Marco 2016 new Linux+python high-end Operation Nineth Week

1, detailed description of the process of encrypting communication, combined with the best diagram.

SSL Protocol Basics:

The SSL protocol is located between the TCP/IP protocol and various application layer protocols, and is divided into two tiers:

1) SSL recording protocol: based on the Reliable Transport Layer Protocol (TCP), it provides the basic functions of data encapsulation, compression and encryption for the upper layer protocol.

2) SSL Handshake Protocol: On the SSL record protocol, before the actual data transmission, the communication parties authenticate, negotiate the encryption algorithm, Exchange encryption key and so on.

SSL protocol Communication process:

1) The browser sends a connection request to the server, and the server returns its own certificate (containing the server public key S_pukey), the symmetric cryptographic algorithm type, and other related information to the client.

2) The client browser checks whether the server is routed to the CA certificate issued by its trusted CA center. If so, perform step 4th; otherwise, give the customer a warning message: ask if you want to continue accessing

3) The client browser compares the information in the certificate, such as the certificate validity period, the server domain name and the public key S_PK, the information returned by the server is consistent, and if so, the browser completes the authentication to the server.

4) The server requires clients to send client certificates (including client public key C_pukey), supported symmetric encryption schemes, and other related information. After receiving, the server carries the same authentication, and if it does not pass the authentication, the connection is refused;

5) The server according to the client browser sent to the type of password, choose a maximum encryption scheme, with the client public key C_pubkey encrypted after the notification to the browser;

6) After the client decrypts the private key C_prkey, it learns the encryption scheme selected by the server, selects a call key key, and then sends the server with the server public key S_pukey encryption;

7) The server received the browser sent to the message, with the private key S_prkey decryption, get the call key key.

8) The next data transfer is encrypted using the symmetric key key.

Described above is the two-way authentication SSL protocol specific communication process, both the server and the user must have a certificate. This shows that the SSL protocol is through asymmetric key mechanism to ensure both authentication, and to complete the establishment of the connection, in the actual data communication

The data security is ensured by the symmetric key mechanism.

2. Describes the process of creating a private CA, and a method certificate for the certificate request sent to the client.

(1) configuration file:/etc/pki/tls/openssl.cnf

To create the required files:

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7B/wKioL1gVUfTzC0f2AAAVmMs7spk253.jpg "title=" 1.jpg " alt= "Wkiol1gvuftzc0f2aaavmms7spk253.jpg"/>

(2) CA Server self-visa certificate:

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M00/89/7B/wKioL1gVUoChAcoJAAAup2wX7P8834.jpg "title=" 2.jpg " alt= "Wkiol1gvuochacojaaaup2wx7p8834.jpg"/>

-new: Generate a new certificate signing request;

-x509: Dedicated to CA generate self-signed certificate;

-key: The private key file used to generate the request;

-days N: Validity period of the certificate;

-out/path/to/somecertfile: Save path to Certificate

(3) Issuing certificate:

1) The client generates a certificate request:

Configuration file

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7E/wKiom1gVVLDgYdgPAAAXRFKQ6dY157.jpg "title=" 5.jpg " alt= "Wkiom1gvvldgydgpaaaxrfkq6dy157.jpg"/>

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M01/89/7B/wKioL1gVVHbw3NrYAAAYUkkZfYA019.jpg "style=" float: none; "title=" 6.jpg "alt=" Wkiol1gvvhbw3nryaaayukkzfya019.jpg "/>

2) Transfer the request file to the CA server:

If the SCP tool is not installed, it can be installed using our configured yum install openssh-clients.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/89/7E/wKiom1gVU7mA6nIVAAANEMjvQxc400.jpg "style=" float: none; "title=" 4.jpg "alt=" Wkiom1gvu7ma6nivaaanemjvqxc400.jpg "/>

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M02/89/7B/wKioL1gVVXiDZYrJAAAOwsU48XM423.jpg "title=" 7.jpg " alt= "Wkiol1gvvxidzyrjaaaowsu48xm423.jpg"/>

3) The CA signs the certificate and sends the certificate back to the requestor:

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M00/89/7E/wKiom1gVVqjgWD9bAABDsUuYG0c233.jpg "style=" float: none; "title=" 8.jpg "alt=" Wkiom1gvvqjgwd9baabdsuuyg0c233.jpg "/>

