本文深入探讨DNS服务原理,包括正向与反向解析、域名结构、查询类型及服务器类型,详细讲解DNS主从配置与子域授权过程。同时,全面解析HTTP服务,涵盖请求与响应机制、URL与URN的区别、请求方法、资源访问流程及日志记录。并通过实例演示基于用户的访问控制、虚拟主机配置与HTTPS服务搭建。
1、简述DNS服务,并搭建DNS服务器,实现主从,子域授权
-
DNS服务:(Domain Name System 应用层)协议,是一个应用层协议,能够将我们的域名地址转换为ip地址,这个称之为正向解析,反过来将IP地址解析为域名也可以,称之为反向解析
-
域名结构:由根域,顶级域,二级域层层往下延伸
-
DNS查询类型: 递归查询:可以理解为由一台服务器一查到底,如果他没有,他则会询问上级域名服务器,最后把结果返回给你
迭代查询:如果你查询的服务器没有找到这个域名,他会告诉你上级域名服务器的地址,让你自己去找上级服务器查, -
DNS服务器的类型:主服务器:管理和维护所负责解析的域内解析库的服务器
从服务器:可以理解为主服务器的备份者,从主服务器中获取解析库记录,主服务器解析库发生变化时,从服务器也会同步更新,当主服务器故障时,从服务器会接手代替其完成工作。 -
DNS的一次解析过程:Client -->hosts文件 -->DNS Service Local Cache --> DNS Server (recursion) --> Server Cache --> iteration(迭代) --> 根–> 顶级域名DNS–> 二级域名DNS…
-
请点击以下链接查看DNS的主从配置过程
2、简述HTTP服务,并实现基于用户的访问控制,虚拟主机,https
-
http服务:文本传输协议(英语:HyperText Transfer Protocol),缩写为HTTP,它是一种用于分布式、协作式和超媒体信息系统的应用层协议,是万维网的数据通信的基础,也是互联网应用最为广泛的一种网络传输协议。最初设计HTTP的目的是为了提供一种发布和接收HTML页面的方法。
-
HTTP服务通信过程 :
-
htttp服务工作机制:http请求:http request
http响应:http response
一次http事务:请求<–>响应 -
URL:Uniform Resource Identifier 统一资源标识,分为URL和URN ,
URN: Uniform Resource Naming,统一资源命名 ,用于描述某服务器某特 定资源位置
两者区别:URN如同一个人的名称,而URL代表一个人的住址。换言之, URN定义某事物的身份,而URL提供查找该事物的方法。URN仅用于命名, 而不指定地址
示例:http://apache.org/index.html#projects-list
URL的组成:
-
一次完整的http请求处理过程 :
1、建立连接:接收或拒绝连接请求
2、接收请求:接收客户端请求报文中对某资源的一次请求的过程
Web访问响应模型(Web I/O) 单进程I/O模型:启动一个进程处理用户请求,而且一次只处理一个
多个请求被串行响应 多进程I/O模型:并行启动多个进程,每个进程响应一个连接请求
复用I/O结构:启动一个进程,同时响应N个连接请求
复用的多进程I/O模型:启动M个进程,每个进程响应N个连接请求,同时接 收M*N个请求
3、处理请求:服务器对请求报文进行解析,并获取请求的资源及请求方法等相 关信息,根据方法,资源,首部和可选的主体部分对请求进行处理
元数据:请求报文首部
HEADERS
格式 name:value
示例: Host: www.magedu.com
请求的主机名称 Server: Apache/2.4.7
HTTP常用请求方式,Method GET、POST、HEAD、PUT、DELETE、TRACE、OPTIONS
4、访问资源: 服务器获取请求报文中请求的资源web服务器,即存放了web资源的服务器, 负责向请求者提供对方请求的静态资源,或动态运行后生成的资源 ,
资源放置于本地文件系统特定的路径:/var/www/html
5、构建响应报文: 一旦Web服务器识别除了资源,就执行请求方法中描述的动作,并返回响应 报文。响应报文中 包含有响应状态码、响应首部,如果生成了响应主体的话,还包括响应主体
6、发送响应报文: Web服务器通过连接发送数据时也会面临与接收数据一样的问题。服务器 可能有很多条到各个客户端的连接,有些是空闲的,有些在向服务器发送数据,还 有一些在向客户端回送响应数据。服务器要记录连接的状态,还要特别注意对持久 连接的处理。对非持久连接而言,服务器应该在发送了整条报文之后,关闭自己这 一端的连接。对持久连接来说,连接可能仍保持打开状态,在这种情况下,服务器 要正确地计算Content-Length首部,不然客户端就无法知道响应什么时候结束了
7、记录日志 最后,当事务结束时,Web服务器会在日志文件中添加一个条目,来描述已执行的事务
下面实操几个常用的案例
(1)基于用户的访问控制 -
认证质询:WWW-Authenticate:响应码为401,拒绝客户端请求,并说明要求客 户端提供账号和密码
-
认证:Authorization:客户端用户填入账号和密码后再次发送请求报文;认证通过 时,则服务器发送响应的资源
-
认证方式两种: basic:明文 digest:消息摘要认证,兼容性差
(1)自行创建一个登录用户tom,保存于/etc/httpd/test.users文件下
[root@localhost conf.d]# htpasswd -c /etc/httpd/test.users tom
New password:
Re-type new password:
Adding password for user tom
[root@localhost conf.d]# cat /etc/httpd/test.users
tom:$apr1$d2XT/2Up$y7tRKiARICHWFb46592q41
(2)新建一个用于用户认证的配置文件
[root@localhost conf.d]# vi lock.conf
<Directory "/var/www/html"> //访问的网站路径
Options None
AllowOverride None
AuthType Basic //基于明文
AuthName "please input passwd." //访问时的提示信息
Authuserfile "/etc/httpd/test.users" //认证文件路径
require user tom //
</Directory>
