自签名证书以及DNS服务器搭建
本文共 14469 字,大约阅读时间需要 48 分钟。
1.TSL链路通信
TLS: Transport Layer Security 安全传输协议,在应用层 传输层之间主要应用https 协议,ftps 协议等
https大体流程客户端A 服务端BA ————》 (连接请求 ) BA《———— (发送CA私钥加密过B的公钥,也就是安全证书)BA (用CA公钥解开证书得到B的公钥)A (生成对称秘钥key,并用B的公钥加密)A ————》(加密的秘钥key) BB (B用自己的私钥解密得到对称私钥key)A B后续通讯使用对称私钥加密通讯2.自签证书
搭建私有CA,用于自签名
- 安装openssl
- 生成CA 私钥
[root@centos7 ~]#(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus.................................................................................................+++..........+++e is 65537 (0x10001)
注意生成文件必须与/etc/pki/tls/openssl.cnf配置文件定义一致
dir = /etc/pki/CA # Where everything is keptprivate_key = $dir/private/cakey.pem# The private key而且生成文件权限为600 - CA服务器用自己私钥自签名生成证书
[root@centos7 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7200 -out /etc/pki/CA/cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.Country Name (2 letter code) [XX]:cnState or Province Name (full name) []:gdLocality Name (eg, city) [Default City]:gzOrganization Name (eg, company) [Default Company Ltd]:nvliuOrganizational Unit Name (eg, section) []:dcrfanCommon Name (eg, your name or your server's hostname) []:centos7Email Address []:
注意生成文件必须与/etc/pki/tls/openssl.cnf配置文件定义一致
certificate = $dir/cacert.pem # The CA certificate定义一些国家省份信息 - 把该证书传输到windows客户端添加信任
- 更改后缀为.cer
- 打开证书发现不受信任,点击安装证书
- 选择证书存储路径
- 选择受信任根证书
- 然后点击是确定安装
- 再次打开证书,已经被系统信任了
- 更改后缀为.cer
- 在应用服务器上生成密钥,放在要使用应用文件下
[root@localhost ~]# (umask 066; openssl genrsa -out /data/app.key 2048)Generating RSA private key, 2048 bit long modulus............................................+++........................+++e is 65537 (0x10001)
而且生成文件权限为600
[root@localhost ~]# (umask 066; openssl genrsa -out /data/app.key 2048)Generating RSA private key, 2048 bit long modulus............................................+++........................+++e is 65537 (0x10001) - 在应用服务器生成证书申请文件,然后上传给CA服务器
[root@localhost ~]# openssl req -new -key /data/app.key -out /data/app.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.Country Name (2 letter code) [XX]:cnState or Province Name (full name) []:gdLocality Name (eg, city) [Default City]:gzOrganization Name (eg, company) [Default Company Ltd]:nvliu Organizational Unit Name (eg, section) []:dcrfan1Common Name (eg, your name or your server's hostname) []:centos7.1Email Address []:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:
- 在CA服务器手动生成两个文件
[root@centos7 ~]#echo 01 > /etc/pki/CA/serial[root@centos7 ~]#touch /etc/pki/CA/index.txt
这两个位置在/etc/pki/tls/openssl.cnf 均有定义
database = $dir/index.txt # database index file.serial = $dir/serial # The current serial number - 在CA服务器对刚刚应用服务器传过来申请审批,生成证书
