrsa?-out?/etc/pki/CA/private/cakey.pem?2048)????????#生成CA的私鑰#?openssl?req?-new?-x509?-key?/etc/pki/CA/private/cakey.pem?-days?3650?-out?/etc/pki/CA/cacert.pem????????????#生成自簽證書簽署請求，只有在生成自簽證書時使用-x509選項 You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:Beijing Locality?Name?(eg,?city)?[Default?City]:Beijing Organization?Name?(eg,?company)?[Default?Company?Ltd]:Yinkai Organizational?Unit?Name?(eg,?section)?[]:Ops Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:ca.yinkai.site??? Email?Address?[]:caadmin@yinkai.site

????2) 為客戶端簽發證書：

????????(1) 客戶端提交證書簽署請求：

#?(umask?077;?openssl?genrsa?-out?/etc/httpd/ssl/httpd.key?2048)????????????????#客戶端生成私鑰 #?openssl?req?-new?-key?/etc/httpd/ssl/httpd.key?-days?365?-out?/etc/httpd/ssl/httpd.csr????????????#客戶端生成證書簽署請求文件? You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:Beijing Locality?Name?(eg,?city)?[Default?City]:Beijing Organization?Name?(eg,?company)?[Default?Company?Ltd]:Yinkai Organizational?Unit?Name?(eg,?section)?[]:Tech Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:www.yinkai.site????????#此處的公共名需與實際使用的服務器訪問名稱一致 Email?Address?[]:caadmin@yinkai.site Please?enter?the?following?'extra'?attributes to?be?sent?with?your?certificate?request A?challenge?password?[]: An?optional?company?name?[]:

????????(2) 將證書簽署請求發給RA（此處RA與CA一致）

#?scp?/etc/httpd/ssl/httpd.csr?root@192.168.1.71:/tmp

????????(3) CA簽署請求：

#?openssl?ca?-in?/tmp/httpd.csr?-days?365?-out?/etc/pki/CA/certs/httpd.crt Using?configuration?from?/etc/pki/tls/openssl.cnf Check?that?the?request?matches?the?signature Signature?ok Certificate?Details:Serial?Number:?1?(0x1)ValidityNot?Before:?Oct?29?06:53:10?2016?GMTNot?After?:?Oct?29?06:53:10?2017?GMTSubject:countryName???????????????=?CNstateOrProvinceName???????=?BeijingorganizationName??????????=?YinkaiorganizationalUnitName????=?TechcommonName????????????????=?www.yinkai.siteemailAddress??????????????=?caadmin@yinkai.siteX509v3?extensions:X509v3?Basic?Constraints:?CA:FALSENetscape?Comment:?OpenSSL?Generated?CertificateX509v3?Subject?Key?Identifier:?4B:08:90:15:E3:FE:E2:44:AF:BD:C2:79:F9:13:4A:B8:FB:70:BF:4AX509v3?Authority?Key?Identifier:?keyid:32:43:7A:30:8C:2E:22:87:85:63:04:F1:37:D4:8C:4D:3B:41:10:B8 Certificate?is?to?be?certified?until?Oct?29?06:53:10?2017?GMT?(365?days) Sign?the?certificate??[y/n]:y 1?out?of?1?certificate?requests?certified,?commit??[y/n]y Write?out?database?with?1?new?entries Data?Base?Updated

????????(4) 將證書發送給請求客戶端：

????#?scp?/etc/pki/CA/certs/httpd.crt?root@192.168.1.61:/etc/httpd/ssl/

3、搭建一套DNS服務器，負責解析magedu.com域名（自行設定主機名及IP）??

(1)、能夠對一些主機名進行正向解析和逆向解析；

(2)、對子域cdn.magedu.com進行子域授權，子域負責解析對應子域中的主機名；

(3)、為了保證DNS服務系統的高可用性，請設計一套方案，并寫出詳細的實施過程

????環境說明：

????????magedu.com主ns服務器IP：192.168.1.71?

????????magedu.com輔助ns服務器：192.168.1.72

????????cdn.magedu.com子域ns服務器：192.168.1.61???????

????主域名稱服務器（192.168.1.71）：

????????bind主配置文件（/etc/named.conf）如下：

acl?slaves?{????????????????????????????//定義輔助ns192.168.1.71;192.168.1.72;127.0.0.1; };acl?mynet?{?????????????????????//定義接受遞歸的服務器192.168.1.71;192.168.1.61;127.0.0.1; };options?{listen-on?port?53?{?127.0.0.1;?192.168.1.71;?};????????????//定義監聽的IP // listen-on-v6?port?53?{?::1;?};directory? "/var/named";dump-file? "/var/named/data/cache_dump.db";statistics-file?"/var/named/data/named_stats.txt";memstatistics-file?"/var/named/data/named_mem_stats.txt";allow-query?????{?any;?};forward?first;????????????????//定義轉發服務器。接受“mynet”遞歸請求，轉發至8.8.8.8forwarders?{?8.8.8.8;?};allow-recursion?{?mynet;?}; };logging?{channel?default_debug?{file?"data/named.run";severity?dynamic;}; };include?"/etc/named.rfc1912.zones"; include?"/etc/named.root.key";

????????編輯/etc/named.rfc1912.zones，添加以下區域：

zone?"1.168.192.in-addr.arpa"?IN?{type?master;file?"192.168.1.zone"; allow-update?{?none;?}; };zone?"magedu.com"?IN?{type?master;file?"magedu.com.zone";allow-query?{?any;?};allow-transfer?{?slaves;?};????????????//接受“slaves”傳輸請求allow-update?{?none;?}; };

????添加區域資源記錄：

????????正向資源記錄：

#?cat?magedu.com.zone? $TTL?1D $ORIGIN?magedu.com. @???????IN??????SOA?????ns1.magedu.com.?????admin.magedu.com????(20161030021H5M7D1D?)IN??????NS??????ns1IN??????NS??????ns2IN??????MX??10??mx1IN??????MX??20??mx2 ns1?????IN??????A???????192.168.1.71 ns2?????IN??????A???????192.168.1.72 mx1?????IN??????A???????192.168.1.100 mx2?????IN??????A???????192.168.1.200 www?????IN??????A???????192.168.1.5? cdn?????IN??????NS??????ns.cdn ns.cdn??IN??????A???????192.168.1.61 *???????IN??????A???????192.168.1.100

????????反向資源記錄：

#?cat?192.168.1.zone $TTL?1D $ORIGIN?1.168.192.in-addr.arpa. @???????IN??????SOA?????ns1.magedu.com.?????admin.magedu.com.????(20161030011H5M7D1D?)IN??????NS??????ns1.magedu.com.IN??????NS??????ns2.magedu.com. 71??????IN??????PTR?????ns1.magedu.com. 72??????IN??????PTR?????ns2.magedu.com. 100?????IN??????PTR?????mx1.magedu.com. 200?????IN??????PTR?????mx2.magedu.com. 5???????IN??????PTR?????www.magedu.com. 61??????IN??????PTR?????ns.cdn.magedu.com.

