Week 10 homework
1. Build OpenVPN on Alibaba Cloud servers
Environment:
Steps:
Purchase two ECS cloud servers: one with a public IP to act as the OpenVPN server, and one without a public IP to host the web site.
Configure the web server
1) Install the web server
[root@web1 ~]# yum -y install httpd
2) Start the service
[root@web1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
3) Configure the site content
[root@web1 ~]# echo website > /var/www/html/index.html
4) Test
[root@web1 ~]# curl 192.168.0.11
website
Configure OpenVPN
1) Install the required packages
Package description:
openvpn: the OpenVPN service package
easy-rsa: the certificate management tool
2) Generate the server configuration file
[root@vpn-server ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
3) Prepare the certificate-issuing files
[root@vpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
4) Prepare the variables file used for certificate issuance
[root@vpn-server ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
5) Adjust the validity period of the certificates issued to the CA and the OpenVPN server
It is recommended to adjust the validity period of the certificates issued to the CA and the OpenVPN server; it can be lengthened as appropriate.
6) Initialize the PKI to generate the PKI directories and files
[root@vpn-server ~]# cd /etc/openvpn/easy-rsa-server/3
[root@vpn-server 3]# ./easyrsa init-pki
7) Create the CA
[root@vpn-server 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
........+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # press Enter to accept the default

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt   # the generated self-signed CA certificate
8) Create the server certificate request
[root@vpn-server 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................................................................................................+++++
...................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2000.MLZnho/tmp.kp9dOk'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:   # press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
9) Issue the server certificate
[root@vpn-server 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2029.hRBtmL/tmp.CD2V09
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Nov 13 04:39:50 2031 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt   # the generated server certificate file
10) View the certificate
[root@vpn-server 3]# cat pki/issued/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:c4:30:80:9a:eb:a3:d0:ec:61:d8:08:4e:18:cc:0c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Nov 15 04:39:50 2021 GMT
            Not After : Nov 13 04:39:50 2031 GMT
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    (modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                41:20:03:CC:FC:7D:F6:61:92:56:2B:DE:E9:10:86:20:F1:E5:B1:04
            X509v3 Authority Key Identifier:
                keyid:97:82:0E:AD:B3:F4:73:4E:64:84:D6:47:86:39:1A:4C:DF:C9:36:52
                DirName:/CN=Easy-RSA CA
                serial:58:EA:00:08:41:BB:F3:87:EA:BF:65:B6:AB:D5:10:8C:02:39:5E:6E
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:server
    Signature Algorithm: sha256WithRSAEncryption
         (signature omitted)
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
[root@vpn-server 3]# cat pki/serial
A0C430809AEBA3D0EC61D8084E18CC0D
[root@vpn-server 3]# cat pki/index.txt
V 311113043950Z A0C430809AEBA3D0EC61D8084E18CC0C unknown /CN=server
11) Generate the Diffie-Hellman key
[root@vpn-server 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................................................................................
... ...
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem
12) View the generated file
[root@vpn-server 3]# ll pki/dh.pem
-rw------- 1 root root 424 Nov 15 12:43 pki/dh.pem
[root@vpn-server 3]# cat pki/dh.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAylc+QZI9cYYj8q7nHIJL0E1kBPhjkkyerlo8foqMGD2VtBet0Kwv
+xRpcgLcinOa7Hu40BczOTLHycoeubJkEGM8dP/1NEldx3ASxE8SZG//UPOAE8WF
r4V9yl1L/G2454cAbakS6ca8FNlXOPxYybl40hjc+D06H1ttN29mQ3tnEoHCVpa7
Uf9Aypj/SVECeXr4n5dkaqJb56WYldwP9bpGKwhGODux4RqQjtdOYR3g418IFwcN
+k9ZDdV3jYMjCCtuR+keLcvVUyTUGXJE92MW7pALs39GUUiTdG3TTT315vqshTnU
U9ev9EFtpcKSn1soBfjulRd3PhyTzS6e0wIBAg==
-----END DH PARAMETERS-----
13) Prepare the client certificate environment
[root@vpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@vpn-server ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@vpn-server ~]# cd /etc/openvpn/easy-rsa-client/3
[root@vpn-server 3]# ls
easyrsa  openssl-easyrsa.cnf  vars  x509-types
14) Generate the PKI directory and files needed for the certificate request
[root@vpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki   # the newly generated directory
15) Create the client certificate request
[root@vpn-server 3]# ./easyrsa gen-req liuxiaofu nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................................................................................+++++
......................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-2212.DsHZHR/tmp.LoJezq'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [liuxiaofu]:   # press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/liuxiaofu.req   # the generated certificate request file
key: /etc/openvpn/easy-rsa-client/3/pki/private/liuxiaofu.key   # the generated private key file
16) Sign the client certificate
[root@vpn-server 3]# cd /etc/openvpn/easy-rsa-server/3
[root@vpn-server 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/liuxiaofu.req liuxiaofu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: liuxiaofu
You may now use this name to perform signing operations on this request.
[root@vpn-server 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── A0C430809AEBA3D0EC61D8084E18CC0C.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── liuxiaofu.req   # the imported certificate request file
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 16 files
17) Change the validity period of certificates issued to clients to 90 days
[root@vpn-server 3]# vim vars
set_var EASYRSA_CERT_EXPIRE 90
18) Issue the client certificate
[root@vpn-server 3]# ./easyrsa sign client liuxiaofu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = liuxiaofu

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2294.v8lKUn/tmp.5MQqJb
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'liuxiaofu'
Certificate is to be certified until Feb 13 04:51:52 2022 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/liuxiaofu.crt   # the generated client certificate file
19) View the client certificate
[root@vpn-server 3]# cat pki/issued/liuxiaofu.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:45:68:cb:95:61:9a:97:c9:e4:8e:e8:d0:90:20:7e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Nov 15 04:51:52 2021 GMT
            Not After : Feb 13 04:51:52 2022 GMT
        Subject: CN=liuxiaofu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    (modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                3D:C6:FF:D6:AC:76:C5:17:4A:38:41:6F:1E:BC:DE:B1:22:5A:45:34
            X509v3 Authority Key Identifier:
                keyid:97:82:0E:AD:B3:F4:73:4E:64:84:D6:47:86:39:1A:4C:DF:C9:36:52
                DirName:/CN=Easy-RSA CA
                serial:58:EA:00:08:41:BB:F3:87:EA:BF:65:B6:AB:D5:10:8C:02:39:5E:6E
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         (signature omitted)
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
[root@vpn-server 3]# cat pki/index.txt
V 311113043950Z A0C430809AEBA3D0EC61D8084E18CC0C unknown /CN=server
V 220213045152Z D24568CB95619A97C9E48EE8D090207E unknown /CN=liuxiaofu
20) Copy the CA and server certificate files to the corresponding directory on the server
[root@vpn-server 3]# mkdir /etc/openvpn/certs
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[root@vpn-server 3]# ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Nov 15 12:55 ca.crt
-rw------- 1 root root  424 Nov 15 12:56 dh.pem
-rw------- 1 root root 4608 Nov 15 12:55 server.crt
-rw------- 1 root root 1704 Nov 15 12:56 server.key
21) Copy the client private key and certificate files to the relevant directory on the server
[root@vpn-server 3]# mkdir /etc/openvpn/client/liuxiaofu
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-client/3/pki/private/liuxiaofu.key /etc/openvpn/client/liuxiaofu/
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/liuxiaofu.crt /etc/openvpn/client/liuxiaofu/
[root@vpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/client/liuxiaofu/
[root@vpn-server 3]# ll /etc/openvpn/client/liuxiaofu/
total 16
-rw------- 1 root root 1204 Nov 15 13:01 ca.crt
-rw------- 1 root root 4499 Nov 15 13:00 liuxiaofu.crt
-rw------- 1 root root 1704 Nov 15 13:00 liuxiaofu.key
22) Edit the server configuration file
[root@vpn-server ~]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
23) Prepare the log directory
[root@vpn-server ~]# getent passwd openvpn
openvpn:x:989:985:OpenVPN:/etc/openvpn:/sbin/nologin
[root@vpn-server ~]# mkdir /var/log/openvpn
[root@vpn-server ~]# chown openvpn.openvpn /var/log/openvpn
[root@vpn-server ~]# ls -ld /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Nov 15 13:04 /var/log/openvpn
24) Enable IP forwarding
[root@vpn-server ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@vpn-server ~]# sysctl -p
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward = 1
25) Add the SNAT rule
[root@vpn-server ~]# echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@vpn-server ~]# chmod +x /etc/rc.d/rc.local
[root@vpn-server ~]# /etc/rc.d/rc.local
[root@vpn-server ~]# iptables -t nat -vnL --line-number
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
26) Start the openvpn service
[root@vpn-server ~]# vim /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
[root@vpn-server ~]# systemctl daemon-reload
[root@vpn-server ~]# systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
27) Check the service status
[root@vpn-server ~]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-15 13:10:26 CST; 22s ago
 Main PID: 2763 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 22988)
   Memory: 1.7M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─2763 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Nov 15 13:10:26 vpn-server.node.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application>
Nov 15 13:10:26 vpn-server.node.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application >
28) Check the listening port
[root@vpn-server ~]# ss -ntlp
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=1032,fd=5))
LISTEN  0       32             0.0.0.0:1194         0.0.0.0:*      users:(("openvpn",pid=2763,fd=8))
29) View the log
[root@vpn-server ~]# cat /var/log/openvpn/openvpn.log
Mon Nov 15 13:10:26 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Mon Nov 15 13:10:26 2021 library versions: OpenSSL 1.1.1g FIPS  21 Apr 2020, LZO 2.08
Mon Nov 15 13:10:26 2021 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Mon Nov 15 13:10:26 2021 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Mon Nov 15 13:10:26 2021 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Nov 15 13:10:26 2021 Diffie-Hellman initialized with 2048 bit key
Mon Nov 15 13:10:26 2021 ROUTE_GATEWAY 192.168.0.253/255.255.255.0 IFACE=eth0 HWADDR=00:16:3e:02:89:bf
Mon Nov 15 13:10:26 2021 TUN/TAP device tun0 opened
Mon Nov 15 13:10:26 2021 TUN/TAP TX queue length set to 100
Mon Nov 15 13:10:26 2021 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 15 13:10:26 2021 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Nov 15 13:10:26 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 15 13:10:26 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Nov 15 13:10:26 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Nov 15 13:10:26 2021 Listening for incoming TCP connection on [AF_INET][undef]:1194
Mon Nov 15 13:10:26 2021 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Mon Nov 15 13:10:26 2021 TCPv4_SERVER link remote: [AF_UNSPEC]
Mon Nov 15 13:10:26 2021 GID set to openvpn
Mon Nov 15 13:10:26 2021 UID set to openvpn
Mon Nov 15 13:10:26 2021 MULTI: multi_init called, r=256 v=256
Mon Nov 15 13:10:26 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Nov 15 13:10:26 2021 MULTI: TCP INIT maxclients=2048 maxevents=2052
Mon Nov 15 13:10:26 2021 Initialization Sequence Completed
30) Check the IP addresses
[root@vpn-server ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:02:89:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 315356832sec preferred_lft 315356832sec
    inet6 fe80::216:3eff:fe02:89bf/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6c98:c0b2:dc46:91c2/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
31) Check the routing table
[root@vpn-server ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.253   0.0.0.0         UG    100    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
32) Generate the OpenVPN client configuration file
[root@vpn-server ~]# grep '^[[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/liuxiaofu/client.ovpn
33) Edit the client configuration file
[root@vpn-server ~]# vim /etc/openvpn/client/liuxiaofu/client.ovpn
client
dev tun
proto tcp
remote 8.142.178.13 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert liuxiaofu.crt
key liuxiaofu.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
Deploy the OpenVPN client on Windows
1) Install the OpenVPN client
Official client download address:
https://openvpn.net/community-downloads/
2) Package the certificates on the server, download the archive and send it to the Windows client
[root@vpn-server ~]# cd /etc/openvpn/client/liuxiaofu/
[root@vpn-server liuxiaofu]# ll
total 20
-rw------- 1 root root 1204 Nov 15 13:01 ca.crt
-rw-r--r-- 1 root root  217 Nov 15 13:16 client.ovpn
-rw------- 1 root root 4499 Nov 15 13:00 liuxiaofu.crt
-rw------- 1 root root 1704 Nov 15 13:00 liuxiaofu.key
[root@vpn-server liuxiaofu]# zip -e liuxiaofu.zip *
Enter password:
Verify password:
  adding: ca.crt (deflated 26%)
  adding: client.ovpn (deflated 27%)
  adding: liuxiaofu.crt (deflated 45%)
  adding: liuxiaofu.key (deflated 23%)
3) Place the files in the c:\program files\openvpn\config directory on the Windows client
[root@vpn-server liuxiaofu]# sz liuxiaofu.zip
-bash: sz: command not found
[root@vpn-server liuxiaofu]# yum -y install lrzsz
[root@vpn-server liuxiaofu]# sz liuxiaofu.zip
4) Connect to OpenVPN
5) Verify connectivity and web access
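The index.txt listings shown in steps 10 and 19 are the easy-rsa CA database, one line per issued certificate, and step 17 shortened client certificates to 90 days, so someone has to notice before they lapse. The following added example (not part of the original homework) parses that file and reports certificates that are revoked, expired, or about to expire; the sample content is constructed from the two entries on the page with their tab separators restored, plus one hypothetical revoked entry that does not exist on the page, and the field and timestamp layout is OpenSSL's CA database format, which easy-rsa 3 uses unchanged.

```python
"""Audit an easy-rsa CA database (pki/index.txt) for revoked and expiring certificates.

index.txt is OpenSSL's CA database: one tab-separated line per certificate with
six fields: status (V valid, R revoked, E expired), expiry time, revocation time
(empty unless revoked), serial, certificate file name ("unknown"), subject DN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample: the two entries shown on the page with their tab
# separators restored, plus one hypothetical revoked entry (not on the page).
SAMPLE_INDEX = (
    "V\t311113043950Z\t\tA0C430809AEBA3D0EC61D8084E18CC0C\tunknown\t/CN=server\n"
    "V\t220213045152Z\t\tD24568CB95619A97C9E48EE8D090207E\tunknown\t/CN=liuxiaofu\n"
    "R\t220301000000Z\t211201120000Z\t0123456789ABCDEF0123456789ABCDEF\tunknown\t/CN=old-laptop\n"
)


@dataclass
class IndexEntry:
    status: str
    not_after: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str


def parse_ca_time(value: str) -> datetime:
    """Parse the ASN.1-style timestamps OpenSSL writes into index.txt.

    UTCTime is YYMMDDHHMMSSZ (two-digit year: 00-49 -> 20xx, 50-99 -> 19xx);
    GeneralizedTime is YYYYMMDDHHMMSSZ and is used for dates from 2050 on.
    """
    if not value.endswith("Z") or len(value) not in (13, 15):
        raise ValueError(f"unrecognised CA timestamp: {value!r}")
    digits = value[:-1]
    if len(digits) == 12:
        yy = int(digits[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), digits[2:]
    else:
        year, rest = int(digits[:4]), digits[4:]
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the whole file; a line with the wrong field count means a corrupt database."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        entries.append(IndexEntry(
            status=status,
            not_after=parse_ca_time(expiry),
            revoked_at=parse_ca_time(revoked) if revoked else None,
            serial=serial,
            subject=subject,
        ))
    return entries


def audit_index(text: str, today: str, warn_days: int = 30) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for entries that need attention.

    `today` is an ISO date (YYYY-MM-DD), evaluated at 00:00 UTC. Revoked and
    expired certificates are always reported; valid ones only when they expire
    within `warn_days`.
    """
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings: List[Tuple[str, str]] = []
    for e in parse_index(text):
        if e.status == "R":
            when = e.revoked_at.strftime("%Y-%m-%d") if e.revoked_at else "unknown date"
            findings.append((e.subject, f"revoked on {when}"))
        elif e.status == "E" or e.not_after <= now:
            findings.append((e.subject, "expired"))
        elif e.not_after - now <= timedelta(days=warn_days):
            findings.append((e.subject, f"expires in {(e.not_after - now).days} days"))
    return findings


if __name__ == "__main__":
    # Against a live PKI: audit_index(open("pki/index.txt").read(), "2022-01-20")
    for subject, finding in audit_index(SAMPLE_INDEX, "2022-01-20"):
        print(f"{subject}: {finding}")
```

Revoking with ./easyrsa revoke only changes this database; the server.conf above has no crl-verify line, so a revoked client keeps connecting until a CRL is generated with ./easyrsa gen-crl and referenced from server.conf.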
2. Install MySQL 5.7 from source and from the binary package
Binary installation of MySQL 5.7
1) Download the package (mysql-5.7.36 as the example)
wget http://mirrors.163.com/mysql/Downloads/MySQL-5.7/mysql-5.7.36-linux-glibc2.12-x86_64.tar.gz
2) Install the required packages
yum -y install libaio numactl-libs
3) Add the user and group
groupadd -r -g 306 mysql
useradd -r -g 306 -u 306 -s /sbin/nologin mysql
4) Prepare the program files
tar xf mysql-5.7.36-linux-glibc2.12-x86_64.tar.gz -C /usr/local
cd /usr/local
ln -s mysql-5.7.36-linux-glibc2.12-x86_64/ mysql
chown -R mysql.mysql /usr/local/mysql/*
5) Prepare the environment variable
echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
. /etc/profile.d/mysql.sh
6) Prepare the configuration file
vim /etc/my.cnf
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log_error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
7) Generate the database files and extract the root password
mysqld --initialize --user=mysql --datadir=/data/mysql
awk '/temporary password/{print $NF}' /data/mysql/mysql.log
!inp)o#0pr0H
8) Prepare the service startup script
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
9) Start the service
chkconfig --add mysqld
service mysqld start
10) Change the root password
mysqladmin -u root -p'!inp)o#0pr0H' password 123456
11) Connect to MySQL
mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Compiling and installing MySQL 5.7 (CentOS 7.9)
Base environment:
1) Install the dependency packages (the EPEL repository must be configured)
Before installing, make sure no other database version is present on the system!
2) Install cmake (the build tool)
# Prepare cmake-3.8.2.tar.gz (downloaded on Windows)
# URL: https://cmake.org/files/v3.8/cmake-3.8.2.tar.gz
tar xf cmake-3.8.2.tar.gz
cd cmake-3.8.2/
./bootstrap
gmake -j 12
make install
3) Install the Boost library
# Prepare boost_1_59_0.tar.gz (downloaded on Windows)
# URL: https://udomain.dl.sourceforge.net/project/boost/boost/1.59.0/boost_1_59_0.tar.gz
tar xf boost_1_59_0.tar.gz -C /usr/local
chown -R root:root /usr/local/boost_1_59_0
chmod -R 755 /usr/local/boost_1_59_0
ln -s /usr/local/boost_1_59_0/ /usr/local/boost
Install MySQL
1) Create the mysql group and the mysql user
2) Create the database directory and set its attributes
mkdir -p /data/mysql
chown mysql.mysql /data/mysql
chmod 700 /data/mysql
3) Download and extract the MySQL archive
wget https://downloads.mysql.com/archives/get/p/23/file/mysql-5.7.35.tar.gz
tar xf mysql-5.7.35.tar.gz -C /usr/local/
cd /usr/local/mysql-5.7.35
4) cmake configuration
cmake . \
-DCMAKE_INSTALL_PREFIX=/apps/mysql \
-DMYSQL_DATADIR=/data/mysql \
-DSYSCONFDIR=/etc \
-DMYSQL_TCP_PORT=3306 \
-DMYSQL_USER=mysql \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DWITH_EXTRA_CHARSETS=all \
-DDEFAULT_CHARSET=utf8mb4 \
-DDEFAULT_COLLATION=utf8mb4_unicode_ci \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_MYISAM_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PERFSCHEMA_STORAGE_ENGINE=1 \
-DWITHOUT_EXAMPLE_STORAGE_ENGINE=1 \
-DWITH_ZLIB=bundled \
-DWITH_SSL=system \
-DENABLED_LOCAL_INFILE=1 \
-DWITH_DEBUG=0 \
-DMYSQL_MAINTAINER_MODE=0 \
-DWITH_EMBEDDED_SERVER=0 \
-DINSTALL_SHAREDIR=share \
-DDOWNLOAD_BOOST=0 \
-DWITH_BOOST=/usr/local/boost
5) Compile and install
make -j 12
make install
cd /usr/local
ln -s mysql-5.7.35 mysql
Configure MySQL
1) Prepare the environment variable
2) Create the configuration file
vim /etc/my.cnf
[mysqld]
server-id=1
log-bin
datadir=/data/mysql
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
3) Set the installation directory permissions
chown -R root.root /apps/mysql
4) Initialize the database
mysqld --initialize-insecure --user=mysql --basedir=/apps/mysql --datadir=/data/mysql
5) Configure the MySQL service
cp /apps/mysql/support-files/mysql.server /etc/init.d/mysqld
6) Start the service
chkconfig --add mysqld
service mysqld start
7) Log in to MySQL
mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.35-log Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
8) Change the root password
mysqladmin -uroot password Centos79@202111
mysql -uroot -p   # the empty password no longer works at this point
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
mysql -uroot -pCentos79@202111   # log in with the changed password; success!
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.35-log Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
3. Binary installation of MariaDB 10.4
1) Install the required packages
yum -y install libaio
2) Download the MariaDB 10.4 binary package
wget https://mirrors.tuna.tsinghua.edu.cn/mariadb/mariadb-10.4.22/bintar-linux-x86_64/mariadb-10.4.22-linux-glibc_214-x86_64.tar.gz
ls mari*
mariadb-10.4.22-linux-glibc_214-x86_64.tar.gz
3) Extract the binary package and create a symlink to the extracted directory
tar xf mariadb-10.4.22-linux-glibc_214-x86_64.tar.gz -C /usr/local/
cd /usr//local/
ln -s mariadb-10.4.22-linux-glibc_214-x86_64/ mysql
4) Owner and group of the directory contents
# 查看該目錄下所有的所屬者和所屬組 ll total 168 drwxr-xr-x 2 liuxiaofu liuxiaofu 4096 Oct 22 2020 bin -rw-r--r-- 1 liuxiaofu liuxiaofu 17987 Nov 6 03:03 COPYING -rw-r--r-- 1 liuxiaofu liuxiaofu 2093 Nov 6 03:03 CREDITS drwxrwxr-x 2 liuxiaofu liuxiaofu 81 Nov 6 03:55 docs drwxrwxr-x 3 liuxiaofu liuxiaofu 19 Nov 6 03:55 include -rw-r--r-- 1 liuxiaofu liuxiaofu 8779 Nov 6 03:03 INSTALL-BINARY drwxr-xr-x 5 liuxiaofu liuxiaofu 4096 Jul 29 06:02 lib drwxrwxr-x 4 liuxiaofu liuxiaofu 30 Nov 6 03:55 man drwxrwxr-x 9 liuxiaofu liuxiaofu 4096 Nov 6 03:55 mysql-test -rw-r--r-- 1 liuxiaofu liuxiaofu 2874 Nov 6 03:03 README.md -rw-r--r-- 1 liuxiaofu liuxiaofu 19520 Nov 6 03:03 README-wsrep drwxrwxr-x 2 liuxiaofu liuxiaofu 56 Nov 6 03:55 scripts drwxrwxr-x 31 liuxiaofu liuxiaofu 4096 Nov 6 03:55 share drwxrwxr-x 4 liuxiaofu liuxiaofu 4096 Nov 6 03:55 sql-bench drwxrwxr-x 3 liuxiaofu liuxiaofu 165 Nov 6 03:55 support-files -rw-r--r-- 1 liuxiaofu liuxiaofu 86263 Nov 6 03:03 THIRDPARTY# 修改該目錄下所有的所屬者和所屬組 chown -R root.root /usr/local/mysql/ ll /usr/local/mysql/ total 168 drwxr-xr-x 2 root root 4096 Oct 22 2020 bin -rw-r--r-- 1 root root 17987 Nov 6 03:03 COPYING -rw-r--r-- 1 root root 2093 Nov 6 03:03 CREDITS drwxrwxr-x 2 root root 81 Nov 6 03:55 docs drwxrwxr-x 3 root root 19 Nov 6 03:55 include -rw-r--r-- 1 root root 8779 Nov 6 03:03 INSTALL-BINARY drwxr-xr-x 5 root root 4096 Jul 29 06:02 lib drwxrwxr-x 4 root root 30 Nov 6 03:55 man drwxrwxr-x 9 root root 4096 Nov 6 03:55 mysql-test -rw-r--r-- 1 root root 2874 Nov 6 03:03 README.md -rw-r--r-- 1 root root 19520 Nov 6 03:03 README-wsrep drwxrwxr-x 2 root root 56 Nov 6 03:55 scripts drwxrwxr-x 31 root root 4096 Nov 6 03:55 share drwxrwxr-x 4 root root 4096 Nov 6 03:55 sql-bench drwxrwxr-x 3 root root 165 Nov 6 03:55 support-files -rw-r--r-- 1 root root 86263 Nov 6 03:03 THIRDPARTY5)創建該服務對應的用戶賬號和組
groupadd -r -g 306 mysql
useradd -u 306 -g 306 -r -s /sbin/nologin -d /data/mysql mysql
getent passwd mysql
mysql:x:306:306::/data/mysql:/sbin/nologin
mkdir -p /data/mysql
chown mysql.mysql /data/mysql
chmod 770 /data/mysql
ll -d /data/mysql
drwxr-x--- 2 mysql mysql 6 Nov 18 15:50 /data/mysql
6) Create the directory that holds the database
mkdir /data/mysql
chown mysql:mysql /data/mysql
ll -d /data/mysql
drwxr-xr-x 2 mysql mysql 6 Nov 19 12:46 /data/mysql
7) Create the database files
# mysql_install_db is run from the base directory, as the "cd '.'" hint in its output shows
cd /usr/local/mysql
./scripts/mysql_install_db --user=mysql --datadir=/data/mysql
Installing MariaDB/MySQL system tables in '/data/mysql' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql'

You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
8) Create the database configuration file
vim /etc/my.cnf
[mysqld]
server-id=1
log-bin
datadir=/data/mysql
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
9) Set up the startup script
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
vim /etc/init.d/mysqld
# change the line "datadir=" to "datadir=/data/mysqld"
10) Start the service
chkconfig --add mysqld
chkconfig --list mysqld
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
service mysqld start
Starting mysqld (via systemctl):                           [  OK  ]
ss -tnl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       80      *:3306               *:*
11) Set the PATH environment variable
echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
. /etc/profile.d/mysql.sh
echo $PATH
/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
12) Log in to MariaDB
mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.4.22-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.000 sec)
13) Harden the database
mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] y
Enabled successfully!
Reloading privilege tables..
 ... Success!

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
14) Log in to MariaDB again
mysql -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.4.22-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Summary
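As a closing check on the installation procedure above, here is an added audit script (example code, not part of the original homework). It verifies the data-directory owner and mode set in step 5, flags that the my.cnf from step 8 sets neither bind-address nor skip-networking (which is why step 10's ss output shows *:3306), and parses an ss -tnl listing for wildcard binds; the fixture files it writes are constructed stand-ins for the real host paths, and the function names are the example's own.

```shell
#!/bin/bash
# Added post-install audit for the MariaDB layout built above (example code, not from the
# original homework). It checks three security-relevant outcomes of the procedure: the data
# directory's owner and mode, whether my.cnf keeps mysqld off the network, and whether a
# saved "ss -tnl" listing shows port 3306 bound to a wildcard address (as the page's does).

# check_datadir DIR USER: 0 if DIR exists, is owned by USER and gives "other" no access
# (the chmod 770 from step 5); 1 otherwise. Uses GNU stat, as on the CentOS host.
check_datadir() {
    local dir=$1 want=$2 owner mode
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%U' "$dir") && mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want" ] || return 1
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# cnf_binds_local FILE: 0 if the [mysqld] section has skip-networking or a loopback
# bind-address. The page's my.cnf has neither, which is why ss shows *:3306.
cnf_binds_local() {
    awk '/^\[/ { sect = $0 }
         sect == "[mysqld]" && /^[ \t]*skip[-_]networking/ { ok = 1 }
         sect == "[mysqld]" && /^[ \t]*bind[-_]address[ \t]*=[ \t]*(127\.0\.0\.1|::1|localhost)[ \t]*$/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# listen_exposed SSFILE PORT: 0 if a LISTEN socket on PORT is bound to *, 0.0.0.0 or [::].
listen_exposed() {
    awk -v port="$2" '$1 == "LISTEN" {
             n = split($4, a, ":"); p = a[n]
             addr = substr($4, 1, length($4) - length(p) - 1)
             if (p == port && (addr == "*" || addr == "0.0.0.0" || addr == "[::]")) found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# make_fixtures DIR: constructed sample inputs standing in for the real host files.
make_fixtures() {
    mkdir -p "$1/data" && chmod 770 "$1/data"
    printf '[mysqld]\nserver-id=1\nlog-bin\ndatadir=/data/mysql\nsocket=/data/mysql/mysql.sock\n[client]\nsocket=/data/mysql/mysql.sock\n' > "$1/page.cnf"
    printf '[mysqld]\ndatadir=/data/mysql\nbind-address=127.0.0.1\n[client]\n' > "$1/hardened.cnf"
    printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 80 *:3306 *:*\n' > "$1/ss.txt"
}

tmp=$(mktemp -d) && make_fixtures "$tmp"
check_datadir "$tmp/data" "$(id -un)" && echo "datadir: ok" || echo "datadir: fix owner/mode"
cnf_binds_local "$tmp/page.cnf" && echo "my.cnf: local only" || echo "my.cnf: add bind-address=127.0.0.1 or skip-networking"
listen_exposed "$tmp/ss.txt" 3306 && echo "3306: exposed on all interfaces" || echo "3306: not exposed"
rm -rf "$tmp"
```

On the real host, point the functions at /data/mysql, /etc/my.cnf and a file saved from `ss -tnl` instead of the fixtures.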