Server04

Network

Device	Hostname	System	FQDN	IP Adress	Service
Server04	Server04	Linux server	Server04.skills.com	192.168.10.4	DNS(bind) Webserver(apache) SSH

修改 /etc/network/interfaces 文件，增加如下语句

auto ens35
iface ens35 inet static
address 192.168.10.4/28
gateway 192.168.10.2

环境不同，网卡号不同，根据环境修改，使用命令 ip link 可以查看

修改 /etc/hosts 文件，将 127.0.0.1 debain修改为如下语句

127.0.0.1 Server04
192.168.10.4 Server04.skills.com  Server04

修改 /etc/hostname 文件，将内容改为对应主机名

Server04

新建 /etc/resolv.conf 文件，添加如下内容

nameserver 192.168.10.4

DNS(bind)

安装 bind 服务

为域 skills.com 提供必要的域名解析

当非 skills.com 域的解析时，统一解析到 Rserver 连接 Internet 网段的 IP 地址或 Rserver.skills.com

安装 bind 服务

apt install -y bind9

修改 /etc/bind/named.conf.options 文件

options {
 allow-recursion { any; };
 allow-query-cache { any; };
 allow-query { any; };
 dnssec-validation no;
 dnssec-enable no;
};

编辑 /etc/bind/named.conf.default-zones 文件，创建域

zone "." {
 type master;
 file "/etc/bind/db.root";
};

zone "skills.com" {
 type master;
 file “/etc/bind/db.skills.com";
};

zone "10.168.192.in-addr.arpa" {
 type master;
 file "/etc/bind/db.192.168.10";
};

复制 local 域数据库文件，并修改

cp /etc/bind/db.local /etc/bind/db.root
cp /etc/bind/db.local /etc/bind/db.skills.com
cp /etc/bind/db.127 /etc/bind/db.192.168.10

db.skills.com：

$TTL 604800
@ IN SOA skills.com. ns.skills.com. (
         2  ; Serial
    604800  ; Refresh
     86400  ; Retry
   2419200  ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS ns.skills.com.
ns IN A 192.168.10.4
www IN A 192.168.10.4
* IN A 192.168.10.4.

db.192.168.10：

$TTL 604800
@ IN SOA skills.com. ns.skills.com. (
         1  ; Serial
    604800  ; Refresh
     86400  ; Retry
   2419200  ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS ns.skills.com.
4 IN PTR ns.skills.com.
4 IN PTR www.skills.com.

db.root：

$TTL 604800
@ IN SOA @ none. (
         2  ; Serial
    604800  ; Refresh
     86400  ; Retry
   2419200  ; Expire
    604800 ) ; Negative Cache TTL
;
. IN NS @
@ IN A 192.168.10.4
* IN A 192.168.10.2

Webserver(apache)

安装 apache2

apt install -y apache2

使用 apache 服务

• 网页文件放在 /data/share/htdocs/skills
• 服务以用户 webuser 运行
• 首页内容为 “This is the front page of sdskills's website.”
• /htdocs/skills/staff.html 内容为 “Staff Information”
• 该页面需要员工的账号 Basic 认证才能访问
• 员工账号存储在文件 /etc/apache2/.htpasswd 中，账号为 zsuser、lsus

创建网页文件目录

mkdir -p /htdocs/skills

修改内容

echo "This is the front page of skills's website." > /htdocs/skills/index.html
echo "Staff Information" > /htdocs/skills/staff.html 

创建 webuser 用户

useradd webuser

修改 /etc/apache2/apache2.conf 文件的第 115、116行

User webuser
Group webuser

创建认证用户

htpasswd -c /etc/apache2/.htpasswd zsuser
htpasswd /etc/apache2/.htpasswd lsus

修改 /etc/apache2/apache2.conf 文件，配置站点路径，将/var/www修改为/htdocs/skills

<Directory /htdocs/skills>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
<Directory /htdocs/skills/staff.html>
        authtype basic
        authname "passoword"
        authuserfile /etc/apache2/.htpasswd
        Require valid-user
</Directory>

将 /etc/apache2/apache2.conf 文件中第 202 - 204 行修改为如下语句

<FilesMatch "^\.ht">
        Require all granted
</FilesMatch>

修改 /etc/apache2/sites-enabled/000-default.conf 配置虚拟主机，取消第 9 行注释

ServerAlias *.skills.com
ServerName www.skills.com
ServerAdmin webmaster@localhost
DocumentRoot /htdocs/skills

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443
RewriteRule ^(.*)?$ https://%{SERVER_NAME}/%1 [L,R=301]

网站使用 https 协议

• SSL 使用 Rserver 颁发的证书，颁发给： C = CN ST = China L = ShanDong O = skills OU = Operations Departments CN = *.skills.com
• Server01 的证书路径：/CA/cacert.pem
• 签发数字证书，颁发者： C = CN O = Inc OU = www.skills.com CN = skills Global Root CA
• 客户端访问 https 时应无浏览器（含终端）安全警告信息
• 当用户使用 http 访问时自动跳转到 https 安全协议
• 当用户使用 skills.com 或 any.skills.com（any 代表任意网址前缀）访问时，自动跳转到 www.skills.com

复制 SSL 虚拟主机配置文件

cp -a /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/001-default.conf

编辑 /etc/apache2/sites-enabled/001-default.conf 文件

ServerAdmin webmaster@localhost
ServerName www.skills.com
DocumentRoot /htdocs/skills
ServerAlias *.skills.com

SSLCertificateFile      /CA/skills.crt
SSLCertificateKeyFile /CA/skills.key

SSLCertificateChainFile /CA/cacert.pem

新建 /htdocs/skills/.htaccess 文件，并添加如下内容

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.skills.com [L,NE,R=301]

创建 CA 文件夹，并进入该文件夹

mkdir /CA && cd /CA

生成 SSL 证书密钥

openssl genrsa -out skills.key 4096

生成 SSL 证书请求

root@Server01:/CA# openssl req -new -key skills.key -out skills.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:ShangDong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (e.g. server FQDN or YOUR name) []:*.skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

通过 SCP 将证书请求上传至 Rserver

scp skills.csr 1921.68.10.2:/CA

如下操作在 Rserver 上操作

# 签发证书
openssl x509 -req -in skills.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem  -CAcreateserial -out skills.crt
# 通过 SCP 将证书上传至 Server01
scp skills.crt 192.168.10.4:/CA
scp cacert.pem 192.168.10.4:/CA

在 Server01 上启动 apache 重写及SSL模块

a2enmod rewrite
a2enmod ssl

重启 apache2

systemctl restart apache2

SSH

安装 SSH

仅允许 client 客户端进行 ssh 访问，其余所有主机的请求都应该拒绝

配置 client 只能在 a1 用户环境下可以免密钥登录，端口号为 3344，并有用 root 控制权限

安装 SSH

apt install -y openssh-server

编辑 /etc/ssh/sshd_config 文件，修改至如下内容

Port 3344
PermitRootLogin yes
AllowUsers *@10.10.100.*

如下操作在 Client 上用户 a1 上进行

ssh-keygen
ssh-copy-id root@192.168.10.4 -p 3344