????輔助名稱服務器（192.168.1.72）：

????????/etc/named.conf:

options?{listen-on?port?53?{?127.0.0.1;?192.168.1.72;?}; // listen-on-v6?port?53?{?::1;?};directory? "/var/named";dump-file? "/var/named/data/cache_dump.db";statistics-file?"/var/named/data/named_stats.txt";memstatistics-file?"/var/named/data/named_mem_stats.txt";allow-query?????{?any;?}; }; logging?{channel?default_debug?{file?"data/named.run";severity?dynamic;}; }; zone?"."?IN?{type?hint;file?"named.ca"; };include?"/etc/named.rfc1912.zones"; include?"/etc/named.root.key";

????????/etc/named.rfc1912.zones添加以下部分：

zone?"magedu.com"?IN?{type?slave;masters?{?192.168.1.71;?};file?"slaves/magedu.com.zone"; }; zone?"1.168.192.in-addr.arpa"?IN?{type?slave;masters?{?192.168.1.71;?};file?"slaves/192.168.1.zone"; };

????cdn.magedu.com子域服務器（192.168.1.61）:

????????/etc/named.conf:

options?{ listen-on?port?53?{?127.0.0.1;?192.168.1.61;?}; //listen-on-v6?port?53?{?::1;?}; directory?"/var/named"; allow-query?????{?any;?}; recursion?yes;forward?first;????????????????//定義全局轉發服務器，當主服務器不予遞歸時再將請求轉發至根域服務器forwarders?{?192.168.1.71;?}; }; logging?{channel?default_debug?{file?"data/named.run";severity?dynamic;}; }; zone?"."?IN?{ type?hint; file?"named.ca"; }; include?"/etc/named.rfc1912.zones";

????????/etc/named.rfc1912.zones

zone?"cdn.magedu.com"?IN?{type?master;file?"cdn.magedu.com.zone";allow-update?{?none;?}; }; //zone?"magedu.com"?IN?{????????????//定義區域轉發服務器，與全局轉發選其一。區域轉發只轉發magedu.com域的請求 //????type?forward; //????forward?only; //????forwarders?{?192.168.1.71;?192.168.1.72;?}; //};

????????/var/named/cdn.magedu.com.zone:

$TTL?1D $ORIGIN?cdn.magedu.com. @???????IN??????SOA?????ns.cdn.magedu.com.??????admin.cdn.magedu.com.???(20161030011H5M7D1D?)IN??????NS??????nsIN??????MX??10??mx ns??????IN??????A???????192.168.1.61 mx??????IN??????A???????192.168.1.101 www?????IN??????A???????192.168.1.110 *???????IN??????A???????192.168.1.111

重啟named服務后驗證：

????主域服務器測試正反解析：

????測試輔助服務器正反解析：

????測試子域服務器：

4、請描述一次完整的http請求處理過程；

http請求處理過程：????

????1) 客戶端遞歸請求服務器網站域名，DNS服務器解析到結果后返回給客戶端；

????2) 客戶端使用IP地址向http服務器發起TCP三次握手；

????3) 客戶端封裝http報文，并向http服務器發起請求;

????4) http服務器解析請求，獲取URL中指定資源，構建響應報文并封裝為http響應報文返回給客戶端；

????5) 客戶端收到http響應報文后由瀏覽器負責解析并渲染呈現給用戶，并記錄日志。完成一個http事務。在此過程中http返回的響應報文有可能引用了多個服務器資源，若服務器沒有啟用“KeepAlived”則每個資源的獲取都需要一個tcp三次握手和四次斷開過程。

5、httpd所支持的處理模型有哪些，他們的分別使用于哪些環境。

httpd支持以下三種處理模型(MPM)：

? ? prefork: 多進程模型。一個主進程負責生成多個工作進程，每個工作進程處理一個用戶請求；即使沒有用戶請求也會預先生成多個工作進程，以便隨時響應用戶請求，默認8個，最大不會超過1024個；特點是工作穩定，進程間獨立工作，某個進程掛起不會影響其它進程。用于請求量不大，但穩定性要求較高的環境；

? ? worker: 多線程模型。一個主進程負責生成多個子進程(m，默認4個)，每個子進程負責生成多個線程(n)，由線程處理用戶請求，同時可接受m×n個http請求。由于linux中進程的輕量化設計，進程與線程的效率無太大差別，所以工作效率與profork也沒有太大差異，但一個工作進程中的多個線程共享一個內存數據區，某個線程故障會影響到同進程下的其它線程，故穩定性不如prefork；

? ? event： 事件驅動模型。一個主進程負責生成多個工作進程(m)，每個進程基于epoll事件通知機制直接響應多個用戶請求(n)。同時可響應m*n個用戶>請求，httpd2.4中可用于生產。

6、建立httpd服務器(基于編譯的方式進行)，要求：

提供兩個基于名稱的虛擬主機:

(a)www1.stuX.com，頁面文件目錄為/web/vhosts/www1；錯誤日志為/var/log/httpd/www1.err，訪問日志為/var/log/httpd/www1.access；

(b)www2.stuX.com，頁面文件目錄為/web/vhosts/www2；錯誤日志為/var/log/httpd/www2.err，訪問日志為/var/log/httpd/www2.access；

(c)為兩個虛擬主機建立各自的主頁文件index.html，內容分別為其對應的主機名；

(d)通過www1.stuX.com/server-status輸出httpd工作狀態相關信息，且只允許提供帳號密碼才能訪問(status:status)；

在RHEL6上編譯安裝httpd2.4

(1) 環境準備：

httpd的運行依賴于apr1.4+和apr-util1.4（apr和apr-util（apr-util為apr的工具組件）相當于httpd的虛擬機）。httpd2.4依賴1.4版以上的apr和apr-util，而RHEL6默認安裝的apr和apr-utils版本為1.3.9，為了不影響其他程序對apr-1.3.9的依賴，需單獨編譯安裝apr和apr-util1.4以上版。