(3)检查语法是否有错。然后重启
[root@localhost conf.d]# httpd -t
Syntax OK
[root@localhost conf.d]# systemctl restart httpd.service
(4)最终效果,输入创建的用户tom和密码即可登录
(2)虚拟主机,方式有三种:
- 基于IP地址,即访问的IP地址不同
在开始前需要使用ipaddr命令给本机ens33在添加一个地址
基于ip的虚拟主机配置文件
[root@localhost conf.d]# vi vir.conf
<virtualHost 192.168.164.138:80>
ServerName 192.168.164.138
DocumentRoot "/var/www/html/test1"
</VirtualHost>
<VirtualHost 192.168.164.141:80>
ServerName 192.168.164.141
DocumentRoot "/var/www/html/test2"
</VirtualHost>
- 基于端口,即访问不同的端口号
8080端口需先在/etc/httpd/conf/httpd.conf文件中添加进行监听
[root@localhost conf.d]# vi vir.conf
<virtualHost 192.168.164.141:80>
ServerName 192.168.164.141
DocumentRoot "/var/www/html/test1"
</VirtualHost>
<VirtualHost 192.168.164.141:8080>
ServerName 192.168.164.141
DocumentRoot "/var/www/html/test2"
</VirtualHost>
- 基于域名,即访问不同的域名
同样的域名应先在于/etc/httpd/conf/httpd.conf中
<virtualHost 192.168.164.141:80>
ServerName www.ns1.123.com
DocumentRoot "/var/www/html/test1"
</VirtualHost>
<VirtualHost 192.168.164.141:80>
ServerName www.ns2.123.com
DocumentRoot "/var/www/html/test2"
</VirtualHost>
所有配置完成进行httpd -t检查,无误后重启http服务即可
(3)https:https是http的升级版。运行于ssl协议之上,更加的安全,我们要想让自己的主机运行于https之上,需要先自行创建一个证书,签名后导入到我们的浏览器中,最后注意的是https使用的端口为443
1.自建CA签证机构在192.168.164.138这台主机上
[root@localhost centos]# cd /etc/pki/CA #进入/etc/pki/CA目录
[root@localhost CA]# ls
certs crl newcerts private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #创建密钥cakey.pem
Generating RSA private key, 2048 bit long modulus
..................................................................+++
.....+++
e is 65537 (0x10001)
[root@localhost CA]# ll private/
total 4
-rw-------. 1 root root 1675 Apr 3 08:33 cakey.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 #生成证书cacert.pem,写好相关的公司地址,这里就建好了签证中心
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xiaoping
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.xiaoming.com
Email Address []:
(2)在192.168.164.139这台机上创建证书发送给CA主机签名
1.#生成一个私钥
[root@xiaoping ssl]# (umask 077;openssl genrsa -out httpd_key.pem 1024) #生成一个私钥
Generating RSA private key, 1024 bit long modulus
..........++++++
...........................++++++
e is 65537 (0x10001)
2.生成一个待签名的证书,注意后面公司信息应该与CA主机上设置的相一致
[root@xiaoping ssl]# openssl req -new -key httpd_key.pem -out httpd_crt.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xiaoping
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:192.168.164.139
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.将签名请求发送给CA主机,等待签名
[root@xiaoping ssl]# scp httpd_crt.pem root@192.168.164.138:/tmp/
root@192.168.164.138's password:
httpd_crt.pem 100% 660 145.9KB/s 00:00
(3)CA主机收到证书签名请求,签名后返回给待签名主机,在CA主机上操作
1.添加标签,CA签名应该有签名记录
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# echo 01 > serial
2.对证书进行签名,
[root@localhost CA]# openssl ca -in /tmp/httpd_csr.pem -out certs/httpd_crt.pem 对证书进行签名,注意后缀应该是.csr.