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M00/89/7B/wKioL1gVVqiyH3VaAAAVBGYRpNA985.jpg "style=" float: none; "title=" 9.jpg "alt=" Wkiol1gvvqiyh3vaaaavbgyrpna985.jpg "/>

3, build a set of DNS server, responsible for resolving magedu.com domain name (host name and IP)

(1), able to some host names for forward parsing and reverse parsing;

(2), sub-domain cdn.magedu.com subdomain authorization, subdomain is responsible for resolving the host name in the corresponding subdomain;

(3), in order to ensure the high availability of the DNS service system, please design a set of programs, and write a detailed implementation process

To install first:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/89/7E/wKiom1gVW3rwP4xPAAA_MiI-3Eg113.jpg "title=" 10.jpg "alt=" Wkiom1gvw3rwp4xpaaa_mii-3eg113.jpg "/>

The common configuration files are:

/etc/named.conf# Master configuration file

/etc/named.rfc1912.zones# Zone configuration file

/etc/rc.d/init.d/named# Startup scripts

/var/named# Storing area data files

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M01/89/7B/wKioL1gVXPuwyjq3AAA9csowdGg249.jpg "style=" float: none; "title=" 11.jpg "alt=" Wkiol1gvxpuwyjq3aaa9csowdgg249.jpg "/>

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7E/wKiom1gVXPvCS68rAAAmWYafDWc558.jpg "style=" float: none; "title=" 12.jpg "alt=" Wkiom1gvxpvcs68raaamwyafdwc558.jpg "/>

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7B/wKioL1gVXPuCTEwMAAAIjgfY818126.jpg "style=" float: none; "title=" 13.jpg "alt=" Wkiol1gvxpuctewmaaaijgfy818126.jpg "/>

Listen-on Port: (any;}; Represents 53 ports listening on local IP, allowing addresses to be used to access local 53 ports

allow-query {any;}; Allow all addresses to be queried

Recursion Yes, recursive, if no then this DNS server will not be recursive parsing, yes or comment out do not write, the table is allowed, the default is allowed

Include "/etc/named.rfc1912.zones"; Load Zone profile

Forward and Reverse zone resolution

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/89/7F/wKiom1gVeqHxSGxBAAAaPyzpUBs843.jpg "title=" 12.jpg "alt=" Wkiom1gveqhxsgxbaaaapyzpubs843.jpg "/>

Allow-transfer {192.168.199.65;}; Indicates that only 192.168.199.65 is allowed to synchronize the data, that is, its auxiliary DNS, multiple IPs separated by ";";

Edit zone file for forward parsing

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M00/89/7C/wKioL1gVem7Bm2c0AAAr2XyJbFY193.jpg "title=" 11.jpg "alt=" Wkiol1gvem7bm2c0aaar2xyjbfy193.jpg "/>

Edit a zone file in reverse resolution

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M01/89/7C/wKioL1gVekuhhcryAAAqB3wpu_s857.jpg "title=" 10.jpg "alt=" Wkiol1gvekuhhcryaaaqb3wpu_s857.jpg "/>

Start the service:

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M02/89/7C/wKioL1gVaVLzZmAXAAAIQcYx8ag279.jpg "title=" 19.jpg "alt=" Wkiol1gvavlzzmaxaaaiqcyx8ag279.jpg "/>

Forward parsing:

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7F/wKiom1gVexGAXaDmAABBRm2qgnQ266.jpg "style=" float: none; "title=" 13.jpg "alt=" Wkiom1gvexgaxadmaabbrm2qgnq266.jpg "/>

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M02/89/7C/wKioL1gVexHi_1MWAAAZR4kqM7s179.jpg "style=" float: none; "title=" 14.jpg "alt=" wkiol1gvexhi_1mwaaazr4kqm7s179.jpg "/>650) this.width=650; src= http://s4.51cto.com/ Wyfs02/m00/89/7f/wkiom1gvezjdyo4paaazr4kqm7s374.jpg "title=" 14.jpg "alt=" wkiom1gvezjdyo4paaazr4kqm7s374.jpg "/ >

Reverse parsing:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/89/7C/wKioL1gVe4qTlCRNAABDi-r_NvE192.jpg "style=" float: none; "title=" 15.jpg "alt=" Wkiol1gve4qtlcrnaabdi-r_nve192.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/89/7F/wKiom1gVe4rAqm7mAAAZSNoJ5wE643.jpg "style=" float: none; "title=" 16.jpg "alt=" Wkiom1gve4raqm7maaazsnoj5we643.jpg "/>