1).編譯安裝apr-1.5.2和apr-util-1.5.4：

[root@C1?~]#?tar?xf?/tmp/httpd/apr-1.5.2.tar.bz2?-C?/usr/local/src/ [root@C1?~]#?cd?/usr/local/src/apr-1.5.2/ [root@C1?apr-1.5.2]#?./configure?--prefix=/usr/local/apr-1.5.2 [root@C1?apr-1.5.2]#?make?&&?make?install[root@C1?httpd]#?tar?xf?apr-util-1.5.4.tar.bz2?-C?/usr/local/src/ [root@C1?httpd]#?cd?/usr/local/src/apr-util-1.5.4/ [root@C1?apr-util-1.5.4]#?./configure?--prefix=/usr/local/apr-util-1.5.4?--with-apr=/usr/local/apr-1.5.2/ [root@C1?apr-util-1.5.4]#?make?&&?make?install

#創建apr和apr-util的鏈接文件，以便后期引用：

[root@C1?~]#?ln?-s?/usr/local/apr-1.5.2/?/usr/local/apr [root@C1?~]#?ln?-s?/usr/local/apr-util-1.5.4/?/usr/local/apr-util

2).安裝PCRE（Perl Compatible Regular Expressions）的開發庫：

[root@C1?~]#?yum?install?-y?pcre-devel

3).創建apache系統用戶：

[root@C1?~]#?useradd?-r?apache

(2) 編譯安裝httpd-2.4：

1).安裝httpd程序：

[root@C1?httpd]#?tar?xv?httpd-2.4.23.tar.bz2?-C?/usr/local/src/ [root@C1?httpd]#?cd?/usr/local/src/httpd-2.4.23/ [root@C1?httpd-2.4.23]#?./configure?--prefix=/usr/local/httpd24?--sysconf=/etc/httpd24?--enable-ssl?--enable-cgi?--enable-rewrite?--with-zlib?--with-pcre?--with-apr=/usr/local/apr?--with-apr-util=/usr/local/apr-util?--enable-so?--enable-modules=most?--enable-mpms-shared=all?--with-mpm=prefork

#選項說明：

--prefix=/usr/local/httpd24：指定httpd的安裝路徑；

--sysconf=/etc/httpd24：指定httpd的配置文件路徑，為了不與系統上已安裝的httpd2.2相沖突，需另指一個目錄；

--enable-ssl：啟用SSL功能

--enable-cgi：啟用cgi機制；

--enable-rewrite：啟用URL重寫機制；

--with-zlib：當使用compress壓縮機制時，需加載壓縮算所使用的壓縮庫；

--with-pcre：啟用PCRE庫。通常在使用URL重寫或過濾時會用到。注意：在使用該選項編譯httpd前需事先安裝pcre-devel；

--with-apr=/usr/local/apr：指定apr的安裝路徑；

--with-apr-util=/usr/local/apr-util/：指定apr-util的安裝路徑；

--enable-so：啟用動態模塊加載機制；

--enable-modules=most：指定要編譯的模塊。可用選項："all" | "most" | "few" | "none" | "reallyall"；

--enable-mpms-shared=all：httpd支持DSO（共享模塊編譯機制），此處將編譯所有支持的MPM模塊。可用選項："all" | "most" | "few" | "reallyall"

--with-mpm=prefork：指定httpd默認使用的MPM處理模塊。MPM={event|worker|prefork|winnt}

[root@C1?httpd-2.4.23]#?make?&&?make?install

2).將httpd-2.4的程序目錄添加到PATH環境變量中：

[root@C1?init.d]#?vim?/etc/profile.d/httpd24.sh export?PATH=/usr/local/httpd24/bin:$PATH [root@C1?init.d]#?.?/etc/profile.d/httpd24.sh [root@C1?init.d]#?echo?$PATH /usr/local/httpd24/bin:/usr/lib/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin [root@C1?init.d]#?which?httpd /usr/local/httpd24/bin/httpd

3).啟動httpd-2.4：

#注意：啟動前要確保80/tcp端口沒有被占用。

[root@C1?httpd-2.4.23]#?apachectl?start

#測試httpd-2.4是否成功啟動：

[root@C1?httpd-2.4.23]#?ss?-taln?|?grep?:80 0??????128???????????????????????????:::80???????????????????????????:::* [root@C1?httpd-2.4.23]#?ps?aux?|?grep?httpd root??????4415??0.0??0.3???4500??1828??????????Ss???16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4416??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4417??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4418??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4419??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start daemon????4420??0.0??0.2???4500??1228??????????S????16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start root??????4443??0.0??0.1???4328???724?pts/0????S+???17:02???0:00?grep?httpd

(3) 配置httpd服務器

1) 創建數據目錄，并準備測試頁面：

[root@C1?extra]#?mkdir?-vp?/web/vhosts/www{1,2} mkdir:?created?directory?`/web' mkdir:?created?directory?`/web/vhosts' mkdir:?created?directory?`/web/vhosts/www1' mkdir:?created?directory?`/web/vhosts/www2' [root@C1?extra]#?echo?"The?vhost1?site."?>?/web/vhosts/www1/index.html [root@C1?extra]#?echo?"The?vhost2?site."?>?/web/vhosts/www2/index.html