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 3 13:09:25 2020 GMT
Not After : Apr 3 13:09:25 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = xiaoping
organizationalUnitName = devops
commonName = 192.168.164.139
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
20:3C:4C:74:1D:C5:C5:BA:17:D5:14:84:52:F5:97:00:E2:31:AE:26
X509v3 Authority Key Identifier:
keyid:CC:42:D3:9A:FD:CF:A3:C6:C1:7F:88:3F:6C:12:38:2F:5A:09:5E:E8
Certificate is to be certified until Apr 3 13:09:25 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.查看签名证书并发回主机
[root@localhost CA]# ll certs/ 签完的证书保存在certs目录下
total 4
-rw-r--r--. 1 root root 3736 Apr 3 09:09 httpd_csr.pem
[root@localhost CA]# scp certs/httpd_csr.pem 192.168.164.139:/etc/httpd/ssl 将签好的证书发回被签主机
The authenticity of host '192.168.164.139 (192.168.164.139)' can't be established.
ECDSA key fingerprint is SHA256:fWGaGyZMLhbZcVAFGIjwwpjnhzfSEsdKhy82Xq9QR1I.
ECDSA key fingerprint is MD5:10:c7:b6:0b:69:52:2f:10:11:7e:dd:db:f2:f2:8f:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.164.139' (ECDSA) to the list of known hosts.
root@192.168.164.139's password:
httpd_crt.pem 100% 3736 1.0MB/s 00:00
4.测试证书
[root@localhost CA]# openssl s_client -connect 192.168.164.139:443 -CAfile /etc/pki/CA/cacert.pem
CONNECTED(00000003)
depth=1 C = CN, ST = beijing, L = beijing, O = xiaoping, OU = devops, CN = ca.xiaoming.com
verify return:1
depth=0 C = CN, ST = beijing, O = xiaoping, OU = devops, CN = 192.168.164.139
verify return:1
---
Certificate chain
0 s:/C=CN/ST=beijing/O=xiaoping/OU=devops/CN=192.168.164.139
i:/C=CN/ST=beijing/L=beijing/O=xiaoping/OU=devops/CN=ca.xiaoming.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPjCCAiagAwIBAgIBATANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjEQ
MA4GA1UECAwHYmVpamluZzEQMA4GA1UEBwwHYmVpamluZzERMA8GA1UECgwIeGlh
b3BpbmcxDzANBgNVBAsMBmRldm9wczEYMBYGA1UEAwwPY2EueGlhb21pbmcuY29t
MB4XDTIwMDQwMzEzMDkyNVoXDTIxMDQwMzEzMDkyNVowXTELMAkGA1UEBhMCQ04x
EDAOBgNVBAgMB2JlaWppbmcxETAPBgNVBAoMCHhpYW9waW5nMQ8wDQYDVQQLDAZk
ZXZvcHMxGDAWBgNVBAMMDzE5Mi4xNjguMTY0LjEzOTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAxnaYPZ9EHzA33TJQFL1Ym5EZF20+U+b1aoryHBE06gloXT4N
OvpdxP2xmjEcMpq9eipX4pU2JSwIL/MBGrFBvIveynXC60AQ7QAO7qxHte5HDdSt
tala2MJ3RGFBdUJT9o/Dh5TMf4E9ACBZFr+74NMCyASxdgq7S54RipG6+8MCAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCA8THQdxcW6F9UUhFL1lwDiMa4mMB8G