[root@centos7 ~]#openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 160Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jan 8 11:23:04 2019 GMT Not After : Jun 17 11:23:04 2019 GMT Subject: countryName = cn stateOrProvinceName = gd organizationName = nvliu organizationalUnitName = dcrfan1 commonName = centos7.1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 2C:54:95:C8:30:80:97:89:7E:4A:40:50:F9:64:CB:2F:2E:D9:97:EA X509v3 Authority Key Identifier: keyid:48:8F:FB:78:84:50:F0:B0:AB:6F:2C:10:B6:03:9F:21:03:03:20:70Certificate is to be certified until Jun 17 11:23:04 2019 GMT (160 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated
注意生成文件必须与/etc/pki/tls/openssl.cnf配置文件定义一致
certs = $dir/certs # Where the issued certs are kept - 把生成的app,crt 拷贝会应用服务器使用
3.搭建DNS架构
实验分别准备8台实验机器,
192.168.0.108 远程访问客服端192.168.0.109 缓存dns服务器192.168.0.112 dcrfan.com dns主服务器192.168.0.113 dcrfan.com dns 从服务器192.168.0.114 com dns服务器192.168.0.115 根dns 服务器192.168.0.116 web 服务器192.168.0.117 web 服务器- 先搭建dns主服务器192.168.0.112 ,安装bind服务
- 修改主配置文件/etc/named.conf中文件
options { //listen-on port 53 { 127.0.0.1; }; #注释该行,让本服务器ip监听53端口 allow-query { 192.168.0.0/24; }; # 修改改行,允许该网段的ip使用dns服务器 allow-transfer { 192.168.0.113; }; #新增改行,只允许从dns服务器拉取数据 }; - 修改zone文件/etc/named.rfc1912.zones,新增一个zone,用于解析dcrfan.com域
zone "dcrfan.com" IN { type master;#定义类型为主dns服务器 file "dcrfan.com.zone";#定义该域数据文件位置}; - 新增dns数据记录文件dcrfan.com.zone,注意权限,让named账户能读取该文件,文件在/var/named 目录下-rw-r-----. 1 root named 152 Jun 21 2007 dcrfan.com.zone
@ IN SOA dns1.dcrfan.com. admin.dcrfan.com. ( 0 1D 1H 1W 3H ) NS dns1 NS dns2dns1 A 192.168.0.112dns2 A 192.168.0.113srv A 192.168.0.116srv A 192.168.0.117www CNAME srv
- 启动服务,在远程客户端使用dig 命令测试
[root@centos6 ~]# dig www.dcrfan.com @192.168.0.112; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.112;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60001;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2;; QUESTION SECTION:;www.dcrfan.com. IN A;; ANSWER SECTION:www.dcrfan.com. 86400 IN CNAME srv.dcrfan.com.srv.dcrfan.com. 86400 IN A 192.168.0.117srv.dcrfan.com. 86400 IN A 192.168.0.116;; AUTHORITY SECTION:dcrfan.com. 86400 IN NS dns2.dcrfan.com.dcrfan.com. 86400 IN NS dns1.dcrfan.com.;; ADDITIONAL SECTION:dns1.dcrfan.com. 86400 IN A 192.168.0.112dns2.dcrfan.com. 86400 IN A 192.168.0.113;; Query time: 1 msec;; SERVER: 192.168.0.112#53(192.168.0.112);; WHEN: Thu Jan 10 16:09:29 2019;; MSG SIZE rcvd: 152
- 搭建从dns服务器192.168.0.113 ,安装dns服务
- 修改主配置文件/etc/named.conf中文件
options { //listen-on port 53 { 127.0.0.1; }; #注释该行,让本服务器ip监听53端口 allow-query { 192.168.0.0/24; }; # 修改改行,允许该网段的ip使用dns服务器 allow-transfer { none; }; #新增改行,不允许任何dns服务器拉取数据 }; - 修改zone文件/etc/named.rfc1912.zones,新增一个zone,用于解析dcrfan.com域
zone "dcrfan.com" IN { type slave;#定义类型是从dns服务器 masters { 192.168.0.112; }; #指定主dns服务器 file "slaves/dcrfan.com.slave.zone"; #dns记录数据存放位置}; - 启动dns服务,查看dns数据文件已经同步到slaves文件夹下
[root@localhost ~]# ll /var/named/slaves/dcrfan.com.slave.zone -rw-r--r--. 1 named named 371 Jan 10 16:38 /var/named/slaves/dcrfan.com.slave.zone
- 在远程客户端使用dig 命令测试