2) 編輯httpd-2.4的配置文件：

[root@C1?httpd24]#?cp?-p?httpd.conf{,bak} #備份原始的配置文件

/etc/httpd24/httpd.conf：

[root@C1?~]#?egrep?-v?'^#|^$|^[[:space:]]+#'?/etc/httpd24/httpd.conf ServerRoot?"/usr/local/httpd24" Listen?80#定義httpd-2.4監聽端口 LoadModule?authn_file_module?modules/mod_authn_file.so LoadModule?authn_core_module?modules/mod_authn_core.so LoadModule?authz_host_module?modules/mod_authz_host.so LoadModule?authz_groupfile_module?modules/mod_authz_groupfile.so LoadModule?authz_user_module?modules/mod_authz_user.so LoadModule?authz_core_module?modules/mod_authz_core.so LoadModule?access_compat_module?modules/mod_access_compat.so LoadModule?auth_basic_module?modules/mod_auth_basic.so LoadModule?reqtimeout_module?modules/mod_reqtimeout.so LoadModule?filter_module?modules/mod_filter.so LoadModule?mime_module?modules/mod_mime.so LoadModule?log_config_module?modules/mod_log_config.so LoadModule?env_module?modules/mod_env.so LoadModule?headers_module?modules/mod_headers.so LoadModule?setenvif_module?modules/mod_setenvif.so LoadModule?version_module?modules/mod_version.so LoadModule?mpm_prefork_module?modules/mod_mpm_prefork.so LoadModule?unixd_module?modules/mod_unixd.so LoadModule?status_module?modules/mod_status.so LoadModule?autoindex_module?modules/mod_autoindex.so <IfModule?!mpm_prefork_module> </IfModule> <IfModule?mpm_prefork_module> </IfModule> LoadModule?dir_module?modules/mod_dir.so LoadModule?alias_module?modules/mod_alias.so <IfModule?unixd_module> User?apache#修改httpd的啟動用戶。編譯安裝的httpd-2.4默認使用deamon用戶來啟動httpd，需修改為apache： Group?apache </IfModule> ServerAdmin?you@example.com <Directory?/>AllowOverride?noneRequire?all?denied </Directory> DocumentRoot?"/web/vhosts"#修改httpd的主目錄 <Directory?"/web/vhosts">Options?Indexes?FollowSymLinksAllowOverride?NoneRequire?all?granted </Directory> <IfModule?dir_module>DirectoryIndex?index.html </IfModule> <Files?".ht*">Require?all?denied </Files> ErrorLog?"logs/error_log" LogLevel?warn <IfModule?log_config_module>LogFormat?"%h?%l?%u?%t?\"%r\"?%>s?%b?\"%{Referer}i\"?\"%{User-Agent}i\""?combinedLogFormat?"%h?%l?%u?%t?\"%r\"?%>s?%b"?common<IfModule?logio_module>LogFormat?"%h?%l?%u?%t?\"%r\"?%>s?%b?\"%{Referer}i\"?\"%{User-Agent}i\"?%I?%O"?combinedio</IfModule>CustomLog?"logs/access_log"?common </IfModule> <IfModule?alias_module>ScriptAlias?/cgi-bin/?"/usr/local/httpd24/cgi-bin/" </IfModule> <IfModule?cgid_module> </IfModule> <Directory?"/usr/local/httpd24/cgi-bin">AllowOverride?NoneOptions?NoneRequire?all?granted </Directory> <IfModule?mime_module>TypesConfig?/etc/httpd24/mime.typesAddType?application/x-compress?.ZAddType?application/x-gzip?.gz?.tgz </IfModule> Include?/etc/httpd24/extra/httpd-vhosts.conf#加載虛擬主機配置文件 <IfModule?proxy_html_module> Include?/etc/httpd24/extra/proxy-html.conf </IfModule> <IfModule?ssl_module> SSLRandomSeed?startup?builtin SSLRandomSeed?connect?builtin </IfModule>

/etc/httpd24/extra/httpd-vhosts.conf：

[root@C1?~]#?egrep?-v?'^#|^$'?/etc/httpd24/extra/httpd-vhosts.conf<VirtualHost?*:80>ServerName?www1.stuX.comDocumentRoot?"/web/vhosts/www1"#定義www1虛擬主機的數據目錄ErrorLog?"/web/vhosts/www1.err"#定義錯誤日志文件CustomLog?"/web/vhosts/www1.access"?common#定義訪問日志文件<Location?/server-status>#定義"www1.stuX.com/server-status"SetHandler?server-statusAuthType?Basic#認證類型為BasicAuthName?"Administrator?Private."#認證時的提示信息AuthBasicProvider?file#認證方式AuthUserFile?"/etc/httpd24/extra/.htpasswd"#認證文件，用于存儲用戶名和密碼<RequireAll>Require?valid-user#允許賬號文件中的所有用戶登錄訪問</RequireAll></Location> </VirtualHost> <VirtualHost?*:80>ServerName?www2.stuX.comDocumentRoot?"/web/vhosts/www2"ErrorLog?"/web/vhosts/www2.err"CustomLog?"/web/vhosts/www2.access"?common </VirtualHost>

3) 配置用戶認證：

添加認證用戶：

[root@C1?~]#?cd?/etc/httpd24/extra/ [root@C1?extra]#?htpasswd?-c?-s?-b?.htpasswd?yinkai?yinkaipass Adding?password?for?user?yinkai

選項說明：

-c: 創建用戶文件，只在第一次使用

-s: 強制使用SHA加密用戶密碼

-b: 從命令行讀取用戶密碼

測試：

[root@C1?httpd24]#?ps?aux?|?grep?httpd#檢查httpd是否以apache用戶成功啟動 root??????4415??0.0??0.4???4500??2148??????????Ss???16:59???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4495??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4496??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4497??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4498??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start apache????4499??0.0??0.2???4500??1232??????????S????17:18???0:00?/usr/local/httpd24/bin/httpd?-k?start root??????4501??0.0??0.1???4328???720?pts/0????S+???17:18???0:00?grep?httpd

7、為第6題中的第2個虛擬主機提供https服務，使得用戶可以通過https安全的訪問此web站點；

(1)要求使用證書認證，證書中要求使用的國家(CN)、州(HA)、城市(ZZ)和組織(MageEdu)；

(2)設置部門為Ops，主機名為www2.stuX.com，郵件為admin@stuX.com；

1. 創建私有CA服務器

?(1) 根據openssl配置文件(/etc/pki/tls/openssl.cnf)準備CA服務器環境：

[root@C1?~]#?cd?/etc/pki/CA/?//切換到CA根目錄 [root@C1?CA]#?touch?index.txt?//創建證書數據庫索引文件 [root@C1?CA]#?echo?01?>?serial?//設置當前證書（第一個）序列號

?(2) 生成CA的私鑰

[root@C1?CA]#?(umask?077;?openssl?genrsa?-out?/etc/pki/CA/private/cakey.pem?2048)? Generating?RSA?private?key,?2048?bit?long?modulus ......+++ ..........................................+++ e?is?65537?(0x10001)

?(3) 生成CA自簽證書

[root@C1?CA]#?openssl?req?-new?-x509?-key?/etc/pki/CA/private/cakey.pem?-days?3650?-out?/etc/pki/CA/cacert.pem? You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:HA Locality?Name?(eg,?city)?[Default?City]:ZZ Organization?Name?(eg,?company)?[Default?Company?Ltd]:MageEdu Organizational?Unit?Name?(eg,?section)?[]:Ops Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:ca.stuX.com Email?Address?[]:admin@stuX.com