To configure Master-slave synchronization:

# Vim/etc/named.rfc1912.zones

Add at the end

Zone "Magedu.com" in {

Type slave;

Masters {192.168.1.65;};

File "Slaves/magedu.com.zone";

Allow-transfer {none;};

};

Zone "1.168.192.in-addr.arpa" in {

Type slave;

Masters {192.168.1.65;};

File "Slaves/1.168.192.zone";

Allow-transfer {none;};

};

The batch type is slave and specifies that the primary server is 192.168.1.65

]# Service named Start

After the service starts, Magedu.com.zone and 199.168.192.zone files are automatically added to the/var/named/slaves/

]# ll/var/named/slaves/

Subdomain Authorization:

Add a server with IP 192.168.1.61 as a subdomain

Add NS and A records to the zone file in the parent domain

]# Vim/var/named/magedu.com.zone

Add to

CDN in NS ns1.cdn.magedu.com.

Ns1.cdn in A 192.168.1.61

[[email protected] ~]# yum-y install bind

[Email protected] ~]# SCP 192.168.1.64:/etc/named.conf/etc/

[Email protected] ~]# Vim/etc/named.rfc1912.zones

Add at the end

Zone "Cdn.magedu.com" in {

Type master;

File "Cdn.magedu.com.zone";

};

Zone "Magedu.com" in {

Type forward;

Forward only;

Forwarders {192.168.1.65;};

};

[Email protected] ~]# Vim/var/named/cdn.magedu.com.zone

$TTL 86400

@ in SOA ns.cdn.magedu.com. Admin.cdn.magedu.com. (

                                                                                                                  2016092201

                                                                                                                  2H

                                                                                                                  5m

                                                                                                                  7d

12H)

In NS ns.cdn.magedu.com.

In MX ten mx1.cdn.magedu.com.

In A 192.168.1.61

NS in A 192.168.1.61

MX1 in A 192.168.1.61

www in A 192.168.1.61

Test

1) Subdomain Testing

[Email protected] ~]# dig @192.168.1.61 www.cdn.magedu.com

2) Parent domain test

[Email protected] ~]# dig-t www.magedu.com

4, please describe a complete HTTP request processing process;

A complete HTTP request process begins when the connection to the TCP three handshake is successful, and the client begins sending an HTTP request to the server in the specified format, after the server receives the request, resolves the HTTP request, processes the business logic, and returns an HTTP response to the client. The HTTP response content also has a standard format.

5. What are the processing models supported by HTTPD, and what environments are they used for?

Prefork: A multi-process model in which each process responds to a request;

A Master process: responsible for generating n sub-processes, also known as the worker process, each child process processing a user request, even if there is no user request, will be pre-generated more than one idle process, waiting for the request to arrive at any time, the maximum no more than 1024, the minimum idle, the number of concurrent response
Prefork: No more than 1024 concurrent requests, high-performance Web servers, this is an order of magnitude difference. 10 times times c10k, this mode is stable, one process crashes and does not affect other processes. ----> Ask a high demand for sex
Worker: Multithreaded model, each thread responds to a request; a master process: generates multiple child processes, each of which is responsible for generating multiple threads, and each thread responds to a request;
m process, n thread: m*n-----> Concurrency slightly higher
Event: Events-driven model, each thread responds to n requests; one Master process: generates m sub-processes, each process directly n requests;
M*n-----> High Concurrency--->

6, the establishment of HTTPD server (based on the compilation method), requires:

provides two name-based virtual hosts:

(a) www1.stuX.com, page file directory is/WEB/VHOSTS/WWW1, error log is/var/log/httpd/www1.err, access log is/var/log/httpd/www1.access;

(b) www2.stuX.com, page file directory is/WEB/VHOSTS/WWW2, error log is/var/log/httpd/www2.err, access log is/var/log/httpd/www2.access;

(c) Establish their own home page file index.html for two virtual hosts, respectively, with their corresponding hostname;

(d) Output of httpd work status information through Www1.stux.com/server-status and only allow access to the account password (status:status);

This article is from the "11822904" blog, please be sure to keep this source http://11832904.blog.51cto.com/11822904/1867354

Marco 2016 new Linux+python high-end Operation Nineth Week