Marco Education week 9 homework (36)

1. Describe the TLS communication process (as shown in the figure)

SSL: Secure Sockets Layer
TLS: Transport Layer Security
1995: SSL 2.0 (Netscape)
1996: SSL 3.0
1999: TLS 1.0 (RFC 2246)
2006: TLS 1.1, IETF (Internet Engineering Task Force) RFC 4346
2008: TLS 1.2 (RFC 5246), the version most deployments use today
2018: TLS 1.3 (RFC 8446)
Functions: confidentiality, authentication, integrity, replay protection
TLS is a two-phase protocol: a handshake phase followed by the application data phase.
Handshake phase (negotiation phase): the client authenticates the server, and optionally the server authenticates the client, using X.509 digital certificates, so this step depends on a PKI. The two sides also negotiate the security parameters for the session: the cipher suite and a shared master secret (MasterSecret). Every key used afterwards (the encryption and MAC keys for each direction) is derived from this master secret.
Application phase: once the handshake has completed, both sides protect application data with the keys negotiated during the handshake. A handshake failure (for example a server certificate the client does not trust) aborts the connection before any application data is sent.

[Figure: the TLS handshake and application phases. Image from Marco Education]

2. How to get a browser to recognize a self-signed certificate

What is a self-signed certificate?

Certificates from publicly trusted CAs usually cost money. If both the client and the server are under our own control, a self-signed certificate can be used instead.

CA-signed certificate

A CA-signed certificate is one we issue ourselves while acting as the certificate authority: we create a CA certificate and use it to sign server certificates. A client that imports and trusts the CA certificate thereby trusts every certificate signed by that CA, which is how a browser can be made to accept our own certificates.

Here we create the certificates with openssl.

OpenSSL is an open-source cryptographic toolkit.

The SSL/TLS protocol relies on a range of cryptographic primitives to protect data: symmetric ciphers, public-key cryptography, digital signatures, certificates, integrity checks (MACs) and a pseudo-random number generator. Because implementing these algorithms correctly is hard, the open-source community maintains the OpenSSL library, which provides ready-made standard implementations; other developers only need to call them correctly to add SSL/TLS encryption and decryption to their software.

Generating a CA certificate and a CA-signed server certificate with openssl on Linux

Generating the CA certificate

1) Generate the CA private key (2048-bit RSA, encrypted with a passphrase; 1024-bit RSA keys are too weak to use today)

openssl genrsa -des3 -out ca.key 2048

2) Generate the self-signed CA certificate (yes, a root CA certificate is itself a self-signed certificate)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Enter the passphrase for ca.key, then fill in the subject fields as appropriate. In the Common Name field enter the name you want to use (the CA's name here; for the server certificate below, the server's domain name).

If you do not want to enter the passphrase every time the key file is used, strip it with the following command. An unencrypted CA key is then protected only by file permissions, so keep it mode 600 and away from the web server.

openssl rsa -in ca.key -out ca.key

Signing a server certificate with the CA certificate

1) Generate the server private key

openssl genrsa -des3 -out server.key 2048

2) Generate a certificate signing request (CSR) for the server

openssl req -new -key server.key -out server.csr

Enter the requested fields (the Common Name should be the domain name the server will be reached by) to obtain the request file server.csr.

3) Sign the request with the CA certificate and key to produce the server certificate

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Configure the server with server.crt and server.key, and import ca.crt into the browser's (or operating system's) trusted root certificate store; the browser then accepts server.crt because it chains to a CA it trusts. Two caveats: current browsers match the host name against the certificate's subjectAltName extension rather than the Common Name, so a certificate carrying only a CN is still rejected and the request should include a SAN for the domain name; and every certificate the CA issues needs a distinct serial number, because Firefox rejects a second certificate that reuses the issuer and serial of one it has already seen.
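The handshake and application phases from section 1, run in-process against a private CA built the way section 2 does it with openssl. This is an added example, not code from the original post or from OpenSSL: it creates the CA certificate and a CA-signed server certificate in memory (ECDSA P-256 instead of RSA, to keep it short), starts a TLS server on loopback, and connects twice, once trusting the CA and once with an empty trust store. The names "linux.com CA" and "www.linux.com" are assumptions taken from the DNS section of this page.

```go
// Added example, not code from the original post: the TLS handshake and
// application phases of section 1, run in-process against a private CA built
// as section 2 does with openssl. The names "linux.com CA"/"www.linux.com"
// and using ECDSA P-256 instead of RSA are assumptions of this example.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a one-year certificate for cn, self-signed when parent is nil
// (the CA, openssl req -x509) and CA-signed otherwise (openssl x509 -req -CA).
// sans fills subjectAltName, which browsers match the host name against.
func newCert(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do in a demo
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: server authentication only
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced: always parses
	return cert, key
}

// runHandshake serves one TLS connection on loopback with srv and connects a
// client that trusts only roots. A server certificate the client cannot chain
// to roots fails at Dial: the handshake aborts and no application data is sent.
func runHandshake(srv tls.Certificate, roots *x509.CertPool, name string) (tls.ConnectionState, string, error) {
	var none tls.ConnectionState
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return none, "", err
	}
	defer ln.Close()
	go func() { // server side: the first Read drives the handshake, then echo one message
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			buf := make([]byte, 64)
			if n, err := c.Read(buf); err == nil {
				c.Write(buf[:n])
			}
		}
	}()
	// Handshake phase: authenticate the server against roots, agree on a cipher suite and keys.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: name, MinVersion: tls.VersionTLS12})
	if err != nil {
		return none, "", err
	}
	defer conn.Close()
	// Application phase: records protected with keys derived from the master secret.
	if _, err := conn.Write([]byte("GET / HTTP/1.0\r\n")); err != nil {
		return none, "", err
	}
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return conn.ConnectionState(), string(buf[:n]), err
}

// Demo builds the CA and a CA-signed server certificate, then connects twice:
// with the CA trusted (succeeds) and with an empty trust store (rejected as an
// unknown authority, which is what a browser does until ca.crt is imported).
func Demo() (st tls.ConnectionState, echo string, untrustedRejected bool, err error) {
	ca, caKey := newCert("linux.com CA", nil, nil, nil)
	leaf, leafKey := newCert("www.linux.com", []string{"www.linux.com"}, ca, caKey)
	srv := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	if st, echo, err = runHandshake(srv, trusted, "www.linux.com"); err != nil {
		return st, "", false, err
	}
	_, _, err = runHandshake(srv, x509.NewCertPool(), "www.linux.com")
	var unknown x509.UnknownAuthorityError
	return st, echo, errors.As(err, &unknown), nil
}

func main() {
	st, echo, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("version 0x%04x, suite %s, server CN %q, echoed %q\n", st.Version,
		tls.CipherSuiteName(st.CipherSuite), st.PeerCertificates[0].Subject.CommonName, echo)
	fmt.Println("rejected without the CA in the trust store:", rejected)
}
```

Run with go run; the first connection reports the negotiated protocol version and cipher suite (the output of the handshake phase) and the echoed request (application phase), while the second is refused before any data is sent, exactly as a browser refuses a site whose CA it has not imported. Passing a nil RootCAs would fall back to the system trust store, so the rejection test deliberately uses an empty pool.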

3. Set up a DNS server

CentOS 6 (6.7 here):

1. Check whether the bind packages are installed; by default only the following two are present

[root@centos named]# rpm -qa | grep bind

bind-libs-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-utils-9.8.2-0.47.rc1.el6_8.4.x86_64

2. Install the following two packages:

bind-chroot-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-9.8.2-0.47.rc1.el6_8.4.x86_64

[root@centos named]# yum -y install bind-chroot-9.8.2-0.47.rc1.el6_8.4.x86_64 bind-9.8.2-0.47.rc1.el6_8.4.x86_64

Check that the installation completed successfully

[root@localhost ~]# rpm -qa | grep bind

bind-devel-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-utils-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-chroot-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-libs-9.8.2-0.47.rc1.el6_8.4.x86_64

bind-9.8.2-0.47.rc1.el6_8.4.x86_64

// bind, bind-chroot and bind-libs are now present: the installation succeeded

In this example the server's IP address is 192.168.1.10 with subnet mask 255.255.255.0 and hostname centos.linux.com; the firewall and SELinux are turned off for the lab. Do not do that on a production server: keep SELinux enforcing and open only 53/tcp and 53/udp, as step 16 below does.

3. Set the IP address and subnet mask

[root@centos named]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
DNS1=8.8.8.8

// Set DNS1 according to your situation: Google's 8.8.8.8, or your local DNS server.

4. Change the hostname

[root@centos named]# vim /etc/sysconfig/network

5. Set SELinux to disabled

[root@centos named]# vim /etc/selinux/config

6. Turn off the firewall service

[root@centos named]# chkconfig iptables off
[root@centos named]# chkconfig --list iptables

7. Restart the system for the configuration to take effect

8. Set up the primary DNS server:

[root@centos named]# cd /etc/
[root@centos named]# cp named.conf named.bak

Take a backup first so that a mistake can be reverted.

9. Edit the main configuration file; two settings are changed to any

[root@centos named]# vim /etc/named.conf

options {
        listen-on port 53 { any; };    // was { 127.0.0.1; }: listen on all interfaces
        ...
        allow-query     { any; };      // was { localhost; }: answer queries from any client
        ...

Caveat: the stock named.conf also contains recursion yes;. Combined with allow-query { any; } that makes the server an open resolver that anyone on the network can use for cache-poisoning attempts or DNS amplification. For a server that is only authoritative for linux.com, add recursion no; to the options block, or restrict recursion with allow-recursion { localnets; }; if internal clients need it.

10. Declare the zones
Forward and reverse zones can be declared directly in /etc/named.conf (not recommended). Near the end of /etc/named.conf there are two include statements, one of which is include "/etc/named.rfc1912.zones";, and that file is where zone declarations normally go. A custom file can be used instead, as long as it is included from /etc/named.conf.

Here we use the default file /etc/named.rfc1912.zones; run

vim /etc/named.rfc1912.zones

Edit the file and add the forward zone (using the domain linux.com as the example):

zone "linux.com" IN {
        type master;
        file "linux.com.zone";
};

and the reverse zone:

zone "1.168.192.in-addr.arpa." IN {
        type master;
        file "1.168.192.zone";
};
11. Write the forward zone file

The directory option in /etc/named.conf sets where named looks for zone files; the default is /var/named.

cd /var/named/    // go to that directory

cp named.localhost linux.com.zone    // use named.localhost as the template for the forward zone file and edit the copy. Inside linux.com.zone, fully qualified names must end with a dot; a name without the trailing dot gets the zone origin (linux.com.) appended. Fields are separated by whitespace (tabs or spaces both work).

[Figure: the forward zone file linux.com.zone. Picture from the network]

12. Write the reverse zone file (tip: copy the forward zone file and change the A/CNAME records into PTR records)

[Figure: the reverse zone file 1.168.192.zone. Picture from the network]
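The two zone files the figures showed, reconstructed as an added example from the nslookup results in step 17 (these are not the page's own files). The records match that output: centos.linux.com is 192.168.1.10, www.linux.com is a CNAME for it, and the 10 address has PTR records for both names. The NS name centos.linux.com, the SOA contact root.linux.com (the mailbox root@linux.com written with a dot) and the serial values are assumptions.

```zone
; /var/named/linux.com.zone  (forward zone; the origin linux.com. comes from named.rfc1912.zones)
$TTL 1D
@       IN  SOA   centos.linux.com. root.linux.com. (
                  2019070101  ; serial, YYYYMMDDnn: increase it on every change or secondaries never reload
                  1D          ; refresh
                  1H          ; retry
                  1W          ; expire
                  3H )        ; minimum, the negative-cache TTL
        IN  NS    centos.linux.com.
centos  IN  A     192.168.1.10
www     IN  CNAME centos.linux.com.

; /var/named/1.168.192.zone  (reverse zone for 192.168.1.0/24; origin 1.168.192.in-addr.arpa.)
$TTL 1D
@       IN  SOA   centos.linux.com. root.linux.com. (
                  2019070101 1D 1H 1W 3H )
        IN  NS    centos.linux.com.
10      IN  PTR   centos.linux.com.
10      IN  PTR   www.linux.com.   ; matches the page's output; normally only the canonical name gets a PTR
```

Check each file against the zone name it is declared with, named-checkzone linux.com /var/named/linux.com.zone and named-checkzone 1.168.192.in-addr.arpa /var/named/1.168.192.zone; a missing $TTL or a trailing dot left off an NS or CNAME target is what these checks most often catch. The files only need to be readable by the named group (owner root:named, mode 640), not by everyone.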

13. Once the main configuration and both zones are written, check the syntax; this is the step where BIND setups most often go wrong. named-checkconf checks the configuration file and named-checkzone checks a zone file against the zone name it is declared with.
Check the forward zone:

[root@centos named]# named-checkconf /etc/named.conf

[root@centos named]# named-checkzone linux.com /var/named/linux.com.zone

Check the reverse zone (the zone name passed to named-checkzone must be the one declared in step 10, 1.168.192.in-addr.arpa, not linux.com):

[root@centos named]# named-checkconf /etc/named.conf

[root@centos named]# named-checkzone 1.168.192.in-addr.arpa /var/named/1.168.192.zone

14. Then add the server's own address, 192.168.1.10, as the name server in /etc/resolv.conf:

vim /etc/resolv.conf
nameserver 192.168.1.10

15. Restart the service

On CentOS 6.x, service named restart restarts named and chkconfig named on makes it start at boot.

On CentOS 7.x, systemctl restart named restarts named and systemctl enable named makes it start at boot.

Here, on CentOS 6.7, that is

[root@localhost named]# service named restart

[root@localhost named]# chkconfig named on

16. Configure the firewall

If the firewall was disabled in step 6, these are the rules to use when turning it back on: UDP carries ordinary queries, TCP is needed for large responses and zone transfers.

On CentOS 7.x:

[root@localhost ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent

[root@localhost ~]# firewall-cmd --zone=public --add-port=53/udp --permanent

Reload the firewall so the change takes effect immediately:

[root@localhost ~]# firewall-cmd --reload

Check the configuration with:

[root@localhost ~]# firewall-cmd --list-all

On CentOS 6.x:

/sbin/iptables -I INPUT -p tcp --dport 53 -j ACCEPT

/sbin/iptables -I INPUT -p udp --dport 53 -j ACCEPT

Save the rules:

/etc/rc.d/init.d/iptables save

Restart the firewall so the change takes effect immediately:

service iptables restart

17. Before testing, check that named can read the zone files: ll /var/named

(If they are not readable, chmod +r /var/named/* fixes it; making them readable by the named group, chgrp named /var/named/*, is enough and avoids world-readable files.)

If there are errors, look at the log with

[root@centos etc]# tail /var/log/messages

and fix whatever it reports.


Forward lookup succeeds

[root@centos named]# nslookup www.linux.com

Server: 192.168.1.10

Address: 192.168.1.10#53

www.linux.com canonical name = centos.linux.com.

Name: centos.linux.com

Address: 192.168.1.10

Reverse lookup succeeds

[root@centos named]# nslookup 192.168.1.10

Server: 192.168.1.10

Address: 192.168.1.10#53

10.1.168.192.in-addr.arpa name = centos.linux.com.

10.1.168.192.in-addr.arpa name = www.linux.com.

If lookups fail:

[root@centos named]# service network restart    // restart the network first

Shutting down interface eth0: [ OK ]

Shutting down loopback interface: [ OK ]

Bringing up loopback interface: [ OK ]

Bringing up interface eth0: Determining if ip address 192.168.1.10 is already in use for device eth0...

                                                       [  OK  ]

[root@centos named]# service named restart    // then restart the DNS service, then try the lookup again

Stopping named: . [ OK ]

Starting named: [ OK ]

4. Get familiar with DNSPod record types

DNSPod is a Chinese provider of intelligent (geo-aware) DNS. It offers websites free dual-line or multi-line resolution across China Telecom, China Netcom and the education network, and is described as the largest free DNS resolution provider in China.

A record
To point a domain name at an IPv4 address, add an A record.
CNAME record
To point a domain name at another domain name, whose IP address is then supplied by that other name, add a CNAME record.
The most common uses of CNAME are CDNs and enterprise mail services.
MX record
To set up mail for the domain so that mailboxes can receive mail, add an MX record.
TXT record
To attach identifying or descriptive text to a domain name, use a TXT record; the vast majority of TXT records carry SPF data (anti-spam).
Implicit / explicit URL record
To redirect a domain name to an existing website, add a URL record (DNSPod implements this as an HTTP redirect, shown or hidden in the browser's address bar depending on the explicit/implicit choice).
AAAA record
To let visitors reach the domain name over an IPv6 address, use an AAAA record.
NS record
To delegate resolution of the domain (or a subdomain) to another DNS provider, add NS records.
SRV record
An SRV record identifies the server providing a given service; it is common in Microsoft directory services (Active Directory).


Source: blog.51cto.com/14387464/2414183