?(4) 檢查CA自簽證書內容：

[root@C1?CA]#?openssl?x509?-in?/etc/pki/CA/cacert.pem?-noout?-subject subject=?/C=CN/ST=HA/L=ZZ/O=MageEdu/OU=Ops/CN=ca.stuX.com/emailAddress=admin@stuX.com

2. http服務器申請簽署證書

?(1) 客戶端生成證書簽署請求：

[root@C1?~]#?mkdir?/etc/httpd24/ssl [root@C1?~]#?cd?/etc/httpd24/ssl [root@C1?ssl]#?(umask?077;?openssl?genrsa?-out?httpd.key?2048) Generating?RSA?private?key,?2048?bit?long?modulus .................................................................................................................................................................................................................................................................................................................+++ ...........+++ e?is?65537?(0x10001) [root@C1?ssl]#?openssl?req?-new?-key?httpd.key?-days?3650?-out?httpd.csr You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:HA Locality?Name?(eg,?city)?[Default?City]:ZZ Organization?Name?(eg,?company)?[Default?Company?Ltd]:MageEdu Organizational?Unit?Name?(eg,?section)?[]:Ops Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:www2.stuX.com Email?Address?[]:admin@stuX.com Please?enter?the?following?'extra'?attributes to?be?sent?with?your?certificate?request A?challenge?password?[]: An?optional?company?name?[]:

?(2) 將證書簽署請求發送給CA(RA):

[root@C1?ssl]#?scp?httpd.csr?root@192.168.1.97:/tmp

?(3) CA為http服務器簽署證書：

[root@C1?CA]#?openssl?ca?-in?/tmp/httpd.csr?-days?3650?-out?/etc/pki/CA/certs/httpd.crt Using?configuration?from?/etc/pki/tls/openssl.cnf Check?that?the?request?matches?the?signature Signature?ok Certificate?Details:Serial?Number:?1?(0x1)ValidityNot?Before:?Nov?17?09:22:25?2016?GMTNot?After?:?Nov?15?09:22:25?2026?GMTSubject:countryName???????????????=?CNstateOrProvinceName???????=?HAorganizationName??????????=?MageEduorganizationalUnitName????=?OpscommonName????????????????=?www2.stuX.comemailAddress??????????????=?admin@stuX.comX509v3?extensions:X509v3?Basic?Constraints:CA:FALSENetscape?Comment:OpenSSL?Generated?CertificateX509v3?Subject?Key?Identifier:BD:64:23:20:D3:3B:79:0C:C4:2B:AB:F4:47:84:6F:54:38:78:68:5BX509v3?Authority?Key?Identifier:keyid:C1:CA:83:F5:FA:CC:BA:15:CE:BC:D2:A1:13:1D:6F:17:5F:C9:59:0C Certificate?is?to?be?certified?until?Nov?15?09:22:25?2026?GMT?(3650?days) Sign?the?certificate??[y/n]:y 1?out?of?1?certificate?requests?certified,?commit??[y/n]y Write?out?database?with?1?new?entries Data?Base?Updated

?(4) 檢查http服務器證書，并將該證書傳遞給http服務器：

[root@C1?CA]#?openssl?x509?-in?/etc/pki/CA/certs/httpd.crt?-noout?-subject subject=?/C=CN/ST=HA/O=MageEdu/OU=Ops/CN=www2.stuX.com/emailAddress=admin@stuX.com [root@C1?CA]#?scp?/etc/pki/CA/certs/httpd.crt?root@192.168.1.83:/etc/httpd24/ssl/

#重啟名虛擬主機的證書和私鑰文件，以便后期引用：

[root@C1?~]#?cd?/etc/httpd24/ssl/ [root@C1?ssl]#?mv?httpd.crt?www2.stuX.com.crt [root@C1?ssl]#?mv?httpd.key?www2.stuX.com.key

3. 配置http服務器使用證書使之支持https

?(1) 為httpd安裝mod_ssl模塊：

[root@C1?~]#?yum?install?-y?mod_ssl

?(2)檢查httpd主配置文件/etc/httpd24/httpd.conf是否存在并啟用以下條目：

LoadModule?ssl_module?modules/mod_ssl.so? LoadModule?socache_shmcb_module?modules/mod_socache_shmcb.so? Include?/etc/httpd24/extra/httpd-ssl.conf

?(3) 修改ssl相關的配置文件/etc/httpd24/extra/httpd-ssl.conf：

[root@C1?extra]#?egrep?-v?'^#|^$'?httpd-ssl.conf Listen?443 SSLCipherSuite?HIGH:MEDIUM:!MD5:!RC4 SSLProxyCipherSuite?HIGH:MEDIUM:!MD5:!RC4 SSLHonorCipherOrder?on SSLProtocol?all?-SSLv3 SSLProxyProtocol?all?-SSLv3 SSLPassPhraseDialog??builtin SSLSessionCache????????"shmcb:/usr/local/httpd24/logs/ssl_scache(512000)" SSLSessionCacheTimeout??300 <VirtualHost?*:443>#定義基于443端口的虛擬主機 DocumentRoot?"/web/vhosts/www2" ServerName?www2.stuX.com:443 ServerAdmin?you@example.com ErrorLog?"/web/vhosts/www2.err" TransferLog?"/web/vhosts/www2.access" SSLEngine?on SSLCertificateFile?"/etc/httpd24/ssl/www2.stuX.com.crt"#指定www2.stuX.com.crt虛擬主機的證書文件 SSLCertificateKeyFile?"/etc/httpd24/ssl/www2.stuX.com.key"#指定www2.stuX.com.crt虛擬主機的私鑰文件 <FilesMatch?"\.(cgi|shtml|phtml|php)$">SSLOptions?+StdEnvVars </FilesMatch> <Directory?"/usr/local/httpd24/cgi-bin">SSLOptions?+StdEnvVars </Directory> BrowserMatch?"MSIE?[2-5]"?\nokeepalive?ssl-unclean-shutdown?\downgrade-1.0?force-response-1.0 CustomLog?"/usr/local/httpd24/logs/ssl_request_log"?\"%t?%h?%{SSL_PROTOCOL}x?%{SSL_CIPHER}x?\"%r\"?%b" </VirtualHost>

