Tenth learning summary

1. Briefly describe the DNS service, and set up a DNS server: master-slave replication and subdomain delegation

DNS is the abbreviation of "Domain Name System"; it resolves host names to IP addresses. Hosts on a network find each other by IP address, but IP addresses are hard for people to remember while host names are easy, so communicating by host name requires a large amount of work mapping host names to IP addresses, which is what DNS does. DNS uses an inverted tree structure in which host names are managed hierarchically and in a distributed way.

DNS queries are divided into recursive queries and iterative queries. In a recursive query the requester sends a single request; the receiving server performs as many further queries as needed and returns the final result to the requester (this is what usually happens between a client host and its local DNS server). In an iterative query the requester sends a request, and if the receiving server has no matching information in its local database it tells the requester to ask the root name servers, which in turn point one level further down, so the requester obtains the result only after several independent queries (this is usually seen between the local DNS server and the DNS servers above it in the hierarchy).
DNS server types: (1) primary (master) name server: stores and maintains the configuration information for the domains under its jurisdiction and provides accurate answers to host-name-to-IP queries. (2) secondary (slave) name server: synchronizes the domain configuration information from the primary name server and can also provide accurate answers, but it cannot itself update the domain's zone information. (3) caching name server: caches the domain information it has queried and uses it to answer the same queries later. The cached information carries an expiration time, so a caching server gives fast but not authoritative answers, because the information it holds can expire.

Building master-slave DNS servers. Assume the primary DNS server's IP is 192.168.1.100 and the slave DNS server's IP is 192.168.1.101.

(1) Log in to the primary DNS server and the slave DNS server and install the DNS server software: as the root user, run yum install bind
(2) Then modify the main DNS configuration file /etc/named.conf on the primary DNS server:

options {
        listen-on port 53 { any; };        // listening port and which hosts may reach the server; any means all
        directory "/var/named";            // directory holding the zone database files
        allow-query { any; };              // which hosts are allowed to send queries
        recursion yes;                     // answer recursive queries on behalf of clients
                                           // (with allow-query { any; } this is an open resolver; in production limit recursion to your own networks)
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "magedu.com" IN {
        type master;
        file "magedu.com";
        allow-transfer { 192.168.1.101; };  // which slave DNS servers may transfer (synchronize) the zone data; several IPs are separated by semicolons, and the list ends with a semicolon
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "named.192.168.1";
        allow-transfer { 192.168.1.101; };
};

(3) Modify the DNS configuration file on the slave DNS server:

options {
        listen-on port 53 { any; };        // listening port and which hosts may reach the server; any means all
        directory "/var/named";            // directory holding the zone database files
        allow-query { any; };              // which hosts are allowed to send queries
        recursion yes;                     // answer recursive queries on behalf of clients
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "magedu.com" IN {
        type slave;                        // this machine is the slave DNS server for the zone
        file "slaves/magedu.com";          // where the synchronized zone is stored; a path relative to the /var/named/ directory
        masters { 192.168.1.100; };        // address of the primary server
};

zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/named.192.168.1";
        masters { 192.168.1.100; };
};

(4) Modify the zone database files on the primary DNS server (the slave DNS server does not need to define them). Forward zone file:

$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2019011301      ; serial
        1H              ; refresh
        5M              ; retry
        1W              ; expire
        86400 )         ; negative-answer TTL
@ IN NS ns1.magedu.com.
@ IN NS slave.magedu.com.
@ IN MX 10 mail.magedu.com.
ns1 IN A 192.168.1.110
slave IN A 192.168.1.111
www IN A 192.168.1.110
ftp IN A 192.168.1.110
web IN CNAME ftp        ; a CNAME record carries no "A" type field; web is an alias for ftp

Note: two records have been added for the slave server (its NS record and the A record for slave). The A records must carry the addresses the name servers actually listen on; this file uses 192.168.1.110 and 192.168.1.111 while the servers were assumed above to be at 192.168.1.100 and 192.168.1.101, so adjust one or the other so that they match.

Reverse zone file:

$TTL 86400
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2019011301
        1H
        5M
        1W
        86400 )
@ IN NS ns1.magedu.com.
@ IN NS slave.magedu.com.
110 IN PTR ns1.magedu.com.
111 IN PTR slave.magedu.com.
110 IN PTR www.magedu.com.      ; PTR targets must be fully qualified (trailing dot);
110 IN PTR ftp.magedu.com.      ; a bare "www" would be expanded under 1.168.192.in-addr.arpa
110 IN PTR web.magedu.com.

(5) Restart the named service on the primary DNS server and the slave DNS server

cd /var/named
chown named:named named.192.168.1 magedu.com     (only on the primary DNS server)
service named restart

(6) Observe
Check whether the zone files have been synchronized to the slave DNS server: they are placed under the /var/named directory (in the slaves/ subdirectory named in its configuration).
Watch the log file: /var/log/messages

Subdomain delegation:
Define the subdomain in the parent domain's zone file on this name server:
vim /var/named/magedu.com

$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2019011301
        1H
        5M
        1W
        86400 )
@ IN NS ns1.magedu.com.
@ IN NS slave.magedu.com.
ops.magedu.com. IN NS ns1.ops.magedu.com.      ; add the NS record delegating the subdomain
@ IN MX 10 mail.magedu.com.
ns1 IN A 192.168.1.110
ns1.ops.magedu.com. IN A 192.168.1.120         ; add the corresponding A (glue) record
slave IN A 192.168.1.111
www IN A 192.168.1.110
ftp IN A 192.168.1.110
web IN CNAME ftp

Of course, the subdomain's own name server also needs a zone file for the subdomain, configured in the same format as the parent domain's, so that names in the subdomain can be resolved.
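As an added example that is not part of the original post, the following Python zone-file linter catches the hand-editing mistakes the forward, reverse and delegation files above are prone to: an A line that also names CNAME, a PTR target without the trailing dot, a CNAME owner that also carries other records, an in-zone NS name without a glue A record, and a non-numeric serial. The parser and the two sample zones are constructed here and assume the zone syntax used on this page.

```python
import re
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def parse_zone(text, origin=""):
    """Return (origin, [(owner_fqdn, rtype, rdata)]); joins '( ... )' continuations."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                      # drop zone-file comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                                    # still inside ( ... )
            continue
        tokens, buf = " ".join(buf).split(), []
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1]
        if not tokens or tokens[0].startswith("$") or "IN" not in tokens:
            continue
        name = tokens[0]                                 # '@' and relative names expand to origin
        owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        i = tokens.index("IN")
        records.append((owner, tokens[i + 1], tokens[i + 2:]))
    return origin, records

def lint_zone(text, origin=""):
    """Return the list of problems found (an empty list means the zone looks clean)."""
    origin, records = parse_zone(text, origin)
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA" and not (len(rdata) == 7 and rdata[2].isdigit()):
            problems.append(f"{owner}: SOA needs mname, rname, a numeric serial and four timers")
        elif rtype == "A" and not (len(rdata) == 1 and IPV4.match(rdata[0])):
            problems.append(f"{owner}: A data {' '.join(rdata)!r} is not an IPv4 address")
        elif rtype == "CNAME" and types[owner] != {"CNAME"}:
            problems.append(f"{owner}: CNAME must not coexist with other record types")
        elif rtype == "PTR" and not rdata[0].endswith("."):
            problems.append(f"{owner}: PTR target {rdata[0]!r} is relative (expands under the zone)")
        elif (rtype == "NS" and origin and rdata[0].endswith("." + origin)
              and "A" not in types.get(rdata[0], ())):
            problems.append(f"{owner}: in-zone NS {rdata[0]} has no A (glue) record")
    return problems

# Constructed samples: a cut-down forward zone keeping the faulty 'web' line, and a reverse zone whose last PTR lacks the dot.
FORWARD = """$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2019011301 1H 5M 1W 86400 )
web IN A CNAME ftp
"""
REVERSE = "@ IN NS ns1.magedu.com.\n110 IN PTR ns1.magedu.com.\n110 IN PTR www\n"
```

Run lint_zone on each zone file before reloading named; a reverse zone without a $ORIGIN line needs its origin passed as the second argument, as in lint_zone(REVERSE, "1.168.192.in-addr.arpa.").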

2. Briefly describe the HTTP service, user-based access control, virtual hosts and HTTPS

(1) HTTP service:
HTTP is an object-oriented protocol belonging to the application layer; because it is simple and fast it suits distributed hypermedia information systems. Its main features are as follows:
(1.1) supports the client/server model
(1.2) simple and fast: when a client requests a service from the server it only sends the request method and path; the common request methods are GET, POST and HEAD.
(1.3) flexible: HTTP allows the transmission of any type of data object
(1.4) connectionless: each connection handles only one request
(1.5) stateless: HTTP is a stateless protocol.
Common HTTP servers: Apache and Nginx

(2) User-based access control
The following uses the basic authentication mechanism to implement user-based access control.
(2.1) Define the security domain

<Directory "/devops/html/">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Only for user who Regist before"
        AuthUserFile /etc/httpd/users/.htpasswd
        Require user user1 user2
</Directory>

Here only user1 and user2 are allowed, and they must appear in the AuthUserFile file; these are virtual users of httpd rather than system users.
(2.2) Provide the user account file
Use the htpasswd command to maintain it:
htpasswd [OPTIONS] passwdfile userName
The options include:
-c: create the file when adding the first user
-m: store the user's password hashed in MD5 format
-s: store the user's password hashed in SHA format
-D: delete the specified user
(2.3) Group-based authentication

<Directory "/devops/html/">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Only for user who Regist before"
        AuthUserFile /etc/httpd/users/.htpasswd
        AuthGroupFile /etc/httpd/users/.htgroup
        Require group group1 group2
</Directory>

Then each line in the group file defines one group, in this format:

group1: user1 user2
group2: user3 user4
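An added example, not from the original post, of what httpd does with these two files: it produces the {SHA} form that htpasswd -s writes, decodes the Basic Authorization header, verifies the password in constant time, and applies the Require group rule. The sample file contents are constructed here from the user and group names used above.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    """The '{SHA}' field that 'htpasswd -s' writes: base64(SHA-1(password)), unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse_htpasswd(text):
    """'user:hash' per line -> {user: hash}."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def parse_htgroup(text):
    """'group: user1 user2' per line -> {group: {users}}."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def parse_basic(header):
    """Decode 'Basic <base64(user:password)>' from an Authorization header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def check_password(users, user, password):
    """Constant-time check of a {SHA} entry; other hash formats are rejected, not guessed."""
    stored = users.get(user, "")
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def authorize(users, groups, user, password, required_groups):
    """'Require group g1 g2 ...': the password must verify AND the user must belong
    to at least one of the listed groups (as read from AuthGroupFile)."""
    if not check_password(users, user, password):
        return False
    return any(user in groups.get(g, set()) for g in required_groups)

# Constructed sample files matching the AuthUserFile / AuthGroupFile directives above.
HTPASSWD = f"user1:{sha_entry('password')}\nuser3:{sha_entry('s3cret')}\n"
HTGROUP = "group1: user1 user2\ngroup2: user3 user4\n"
```

{SHA} is unsalted SHA-1 and -m is the apr1 MD5 scheme; on Apache 2.4 prefer htpasswd -B (bcrypt). Since Basic sends the credentials merely base64-encoded in every request, serve directories protected this way only over HTTPS.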

(3) Implement virtual hosts:
One physical host can serve multiple sites, and each site can be provided by one or more virtual hosts. To enable virtual hosts, first disable the main server ("central host"), that is, comment out the global DocumentRoot directive.
Virtual hosts can be implemented in three ways:
(3.1) Based on IP address: requires that all the IP addresses are valid and usable for communication

<VirtualHost  192.168.10.51:80>
 ServerName  www.foo.com
 DocumentRoot  /vhost/foo.com/htdocs/
</VirtualHost>
<VirtualHost  192.168.10.61:80>
 ServerName  www.bar.com
 DocumentRoot  /vhost/bar.com/htdocs/
</VirtualHost>

(3.2) Based on port

<VirtualHost  192.168.10.51:80>
 ServerName  www.foo.com
 DocumentRoot  /vhost/foo.com/htdocs/
</VirtualHost>
<VirtualHost  192.168.10.51:8080>
 ServerName  www.bar.com
 DocumentRoot  /vhost/bar.com/htdocs/
</VirtualHost>

(3.3) Based on FQDN (name-based)

<VirtualHost  192.168.10.51:80>
 ServerName  www.foo.com
 DocumentRoot  /vhost/foo.com/htdocs/
</VirtualHost>
<VirtualHost  192.168.10.51:80>
 ServerName  www.bar.com
 DocumentRoot  /vhost/bar.com/htdocs/
</VirtualHost>
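Added example, not from the original post, showing how httpd picks a name-based virtual host: the first host listed for an ip:port is the default that receives every request whose Host header matches nothing, which is why a dedicated catch-all host is listed first here. The configuration text is constructed; the ServerAlias line is an addition to the hosts from (3.3).

```python
import re
from fnmatch import fnmatch

# Constructed httpd snippet: a catch-all host listed FIRST for the address, then the
# two name-based hosts from (3.3) above (ServerAlias added to show wildcard matching).
HTTPD_CONF = """
<VirtualHost 192.168.10.51:80>
    ServerName default.invalid
    DocumentRoot /vhost/default/htdocs/
</VirtualHost>
<VirtualHost 192.168.10.51:80>
    ServerName www.foo.com
    ServerAlias foo.com *.foo.com
    DocumentRoot /vhost/foo.com/htdocs/
</VirtualHost>
<VirtualHost 192.168.10.51:80>
    ServerName www.bar.com
    DocumentRoot /vhost/bar.com/htdocs/
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [{'addr', 'names', 'root'}] in configuration order (the order matters)."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        vh = {"addr": addr.strip(), "names": [], "root": None}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0] == "ServerName":
                vh["names"].insert(0, parts[1].lower())
            elif parts and parts[0] == "ServerAlias":
                vh["names"] += [a.lower() for a in parts[1:]]
            elif parts and parts[0] == "DocumentRoot":
                vh["root"] = parts[1]
        vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, conn_addr, host_header):
    """httpd's name-based choice: among the hosts bound to the connection's ip:port,
    the first whose ServerName/ServerAlias matches the Host header wins; when nothing
    matches, the first host listed for that address serves the request."""
    host = host_header.rsplit(":", 1)[0].lower()       # drop an explicit :port
    candidates = [vh for vh in vhosts if vh["addr"] == conn_addr]
    for vh in candidates:
        if any(fnmatch(host, pattern) for pattern in vh["names"]):
            return vh
    return candidates[0] if candidates else None
```

A request carrying an unexpected or forged Host header therefore lands on whichever site is listed first for that address; giving that slot to a host that serves nothing keeps such requests away from the real sites.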

(4) Implement HTTPS:
    HTTPS is HTTP over SSL; it is accessed via https:// and the default port is 443. Note that an SSL session is created based on the IP address, so a host with a single IP can only use one HTTPS virtual host.
    (4.1) Apply for a digital certificate for the server
        Create a private CA:

openssl genrsa -out rootkey.pem 2048
openssl req -new -key rootkey.pem -out root.csr
# -extensions only takes effect together with -extfile <config file containing that section>; without -extfile no extensions are added
openssl x509 -req -days 365 -extensions v3_ca -signkey rootkey.pem -in root.csr -out root.crt

Create the server's private key:

openssl genrsa -out serverkey.pem 2048

Create a certificate signing request on the server:

openssl req -new -key serverkey.pem -out server.csr

Have the CA sign the certificate:

# as above, -extensions v3_req is only applied when -extfile names the config file that defines it
openssl x509 -req -days 3650 -extensions v3_req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -out server.crt

(4.2) Configure httpd to support SSL and use the certificate files:
yum -y install mod_ssl

Configuration file: /etc/httpd/conf.d/ssl.conf; set the following directives:
DocumentRoot
ServerName
SSLCertificateFile        the server certificate file (server.crt)
SSLCertificateKeyFile     the server certificate's private key (serverkey.pem)

 

Origin: www.cnblogs.com/yurong001122/p/11443715.html