A1UdIwQYMBaAFMxC05r9z6PGwX+IP2wSOC9aCV7oMA0GCSqGSIb3DQEBCwUAA4IB
AQCA2djQcOhP6PDslZctJ6RV2Veqo9lexNWCLvy0vGkCxps44wZ3KH2dNCj+PqqC
u9/ASP2L5Nt7FWkkOtyGURZJZVaR8cAaER/PPt20KJIU+QuxuBqfLvjY1kCQDS2u
5QJCVT44zHYZKv6oVpDFH/fwLQtQpMIYDkYn7uAEb2ddaFmXDk9y/+HBOp5p46lo
Zt3ebxoRDvAzrn052rdyDWd2jHxs4NyVjE/qwCxWsJI+I9hNJZUHhOF9rusL07zr
MFWGAQxuwN1WjuTBzN2MDha4BCSf3Fy0r6Ctxx6MC4Wi5BmJCQc7HpV4S9JoYhZo
XT8oTY5gjdyXfQsv/8BpIuXu
-----END CERTIFICATE-----
subject=/C=CN/ST=beijing/O=xiaoping/OU=devops/CN=192.168.164.139
issuer=/C=CN/ST=beijing/L=beijing/O=xiaoping/OU=devops/CN=ca.xiaoming.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1397 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D4DB4FC7C45655DD8F55AD22558CC1BD5B6A2DA310744FF9EE22DE1974EEEB21
Session-ID-ctx:
Master-Key: 25215D9372CBBEC801F4987581C23A0C62FDF471C8DBC39E11B05C43737BDE5D594B87EFED1FFEA60E15665534675E57
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - c7 62 45 9a dd 6a f2 41-4b 39 af 74 50 5f 5c 92 .bE..j.AK9.tP_\.
0010 - 44 25 a8 77 9f fd 73 2d-49 96 79 43 73 fd ae 4f D%.w..s-I.yCs..O
0020 - 7b a0 13 07 e2 a0 18 25-33 02 5c d1 a9 2e 11 82 {......%3.\.....
0030 - ad 9a de ca b0 88 26 30-c6 0e d6 8f fa 32 af 54 ......&0.....2.T
0040 - 37 76 a1 e0 8e a1 58 70-6b d2 40 50 4e 24 8a ba 7v....Xpk.@PN$..
0050 - 85 cc 4d d5 5b 9d 62 fb-24 a8 e6 51 5c f1 b2 e8 ..M.[.b.$..Q\...
0060 - f3 6e 32 c7 ae 4d 49 95-05 9c 1f 53 8d 81 b5 8f .n2..MI....S....
0070 - e6 9f 86 1d b4 76 20 86-72 bc fb 19 ce 68 7b 49 .....v .r....h{I
0080 - 59 ca 64 56 61 79 38 fc-a9 d9 f7 9d 23 46 1c e9 Y.dVay8.....#F..
0090 - 78 e7 3e d6 e3 9b e4 58-9b 91 49 16 23 9a a0 d3 x.>....X..I.#...
00a0 - 1a 7e c4 cc 90 53 cf ce-7c 56 f2 e0 bb 40 36 a5 .~...S..|V...@6.
00b0 - 45 ec b0 b1 4e 54 50 07-1c 09 c4 00 f8 cc 80 17 E...NTP.........
Start Time: 1585922732
Timeout : 300 (sec)
Verify return code: 0 (ok) 证书校验成功
---
read:errno=0
(4)在浏览器中导入证书即可,其中还有可能涉及到httpd的权限问题
[root@xiaoping conf.d]# httpd -t -D DUMP_VHOSTS 查看主机虚拟机,基于443端口一个ip只能配置一个虚拟主机,80端口可转至443
VirtualHost configuration:
*:443 192.168.164.139 (/etc/httpd/conf.d/ssl.conf:56)
[root@xiaoping conf.d]# vi ssl.conf 修改conf文件
DocumentRoot "/var/www/html"
ServerName 192.168.164.139:443
修改完重启服务,要在浏览器导入/etc/pki/CA/cacert.pem证书
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