?(4) 在虛擬主機相關的配置文件/etc/httpd24/extra/httpd-vhosts.conf中注釋掉80端口的www2.stuX.com主機。可選：

#<VirtualHost?*:80> #????ServerName?www2.stuX.com #????DocumentRoot?"/web/vhosts/www2" #????ErrorLog?"/web/vhosts/www2.err" #????CustomLog?"/web/vhosts/www2.access"?common #</VirtualHost>

4. 檢查配置文件，重啟服務并檢查443端口：

[root@C1?~]#?httpd?-t Syntax?OK [root@C1?~]#?apachectl?restart [root@C1?~]#?ss?-tanl?|?grep?:443 0??????128???????????????????????????:::443??????????????????????????:::*

5. 測試：

8、建立samba共享，共享目錄為/data，要求：（描述完整的過程）

1)共享名為shared，工作組為magedu；

2)添加組develop，添加用戶gentoo,centos和ubuntu，其中gentoo和centos以develop為附加組，ubuntu不屬于develop組；密碼均為用戶名；

3)添加samba用戶gentoo,centos和ubuntu，密碼均為“mageedu”；

4)此samba共享shared僅允許develop組具有寫權限，其他用戶只能以只讀方式訪問；

5)此samba共享服務僅允許來自于172.16.0.0/16網絡的主機訪問；

安裝samba服務器程序、samba客戶端工具和公共庫：

[root@C1?~]#?yum?install?-y?samba?samba-common?samba-client

添加系統用戶和組：

[root@C1?~]#?groupadd?develop [root@C1?~]#?useradd?-G?develop?gentoo;?echo?"gentoo"?|?passwd?--stdin?gentoo Changing?password?for?user?gentoo. passwd:?all?authentication?tokens?updated?successfully. [root@C1?~]#?useradd?-G?develop?centos;?echo?"centos"?|?passwd?--stdin?centos Changing?password?for?user?centos. passwd:?all?authentication?tokens?updated?successfully. [root@C1?~]#?useradd?ubuntu;?echo?"ubuntu"?|?passwd?--stdin?ubuntu Changing?password?for?user?ubuntu. passwd:?all?authentication?tokens?updated?successfully.

創建共享目錄并編輯權限：

[root@C1?~]#?mkdir?-v?/data mkdir:?created?directory?‘/data’ [root@C1?~]#?setfacl?-m?g:develop:rwx?/data/ [root@C1?~]#?getfacl?/data/ getfacl:?Removing?leading?'/'?from?absolute?path?names #?file:?data/ #?owner:?root #?group:?root user::rwx group::r-x group:develop:rwx mask::rwx other::r-x

添加samba用戶：

[root@C1?~]#?smbpasswd?-a?gentoo New?SMB?password: Retype?new?SMB?password: Added?user?gentoo. [root@C1?~]#?smbpasswd?-a?centos New?SMB?password: Retype?new?SMB?password: Added?user?centos. [root@C1?~]#?smbpasswd?-a?ubuntu New?SMB?password: Retype?new?SMB?password: Added?user?ubuntu. [root@C1?~]#?pdbedit?-L//列出所有的samba用戶 gentoo:1039: ubuntu:1041: centos:1040:

修改samba配置文件創建編輯共享：

[root@C1?~]#?cp?-p?/etc/samba/smb.conf{,.bak} [root@C1?~]#?cp?-p?/etc/samba/smb.conf{,.bak} [global] workgroup?=?magedu server?string?=?Samba?Server?Version?%v netbios?name?=?MYSERVER hosts?allow?=?192.168.1.0/24#環境所限，此處代替172.16.0.0/16網絡 log?file?=?/var/log/samba/log.%m max?log?size?=?50 security?=?user passdb?backend?=?tdbsam load?printers?=?yes cups?options?=?raw [homes] comment?=?Home?Directories browseable?=?no writable?=?yes [shared] comment?=?develop's?directory path?=?/data guest?ok?=?yes writable?=?yes write?list?=?+develop

測試samba配置文件是否有語法錯誤：

[root@C1?~]#?testparm? Load?smb?config?files?from?/etc/samba/smb.conf rlimit_max:?increasing?rlimit_max?(1024)?to?minimum?Windows?limit?(16384) Processing?section?"[homes]" Processing?section?"[shared]" Loaded?services?file?OK. Server?role:?ROLE_STANDALONE Press?enter?to?see?a?dump?of?your?service?definitions [global] workgroup?=?MAGEDU netbios?name?=?MYSERVER server?string?=?Samba?Server?Version?%v log?file?=?/var/log/samba/log.%m max?log?size?=?50 idmap?config?*?:?backend?=?tdb hosts?allow?=?192.168.1.0/24 cups?options?=?raw [homes] comment?=?Home?Directories read?only?=?No browseable?=?No [shared] comment?=?develop's?directory path?=?/data write?list?=?+develop read?only?=?No guest?ok?=?Yes

啟動并檢查smb服務：

[root@C1?~]#?systemctl?start?smb.service [root@C1?~]#?systemctl?start?nmb.service [root@C1?~]#?ss?-tnlap?|?grep?smb LISTEN?????0??????50???????????*:139??????????????????????*:*???????????????????users:(("smbd",pid=2259,fd=34)) LISTEN?????0??????50???????????*:445??????????????????????*:*???????????????????users:(("smbd",pid=2259,fd=33)) LISTEN?????0??????50??????????:::139?????????????????????:::*???????????????????users:(("smbd",pid=2259,fd=32)) LISTEN?????0??????50??????????:::445?????????????????????:::*???????????????????users:(("smbd",pid=2259,fd=31))

驗證：

[root@C1?~]#?smbclient?-L?192.168.1.71?-U?centos Enter?centos's?password:? Domain=[MAGEDU]?OS=[Unix]?Server=[Samba?4.1.1] Sharename???????Type??????Comment ---------???????----??????------- IPC$????????????IPC???????IPC?Service?(Samba?Server?Version?4.1.1) shared??????????Disk??????develop's?directory centos??????????Disk??????Home?Directories Domain=[MAGEDU]?OS=[Unix]?Server=[Samba?4.1.1] Server???????????????Comment ---------????????????------- MYSERVER?????????????Samba?Server?Version?4.1.1 Workgroup????????????Master ---------????????????------- MAGEDU???????????????MYSERVER WORKGROUP????????????YINKAI-NB-X230 從Windows登陸\\192.168.1.71，并創建測試文件： [root@C1?tmp]#?ll?/data/ total?0 -rwxr--r--?1?centos?centos?0?11月?16?22:05?centos.txt -rwxr--r--?1?gentoo?gentoo?0?11月?16?22:05?gentoo.txt