[root@centos6 ~]# dig www.dcrfan.com @192.168.0.113; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.113;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38752;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2;; QUESTION SECTION:;www.dcrfan.com. IN A;; ANSWER SECTION:www.dcrfan.com. 86400 IN CNAME srv.dcrfan.com.srv.dcrfan.com. 86400 IN A 192.168.0.117srv.dcrfan.com. 86400 IN A 192.168.0.116;; AUTHORITY SECTION:dcrfan.com. 86400 IN NS dns2.dcrfan.com.dcrfan.com. 86400 IN NS dns1.dcrfan.com.;; ADDITIONAL SECTION:dns1.dcrfan.com. 86400 IN A 192.168.0.112dns2.dcrfan.com. 86400 IN A 192.168.0.113;; Query time: 4 msec;; SERVER: 192.168.0.113#53(192.168.0.113);; WHEN: Thu Jan 10 16:41:18 2019;; MSG SIZE rcvd: 152
- 配置com dns服务器192.168.0.114 ,安装dns服务
- 修改主配置文件/etc/named.conf中文件
options { //listen-on port 53 { 127.0.0.1; }; #注释该行,让本服务器ip监听53端口 //allow-query { 192.168.0.0/24; }; # 注释改行,允许所有ip使用dns服务器 dnssec-enable no; dnssec-validation no; #都修改为no }; - 修改zone文件/etc/named.rfc1912.zones,新增一个zone,用于解析com域和指派dcrfan.com域(使用dns转发)
zone "dcrfan.com" IN { type forward; forward first; forwarders { 192.168.0.112; 192.168.0.113;};}; - 启动服务,在远程客户端使用dig 命令测试
[root@centos6 ~]# dig www.dcrfan.com @192.168.0.114; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.114;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26492;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2;; QUESTION SECTION:;www.dcrfan.com. IN A;; ANSWER SECTION:www.dcrfan.com. 86400 IN CNAME srv.dcrfan.com.srv.dcrfan.com. 86400 IN A 192.168.0.117srv.dcrfan.com. 86400 IN A 192.168.0.116;; AUTHORITY SECTION:dcrfan.com. 86400 IN NS dns2.dcrfan.com.dcrfan.com. 86400 IN NS dns1.dcrfan.com.;; ADDITIONAL SECTION:dns1.dcrfan.com. 86400 IN A 192.168.0.112dns2.dcrfan.com. 86400 IN A 192.168.0.113;; Query time: 14 msec;; SERVER: 192.168.0.114#53(192.168.0.114);; WHEN: Thu Jan 10 17:18:21 2019;; MSG SIZE rcvd: 152
- 配置根 dns服务器192.168.0.115 ,安装dns服务
- 修改主配置文件/etc/named.conf中文件
options { //listen-on port 53 { 127.0.0.1; }; #注释该行,让本服务器ip监听53端口 //allow-query { 192.168.0.0/24; }; # 注释改行,允许所有ip使用dns服务器 dnssec-enable no; dnssec-validation no; #都修改为no }; zone "." IN { #删除这个根zone type hint; file "named.ca";}; - 修改zone文件/etc/named.rfc1912.zones,新增一个zone,用于解析根域
zone "." IN { type master;#定义类型为主dns服务器 file "root.zone";#定义该域数据文件位置}; - 新增dns数据记录文件root.zone,注意权限,让named账户能读取该文件文件在新增dns数据记录文件dcrfan.com.zone,注意权限,让named账户能读取该文件,文件在/var/named下$TTL 1D
@ IN SOA dns1. admin. ( 0 1D 1H 1W 3H ) NS dns1com NS dns2 #指派com域到192.168.0.114管理dns1 A 192.168.0.115dns2 A 192.168.0.114
- 启动服务,在远程客户端使用dig 命令测试
[root@centos6 ~]# dig www.dcrfan.com @192.168.0.115; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.115;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51669;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2;; QUESTION SECTION:;www.dcrfan.com. IN A;; ANSWER SECTION:www.dcrfan.com. 84281 IN CNAME srv.dcrfan.com.srv.dcrfan.com. 86400 IN A 192.168.0.117srv.dcrfan.com. 86400 IN A 192.168.0.116;; AUTHORITY SECTION:dcrfan.com. 84281 IN NS dns2.dcrfan.com.dcrfan.com. 84281 IN NS dns1.dcrfan.com.;; ADDITIONAL SECTION:dns1.dcrfan.com. 84281 IN A 192.168.0.112dns2.dcrfan.com. 84281 IN A 192.168.0.113;; Query time: 14 msec;; SERVER: 192.168.0.115#53(192.168.0.115);; WHEN: Thu Jan 10 17:53:40 2019;; MSG SIZE rcvd: 152`
