III (21) OpenVPN (2)
Case 1:
Interconnecting multiple data centers with OpenVPN (architecture):
Note:
The VPN client role corresponds to the dial-up endpoint on the Windows host;
On both the VPN server and the VPN client: (1) configure the firewall (so it does not block the listening port or forwarding); (2) disable SELinux; (3) enable IP forwarding (#echo 1 > /proc/sys/net/ipv4/ip_forward, or edit /etc/sysctl.conf);
VPN server side:
[root@etiantian ~]# vim /etc/openvpn/server.conf #(configure as follows: 1. comment out duplicate-cn; 2. enable client-config-dir /etc/openvpn/ccd; 3. enable route 192.168.1.0 255.255.255.0 (push sends a route to the client, while route configures the route locally on the server); 4. enable client-to-client)
;duplicate-cn
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client
[root@etiantian ~]# egrep -v "#|;|^$" /etc/openvpn/server.conf #(the full configuration is as follows)
local 10.96.20.113
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
crl-verify /etc/openvpn/keys/crl.pem
[root@etiantian ~]# vim /etc/openvpn/ccd/jowin #(create and edit this file; jowin is the name on the signed client certificate; iroute 192.168.1.0 255.255.255.0 is mandatory; the ifconfig-push line is optional and gives the host in that LAN a fixed virtual address)
iroute 192.168.1.0 255.255.255.0
#ifconfig-push 10.8.0.18 10.8.0.19
[root@etiantian ~]# service openvpn start
Starting openvpn: [ OK ]
[root@etiantian ~]# lsof -i :52115
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 39657 root 5u IPv4 818132 0t0 TCP etiantian.org:52115 (LISTEN)
[root@etiantian ~]# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:168 (168.0 b) TX bytes:168 (168.0 b)
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.11
VPN client side:
[root@localhost ~]# egrep -v "#|;|^$" /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 10.96.20.113 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/jowin.crt
key /etc/openvpn/jowin.key
ns-cert-type server
comp-lzo
verb 3
[root@localhost ~]# service openvpn start
Starting openvpn: Enter Private Key Password:
[ OK ]
[root@localhost ~]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.426 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.327 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.281 ms
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.11
LAN(A) server1 side:
#route add -net 192.168.1.0/24 gw 172.16.1.11
LAN(B) server1 side:
#route add -net 172.16.1.0/24 gw 192.168.1.11
Test whether LAN(B) server1 can communicate with LAN(A) server1:
Ping LAN(A) server1 from LAN(B) server1: the ping succeeds, as expected
Capture on the VPN server with #tcpdump -n icmp: both ICMP echo request and ICMP echo reply are seen, as expected
Capture on LAN(A) server1: both ICMP echo request and ICMP echo reply are seen, as expected
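The site-to-site setup above only works when every LAN behind a client has both a `route` in server.conf and a matching `iroute` in that client's ccd file; one without the other fails silently. The following lint, added here as an example and not part of the original post, cross-checks the two using sample text constructed from this case's configuration (the file contents are embedded rather than read from /etc/openvpn):

```python
# Added example: cross-check server.conf "route" entries against ccd "iroute" entries.
# Sample configs below are constructed from Case 1 of the page; nothing is read from disk.
import ipaddress


def parse_routes(text, keyword):
    """Return the set of networks declared by `keyword` (route/iroute) in an OpenVPN config."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue                                  # comment or disabled line
        parts = line.split()
        if parts[0] == keyword and len(parts) >= 3:   # "route <network> <netmask>"
            nets.add(str(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)))
    return nets


def check_site_routes(server_conf, ccd_files):
    """Compare server.conf routes with the iroutes of all ccd files (cn -> file text).

    Returns routes the kernel has but no client claims (traffic enters tun and is
    dropped), iroutes with no kernel route (LAN traffic never reaches the tunnel),
    and subnets claimed by more than one client.
    """
    routes = parse_routes(server_conf, "route")
    iroutes = {}
    for cn, text in ccd_files.items():
        for net in parse_routes(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    return {
        "missing_iroute": sorted(routes - set(iroutes)),
        "missing_route": sorted(set(iroutes) - routes),
        "claimed_twice": sorted(n for n, cns in iroutes.items() if len(cns) > 1),
    }


# Constructed from the page's Case 1 server.conf and ccd/jowin.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
client-to-client
"""
CCD = {"jowin": "iroute 192.168.1.0 255.255.255.0\n#ifconfig-push 10.8.0.18 10.8.0.19\n"}

if __name__ == "__main__":
    print(check_site_routes(SERVER_CONF, CCD))
```

A clean result is three empty lists; a `push "route ..."` line is deliberately ignored because it is a client-side route, not a server one.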
Case 2:
Office PCs browsing the Internet through the OpenVPN server in the IDC as a proxy (VPN):
Note: the figure above shows a user dialing in remotely to the VPN server to manage hosts in the IDC; in production both eth0 of the VPN server and the user's source IP are public addresses; traffic to other websites leaves through the user's own local route and does not traverse the VPN link
Note: the figure above shows the Internet-through-proxy setup this case describes
[root@etiantian ~]# vim /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
[root@etiantian ~]# cat /proc/sys/net/ipv4/ip_forward #(make sure IP forwarding is enabled)
1
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.96.20.113
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 52115 -j ACCEPT
Browse other websites through the proxy and use www.whatismyip.com.tw or www.ip138.com to compare the reported IP before and after; once connected, the IP those sites report is the proxy server's IP (the address OpenVPN listens on). In a Windows cmd prompt, use >route print > test.txt to compare the routing table before and after
Plan 3:
OpenVPN LB and HA:
Method 1: several configuration files on the VPN client (the user chooses which one to dial)
Steps:
Set up VPN server{1,2}; the two servers differ only in the IP address they listen on;
The CA and server certificates on VPN server{1,2} must be identical (in this example the certificates of VPN server1 are copied to VPN server2);
The VPN client keeps several configuration files locally (two in this example; they differ only in the IP of the VPN server they connect to, and live as two different *.ovpn files under config/jowin/ in the installation directory);
Summary:
This method works equally well with a single authentication system (e.g. local file, database, RADIUS, LDAP, Active Directory);
It is simple to operate and suits internal staff: it introduces no extra services and no additional single point of failure, and when one VPN server fails, the user manually selects another VPN server on the VPN client;
This is LB implemented on the user side, much like the early Huajun download site where the user picked the download mirror, rather than the more complex smart-DNS business model;
VPN server1:
[root@etiantian ~]# grep local /etc/openvpn/server.conf
# Which local IP address should OpenVPN
;local a.b.c.d
local 10.96.20.113
[root@etiantian ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.113
[root@etiantian ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:172.16.1.113
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@etiantian ~]# service openvpn start
Starting openvpn: [ OK ]
[root@etiantian ~]# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@etiantian ~]# tail /var/log/openvpn.log
Tue Jul 26 22:13:19 2016 Listening for incoming TCP connection on 10.96.20.113:52115
Tue Jul 26 22:13:19 2016 TCPv4_SERVER link local (bound): 10.96.20.113:52115
Tue Jul 26 22:13:19 2016 TCPv4_SERVER link remote: [undef]
Tue Jul 26 22:13:19 2016 MULTI: multi_init called, r=256 v=256
Tue Jul 26 22:13:19 2016 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Jul 26 22:13:19 2016 IFCONFIG POOL LIST
Tue Jul 26 22:13:19 2016 test,10.8.0.4
Tue Jul 26 22:13:19 2016 jowin,10.8.0.8
Tue Jul 26 22:13:19 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Jul 26 22:13:19 2016 Initialization Sequence Completed
VPN server2:
[root@localhost ~]# grep local /etc/openvpn/server.conf
# Which local IP address should OpenVPN
;local a.b.c.d
local 10.96.20.114
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.114
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:172.16.1.114
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# service openvpn start
Starting openvpn: [ OK ]
[root@localhost ~]# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@localhost ~]# tail /var/log/openvpn.log
Wed Jul 27 13:14:05 2016 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Jul 27 13:14:05 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 27 13:14:05 2016 Listening for incoming TCP connection on 10.96.20.114:52115
Wed Jul 27 13:14:05 2016 TCPv4_SERVER link local (bound): 10.96.20.114:52115
Wed Jul 27 13:14:05 2016 TCPv4_SERVER link remote: [undef]
Wed Jul 27 13:14:05 2016 MULTI: multi_init called, r=256 v=256
Wed Jul 27 13:14:05 2016 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Jul 27 13:14:05 2016 IFCONFIG POOL LIST
Wed Jul 27 13:14:05 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Jul 27 13:14:05 2016 Initialization Sequence Completed
VPN client:
Under config/<user jowin's directory>/ in the Windows OpenVPN installation directory, place two *.ovpn files; each is the client.conf edited on the VPN server side, copied to Windows and renamed. The two files differ only in the address they connect to: remote 10.96.20.113 52115 and remote 10.96.20.114 52115;
After connecting, ping 172.16.1.12 from Windows while capturing on 172.16.1.12: both request and reply are seen, success
OpenVPN LB and HA:
Method 2 (recommended): implemented in the VPN client's configuration file. This client setup suits not only Win32 users dialing in but also inter-datacenter links between sites. List several VPN servers in the *.ovpn file and use the client option remote-random so that a VPN server is picked at random when dialing; when one VPN server fails no manual intervention is needed: the client's OpenVPN GUI detects the failure and automatically reconnects to another available VPN server
[root@etiantian openvpn]# vim client.conf #(edit on the VPN server side, then copy to Windows and rename to jowin_LB.ovpn)
remote 10.96.20.113 52115
remote 10.96.20.114 52115
remote-random
resolv-retry 20
VPN server1:
[root@etiantian ~]# > /etc/openvpn/openvpn-status.log #(clear the status file, then restart the openvpn service)
[root@etiantian ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
VPN server2:
[root@localhost ~]# >/etc/openvpn/openvpn-status.log
[root@localhost ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
After connecting, check the logs: the client is currently connected to 10.96.20.113
Stop the openvpn service on 113; after about 20 s the client has switched to 10.96.20.114 automatically, success
[root@etiantian ~]# service openvpn stop
Shutting down openvpn: [ OK ]
OpenVPN LB and HA:
Method 3: a domain name with round-robin DNS A records. In the VPN client configuration use remote vpn.etiantian.org 52115; DNS resolves the name to two A records and rotates between them
Note: this method is more complex: it introduces a DNS service, which adds a single point of failure and maintenance cost. It is not recommended if only internal staff use the VPN; for external users it can be considered with reservations. With several data centers, where the VPN servers are not in the same site, an IPSec link is also required. Round-robin DNS suffers from client-side DNS caching, which can make failover ineffective. DNS-cluster HA schemes (LAN DNS, MySQL clusters, storage, etc.) have the drawback of poor support for long-lived connections
[root@etiantian ~]# yum -y install bind bind-chroot bind-libs caching-nameserver ypbind #(DNS can be installed on any host in the IDC LAN; in this example it is installed on VPN server1)
[root@etiantian ~]# vim /etc/named.conf #(change and add the following)
options {
listen-on port 53 { any; };
……
allow-query { any; };
……
};
……
zone "etiantian.org" {
type master;
file "etiantian.org.db";
};
[root@etiantian ~]# cp -p /var/named/named.localhost /var/named/etiantian.org.db #(note: this file must be owned by user root and group named; without -p the records will not be found)
[root@etiantian ~]# vim /var/named/etiantian.org.db
$TTL 1D
@ IN SOA etiantian.org root (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H) ; minimum
IN NS @
IN A 127.0.0.1
vpn IN A 10.96.20.113
vpn IN A 10.96.20.114
[root@etiantian ~]# service named start
Starting named: [ OK ]
[root@etiantian ~]# host vpn.etiantian.org
vpn.etiantian.org has address 10.96.20.114
vpn.etiantian.org has address 10.96.20.113
[root@etiantian ~]# nslookup vpn.etiantian.org
Server: 10.96.20.113
Address: 10.96.20.113#53
Name: vpn.etiantian.org
Address: 10.96.20.113
Name: vpn.etiantian.org
Address: 10.96.20.114
[root@etiantian ~]# tail -2 /etc/hosts #(VPN server1 and VPN server2 must both have the same entries)
10.96.20.113 etiantian.org
10.96.20.114 etiantian.org
[root@etiantian ~]# vim /etc/openvpn/client.conf #(edit this file on the server side, copy it to Windows and rename it jowin_LB3.ovpn)
remote vpn.etiantian.org 52115
remote-random
resolv-retry 20
[root@etiantian ~]# sz !$
sz /etc/openvpn/client.conf
Note: the problem with this method is that the Windows VPN client has a local DNS cache that keeps the switch from taking effect. Inspect it first with >ipconfig /displaydns | more, then clear it with >ipconfig /flushdns. Alternatively disable the Windows DNS cache, either via the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters or by stopping the DNS Client system service
VPN client:
The client is now connected to 113. Stop the openvpn service on 113, flush the DNS cache, and check again: it has switched to 114, success
[root@etiantian ~]# service openvpn stop
Shutting down openvpn: [ OK ]
Method 4: use LVS, keepalived or haproxy
Plan:
OpenVPN unified authentication:
1. Local certificate/key authentication;
2. Local file authentication;
3. Database authentication (option 1: reuse the approach of 2 and have a script (shell, php or python) read the DB and compare; passwords in the DB can be stored as MD5 hashes. Option 2: pam_mysql);
4. LDAP unified authentication (option 1: openvpn-auth-ldap; option 2: follow the local-file approach but query LDAP, or compare against the local file);
5. RADIUS authentication (Remote Authentication Dial In User Service, defined in RFC 2865 and RFC 2866; the most widely used AAA protocol today, providing authentication, authorization and accounting);
6. Active Directory (can be integrated with LDAP);
7. Combined with authentication devices such as USB security tokens (U盾)
Example (OpenVPN authenticating against a local file):
VPN server side:
[root@etiantian ~]# cd /etc/openvpn
[root@etiantian openvpn]# vim server.conf
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
Note:
auth-user-pass-verify syntax: auth-user-pass-verify script method (here the script checkpsw.sh is a shell script that can be downloaded (a php script also works); it receives the client's username and password, compares them against the local file psw-file, and its return value (return 0 means success, return 1 means failure) decides whether the client may connect to the VPN server; method is via-env (pass user/pass via environment) or via-file (pass user/pass via temporary file));
psw-file (one username and password per line, separated by one or more spaces);
client-cert-not-required (no certificate; authenticate with user/pass);
--script-security=0|1|2|3 (0: strictly no calling of external programs; 1: default, only call built-in executables such as ifconfig, ip, route or netsh; 2: allow calling of built-in executables and user-defined scripts; 3: allow passwords to be passed to scripts via environment variables (potentially unsafe)); without this parameter the client cannot connect to the server side and the error Failed running command (--auth-user-pass-verify): external program fork failed is reported;
[root@etiantian openvpn]# vim checkpsw.sh
-------------------script start----------------------
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# With "via-env", OpenVPN passes the client's credentials in the environment
# variables $username and $password; lines starting with ';' or '#' are comments.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# Note: on failure the supplied password is written to the log file in clear text.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
--------------------script end------------------
[root@etiantian openvpn]# chmod 755 checkpsw.sh
[root@etiantian openvpn]# vim psw-file #(accounts and passwords allowed to connect to the VPN server)
jowin chai
[root@etiantian openvpn]# chmod 400 psw-file #(least privilege for safety; alternatively chattr +i psw-file)
[root@etiantian openvpn]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
[root@etiantian openvpn]# vim client.conf #(edit this file on the server side, upload it to Windows and rename it jowin_user_pass.ovpn)
remote 10.96.20.113 52115
#remote-random
resolv-retry 20
#cert jowin.crt
#key jowin.key
auth-user-pass
[root@etiantian openvpn]# sz client.conf
VPN client:
After clicking connect, a username/password dialog pops up; login proceeds normally, success
Example
OpenVPN authenticating through the openvpn-auth-ldap plugin (for the OpenVPN installation see the previous post "VPN (1)", and for the openldap installation see the next post "LDAP"):
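The checkpsw.sh above writes the client's password into the log on every failed attempt and compares with a plain string test. The following is an added example, not the page's script, showing the same auth-user-pass-verify via-env contract (username/password in the environment, exit 0 accepts, exit 1 rejects) and the same psw-file format, but with a constant-time comparison and no password in the log; the PASSFILE and LOG_FILE paths are assumed to match the page's setup.

```python
# Added example: hardened replacement for checkpsw.sh (auth-user-pass-verify ... via-env).
# Same psw-file format as the page: "username password" per line, ';' or '#' comments.
import hmac
import os
import sys
from datetime import datetime

PASSFILE = "/etc/openvpn/psw-file"                       # assumed, as on the page
LOG_FILE = "/var/log/openvpn/openvpn-password.log"       # assumed, as on the page


def lookup_password(passfile_text, username):
    """Return the stored password for username, or None if absent (first match wins)."""
    for line in passfile_text.splitlines():
        if not line.strip() or line.startswith((";", "#")):
            continue
        fields = line.split()                # one or more spaces/tabs, as the page describes
        if len(fields) >= 2 and fields[0] == username:
            return fields[1]
    return None


def verify(username, password, passfile_text):
    """Return (exit_code, log_message): 0 lets OpenVPN accept the client, 1 rejects it."""
    stored = lookup_password(passfile_text, username)
    if stored is None:
        return 1, f"User does not exist: username={username!r}."
    # Constant-time comparison; the supplied password is never placed in the message.
    if hmac.compare_digest(password.encode(), stored.encode()):
        return 0, f"Successful authentication: username={username!r}."
    return 1, f"Incorrect password: username={username!r}."


def main():
    # With via-env, OpenVPN hands the client's credentials over as environment variables.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE, encoding="utf-8") as fh:
            code, msg = verify(username, password, fh.read())
    except OSError:
        code, msg = 1, f"Could not open password file {PASSFILE!r} for reading."
    with open(LOG_FILE, "a", encoding="utf-8") as log:
        log.write(f"{datetime.now():%Y-%m-%d %H:%M:%S}: {msg}\n")
    sys.exit(code)


if __name__ == "__main__":
    main()
```

It is wired in exactly like the shell version (auth-user-pass-verify /etc/openvpn/checkpsw.py via-env with script-security 3), and still needs the psw-file kept at mode 400 because the passwords in it are stored in clear text.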
[root@etiantian ~]# yum -y install gcc-c++ gcc-objc
[root@etiantian ~]# rpm -qa | grep openldap #(make sure the openldap-* client packages are installed)
openldap-servers-2.4.40-12.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64
[root@etiantian ~]# cd /home/webgame/tools/
[root@etiantian tools]# rz -E #(upload re2c-0.13.6.tar.gz and auth-ldap-2.0.3.tar.gz)
rz waiting to receive.
[root@etiantian tools]# tar xf re2c-0.13.6.tar.gz
[root@etiantian tools]# cd re2c-0.13.6
[root@etiantian re2c-0.13.6]# ./configure
[root@etiantian re2c-0.13.6]# make && make install
[root@etiantian re2c-0.13.6]# cd ..
[root@etiantian tools]# tar xf auth-ldap-2.0.3.tar.gz
[root@etiantian tools]# cd auth-ldap-2.0.3
[root@etiantian auth-ldap-2.0.3]# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/home/webgame/tools/openvpn/openvpn-2.2.2 #(the /home/ path here is where the OpenVPN source was unpacked for the source install)
[root@etiantian auth-ldap-2.0.3]# make && make install
[root@etiantian auth-ldap-2.0.3]# cp auth-ldap.conf /etc/openvpn/
[root@etiantian auth-ldap-2.0.3]# cd
[root@etiantian ~]# vim /etc/openvpn/server.conf
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
client-cert-not-required
username-as-common-name
[root@etiantian ~]# vim /etc/openvpn/auth-ldap.conf #(change the following; URL may be a domain name or the LDAP server address; BindDN must match the rootdn in /etc/openldap/slapd.conf or authentication fails; Password is the admin password; set TLSEnable to no)
-----------------file start-------------------------
<LDAP>
# LDAP server URL
URL ldap://etiantian.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=admin,dc=etiantian,dc=org
# Bind Password
Password oldboy
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=etiantian,dc=org"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "uid=%u"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
#<Group>
#BaseDN "ou=Groups,dc=etiantian,dc=org"
#SearchFilter "(|(cn=developers)(cn=artists))"
#MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
#</Group>
</Authorization>
---------------file end-------------
Windows VPN client:
[root@etiantian ~]# vim /etc/openvpn/client.conf #(edit on the server side, upload to Windows and rename to jowin_ldap.ovpn)
remote 10.96.20.113 52115
#cert jowin.crt
#key jowin.key
auth-user-pass
Connect and enter an account that exists in LDAP (here user01/user01): login succeeds
Reposted from: https://blog.51cto.com/jowin/1831509