9、搭建一套文件vsftp文件共享服務，共享目錄為/ftproot,要求：（描述完整的過程）

1)基于虛擬用戶的訪問形式；

2)匿名用戶只允許下載，不允許上傳；

3)禁錮所有的用戶于其家目錄當中；

4)限制最大并發連接數為200:；

5)匿名用戶的最大傳輸速率512KB/s

6)虛擬用戶的賬號存儲在mysql數據庫當中。

7)數據庫通過NFS進行共享。

環境說明：

FTP服務器：192.168.1.71

Mariadb服務器：192.168.1.71

NFS服務器：192.168.1.72

1. 在192.168.1.72上搭建NFS服務器

?(1). 創建nfs目錄，用戶實際存儲數據：

[root@C2?~]#?mkdir?-vp?/shared/nfs mkdir:?created?directory?`/shared' mkdir:?created?directory?`/shared/nfs' [root@C2?~]#?useradd?-r?-M?-s?/sbin/nologin?mysql [root@C2?~]#?chown?-R?mysql.mysql?/shared/nfs/

?(2). 修改nfs配置文件，定義導出目錄：?

[root@C2?~]#?vim?/etc/exports /shared/nfs?????192.168.1.0/24(rw,no_root_squash)

?(3). 啟動nfs服務：

[root@C2?~]#?systemctl?start?nfs.service [root@C2?~]#?ss?-tnlp?|?egrep?'2049|rpc' LISTEN?????0??????128??????????*:111??????????????????????*:*???????????????????users:(("rpcbind",pid=1645,fd=8)) LISTEN?????0??????128??????????*:20048????????????????????*:*???????????????????users:(("rpc.mountd",pid=2098,fd=8)) LISTEN?????0??????128??????????*:46620????????????????????*:*???????????????????users:(("rpc.statd",pid=1643,fd=9)) LISTEN?????0??????64???????????*:2049?????????????????????*:*?????????????????? LISTEN?????0??????128?????????:::37518???????????????????:::*???????????????????users:(("rpc.statd",pid=1643,fd=11)) LISTEN?????0??????128?????????:::111?????????????????????:::*???????????????????users:(("rpcbind",pid=1645,fd=11)) LISTEN?????0??????128?????????:::20048???????????????????:::*???????????????????users:(("rpc.mountd",pid=2098,fd=10)) LISTEN?????0??????64??????????:::2049????????????????????:::*

2. 在192.168.1.71上搭建Mariadb服務器，并使用NFS作為存儲

?(1). 使用NFS文件系統，并掛載為數據庫目錄：

[root@C1?~]#?showmount?-e?192.168.1.72?????????????????????#查看NFS服務器導出的目錄 Export?list?for?192.168.1.72: /shared/nfs?192.168.1.0/24 [root@C1?~]#?mkdir?/data?????????????#作為數據庫存儲目錄 [root@C1?~]#?mount?-t?nfs?192.168.1.72:/shared/nfs?/data/

?(2). 安裝配置MariaDB:

[root@C2?~]#?id?mysql uid=992(mysql)?gid=989(mysql)?組=989(mysql) [root@C1?~]#?groupadd?-r?-g?989?mysql [root@C1?~]#?useradd?-r?-s?/sbin/nologin?-M?-u?992?-g?989?mysql??????????????????#與NFS服務器上的mysql用戶對應，以便標識? [root@C1?~]#?yum?install?-y?mariadb?mariadb-server [root@C1?~]#?cp?-p?/etc/my.cnf.d/server.cnf{,.bak} [root@C1?~]#?vim?/etc/my.cnf [mysqld] datadir=/data/mysql socket=/var/lib/mysql/mysql.sock symbolic-links=0 skip_name_resolve?=?on innodb_file_per_table?=?on character-set-server?=?utf8 [mysqld_safe] log-error=/var/log/mariadb/mariadb.log pid-file=/var/run/mariadb/mariadb.pid !includedir?/etc/my.cnf.d [root@C1?~]#?systemctl?start?mariadb.service??????????????????#啟動mariadb服務 [root@C1?~]#?ss?-tnl?|?grep?3306 LISTEN?????0??????50???????????*:3306?????????????????????*:*?? [root@C1?~]#?mysql_secure_installation??????????????#初始化MariaDB數據庫 [root@C1?~]#?mysql?-uroot?-p MariaDB?[(none)]>?SHOW?VARIABLES?LIKE?'%datadir%';???????????????//檢查數據文件的存儲路徑是否生效 +------------------------------+-----------------------------+ |?Variable_name?|?Value????????| +------------------------------+----------------------------+ |?datadir???????|?/data/mysql/?| +------------------------------+-----------------------------+ 1?row?in?set?(0.00?sec)

3. 搭建FTP服務器

?(1).安裝vsftpd和pam_mysql：

[root@C1?~]#?yum?--enablerepo=epel?install?vsftpd?pam_mysql

編譯安裝pam_mysql：

下載pam_mysql源文件：pam_mysql-0.7RC1.tar.gz

[root@C1?tmp]#?tar?xf?pam_mysql-0.7RC1.tar.gz??-C?/usr/local/src/ [root@C1?tmp]#?cd?/usr/local/src/pam_mysql-0.7RC1/ [root@C1?pam_mysql-0.7RC1]#?yum?install?-y?pam-devel.x86_64?mariadb-devel???????????#在編譯前確保已經安裝了mariadb-devel、pam-devel.x86_64 [root@C1?pam_mysql-0.7RC1]#?./configure?--with-pam-mods-dir=/usr/lib64/???????????#手工指定pam模塊目錄 [root@C1?pam_mysql-0.7RC1]#?make?&&?make?install