- 配置缓存服务器192.168.0.108 ,安装named服务
- 修改主配置文件/etc/named.conf中文件
options { //listen-on port 53 { 127.0.0.1; }; #注释该行,让本服务器ip监听53端口 //allow-query { 192.168.0.0/24; }; # 注释改行,允许所有ip使用dns服务器 dnssec-enable no; dnssec-validation no; #都修改为no }; - 修改named.ca文件,让它的根指向我们搭建跟服务器192.168.0.115
. 518400 IN NS a.root-servers.net.a.root-servers.net. 3600000 IN A 192.168.0.115
- 启动服务,在远程客户端使用dig 命令测试
[root@centos6 ~]# dig www.dcrfan.com @192.168.0.109; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.109;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2;; QUESTION SECTION:;www.dcrfan.com. IN A;; ANSWER SECTION:www.dcrfan.com. 83143 IN CNAME srv.dcrfan.com.srv.dcrfan.com. 86400 IN A 192.168.0.116srv.dcrfan.com. 86400 IN A 192.168.0.117;; AUTHORITY SECTION:dcrfan.com. 83143 IN NS dns1.dcrfan.com.dcrfan.com. 83143 IN NS dns2.dcrfan.com.;; ADDITIONAL SECTION:dns2.dcrfan.com. 83143 IN A 192.168.0.113dns1.dcrfan.com. 83143 IN A 192.168.0.112;; Query time: 16 msec;; SERVER: 192.168.0.109#53(192.168.0.109);; WHEN: Thu Jan 10 18:12:37 2019;; MSG SIZE rcvd: 152
- 然后搭建两个web服务器测试,分别安装httpd服务,并修改主页,启动服务测试echo dcrfan1 > /var/www/html/index.htmlecho dcrfan2 > /var/www/html/index.html
- 分别用ip正常访问[root@centos6 ~]# curl 192.168.0.116dcrfan1[root@centos6 ~]# curl 192.168.0.117dcrfan2
- 修改客服端的dns指向缓存dns服务器192.168.0.109网卡中加入DNS1=192.168.0.109,重启网络服务测试
[root@centos6 ~]# curl www.dcrfan.comdcrfan2[root@centos6 ~]# curl www.dcrfan.comdcrfan1
- 清理dns缓存,在各个dns服务器执行rndc flush命令停掉主dns的服务,继续测试,从服务器可以使用
[root@centos6 ~]# curl www.dcrfan.comdcrfan2[root@centos6 ~]# curl www.dcrfan.comdcrfan2[root@centos6 ~]# curl www.dcrfan.comdcrfan1
4.dnspod解析类型
- 在dnspod中的记录,一般有主机记录,记录类型,线路类型,记录值,MX优先值,TTL主机记录:www 表示 解析后域名为 www@表示 直接解析主域名 表示泛解析 .域名
- 记录类型A记录:用来指定域名的IPv4地址,如果需要将域名指向一个IP地址需要一个A记录CNAME:(别名) 如果需要将域名指向另一个域名,再由另一个域名提供ip地址,就需要添加CNAME记录。TXT:在这里可以填写任何东西,长度限制255。绝大多数的TXT记录是用来做SPF记录(反垃圾邮件)。NS:dns服务器记录,如果需要把子域名交给其他DNS服务器解析,就需要添加NS记录。AAAA:ipv6 的A记录MX:设置邮箱服务器地址解析,就需要添加MX记录。显性URL:从一个地址301重定向到另一个地址的时候,就需要添加显性URL记录(注:DNSPod目前只支持301重定向)。隐性URL:类似于显性URL,区别在于隐性URL不会改变地址栏中的域名。SRV:记录了哪台计算机提供了哪个服务。格式为:服务的名字、点、协议的类型
- 记录值:A记录填写相应ip地址CNAME 填写别名的域名MX 邮件服务器ip地址NS dns服务器域名(需要配合A记录来指定ip地址)
- MX邮件记录还要记录MX优先值
转载于:https://blog.51cto.com/6289984/2342154
你可能感兴趣的文章
LINQ
查看>>
1042 Shuffling Machine
查看>>
Weblogic配置和部署
查看>>
font: 12px/1.5 Tahoma, Helvetica, Arial, sans-serif;
查看>>
纯js实现DIV拖拽
查看>>
android内部培训视频_第三节(3)_常用控件(ViewPager、日期时间相关、ListView)
查看>>
UVALive - 7147 (数学)
查看>>
EOJ 262 润清的烦恼
查看>>
sql 183. 从不订购的客户
查看>>
iOS---实现在屏幕上实时绘图的简单效果---CAShaperLayer和UIBezierPath的简单运用
查看>>
Vue.js项目中,当图片无法显示时则显示默认图片
查看>>
使用jquery做一个动态简历
查看>>
c++中this指针的用法
查看>>
ubuntu和ok6410开发板之间架设nfs
查看>>
git将本地练手的项目放置到git远端上--本地仓库和远程建立连接
查看>>
【转】用C#获取浏览文件夹对话框
查看>>
查看oracle数据库服务器的名字
查看>>
hdu 4707 Pet
查看>>
hdu 1249 三角形 (递推)
查看>>
小图标垂直居中
查看>>