
OpenSSL configuration example and smart (view-based) DNS resolution

Task: set up Apache or nginx and serve it over HTTPS with a self-signed certificate; the domain name in the self-signed certificate is your own choice.

Steps to build a private CA with OpenSSL:

1. Generate the CA's private key.
2. Generate the CA's self-signed certificate.
   (1) The private key is what the CA uses to put its digital signature on the certificates it issues.
   (2) The certificate is what every communicating party imports into its "trusted certification authorities" store.

Configuration file involved: /etc/pki/tls/openssl.cnf
Working directory: CA. The commands below use the relative path CA/; `openssl ca` takes its database locations from the `dir = /etc/pki/CA` setting in openssl.cnf, so that relative path has to resolve to /etc/pki/CA, which is where the index and serial files are created.

Hostname: node1   IP: 10.2.10.56   server side (the CA)
Hostname: node2   IP: 10.2.10.57   client side (the web server)

Server side: build the private CA

1. Create the CA's database index files

    [root@node1 ~]# touch CA/{index.txt,serial}   # index.txt: the certificate database; serial: the next serial number
    [root@node1 ~]# echo 01 > CA/serial            # serial number of the first certificate to be issued
    [root@node1 ~]# cd /etc/pki/CA
    [root@node1 CA]# ls
    crl   private   index.txt   certs   newcerts    serial

2. Generate the private key and the self-signed certificate: cakey.pem -> cacert.pem

    [root@node1 ~]# (umask 077; openssl genrsa -out CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ...............+++
    ........+++
    e is 65537 (0x10001)

Note: a command placed inside parentheses on the bash command line runs in a child shell, so the `umask 077` applies only to the key generation (the key file is created mode 0600) and does not change the umask of your interactive shell.

Optionally edit the [ req_distinguished_name ] defaults in /etc/pki/tls/openssl.cnf first, so that the prompts below offer your own values (the bracketed defaults shown below come from such an edit):

    [root@node1 ~]# cd /etc/pki/tls/
    [root@node1 tls]# vim openssl.cnf

    [root@node1 ~]# openssl req -new -x509 -key CA/private/cakey.pem -out CA/cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [Jiangsu]:
    Locality Name (eg, city) [Nanjing]:
    Organization Name (eg, company) [Wangsir.com]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) []:localhost.localdomain
    Email Address []:admin@Wangsir.com

    -new: generate a new certificate signing request
    -x509: output a self-signed certificate instead of a request (used only for the CA's own certificate)
    -key: the private key used when generating the request
    -days n: validity period of the certificate in days (only meaningful together with -x509)
    -out /PATH/TO/SOMECERTFILE: where to store the certificate

________________________________________

Issuing certificates to nodes

Client side:
1. Generate a private key and a certificate signing request (CSR)
2. Send the request to the CA

Notes:
a. The subject must be consistent with the CA's. This is enforced by the default `policy_match` section of openssl.cnf: countryName, stateOrProvinceName and organizationName have to be identical to those in the CA certificate, otherwise `openssl ca` refuses to sign.
b. The Common Name must be the real name of this host. This walkthrough uses localhost.localdomain for both the CA and the web server; for a real HTTPS deployment use the site's DNS name, and keep in mind that current browsers ignore the CN and require the name in a subjectAltName extension, which `openssl ca` adds only if you configure it (an extensions section, or copy_extensions to take it from the CSR).

Generate the request on the host that needs the certificate, here the web server:

1. Generate the private key and the certificate signing request

    [root@node2 ~]# mkdir /etc/httpd/ssl
    [root@node2 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .................................................................................................................+++
    .......................+++
    e is 65537 (0x10001)
    [root@node2 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [Jiangsu]:
    Locality Name (eg, city) [Nanjing]:
    Organization Name (eg, company) [Wangsir.com]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) []:localhost.localdomain
    Email Address []:admin@Wangsir.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Note that there is no -x509 option when generating a signing request, and that `-days` is ignored on a plain request: the validity period is set by the CA at signing time. Country, state/province and organization name must match the CA's.

2. Send the request to the CA

    [root@node2 ~]# scp /etc/httpd/ssl/httpd.csr 10.2.10.56:CA/
    root@10.2.10.56's password:
    httpd.csr                           100% 1070     1.0KB/s   00:00

________________________________________

Server side: sign the certificate
(1) Verify the requester's information
(2) Sign the certificate
(3) Return the signed certificate to the requester

1. Sign the certificate:

    [root@node1 ~]# openssl ca -in CA/httpd.csr -out CA/certs/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar  2 09:29:03 2018 GMT
                Not After : Mar  2 09:29:03 2019 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Jiangsu
                organizationName          = Wangsir.com
                organizationalUnitName    = Tech
                commonName                = localhost.localdomain
                emailAddress              = admin@Wangsir.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C5:29:56:4F:A6:77:D1:9B:25:0E:85:25:68:08:DF:90:B8:7E:6F:01
                X509v3 Authority Key Identifier:
                    keyid:F9:81:4D:D3:C1:D2:50:3E:F0:BF:AF:5E:06:B9:AA:EE:A4:7A:C3:16

    Certificate is to be certified until Mar  2 09:29:03 2019 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Note: the Locality (L=Nanjing) entered in the request does not appear in the issued Subject. `openssl ca` silently drops every DN field that the active policy section does not mention, and the default `policy_match` has no localityName entry; pass -preserveDN if the request's DN should be kept as submitted.

Inspect the signed certificate:

    [root@node1 ~]# openssl x509 -in CA/certs/httpd.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=Jiangsu, L=Nanjing, O=Wangsir.com, OU=Tech, CN=localhost.localdomain/emailAddress=admin@Wangsir.com
            Validity
                Not Before: Mar  2 09:29:03 2018 GMT
                Not After : Mar  2 09:29:03 2019 GMT
            Subject: C=CN, ST=Jiangsu, O=Wangsir.com, OU=Tech, CN=localhost.localdomain/emailAddress=admin@Wangsir.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:ba:e4:68:27:68:fb:6a:20:4d:66:ed:8e:3d:1d:
                        e7:f3:96:45:4c:22:2b:45:38:65:a4:8a:42:94:92:
                        ac:0a:d0:5c:a0:a8:ed:13:ca:8c:69:2f:45:ff:71:
                        ad:0c:e4:3b:6c:58:4c:b2:3e:01:36:b8:17:7a:10:
                        e9:33:91:ee:b5:13:8c:61:35:cc:f4:c9:5a:f2:c2:
                        54:f9:9a:e1:ef:bb:47:ba:56:7b:a1:01:2e:62:76:
                        5b:39:29:8a:17:6c:c1:e8:e3:4e:1b:d2:91:ff:d2:
                        08:ae:5e:7c:c5:cf:4a:cc:9c:25:da:f8:8f:00:39:
                        b1:42:33:6f:5d:cf:9d:c0:27:48:b2:fe:1e:df:7d:
                        63:09:7a:d5:97:b5:dc:e8:f6:b9:13:09:27:1e:a0:
                        bb:fb:c5:ac:b4:ee:b1:af:ae:5e:f0:b8:82:02:93:
                        ff:cc:b1:db:98:9f:82:ef:e3:b5:8d:8b:22:df:52:
                        7c:6b:4a:95:61:2b:d0:67:61:a8:f5:97:3c:4f:42:
                        01:b6:c8:f5:de:02:40:69:fb:3a:44:c3:11:9b:16:
                        b7:05:b9:19:25:99:7c:e6:8a:cd:f3:e2:a4:da:da:
                        d4:d7:1c:2f:40:44:fc:54:0f:e3:fb:86:a4:fd:25:
                        c4:ec:a9:50:15:8d:ef:5d:ad:08:3e:cd:41:b6:82:
                        f1:eb
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C5:29:56:4F:A6:77:D1:9B:25:0E:85:25:68:08:DF:90:B8:7E:6F:01
                X509v3 Authority Key Identifier:
                    keyid:F9:81:4D:D3:C1:D2:50:3E:F0:BF:AF:5E:06:B9:AA:EE:A4:7A:C3:16

        Signature Algorithm: sha256WithRSAEncryption
             7e:f7:73:a3:de:c9:c6:c6:e2:fd:44:de:a7:ff:a5:3c:95:dc:
             85:da:ae:82:40:a5:27:f3:9c:61:1f:b2:2f:b8:22:8a:19:b7:
             83:82:dd:bc:34:90:af:36:b9:17:06:02:03:dc:8a:72:51:f6:
             47:63:41:41:db:c4:91:6d:bd:be:db:9f:66:58:03:2e:da:52:
             7b:c0:69:50:fe:31:2d:cc:9c:a3:5c:fd:d2:6c:7b:d2:5c:12:
             de:1e:da:fe:a1:d4:e5:41:b7:6a:1c:61:9c:0f:b3:b3:50:8d:
             05:0d:38:74:fa:f3:e7:f4:c4:43:8e:d5:40:81:60:b3:61:9b:
             c9:35:60:d4:d2:11:2f:83:5f:a3:97:a8:67:a7:d0:05:9f:c4:
             a1:a3:90:8c:69:af:16:a1:79:6c:87:8f:a3:49:00:e8:45:fc:
             70:64:98:c3:6e:6a:d1:40:0b:a2:af:a0:55:b5:86:ab:2e:86:
             9d:c2:44:9b:74:b8:2d:b8:60:90:04:af:32:16:32:13:2b:ee:
             cf:e1:59:93:12:f5:8f:a7:62:d9:f1:88:7e:78:9c:4f:19:04:
             93:f6:79:20:2c:42:09:66:f6:dc:ec:95:c5:cc:e5:5e:24:92:
             fa:8d:39:0d:0e:aa:21:da:46:0b:c2:2f:06:a7:ef:9e:12:23:
             5c:3a:27:c6

2. Return the signed certificate to the requester

    [root@node1 ~]# scp CA/certs/httpd.crt 10.2.10.57:/etc/httpd/ssl
    root@10.2.10.57's password:
    httpd.crt                       100% 4677     4.6KB/s      00:00

Check that the database has been updated:

    [root@node1 ~]# cd CA/
    [root@node1 CA]# cat index.txt
    V    190302092903Z        01    unknown    /C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/emailAddress=admin@Wangsir.com

The columns are: status (V = valid), expiry date, revocation date (empty while valid), serial number, certificate file name ("unknown" by default) and subject DN.

________________________________________

Revoking a certificate

1. On the client, obtain the serial of the certificate to be revoked

    [root@node2 ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
    serial=01
    subject=/C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/emailAddress=admin@Wangsir.com

2. On the CA, compare the serial and subject submitted by the client against the entries in index.txt, then revoke the certificate

    [root@node1 CA]# openssl ca -revoke certs/httpd.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated

Database state after the revocation (status R, and the third column now holds the revocation timestamp):

    [root@node1 CA]# cat index.txt
    R    190302092903Z    180302134637Z    01    unknown    /C=CN/ST=Jiangsu/O=Wangsir.com/OU=Tech/CN=localhost.localdomain/emailAddress=admin@Wangsir.com

3. Create the CRL number file

    [root@node1 CA]# touch crlnumber
    [root@node1 CA]# echo 01 > crlnumber

4. Generate (or refresh) the certificate revocation list

    [root@node1 CA]# openssl ca -gencrl -out ./crl/ca.crl
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@node1 CA]# cat ./crl/ca.crl
    -----BEGIN X509 CRL-----
    MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCQ04xEDAOBgNV
    BAgMB0ppYW5nc3UxEDAOBgNVBAcMB05hbmppbmcxFDASBgNVBAoMC1dhbmdzaXIu
    Y29tMQ0wCwYDVQQLDARUZWNoMR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21h
    aW4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQFdhbmdzaXIuY29tFw0xODAzMDIxMzUy
    MDZaFw0xODA0MDExMzUyMDZaMBQwEgIBARcNMTgwMzAyMTM0NjM3WqAOMAwwCgYD
    VR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBABzuMF0xuSEIb+464+P0CoJSYcE1
    Xt0XVwiLL8X+9LnsNFfIPlwO8uwJns1VtJ3l0LPd+6WGmjN06X+xMJODZT+FerZM
    hJjSvp5SNlBca48OcmrYnA9OoTCgKAlKLHR050hdf/zR9UwQJTgI5jJKDAUduJmX
    zXebIFWsbeq0ec5463C7ZRchbvzeZeyrvxuUL8cYBLr6Fk7ocNUFrn2ZtrTqIUsl
    80v2t4qgi5w8G1AstYZUd+lvUveoMiTSx+dy53lDbNzVtUUFKw3p/PrXAbNa+Fg2
    DmAP0V8cV34xV1UUUYxr0KCZmBBX/YgMJhM7k4+P5bkz2n0dtWdi5Oy7gmk=
    -----END X509 CRL-----

Caveat: revoking only changes the CA's database and the CRL it emits. The web server keeps presenting the revoked certificate, and clients keep accepting it, until the CRL is published somewhere they fetch it from (a crlDistributionPoints URL in the issued certificates, or manual distribution) and they actually check it (`openssl verify -crl_check`, or the equivalent setting in the client). The CRL itself expires: with the default `default_crl_days = 30` this one is valid from Mar 2 to Apr 1 2018, so it has to be regenerated and re-published before its nextUpdate passes, even when nothing new was revoked.
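The full life cycle above (CA setup, request, signing under policy_match, revocation, CRL, verification) condensed into one script, as an added example that is not part of the original post. It carries its own openssl.cnf and works in a temporary directory, so it never touches /etc/pki; the DN values, the hostname www.example.test, the SAN in the server_ext section and every path are constructed for the demo. Unlike the walkthrough, it issues the server certificate with a subjectAltName, and it shows what the walkthrough only asserts: that the L= field is dropped by the policy, and that a revoked certificate still verifies until the CRL is actually consulted.

```shell
#!/bin/sh
# Added example (not from the original post): the whole private-CA life cycle
# from the walkthrough, driven by its own openssl.cnf in a temporary directory.
# DN values, www.example.test and all paths are constructed for this demo.
set -eu

ca_demo() {
    workdir=$(mktemp -d)
    ca=$workdir/CA
    cfg=$workdir/openssl.cnf
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ca/crl"
    chmod 700 "$ca/private"
    touch "$ca/index.txt"             # certificate database
    echo 01 > "$ca/serial"            # next certificate serial
    echo 01 > "$ca/crlnumber"         # next CRL number

    # The parts of /etc/pki/tls/openssl.cnf that `openssl ca` and `openssl req`
    # actually read: database paths, the DN policy and the extension sections.
    cat > "$cfg" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C  = CN
O  = Wangsir.com

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.example.test
EOF

    # 1. CA key (umask 077 only inside the subshell) and self-signed CA cert.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cfg" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=Jiangsu/O=Wangsir.com/CN=Private Root CA" \
        -out "$ca/cacert.pem"

    # 2. Server key and CSR. No -x509 here; -days would be ignored on a CSR.
    (umask 077; openssl genrsa -out "$workdir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$cfg" -key "$workdir/httpd.key" \
        -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Wangsir.com/OU=Tech/CN=www.example.test" \
        -out "$workdir/httpd.csr"

    # 3. Sign against the CA database. -batch answers the y/n prompts; SAN and
    #    key usages come from the CA's own server_ext section, not from the CSR,
    #    so a requester cannot smuggle in CA:TRUE or extra names.
    openssl ca -config "$cfg" -batch -extensions server_ext \
        -in "$workdir/httpd.csr" -out "$workdir/httpd.crt" 2>/dev/null

    # policy_match drops every DN field it does not list: L=Nanjing disappears.
    subject=$(openssl x509 -in "$workdir/httpd.crt" -noout -subject)
    if openssl verify -CAfile "$ca/cacert.pem" "$workdir/httpd.crt" >/dev/null 2>&1
    then before=ok; else before=fail; fi

    # 4. Revoke, publish a CRL, and verify again with CRL checking turned on.
    openssl ca -config "$cfg" -revoke "$workdir/httpd.crt" 2>/dev/null
    openssl ca -config "$cfg" -gencrl -out "$ca/crl/ca.crl" 2>/dev/null
    cat "$ca/cacert.pem" "$ca/crl/ca.crl" > "$workdir/ca_and_crl.pem"
    if openssl verify -crl_check -CAfile "$workdir/ca_and_crl.pem" \
            "$workdir/httpd.crt" >/dev/null 2>&1
    then after=ok; else after=revoked; fi

    echo "subject=$subject"
    echo "verify_before_revoke=$before"
    echo "verify_after_revoke=$after"
    echo "index_status=$(awk '{print $1}' "$ca/index.txt")"
    rm -rf "$workdir"
}

ca_demo
```

The "verify_after_revoke" line only says "revoked" because the CRL was concatenated into the trust bundle and `-crl_check` was passed; a plain `openssl verify -CAfile cacert.pem` would still report the revoked certificate as OK, which is exactly the gap the caveat above describes.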

Deploying DNS master and slave servers

DNS is a critical piece of Internet infrastructure, and keeping the resolution service running is what makes stable, fast and uninterrupted name lookups possible. In DNS, a slave (secondary) server obtains the zone data files from the master (primary) server, which gives a backup copy of the resolution records and spreads the query load; deploying a slave therefore reduces the load on the master and improves clients' query performance.

In this lab the master and slave servers run the following operating systems and IP addresses:

    Hostname         OS       IP address
    master server    RHEL 7   192.168.170.8
    slave server     RHEL 7   192.168.170.9

First install the Bind service on both servers:

    [root@master ~]# yum -y install bind

    Main configuration file (/etc/named.conf): the parameters that control how the bind service runs.
    Zone configuration file (/etc/named.rfc1912.zones): declares each zone and where its data file with the name-to-address mappings lives.
    Data file directory (/var/named): holds the zone files that contain the actual name-to-address records.

    [root@master ~]# vim /etc/named.conf
    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

(Only the options that were changed are shown; the rest of the block is the stock one.) Two of these settings deserve attention before this configuration leaves the lab: `listen-on port 53 { any; }` with `allow-query { any; }` and `recursion yes;` makes the host an open recursive resolver for every network that can reach it, which is what cache-poisoning attempts and DNS amplification floods rely on; an authoritative server should run with `recursion no;`, or at least restrict recursion with `allow-recursion { localnets; };`. Turning off `dnssec-validation` also means the resolver accepts forged answers for signed zones, which is tolerable only in an isolated lab.

Step 1: in the master's zone configuration file, allow the slave to transfer the zones.

    [root@master ~]# vim /etc/named.rfc1912.zones
    zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-transfer { 192.168.170.9; };     # hosts allowed to pull (AXFR/IXFR) this zone
    };
    zone "170.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.170.zone";
        allow-transfer { 192.168.170.9; };
    };

The directive for this is `allow-transfer`, not `allow-update`. `allow-update` grants dynamic-update (RFC 2136) rights, so listing the slave there would let anything sending packets from that address rewrite the master's zone, while doing nothing to control who may copy it (older BIND 9 releases allow transfers to anyone by default, which is why a setup with `allow-update` appears to work). The reverse zone for the 192.168.170.0/24 network is named 170.168.192.in-addr.arpa, i.e. the network octets reversed; its data file is 192.168.170.zone, created below.

    [root@master named]# vim test.com.zone
    $TTL 1D
    @       IN SOA  test.com. root.test.com. (    ; start of authority: zone apex, administrator mailbox (root@test.com)
                    0       ; serial   - update serial number
                    1D      ; refresh  - refresh interval
                    1H      ; retry    - retry delay
                    1W      ; expire   - expiry time
                    3H )    ; minimum  - cache time for negative answers
            NS      ns.test.com.            ; name server record (owner is still @, i.e. test.com.)
    @       IN MX 8 mail.test.com.          ; mail exchanger record for test.com
    ns      IN A    192.168.170.8           ; address record (ns.test.com.)
    mail    IN A    192.168.170.8           ; address record (mail.test.com.)
    www     IN A    192.168.170.8           ; address record (www.test.com.)
    bbs     IN A    192.168.170.9           ; address record (bbs.test.com.)

Zone-file comments start with `;`, not `#`. Watch the owner column: a record whose owner field is blank inherits the owner of the previous record, so writing the MX line with a blank owner directly after `ns IN A ...` would attach the MX to ns.test.com instead of test.com, and mail for the domain would have no MX at all. Here the MX line names `@` explicitly.

    [root@master ~]# chgrp named /var/named/test.com.zone      # named reads the file through its group
    [root@master ~]# chmod o= /var/named/test.com.zone         # no access for others
    [root@master named]# named-checkzone test.com /var/named/test.com.zone
    [root@master named]# named-checkconf
    [root@master named]# systemctl restart named

Test forward resolution. On the querying host, add the master and slave DNS addresses to the interface configuration and install the client tools:

    # vi /etc/sysconfig/network-scripts/ifcfg-ens192
    DNS1="192.168.170.8"
    DNS2="192.168.170.9"
    [root@master named]# yum -y install bind-utils      # client tools: nslookup, dig
    # nslookup www.test.com
    Server:         192.168.170.8
    Address:        192.168.170.8#53

    Name:   www.test.com
    Address: 192.168.170.8
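The owner-inheritance rule behind the MX remark above is easy to get wrong and named will load such a zone without complaint, so here is an added example (not from the original post) that makes the rule visible: a small awk "owner expander" that prints every record of a zone file with its fully qualified owner, applying the RFC 1035 rules named uses (a blank owner column inherits the previous owner, `@` is the origin, names without a trailing dot get the origin appended). Both zone texts are constructed for the demo; the first one reproduces the blank-owner MX layout, the second anchors the MX to the apex.

```shell
#!/bin/sh
# Added example (not from the original post): expand zone-file owners the way
# named does, to show which name a blank-owner record really belongs to.
set -eu

# expand_owners ORIGIN  (zone text on stdin) -> "owner type rdata" per record
expand_owners() {
    awk -v origin="$1" '
    function fq(name) {
        if (name == "@") return origin
        if (name ~ /\.$/) return name
        return name "." origin
    }
    {
        sub(/;.*/, "")                          # strip comments
        if ($0 ~ /^[ \t]*$/) next                # skip blank lines
        if ($1 == "$TTL" || $1 == "$ORIGIN") next
        if (inparen) {                           # inside a ( ... ) SOA continuation
            if ($0 ~ /\)/) inparen = 0
            next
        }
        i = 1
        if ($0 !~ /^[ \t]/) { owner = fq($1); i = 2 }  # owner column present
        if ($i ~ /^[0-9]+[smhdwSMHDW]?$/) i++          # optional TTL
        if ($i == "IN") i++                             # optional class
        type = $i
        rdata = ""
        for (j = i + 1; j <= NF; j++) rdata = rdata (j > i + 1 ? " " : "") $j
        if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1
        print owner, type, rdata
    }'
}

# owner_of ORIGIN TYPE: owner of the first record of TYPE (zone text on stdin)
owner_of() {
    expand_owners "$1" | awk -v t="$2" '$2 == t { print $1; exit }'
}

# Constructed zone: the MX line has a blank owner and follows the "ns" A record.
ZONE_AS_WRITTEN=$(cat <<'EOF'
$TTL 1D
@       IN SOA  test.com. root.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.test.com.
ns      IN A    192.168.170.8
        IN MX 8 mail.test.com.
mail    IN A    192.168.170.8
EOF
)

# Constructed zone: same records, MX anchored to the apex with "@".
ZONE_FIXED=$(cat <<'EOF'
$TTL 1D
@       IN SOA  test.com. root.test.com. (
                0 1D 1H 1W 3H )
        NS      ns.test.com.
@       IN MX 8 mail.test.com.
ns      IN A    192.168.170.8
mail    IN A    192.168.170.8
EOF
)

printf '%s\n' "$ZONE_AS_WRITTEN" | expand_owners test.com.
echo "MX owner as written: $(printf '%s\n' "$ZONE_AS_WRITTEN" | owner_of test.com. MX)"
echo "MX owner when fixed: $(printf '%s\n' "$ZONE_FIXED" | owner_of test.com. MX)"
```

Run it against any zone file with `expand_owners test.com. < /var/named/test.com.zone`; a record listed under an owner you did not intend is the bug named-checkzone will not report for you.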

    [root@master named]# vim 192.168.170.zone
    $TTL 1D
    @       IN SOA  test.com. root.test.com. (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
            NS      ns.test.com.
    8       PTR     ns.test.com.        ; PTR is the pointer record, used only in reverse zones
    8       PTR     mail.test.com.
    8       PTR     www.test.com.
    9       PTR     bbs.test.com.

The A record for ns belongs in the forward zone, not here: inside 170.168.192.in-addr.arpa a relative owner `ns` would become ns.170.168.192.in-addr.arpa, which nothing ever queries.

    [root@master named]# chgrp named /var/named/192.168.170.zone
    [root@master named]# chmod o= /var/named/192.168.170.zone
    [root@master named]# named-checkzone 170.168.192.in-addr.arpa /var/named/192.168.170.zone
    [root@master named]# named-checkconf
    [root@master named]# systemctl restart named

Test reverse resolution:

    [root@slave named]# nslookup 192.168.170.9
    Server:   192.168.170.9
    Address:  192.168.170.9#53
    9.170.168.192.in-addr.arpa    name = bbs.test.com.

Step 2: on the slave, enter the master's IP address and the zones to pull, then restart the service.

    [root@slave ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens192     # add the master and slave DNS addresses
    DNS1="192.168.170.8"
    DNS2="192.168.170.9"
    [root@slave ~]# yum -y install bind
    [root@slave ~]# vim /etc/named.conf
    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

These are the same options as on the master, and the same open-resolver caveat applies.

    [root@slave ~]# vim /etc/named.rfc1912.zones
    zone "test.com" IN {
        type slave;
        masters { 192.168.170.8; };
        file "slaves/test.com.zone";
    };
    zone "170.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.170.8; };
        file "slaves/192.168.170.arpa";
    };
    [root@slave ~]# named-checkconf
    [root@slave ~]# systemctl restart named

Step 3: verify the result. Once the slave's named restarts it normally pulls the zone data from the master on its own, and the files land at the path given by the `file` statement of each zone, relative to the directory option (/var/named/slaves here, which is owned by the named user so the daemon can write there).

    [root@slave ~]# cd /var/named/slaves
    [root@slave slaves]# ls
    192.168.170.arpa  test.com.zone
    [root@slave slaves]# nslookup
    > www.test.com
    Server:   192.168.170.9
    Address:  192.168.170.9#53
    Name:     www.test.com
    Address:  192.168.170.8

If the directory stays empty, look for transfer failures in the named log on the slave and re-check `allow-transfer` on the master; `rndc retransfer test.com` on the slave forces a fresh pull without waiting for the SOA refresh interval.

5. Implementing smart DNS

Smart DNS on a BIND server is built on views. A view answers queries that arrive from a given set of source addresses with its own set of zone data, so clients from different address ranges get different answers. To serve two address ranges differently you must spell out exactly which ranges they are, otherwise the view cannot match. Two rules matter: once a single view is defined, every zone (including the root hints) must be declared inside a view, and views are tried in the order they appear in named.conf, the first one whose `match-clients` matches the client winning, so the catch-all view has to come last.

For the simulation 192.168.170.8/32 stands for the telecom network and 192.168.170.9/32 for the unicom network.

Modify the named.conf of the master DNS server from the previous example:

    acl "telecom" {
            192.168.170.8;
    };
    acl "unicom" {
            192.168.170.9;
    };
    options {
    ...
    };
    logging {
    ...
    };
    view telecom {
            match-clients { telecom; };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
            zone "charlie.com" IN {
                    type master;
                    file "charlie.com.zone.telecom";
            };
            include "/etc/named.rfc1912.zones";
            include "/etc/named.root.key";
    };

    view unicom {
            match-clients { unicom; };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
            zone "charlie.com" IN {
                    type master;
                    file "charlie.com.zone.unicom";
            };
            include "/etc/named.rfc1912.zones";
            include "/etc/named.root.key";
    };
    view others {
            match-clients { any; };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
            include "/etc/named.rfc1912.zones";
            include "/etc/named.root.key";
    };

Note for the master/slave setup above: zone transfers are matched to views by the same `match-clients` rules as ordinary queries, so the slave at 192.168.170.9 always lands in the unicom view and can only ever copy the unicom version of charlie.com. BIND's supported way to give a transfer a specific view is to sign it with a TSIG key and match on `key` in `match-clients`.

Create charlie.com.zone.telecom:

    [root@master ~]# vim /var/named/charlie.com.zone.telecom
    $TTL 3600
    @       IN      SOA     ns.charlie.com. admin.charlie.com. (
            00
            1D
            1H
            1W
            3H )
            IN      NS      ns.charlie.com.
            IN      MX      8       mx.charlie.com.
    ns      IN      A       192.168.170.8
    mx      IN      A       192.168.170.8
    www     IN      A       1.1.1.1
    blog    IN      A       1.1.1.2

Create charlie.com.zone.unicom:

    [root@master ~]# vim /var/named/charlie.com.zone.unicom
    $TTL 3600
    @       IN      SOA     ns.charlie.com. admin.charlie.com. (
            00
            1D
            1H
            1W
            3H )
            IN      NS      ns.charlie.com.
            IN      MX      8       mx.charlie.com.
    ns      IN      A       192.168.170.8
    mx      IN      A       192.168.170.8
    www     IN      A       2.2.2.1
    blog    IN      A       2.2.2.2

The administrator mailbox in the SOA needs its trailing dot (admin.charlie.com.), otherwise it is treated as relative to the origin. The MX record is placed directly after the NS record, while the owner is still `@`; putting it after `ns IN A ...` with a blank owner would attach it to ns.charlie.com.

Check the configuration files:

    [root@master ~]# named-checkconf /etc/named.conf
    [root@master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.telecom
    zone charlie.com/IN: loaded serial 0
    OK
    [root@master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.unicom
    zone charlie.com/IN: loaded serial 0
    OK

Restart or reload the named service:

    [root@master ~]# systemctl restart named

Verify the answers from 192.168.170.8 (the host matching the telecom ACL):

    # nslookup
    > server 192.168.170.8
    Default server: 192.168.170.8
    Address: 192.168.170.8#53
    > set q=A
    > www.charlie.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   www.charlie.com
    Address: 1.1.1.1            # resolves to the telecom address
    > blog.charlie.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   blog.charlie.com
    Address: 1.1.1.2            # resolves to the telecom address
    > ns1.magedu.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   ns1.magedu.com
    Address: 192.168.170.8

Verify the answers from 192.168.170.9 (the slave, matching the unicom ACL):

    # nslookup
    > server 192.168.170.8
    Default server: 192.168.170.8
    Address: 192.168.170.8#53
    > set q=A
    > www.charlie.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   www.charlie.com
    Address: 2.2.2.1            # resolves to the unicom address
    > blog.charlie.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   blog.charlie.com
    Address: 2.2.2.2            # resolves to the unicom address
    > ns1.magedu.com
    Server:     192.168.170.8
    Address:    192.168.170.8#53
    Name:   ns1.magedu.com
    Address: 192.168.170.8
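Because view selection is decided purely by source address and by the order of the view blocks, an ACL or ordering mistake silently hands one network the other network's answers. The following added example (not from the original post) emulates named's selection rule so such mistakes can be tried out without a running server: views are evaluated top to bottom and the first `match-clients` list that contains the client address wins; an address-match-list element can be `any`, a host address or a CIDR prefix. The addresses and view names are the lab's; the helpers ip2int, in_acl and select_view are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how named picks a view
# for a client (first matching view in named.conf order wins).
set -eu

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer (decimal string)
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# in_acl IP ACL: ACL is a comma-separated address-match-list made of "any",
# host addresses or CIDR prefixes; returns 0 when IP matches any element.
in_acl() {
    ip=$(ip2int "$1")
    elems=$(echo "$2" | tr ',' ' ')
    for elem in $elems; do
        case $elem in
            any)  return 0 ;;
            */*)  net=${elem%/*}; bits=${elem#*/} ;;
            *)    net=$elem; bits=32 ;;
        esac
        if [ "$bits" -eq 0 ]; then return 0; fi
        net=$(ip2int "$net")
        # compare the top $bits bits; awk avoids 32-bit shell arithmetic limits
        same=$(awk -v a="$ip" -v b="$net" -v bits="$bits" \
                   'BEGIN { m = 2 ^ (32 - bits); r = (int(a / m) == int(b / m)); print r }')
        if [ "$same" -eq 1 ]; then return 0; fi
    done
    return 1
}

# select_view CLIENT_IP "view=acl" ... : prints the first view whose ACL matches,
# or REFUSED (exit status 1) when none does, which is what named would answer.
select_view() {
    src=$1; shift
    for spec in "$@"; do
        view=${spec%%=*}
        acl=${spec#*=}
        if in_acl "$src" "$acl"; then
            echo "$view"
            return 0
        fi
    done
    echo REFUSED
    return 1
}

# The lab's named.conf: telecom and unicom are /32 ACLs, others catches the rest.
LAB_VIEWS='telecom=192.168.170.8 unicom=192.168.170.9 others=any'

for client in 192.168.170.8 192.168.170.9 10.2.10.56; do
    echo "$client -> $(select_view "$client" $LAB_VIEWS)"
done
# A catch-all placed first shadows every later view: everyone gets "others".
echo "misordered: 192.168.170.8 -> $(select_view 192.168.170.8 others=any telecom=192.168.170.8)"
```

Each `view=acl` argument mirrors one `view` block and its `match-clients`; to test a real configuration, list the views in the same order as in named.conf and feed the addresses of the clients (and of the slave) whose answers you care about.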

This completes the smart DNS setup.