?(2). 創建虛擬用戶數據庫.表，插入用戶數據，并授權查詢：

CREATE?DATABASE?vsftpd; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'192.168.1.%'?IDENTIFIED?BY?'vsftpdpass'; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'localhost'?IDENTIFIED?BY?'vsftpdpass'; GRANT?SELECT?ON?vsftpd.*?TO?'vsftpd'@'127.0.0.1'?IDENTIFIED?BY?'vsftpdpass'; FLUSH?PRIVILEGES; USE?vsftpd CREATE?TABLE?`users`?(`id`?int(11)?NOT?NULL?AUTO_INCREMENT,`name`?char(20)?CHARACTER?SET?utf8?COLLATE?utf8_bin?NOT?NULL,`password`?char(48)?CHARACTER?SET?utf8?COLLATE?utf8_bin?NOT?NULL,PRIMARY?KEY?(`id`) )?ENGINE=InnoDB?DEFAULT?CHARSET=utf8

#添加虛擬用戶：

INSERT?INTO?users(name,password)?VALUES('yinkai',password('yinkaipass')),('chris',password('chrispass'));

?(3). 配置vsftpd：

? 1) 建立pam認證所需文件:

[root@C1?~]#?vim?/etc/pam.d/vsftpd.mysql? auth?required?/usr/lib64/pam_mysql.so?user=vsftpd?passwd=vsftpdpass?host=localhost?db=vsftpd?table=users?usercolumn=name?passwdcolumn=password?crypt=2 account?required?/usr/lib64/pam_mysql.so?user=vsftpd?passwd=vsftpdpass?host=localhost?db=vsftpd?table=users?usercolumn=name?passwdcolumn=password?crypt=2

? ?說明：auth行用于認證，檢查用戶名和密碼是否匹配；account行用于審查，檢查用戶是否在有效期限內

? ?/usr/lib64/pam_mysql.so為pam_mysql的模塊；user=vsftpd（登陸mysql數據庫的用戶名） passwd=www.magedu.com（登陸mysql數據庫的密碼） host=localhost（mysql數據庫服務器主機） db=vsftpd（指定存儲用戶表的數據庫） table=users（指定表） usercolumn=name（登陸vsftpd用戶的用戶名字段） passwdcolumn=password（登陸vsftpd用戶的密碼字段） crypt=2（密碼使用MySQL PASSWORD()加密）

? 2) 建立虛擬用戶映射的系統用戶及對應的目錄

[root@C1?~]#?useradd?-s?/sbin/nologin?-d?/var/ftp/ftproot?vuser [root@C1?~]#?chmod?go+rx?/var/ftp/ftproot/ [root@C1?~]#?chmod?-w?/var/ftp/ftproot/????????#由于安全限制vsftpd不允許ftp用戶根目錄有寫權限，否則登陸FTP服務器時會報：500?OOPS:?vsftpd:?refusing?to?run?with?writable?root?inside?chroot() [root@C1?~]#?mkdir?/var/ftp/ftproot/test????????#創建一個可上傳數據的目錄 [root@C1?~]#?chown?-R?vuser.vuser?/var/ftp/ftproot/test

? 3) 修改vsftpd的配置文件，使其使用mysql認證： ?

[root@C1?ftproot]#?egrep?-v?'^#|^$'?/etc/vsftpd/vsftpd.conf anonymous_enable=YES local_enable=YES write_enable=YES local_umask=022 anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/xferlog xferlog_std_format=YES ftpd_banner=Welcome?to?blah?FTP?service. chroot_local_user=YES listen=NO listen_ipv6=YES pam_service_name=vsftpd.mysql????#連接到MySql認證虛擬用戶時用到的的pam配置文件 userlist_enable=YES userlist_deny=YES tcp_wrappers=YES max_clients=200 anon_max_rate=5120 guest_enable=YES????#啟用虛擬用戶認證 guest_username=vuser????#所有虛擬用戶都映射為vuser本地系統用戶 user_config_dir=/etc/vsftpd/vusers [root@C1?ftproot]#?cat?/etc/vsftpd/vusers/yinkai? anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES [root@C1?ftproot]#?cat?/etc/vsftpd/vusers/chris? anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES

測試：

yinkai@yinkai-NB-X230?~?$?ftp?192.168.1.71 Connected?to?192.168.1.71. 220?Welcome?to?blah?FTP?service. Name?(192.168.1.71:yinkai):?chris??????#使用虛擬用戶登陸 331?Please?specify?the?password. Password: 230?Login?successful. Remote?system?type?is?UNIX. Using?binary?mode?to?transfer?files. ftp>?pwd 257?"/"????????????????#已禁錮用戶 ftp>?ls 200?PORT?command?successful.?Consider?using?PASV. 150?Here?comes?the?directory?listing. -rw-------????1?1000?????1000?????????1124?Nov?19?17:29?fstab drwxr-xr-x????1?1000?????1000????????????0?Nov?20?13:49?test 226?Directory?send?OK. ftp>?cd?test 250?Directory?successfully?changed. ftp>?lcd?/etc Local?directory?now?/etc ftp>?put?issue local:?issue?remote:?issue 200?PORT?command?successful.?Consider?using?PASV. 150?Ok?to?send?data. 226?Transfer?complete.??????????#虛擬用戶可上傳數據 27?bytes?sent?in?0.00?secs?(418.5?kB/s) ftp>?bye 221?Goodbye. yinkai@yinkai-NB-X230?~?$?ftp?192.168.1.71 Connected?to?192.168.1.71. 220?Welcome?to?blah?FTP?service. Name?(192.168.1.71:yinkai):?ftp???????#匿名用戶登陸 331?Please?specify?the?password. Password: 230?Login?successful. Remote?system?type?is?UNIX. Using?binary?mode?to?transfer?files. ftp>?pwd 257?"/"????????????#已禁錮匿名用戶 ftp>?ls 200?PORT?command?successful.?Consider?using?PASV. 150?Here?comes?the?directory?listing. dr-xr-xr-x????1?1000?????1000???????????98?Nov?20?13:44?ftproot drwxrwxr-x????1?0????????0??????????????14?Nov?19?16:47?pub -rw-r--r--????1?0????????0???????????????0?Nov?19?16:49?tf1 226?Directory?send?OK. ftp>?mkdit?testdir????????#匿名用戶不可寫 ?Invalid?command ftp>?get?tf1 local:?tf1?remote:?tf1 200?PORT?command?successful.?Consider?using?PASV. 150?Opening?BINARY?mode?data?connection?for?tf1?(0?bytes). 226?Transfer?complete. ftp>?bye 221?Goodbye.

轉載于:https://blog.51cto.com/yinkai/1866019

總結

以上是生活随笔為你收集整理的Linux作业9的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。