[CentOS7] Let's Encrypt Wildcard Setup

site : https://letsencrypt.org/

site: https://certbot.eff.org/docs/install.html

With Let's Encrypt you have to issue a certificate for every subdomain. If you own test.com,

you keep issuing and managing separate certificates for www.test.com, blog.test.com, work.test.com and so on.

With a wildcard certificate, one registration covers all of those sites.

Note: follow the Let's Encrypt wildcard setup steps below.

In a typical self-hosted named (BIND) environment, automated validation is not available; to automate it you need a DNS provider that offers an API key (Obtain API Key).

https://developerinsider.co/how-to-create-and-auto-renew-lets-encrypt-wildcard-certificate/

  • Delete existing certificates
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name www.web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]#

 

  • Create the wildcard certificate
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. web.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: web.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.web.com
[root@CentOS7 certbot]#

 

  • named work (the mha and mhb values must be entered in the DNS zone file as TXT records.)

[root@CentOS7 certbot]# vi /var/named/web.com
$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        IN      NS      ns.web.com.
                        IN      MX 10   mail.web.com.
web.com.             IN      A       200.200.200.200
                        IN      A       200.200.200.200
mail                    IN      A       200.200.200.200
ns                      IN      A       200.200.200.200
ns1                     IN      A       200.200.200.201
www                     IN      A       200.200.200.200
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mha
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mhb


[root@CentOS7 certbot]# systemctl restart named



[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]# vi /var/named/web.com
[root@CentOS7 certbot]# systemctl restart named
[root@CentOS7 certbot]# nslookup -q=txt _acme-challenge.web.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com      text = "-----------------------------------------mha"
_acme-challenge.web.com      text = "-----------------------------------------mhb"

Authoritative answers can be found from:

[root@CentOS7 certbot]#
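The zone-file edit and the nslookup check above, as an added Python example (not the author's script): it drops stale _acme-challenge TXT records, appends the new tokens as quoted TXT records, bumps the SOA serial (the zone above stays at serial 0, so a secondary name server would never reload it), and reports which expected tokens are still missing from resolver output before you press Enter in certbot. The zone text, tokens and nslookup output are constructed samples modelled on this page.

```python
"""Helpers for the manual dns-01 step shown above (added example, not the
author's script). The zone text, tokens and nslookup output are constructed
samples modelled on the page; real challenge tokens come from certbot."""
import re

# Constructed zone in the style of /var/named/web.com on this page, with a
# stale TXT record left over from a previous certbot run.
SAMPLE_ZONE = """$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        IN      NS      ns.web.com.
web.com.                IN      A       200.200.200.200
www                     IN      A       200.200.200.200
_acme-challenge.web.com.        IN      TXT     "stale-token-from-previous-run"
"""

# Constructed `nslookup -q=txt _acme-challenge.web.com` output in the format
# shown on this page, with only one of the two records visible (failure case).
SAMPLE_NSLOOKUP = """Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com      text = "tokenA-constructed"

Authoritative answers can be found from:
"""

# The SOA serial line: digits followed by the "; serial" comment.
SERIAL_RE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<serial>\d+)(?P<rest>[ \t]*;[ \t]*serial\b.*)$",
    re.MULTILINE)
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME challenge values are base64url


def soa_serial(zone_text):
    """Current SOA serial, or None if the zone has no '; serial' line."""
    m = SERIAL_RE.search(zone_text)
    return int(m.group("serial")) if m else None


def add_acme_txt_records(zone_text, name, tokens):
    """Return a new zone text: old TXT records for `name` removed, one quoted
    TXT record per token appended, and the SOA serial incremented so that
    secondaries notice the change."""
    if not name.endswith("."):
        raise ValueError("name must be fully qualified with a trailing dot")
    stale = re.compile(r"^" + re.escape(name) + r"\s+IN\s+TXT\b")
    kept = [ln for ln in zone_text.splitlines() if not stale.match(ln)]
    body, hits = SERIAL_RE.subn(
        lambda m: f"{m.group('indent')}{int(m.group('serial')) + 1}{m.group('rest')}",
        "\n".join(kept), count=1)
    if hits != 1:
        raise ValueError("SOA record has no '; serial' line to bump")
    for token in tokens:
        if not TOKEN_RE.fullmatch(token):
            raise ValueError(f"unexpected characters in token {token!r}")
        body += f'\n{name:<31} IN      TXT     "{token}"'
    return body + "\n"


def missing_tokens(nslookup_output, expected):
    """Tokens from `expected` that do not appear as TXT strings in the output
    of `nslookup -q=txt`; an empty list means it is safe to press Enter."""
    seen = set(re.findall(r'text = "([^"]*)"', nslookup_output))
    return [t for t in expected if t not in seen]


if __name__ == "__main__":
    tokens = ["tokenA-constructed", "tokenB_constructed"]
    print(add_acme_txt_records(SAMPLE_ZONE, "_acme-challenge.web.com.", tokens))
    print("still missing:", missing_tokens(SAMPLE_NSLOOKUP, tokens))
```

Run the lookup against a public resolver as the page does, since certbot validates from outside and a record visible only on your own named is not enough.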


 

  • Change the nginx configuration.
[root@CentOS7 certbot]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       443;
    server_name  www.web.com web.com;
    root   /var/www/html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
}

 

  • Test blog.web.com.
[root@CentOS7 certbot]# cd /etc/nginx/sites-enabled/
[root@CentOS7 sites-enabled]# cp web_com.conf web_blog.conf
[root@CentOS7 sites-enabled]# vi web_blog.conf
server {

    listen       80;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}
server {
    listen       443;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/blog.web.com/logs/access.log;
    error_log  /var/www/html/blog.web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@CentOS7 ~]# mkdir -p /var/www/html/blog.web.com/{public_html,logs}
[root@CentOS7 ~]# chown -R nginx:nginx /var/www/html/blog.web.com/
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# vi /var/www/html/blog.web.com/public_html/index.php
<?php phpinfo(); ?>

 

  • Web test: test both https and http.

[CentOS7] Let's Encrypt Setup and apache-nginx Setup

Required apache packages before installing certbot

# yum -y update
# yum -y install httpd mod_ssl epel-release yum-utils

certbot reference page: https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

The web.com domain shown in the screenshots is an arbitrarily chosen domain.

Official site: https://letsencrypt.org  

certbot-auto site: https://certbot.eff.org/docs/install.html

 

  • certbot-auto download

[root@CentOS7 ~]# mkdir /usr/local/certbot
[root@CentOS7 ~]# cd /usr/local/certbot
[root@CentOS7 certbot]# wget https://dl.eff.org/certbot-auto
[root@CentOS7 certbot]# chmod a+x ./certbot-auto
[root@CentOS7 certbot]# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.
[root@CentOS7 certbot]#

 

  • Run certbot-auto
  • When run, certbot-auto installs the required packages automatically.
  • Press y to complete the installation.
[root@CentOS7 certbot]# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.cdnetworks.com
 * epel: mirror.premi.st
 * extras: data.aonenetworks.kr
 * remi-php71: ftp.riken.jp
 * remi-safe: ftp.riken.jp
 * updates: data.aonenetworks.kr
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-6.el7_6.1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-87.el7.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
... (output abridged)
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webtest@gamil.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.web.com
2: web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for web.com
Unable to set enhancement redirect for web.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[root@CentOS7 certbot]#

 

  • After certbot has created the certificate, check the settings in ssl.conf.
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
  </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCertificateFile /etc/letsencrypt/live/web.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/web.com/chain.pem
</VirtualHost>

 

  • Run the web access test.
  • This covers https://web.com; www.web.com needs a separate certificate.
  • To cover every subdomain a wildcard certificate is needed.
  • Wildcard certificates are covered separately.

 

  • Create the certificate for www.web.com.
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/httpd-vhosts.conf to ssl vhost in /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

 

  • Restart the apache daemon.
[root@CentOS7 certbot]# systemctl restart httpd

 

  • Check the web site.

 

  • Nginx setup
[root@CentOS7 ~]# cd /usr/local/certbot/
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

 

  • Web test: access test for https://web.com

 

  • Create the https://www.web.com certificate
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

 

  • Notes on creating certificates
Create the certificate in the form ./certbot-auto -d web.com -d www.web.com so that visiting http://www.web.com gives no https error, and
specify the web server with ./certbot-auto --nginx.

  • Web test: access test for https://www.web.com

 

  • Add automatic renewal of the Let's Encrypt certificate
[root@CentOS7 ~]# vi /etc/crontab
0 1 1 * * root /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log

Automatic renewal test
[root@CentOS7 ~]# /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Cert not yet due for renewal
[root@CentOS7 ~]#

Using the SSL certificate with apache and with nginx

A single-sign SSL key was used for the certificate.

SSL single sign will be covered in a later post.

When testing from Windows, add the www.web.com / web.com domains to /windows/system32/drivers/etc/hosts.

 

  • Install the mod_ssl package so apache can use the SSL certificate.
[root@CentOS7 ~]# yum install -y mod_ssl

 

  • Edit the ssl.conf file.
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf
NameVirtualHost *:443

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/web.crt
SSLCertificateKeyFile /etc/pki/tls/private/web.key
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
 </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
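As an added check (not the author's code) covering the nginx server blocks earlier on the page and the ssl.conf just above: a small audit that flags legacy protocols (SSLProtocol all -SSLv2 still allows SSLv3/TLS 1.0/1.1; ssl_protocols TLSv1 TLSv1.1), weak positively selected cipher families (RC4, LOW, MEDIUM, DES-CBC3), and a certificate paired with a key from a different /etc/letsencrypt/live/ directory, the kind of path typo that nginx -t rejects. The sample configs are constructed from the directives on this page.

```python
"""Audit of the TLS directives used on this page (added example, not the
author's code). NGINX_SAMPLE and APACHE_SAMPLE are constructed from the
page's server blocks; the audit functions take any config text."""
import os
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a weak cipher family in an OpenSSL cipher string.
WEAK_CIPHER_MARKERS = ("RC4", "LOW", "MEDIUM", "EXPORT", "DES", "NULL", "ADH")

NGINX_SAMPLE = """server {
    listen       443;
    server_name  www.web.com web.com;
    ssl         on;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wweb.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!RC4';
}
"""

APACHE_SAMPLE = """<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/letsencrypt/live/web.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web.com/privkey.pem
</VirtualHost>
"""


def weak_positive_ciphers(cipher_string):
    """Entries of an OpenSSL cipher string that positively select a weak
    family; '!'-excluded entries are ignored."""
    out = []
    for entry in cipher_string.split(":"):
        if entry.startswith("!"):
            continue
        if any(marker in entry.lstrip("+").upper() for marker in WEAK_CIPHER_MARKERS):
            out.append(entry)
    return out


def pair_mismatches(certs, keys):
    """Cert/key pairs (in order of appearance) whose directories differ."""
    return [f"cert/key directory mismatch: {c} vs {k}"
            for c, k in zip(certs, keys)
            if os.path.dirname(c) != os.path.dirname(k)]


def audit_nginx(conf):
    findings = []
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M):
        weak = sorted(set(m.group(1).split()) & WEAK_PROTOCOLS)
        if weak:
            findings.append("nginx ssl_protocols enables " + " ".join(weak))
    for m in re.finditer(r"^\s*ssl_ciphers\s+'?([^';]+)'?\s*;", conf, re.M):
        bad = weak_positive_ciphers(m.group(1))
        if bad:
            findings.append("nginx ssl_ciphers selects " + ":".join(bad))
    certs = re.findall(r"^\s*ssl_certificate\s+(\S+?);", conf, re.M)
    keys = re.findall(r"^\s*ssl_certificate_key\s+(\S+?);", conf, re.M)
    return findings + pair_mismatches(certs, keys)


def audit_apache(conf):
    findings = []
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+)$", conf, re.M):
        enabled = set()  # apply "all", "+proto" and "-proto" left to right
        for tok in m.group(1).split():
            if tok.lower() == "all":
                enabled |= ALL_PROTOCOLS
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok.lstrip("+"))
        weak = sorted(enabled & WEAK_PROTOCOLS)
        if weak:
            findings.append("apache SSLProtocol enables " + " ".join(weak))
    for m in re.finditer(r"^\s*SSLCipherSuite\s+(\S+)", conf, re.M):
        bad = weak_positive_ciphers(m.group(1))
        if bad:
            findings.append("apache SSLCipherSuite selects " + ":".join(bad))
    certs = re.findall(r"^\s*SSLCertificateFile\s+(\S+)", conf, re.M)
    keys = re.findall(r"^\s*SSLCertificateKeyFile\s+(\S+)", conf, re.M)
    return findings + pair_mismatches(certs, keys)


if __name__ == "__main__":
    for finding in audit_nginx(NGINX_SAMPLE) + audit_apache(APACHE_SAMPLE):
        print("-", finding)
```

The certbot-installed Include of options-ssl-apache.conf in the earlier ssl.conf overrides SSLProtocol and SSLCipherSuite, so run the audit on the effective merged config rather than a single file.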

 

  • Run the web site access test.

 

  • Force a switch to https when accessed over http
[root@CentOS7 httpd]# vi conf.d/httpd-vhosts.conf
<VirtualHost *:80>
       ServerAdmin admin@web.com
       DocumentRoot /var/www/html/
       ServerName web.com
       ServerAlias www.web.com
<Location />
RedirectMatch /(.*)$ https://www.web.com/$1
</Location>
       ErrorLog /var/www/html/web.com/logs/web.com-error_log
       CustomLog /var/www/html/web.com/logs/web.com-access_log common
</VirtualHost>

 

  • Migrate the service from apache to nginx
[root@CentOS7 ~]# yum install -y nginx php-fpm
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    charset UTF-8;

        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm
[root@CentOS7 ~]# systemctl start nginx

  • Virtualhost configuration
[root@CentOS7 ~]#  vi /etc/nginx/conf.d/default.conf
server {
    listen       80 default_server;
    server_name  localhost;

[root@CentOS7 ~]# mkdir -p /var/www/html/web.com/{public_html,logs}
[root@CentOS7 ~]# mkdir /etc/nginx/sites-enabled
[root@CentOS7 ~]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       80;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        return 301 https://web.com$request_uri;
    }


    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}

server {
    listen       443;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate      /etc/pki/tls/certs/web.crt;
    ssl_certificate_key  /etc/pki/tls/private/web.key;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
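Added example, not from the original post: the Apache ssl.conf above negotiates everything except SSLv2 with a cipher string that still admits RC4, MEDIUM and LOW suites, and the nginx server block above enables TLSv1/TLSv1.1, uses the deprecated `ssl on` form and turns on `autoindex` for the document root. The script below audits both files for those settings and shows hardened counterparts. The sample files are constructed from the directives shown above (the nginx cipher string is shortened), not copied from a real host; on CentOS 7 with OpenSSL 1.0.2, TLSv1.2 is the newest protocol available.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an Apache ssl.conf and
# an nginx server block for legacy protocols and weak cipher keywords.
# Sample configs are constructed from the post's directives, not a real host.

LEGACY_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1"                 # must not be negotiable
WEAK_CIPHER_WORDS="RC4 LOW MEDIUM EXPORT DES-CBC3 ADH aNULL"

# proto_allows "<SSLProtocol value>" NAME -> 0 when NAME is still negotiable
proto_allows() {
  case " $1 " in
    *" -$2 "*) return 1 ;;             # explicitly removed
    *" +$2 "*|*" $2 "*) return 0 ;;    # explicitly listed
    *" all "*) return 0 ;;             # implied by "all"
    *) return 1 ;;
  esac
}

# weak_cipher_tokens "<cipher string>" -> prints each positive token holding a
# weak keyword; "!"-prefixed tokens remove suites and are left alone
weak_cipher_tokens() {
  echo "$1" | tr ':' '\n' | while IFS= read -r tok; do
    case "$tok" in ''|'!'*) continue ;; esac
    for w in $WEAK_CIPHER_WORDS; do
      case "$tok" in *"$w"*) echo "$tok"; break ;; esac
    done
  done
}

# audit_apache_ssl FILE -> one finding per line, nothing when clean
audit_apache_ssl() {
  proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$1" | head -n 1)
  for p in $LEGACY_PROTOS; do
    proto_allows "$proto" "$p" && echo "SSLProtocol still allows $p"
  done
  ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$1" | head -n 1)
  weak_cipher_tokens "$ciphers" | sed 's/^/SSLCipherSuite admits weak token /'
  grep -q '^[[:space:]]*SSLHonorCipherOrder[[:space:]]*on' "$1" \
    || echo "SSLHonorCipherOrder is not on"
  return 0
}

# audit_nginx_tls FILE -> one finding per line, nothing when clean
audit_nginx_tls() {
  proto=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1" | head -n 1)
  for p in $proto; do
    case " $LEGACY_PROTOS " in *" $p "*) echo "ssl_protocols still allows $p" ;; esac
  done
  ciphers=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*'\{0,1\}\([^';]*\).*/\1/p" "$1" | head -n 1)
  weak_cipher_tokens "$ciphers" | sed 's/^/ssl_ciphers admits weak token /'
  grep -q '^[[:space:]]*ssl[[:space:]]*on[[:space:]]*;' "$1" \
    && echo "'ssl on' is deprecated since nginx 1.15.0; use 'listen 443 ssl'"
  grep -q '^[[:space:]]*autoindex[[:space:]]*on' "$1" \
    && echo "autoindex on publishes directory listings"
  return 0
}

# write_samples DIR -> weak and hardened copies of both configs (constructed)
write_samples() {
  cat > "$1/weak-ssl.conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
  cat > "$1/hard-ssl.conf" <<'EOF'
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
EOF
  cat > "$1/weak-web_com.conf" <<'EOF'
server {
    listen       443;
    ssl         on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4:!MD5';
    location / {
        autoindex on;
    }
}
EOF
  cat > "$1/hard-web_com.conf" <<'EOF'
server {
    listen       443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
}
EOF
}

# count_findings AUDIT_FUNCTION FILE -> number of findings
count_findings() { "$1" "$2" | wc -l | tr -d ' '; }

# Usage on the host (paths from the post):
#   audit_apache_ssl /etc/httpd/conf.d/ssl.conf; audit_nginx_tls /etc/nginx/sites-enabled/web_com.conf
```

The checks are deliberately textual: they catch what is written in the file, which is what survives a restart, and they run without a TLS client. A handshake-level scan of the live port is still worth doing after a reload, since other included files can override these directives.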


  • Web page 테스트를 진행 합니다.
  • 80 port www.web.com 접속을 하여도 443 https 로 자동으로 넘어 가는지 확인 합니다.

[CentOS7] LEMP Stack – nginx-percona-plugin install

A few days ago, at a customer's request, I installed cacti on top of nginx.

Version 1.1.38 ships without the default templates, so it cannot draw graphs.

To see all graphs during monitoring, Authentication Method -> Builtin Authentication must be changed to None.

If the Percona plugin is not used, a separate cacti user account is not needed.

For nginx monitoring, the ss_get_by_ssh script requires a cacti account or another dedicated account.

When using the cacti account, the ownership of /etc/cacti/db.php must be changed to cacti. If it is not changed, cacti does not work properly.

Run a system update before installing nginx.

Reboot after the system update.

[root@CentOS7 ~]# yum update -y
[root@CentOS7 ~]# init 6

  • Create the nginx repo file.
[root@CentOS7 ~]# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@CentOS7 ~]# yum clean all ; yum list

  • Install nginx
[root@CentOS7 ~]# yum install -y nginx

  • Install the epel-release and remi-release-7 packages needed for php71
[root@CentOS7 ~]# yum install -y epel-release
[root@CentOS7 ~]# rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm   
[root@CentOS7 ~]# yum clean all ; yum list
[root@CentOS7 ~]# yum update -y
[root@CentOS7 ~]# init 6
[root@CentOS7 ~]# yum-config-manager --enable remi-php71

  • Install php71
[root@CentOS7 ~]# yum install -y php php-opcache php-mysql php-fpm php-gd \
 php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-soap curl curl-devel

  • Create the mariadb repo file.
[root@CentOS7 ~]# vi /etc/yum.repos.d/mariadb.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
[root@CentOS7 ~]# yum clean all ; yum list
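Added example, not from the original post: the nginx.repo above sets `gpgcheck=0`, so yum installs whatever the mirror (reached over plain http) serves without checking that the RPM was signed by nginx, while the mariadb.repo verifies signatures with `gpgcheck=1` and a `gpgkey`. The script below checks each stanza of a .repo file for that and shows the corrected nginx stanza using the signing key nginx publishes at https://nginx.org/keys/nginx_signing.key. The repo files are constructed copies of the two shown above, not read from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: check each stanza of a yum
# .repo file for package-signature verification. Sample files are constructed.

# audit_repo FILE -> prints "<stanza>: <problem>" for every enabled stanza
# that does not verify package signatures; prints nothing when all are clean.
audit_repo() {
  awk '
    function report() {
      if (name == "" || enabled == "0") return
      if (gpgcheck != "1")    print name ": gpgcheck is not 1"
      else if (gpgkey == "")  print name ": gpgcheck=1 but no gpgkey"
    }
    /^\[.*\]$/ {                          # new stanza: flush the previous one
      report()
      name = substr($0, 2, length($0) - 2)
      enabled = "1"; gpgcheck = ""; gpgkey = ""
      next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
    index($0, "=") > 0 {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled")  enabled = val
      if (key == "gpgcheck") gpgcheck = val
      if (key == "gpgkey")   gpgkey = val
    }
    END { report() }
  ' "$1"
}

# write_samples DIR -> the nginx.repo from the post, a corrected copy, and the
# mariadb.repo from the post (which already verifies signatures)
write_samples() {
  cat > "$1/nginx-weak.repo" <<'EOF'
[nginx]
name=nginx
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
EOF
  cat > "$1/nginx-fixed.repo" <<'EOF'
[nginx]
name=nginx
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
  cat > "$1/mariadb.repo" <<'EOF'
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
}

# audit_all DIR -> audits every .repo file in DIR, prefixed with the file name
audit_all() {
  for f in "$1"/*.repo; do
    audit_repo "$f" | sed "s|^|$(basename "$f"): |"
  done
}

# count_findings FILE -> number of findings for one repo file
count_findings() { audit_repo "$1" | wc -l | tr -d ' '; }

# Usage on the host: audit_all /etc/yum.repos.d
```

With the corrected stanza, the first `yum install` prompts once to import the nginx key; compare its fingerprint with the one published on nginx.org before accepting.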


  • Install mariadb
[root@CentOS7 ~]# yum install -y mariadb mariadb-server

  • Enable and start the mariadb daemon
[root@CentOS7 ~]# systemctl enable mariadb
[root@CentOS7 ~]# systemctl start mariadb

  • Run mysql_secure_installation
[root@CentOS7 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@CentOS7 ~]#

  • Enable and start the nginx daemon
[root@CentOS7 ~]# systemctl enable nginx
[root@CentOS7 ~]# systemctl start nginx

  • nginx.conf configuration
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

  • default.conf file configuration
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }


    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

  • Restart the nginx daemon
[root@CentOS7 ~]# systemctl restart nginx

  • php-fpm.conf configuration
[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

  • Enable and start the php-fpm daemon
[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm

  • Check phpinfo()
[root@CentOS7 ~]# vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

  • Check the web site

  • Install cacti
[root@CentOS7 ~]# yum install -y httpd httpd-devel mariadb-server php-mysql php-pear php-common php-gd \
 php-devel php php-mbstring php-cli php-snmp net-snmp-utils net-snmp-libs rrdtool cacti

  • Create the DB
[root@CentOS7 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database cacti;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit;
Bye
[root@CentOS7 ~]#

  • cacti DB setup
[root@CentOS7 ~]# rpm -ql cacti | grep cacti.sql
/usr/share/doc/cacti-1.1.38/cacti.sql
[root@CentOS7 ~]# mysql -u root -p cacti < /usr/share/doc/cacti-1.1.38/cacti.sql
Enter password:
[root@CentOS7 ~]# vi /etc/cacti/db.php
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cacti';
$database_password = 'password';
$database_port     = '3306';
$database_ssl      = false;

  • Edit nginx default.conf
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        #deny all;
    }
    # cacti settings
    location /cacti {
    alias /usr/share/cacti;
    index index.php;
    }

    location ~ ^/cacti.+\.php$ {
    # fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;

    fastcgi_split_path_info ^/cacti(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME /usr/share/cacti/$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
    }
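Added example, not from the original post: nginx's access module allows any request that matches no allow/deny rule, so `allow 127.0.0.1;` with `#deny all;` commented out, as in the /server-status block above, still serves stub_status to every client. The script below flags location blocks that carry allow rules without a deny, and shows the corrected block. The config it scans is constructed from the block above (plus the cacti locations, which carry no rules), not copied from a real host; 192.168.0.33 is the poller address used later in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: find nginx location blocks
# whose allow rules are not closed by a deny. Sample configs are constructed.

# audit_nginx_acl FILE -> one line per location block that has allow rules
# but no deny rule; commented-out directives do not count.
audit_nginx_acl() {
  awk '
    /^[ \t]*#/ { next }                                  # skip comment lines
    /^[ \t]*location[ \t]/ {
      loc = $0
      sub(/^[ \t]*location[ \t]+/, "", loc); sub(/[ \t]*\{.*$/, "", loc)
      depth = 0; has_allow = 0; has_deny = 0; inloc = 1
    }
    inloc && /\{/                 { depth++ }
    inloc && /^[ \t]*allow[ \t]/  { has_allow = 1 }
    inloc && /^[ \t]*deny[ \t]/   { has_deny = 1 }
    inloc && /\}/ {
      depth--
      if (depth == 0) {
        if (has_allow && !has_deny)
          print loc ": allow without a final deny, unmatched clients are allowed"
        inloc = 0
      }
    }
  ' "$1"
}

# write_samples DIR -> weak.conf (as in the post) and fixed.conf
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        #deny all;
    }
    # cacti settings
    location /cacti {
    alias /usr/share/cacti;
    index index.php;
    }
EOF
  cat > "$1/fixed.conf" <<'EOF'
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        allow 192.168.0.33;   # the cacti poller address used in the post
        deny all;             # every other client gets 403
    }
EOF
}

# count_open_locations FILE -> number of flagged location blocks
count_open_locations() { audit_nginx_acl "$1" | wc -l | tr -d ' '; }

# Usage on the host (path from the post): audit_nginx_acl /etc/nginx/conf.d/default.conf
```

After the change, `curl http://localhost/server-status` from the host still returns the counters, while a request from any other address gets 403; the percona nginx template only needs the poller's own address to be allowed.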


  • Restart the nginx daemon and check /server-status
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# curl http://localhost/server-status
Active connections: 1
server accepts handled requests
 1 1 1
Reading: 0 Writing: 1 Waiting: 0
[root@CentOS7 ~]#

  • Change db.php ownership
[root@CentOS7 ~]# chown nginx:nginx /etc/cacti/db.php

  • mysql.time_zone_name setup
[root@CentOS7 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT SELECT ON mysql.time_zone_name to 'cacti'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye
[root@CentOS7 ~]#

  • php.ini configuration and php-gmp package installation
[root@CentOS7 ~]# vi /etc/php.ini
date.timezone =Asia/Seoul

[root@CentOS7 ~]# yum install -y php-gmp

  • mariadb configuration
[root@CentOS7 ~]# vi /etc/my.cnf.d/server.cnf
[server]
character-set-server=utf8mb4
collation-server = utf8mb4_unicode_ci
max_heap_table_size = 200M
max_allowed_packet = 16777216
tmp_table_size = 64M
join_buffer_size = 64M
innodb_buffer_pool_size = 921M
innodb_doublewrite = OFF
innodb_additional_mem_pool_size = 80M
innodb_flush_log_at_timeout = 3
innodb_read_io_threads = 32
innodb_write_io_threads = 16


[root@CentOS7 ~]# vi /etc/my.cnf.d/client.cnf
[client]
default-character-set = utf8mb4


[root@CentOS7 ~]# systemctl restart mariadb
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# systemctl restart php-fpm

[root@CentOS7 ~]# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
Enter password:
Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.
[root@CentOS7 ~]#

  • All configuration is complete.

  • Click Next.

  • Click Next.

  • Install spine.
  • The latest spine version can be found at https://www.cacti.net/downloads/spine/.
[root@CentOS7 ~]# yum install -y gcc mysql-devel net-snmp-devel autoconf automake libtool dos2unix help2man
[root@CentOS7 ~]# mkdir spine
[root@CentOS7 ~]# cd spine/
[root@CentOS7 spine]# wget https://www.cacti.net/downloads/spine/cacti-spine-1.1.38.tar.gz
[root@CentOS7 spine]# tar xvf cacti-spine-1.1.38.tar.gz
[root@CentOS7 spine]# cd cacti-spine-1.1.38/
[root@CentOS7 cacti-spine-1.1.38]# ./bootstrap
INFO: Spine bootstrap process completed

  These instructions assume the default install location for spine
  of /usr/local/spine.  If you choose to use another prefix, make
  sure you update the commands as required for that new path.

  To compile and install Spine using MySQL versions 5.5 or higher
  please do the following:

  ./configure
  make
  make install
  chown root:root /usr/local/spine/bin/spine
  chmod +s /usr/local/spine/bin/spine

  To compile and install Spine using MySQL versions previous to 5.5
  please do the following:

  ./configure --with-reentrant
  make
  make install
  chown root:root /usr/local/spine/bin/spine
  chmod +s /usr/local/spine/bin/spine
[root@CentOS7 cacti-spine-1.1.38]# ./configure
[root@CentOS7 cacti-spine-1.1.38]# make && make install
[root@CentOS7 cacti-spine-1.1.38]# chown root:root /usr/local/spine/bin/spine
[root@CentOS7 cacti-spine-1.1.38]# chmod +s /usr/local/spine/bin/spine
[root@CentOS7 ~]# cp /usr/local/spine/etc/spine.conf.dist /etc/spine.conf
[root@CentOS7 ~]# vi /etc/spine.conf
DB_Host                 localhost
DB_Database             cacti
DB_User                 cacti
DB_Pass                 password
DB_Port                 3306
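Added example, not from the original post: /etc/cacti/db.php (edited earlier) and /etc/spine.conf (above) both hold the cacti DB password in clear text. The post's chown steps set the owner but say nothing about the mode, so a file that any local user can read keeps the password exposed. The checks below report such a file and the fix sets mode 0640. Owner cacti with group nginx is the assumed arrangement (the poller runs as cacti, php-fpm as nginx, which is what the post's later `chown cacti:nginx` produces); it is not stated by the post.

```shell
#!/bin/sh
# Added example, not part of the original post: report a credential file that
# "other" can read or the group can write, and set a safe mode.

# secret_file_problems FILE OWNER GROUP -> prints one problem per line,
# nothing when the file is owned as expected and unreadable by "other".
secret_file_problems() {
  f=$1; want_owner=$2; want_group=$3
  [ -f "$f" ] || { echo "$f: not found"; return 0; }
  set -- $(ls -ld "$f")              # fields: mode links owner group ...
  mode=$1; owner=$3; group=$4
  case "$mode" in
    ???????---*) ;;                  # "other" has no r/w/x bits
    *) echo "$f: accessible by everyone ($mode)" ;;
  esac
  case "$mode" in
    ?????-*) ;;                      # group may read, must not write
    *) echo "$f: group-writable ($mode)" ;;
  esac
  [ "$owner" = "$want_owner" ] || echo "$f: owner is $owner, expected $want_owner"
  [ "$group" = "$want_group" ] || echo "$f: group is $group, expected $want_group"
  return 0
}

# harden_secret_file FILE OWNER GROUP -> owner rw, group r, nobody else
harden_secret_file() {
  chown "$2:$3" "$1" && chmod 0640 "$1"
}

# count_problems FILE OWNER GROUP -> number of problems reported
count_problems() { secret_file_problems "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Usage on the cacti host (paths from the post; owner/group are assumptions):
#   for f in /etc/cacti/db.php /etc/spine.conf; do
#     secret_file_problems "$f" cacti nginx && harden_secret_file "$f" cacti nginx
#   done
```

Mode 0640 keeps the poller (owner) and php-fpm (group) working while other local accounts, including any shell user the monitored hosts share, can no longer read the database password.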


  • Test spine
[root@CentOS7 ~]# /usr/local/spine/bin/spine
SPINE: Using spine config file [/etc/spine.conf]
SPINE: Version 1.1.38 starting
SPINE: Time: 0.0249 s, Threads: 5, Devices: 0
[root@CentOS7 ~]#

  • Click Next.

  • cacti version 1.1.38 needs separate permission settings.
  • Options during installation
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/resource/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/scripts/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/log/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/cache/

  • Click Next.

  • Select the device to monitor and click Next.
  • The initial login id/pass is admin/admin; Keep me signed in must be checked.

  • The logged-in screen

  • cacti directory permissions after installation
[root@CentOS7 ~]# chown -R nginx:nginx /usr/share/cacti/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/cache/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/cli/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/rra/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/scripts/

  • snmpd configuration
[root@CentOS7 ~]# systemctl enable snmpd
[root@CentOS7 ~]# systemctl start snmpd

[root@CentOS7 ~]# vi /etc/snmp/snmpd.conf
#       sec.name  source          community
com2sec public  default       public

####
# Second, map the security name into a group name:

#       groupName      securityModel securityName
group   public v1           public
group   public v2c          public

####
# Third, create a view for us to let the group have rights to:

# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
#view    systemview    included   .1.3.6.1.2.1.1
#view    systemview    included   .1.3.6.1.2.1.25.1.1
view     all           included    .1

####
# Finally, grant the group read-only access to the systemview view.

#       group          context sec.model sec.level prefix read   write  notif
#access  notConfigGroup ""      any       noauth    exact  systemview none none
access  public ""      any       noauth    exact  all none none

[root@CentOS7 ~]# systemctl restart snmpd
[root@CentOS7 ~]# snmpwalk -v2c -c public 192.168.0.33
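Added example, not from the original post: the snmpd.conf above maps the well-known community `public`, accepted from source `default` (any address), to a view over the whole MIB (`.1`), so anyone who can reach UDP/161 on the host can walk it just as the `snmpwalk` above does. The script below reports those settings and shows a configuration scoped to the cacti poller. The sample files are constructed from the configuration above; the community string and the poller addresses (127.0.0.1 and the post's 192.168.0.33) in the hardened copy are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: report snmpd.conf directives
# that expose the agent to any source or to SNMP SET. Sample files are constructed.

# audit_snmpd FILE -> one finding per line for com2sec/view/access directives
audit_snmpd() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "com2sec" {
      if ($3 == "default")
        print "com2sec " $2 ": community \"" $4 "\" accepted from any source"
      if ($4 == "public" || $4 == "private")
        print "com2sec " $2 ": well-known community \"" $4 "\""
    }
    $1 == "view" && $3 == "included" && $4 == ".1" {
      print "view " $2 ": exposes the entire MIB (.1)"
    }
    $1 == "access" && $8 != "none" {
      print "access " $2 ": write view \"" $8 "\" permits SNMP SET"
    }
  ' "$1"
}

# write_samples DIR -> weak.conf as in the post, hardened.conf for a cacti poller
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
com2sec public  default       public
group   public v1           public
group   public v2c          public
view     all           included    .1
access  public ""      any       noauth    exact  all none none
EOF
  cat > "$1/hardened.conf" <<'EOF'
# only the poller may talk to snmpd, with a non-default community (placeholder)
com2sec cactisec  127.0.0.1      CHANGE-ME-long-random-string
com2sec cactisec  192.168.0.33   CHANGE-ME-long-random-string
group   cactigrp  v2c            cactisec
# mib-2 (system, interfaces, host resources) plus ucd-snmp (load, memory)
view    cactiview included       .1.3.6.1.2.1
view    cactiview included       .1.3.6.1.4.1.2021
access  cactigrp  ""  any noauth exact cactiview none none
EOF
}

# count_findings FILE -> number of findings
count_findings() { audit_snmpd "$1" | wc -l | tr -d ' '; }

# Usage on the host: audit_snmpd /etc/snmp/snmpd.conf
```

The device's SNMP community in the cacti console must be changed to the same string, and a host firewall rule limiting UDP/161 to the poller addresses backs up the `com2sec` source restriction.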


  • poller.php configuration
[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     nginx   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1


## Caution: when the ss_get_by_ssh script is used, it cannot run properly unless it runs under the cacti account.

[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

  • Download the device template files
[root@CentOS7 ~]# mkdir cacti
[root@CentOS7 ~]# cd cacti/

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:generic_snmp_device.xml.gz

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:local_linux_machine.xml.gz -O local_linux_machine.xml.gz

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:netsnmp_device.xml.gz -O netsnmp_device.xml.gz

[root@CentOS7 cacti]# chmod +x /usr/share/cacti/cli/import_package.php

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./local_linux_machine.xml.gz

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./template:package:generic_snmp_device.xml.gz

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./netsnmp_device.xml.gz

  • Create the cacti device

  • Click Create Graphs for this Device

  • Click Create

  • Go to Graphs.

  • Click the View button

  • Click Logs in the top menu.

  • Console -> Configuration -> Settings -> Authentication
  • Change Authentication Method -> Builtin Authentication to None

  • Go to Graphs.

  • After 10 minutes the graphs are displayed normally.

  • Install the nginx percona template
[root@CentOS7 cacti]# wget https://www.percona.com/downloads/percona-monitoring-plugins/percona-monitoring-plugins-1.1.7/binary/redhat/7/x86_64/percona-cacti-templates-1.1.7-2.noarch.rpm
[root@CentOS7 cacti]# yum install -y percona-cacti-templates-1.1.7-2.noarch.rpm

  • Load the nginx percona template
[root@CentOS7 cacti]# php /usr/share/cacti/cli/import_template.php --filename=/usr/share/cacti/resource/percona/templates/cacti_host_template_percona_nginx_server_ht_0.8.6i-sver1.1.7.xml
Read 42607 bytes of XML data
Import Results
Cacti has imported the following items for the Template:
CDEF
[success] Percona Turn Into Bits CDEF [new]
[success] Percona Negate CDEF [new]
GPRINT Preset
[success] Percona Nginx Server Checksum c5c20ca1d61ee9ccbb45854a46ce6fe8 [new]
[success] Percona Nginx Server Version t1.1.7:s1.1.7 [new]
[success] Percona Normal [new]
Data Input Method
[success] Percona Get Nginx Stats/Nginx Requests IM [new]
[success] Percona Get Nginx Stats/Nginx Accepts/Handled IM [new]
[success] Percona Get Nginx Stats/Nginx Scoreboard IM [new]
Data Template
[success] Percona Nginx Requests DT [new]
[success] Percona Nginx Accepts/Handled DT [new]
[success] Percona Nginx Scoreboard DT [new]
Graph Template
[success] Percona Nginx Requests GT [new]
[success] Percona Nginx Accepts/Handled GT [new]
[success] Percona Nginx Scoreboard GT [new]
Device Template
[success] Percona Nginx Server HT [new]
[root@CentOS7 cacti]#
[root@CentOS7 cacti]# chown -R cacti:nginx resource/

  • Go to Data Collection -> Data Input Methods.

  • Change the Input String
Before: <path_php_binary> -q <path_cacti>/scripts/ss_get_by_ssh.php --host <hostname> --type nginx --items hw,ig,ih,ii --server <server> --url <url> --http-user <http-user> --http-password <password>

After: <path_php_binary> -q <path_cacti>/scripts/ss_get_by_ssh.php --host <hostname> --type nginx --items hw,ig,ih,ii

  • Save, then apply the same change to all nginx templates.
  • Add Graph Template

  • Click Create Graphs for this Device.

  • Console -> Data Collection -> Data Collectors -> change Web Site Hostname to 192.168.0.33
  • Click Save to store it.

  • Create the user
[root@CentOS7 ~]# useradd -d /usr/share/cacti cacti
[root@CentOS7 ~]# mkdir /usr/share/cacti/.ssh
[root@CentOS7 ~]# chmod 700 /usr/share/cacti/.ssh
[root@CentOS7 ~]# chown cacti:cacti /usr/share/cacti/.ssh

  • ss_get_by_ssh.php configuration
[root@CentOS7 cacti]# su - cacti
-bash-4.2$ pwd
/usr/share/cacti
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/share/cacti/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/share/cacti/.ssh/id_rsa.
Your public key has been saved in /usr/share/cacti/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y7EHWx/3qKXjoDnq68yDRV79YBx/kkglxdtsTVb8KZ0 cacti@CentOS7
The key's randomart image is:
+---[RSA 2048]----+
|          .+o  .o|
|          o..   +|
|         + + =.++|
|      . . * =.=Eo|
|     o .S..o.+o  |
|      o. B ..o o |
|     o  = o . o .|
|    .o. .+ ..+   |
|     oB+o. .+.   |
+----[SHA256]-----+
-bash-4.2$ cd .ssh/
-bash-4.2$ cat id_rsa.pub >> authorized_keys
-bash-4.2$ chmod 600 authorized_keys
-bash-4.2$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:ZWA5Uum+t2aMbqe60UBUVGMLCoTWSkOdVF50tY70k+w.
ECDSA key fingerprint is MD5:c9:d5:01:7b:e7:49:69:e4:73:39:bb:58:65:a5:0a:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Last login: Tue Feb  5 02:50:25 2019
-bash-4.2$
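Added example, not from the original post: the key generated above has no passphrase and is appended to authorized_keys with no options, so a copy of id_rsa logs in as cacti from anywhere and can forward ports through the host. ss_get_by_ssh only needs to run commands from the poller, so the key can be pinned to the poller address with `from=` and stripped of port, agent and X11 forwarding (all standard authorized_keys options). The script below reports option-less key lines and rewrites them; the key line in the sample is a constructed placeholder, not a real public key, and 192.168.0.33 is the poller address used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: pin unattended keys in
# authorized_keys to one source and disable forwarding. Sample key is fake.

KEY_TYPES="ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
RESTRICT_OPTS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# is_key_type WORD -> 0 when WORD is a key type, i.e. the line carries no options
is_key_type() {
  for t in $KEY_TYPES; do [ "$1" = "$t" ] && return 0; done
  return 1
}

# unrestricted_keys FILE -> prints every key line that is not pinned with from=
unrestricted_keys() {
  f=$1
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line
    if is_key_type "$1"; then
      printf '%s\n' "$line"                      # no options at all
    else
      case "$1" in *from=*) ;; *) printf '%s\n' "$line" ;; esac
    fi
  done < "$f"
}

# restrict_keys FILE SOURCE -> rewrite FILE so each option-less key line is
# pinned to SOURCE and cannot forward; lines that already have options are kept
restrict_keys() {
  f=$1; src=$2; tmp=$(mktemp)
  while IFS= read -r line; do
    set -- $line
    if [ -n "$line" ] && is_key_type "$1"; then
      printf 'from="%s",%s %s\n' "$src" "$RESTRICT_OPTS" "$line"
    else
      printf '%s\n' "$line"
    fi
  done < "$f" > "$tmp"
  cat "$tmp" > "$f" && rm -f "$tmp"   # keeps the file's inode, owner and mode
}

# write_sample FILE -> the authorized_keys the post builds, with a fake key
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample, not a real key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL cacti@CentOS7
EOF
}

# count_unrestricted FILE -> number of key lines without a from= pin
count_unrestricted() { unrestricted_keys "$1" | wc -l | tr -d ' '; }

# Usage on the host: restrict_keys /usr/share/cacti/.ssh/authorized_keys 192.168.0.33
```

With the poller on the monitored host itself, as in this post, `from="127.0.0.1"` is enough; list both addresses (`from="127.0.0.1,192.168.0.33"`) if the cacti host will also poll other machines, and repeat the `ssh localhost` test afterwards to confirm the pinned key still logs in.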


  • Test ss_get_by_ssh.php
[root@CentOS7 ~]# cd /usr/share/cacti/scripts/
[root@CentOS7 scripts]# chown cacti:cacti ss_get_by_ssh.php
[root@CentOS7 scripts]# chmod +x ss_get_by_ssh.php

[root@CentOS7 scripts]# su - cacti
Last login: Tue Feb  5 02:55:06 KST 2019 on pts/0
-bash-4.2$ php /usr/share/cacti/scripts/ss_get_by_ssh.php --type nginx --host 127.0.0.1 --items hw,hx
hw:7 hx:46-bash-4.2$

  • Permission changes for using the nginx percona plugin
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/
[root@CentOS7 ~]# chown -R cacti:nginx /usr/share/cacti/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/cache/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/cli/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/rra
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/scripts/
[root@CentOS7 ~]# chown -R cacti:nginx /var/log/cacti/
[root@CentOS7 ~]# chown cacti:nginx /etc/cacti/db.php

[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

  • nginx monitoring results

  • Additional settings
  • Set the Spine Config File Path under Configuration -> Settings -> Paths.
  • /etc/spine.conf

  • Change the Poller Type under Configuration -> Settings -> Poller.
  • Poller Type: change to spine
  • Poller interval: change to Every Minute

  • Change the Spine Specific Execution Parameters
  • Maximum Threads per Process 1 -> 16
  • Number of PHP Script Servers 1 -> 8

  • Click Save to finish the configuration.
  • If nginx monitoring fails, the log file below can be checked.
  • Enabling the Debug item on the Device shows detailed logs.
  • Check the web site hostname under Console -> Data Collection -> Data Collectors.
  • [root@CentOS7 scripts]# tail -f /var/log/secure  to confirm that the cacti user logs in correctly.
  • Check the user name on the cacti script in crontab.

  • Lost cacti admin password
Root password lockout

[root@localhost log]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 430
Server version: 10.1.35-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use cacti;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [cacti]> update user_auth set enabled=('on');
Query OK, 1 row affected (0.03 sec)
Rows matched: 3  Changed: 1  Warnings: 0

MariaDB [cacti]>  flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [cacti]>

[Ubuntu 18.04] A start job is running for wait for Network to be Configured


I installed 18.04 for the first time in a while and am testing it.

Booting kept stalling at the message below. While looking for the cause I found that Ubuntu users elsewhere hit the same issue and resolved it by masking systemd-networkd-wait-online.service, so I am sharing the steps.

  • When booting ubuntu 18.04 server, the system waits about 2 minutes with the message A start job is running for Wait for Network to be Configured.


After rebooting, mask the systemd-networkd-wait-online.service service.

test@ubuntu1804:~$ sudo systemctl mask systemd-networkd-wait-online.service
Created symlink /etc/systemd/system/systemd-networkd-wait-online.service → /dev/null.
test@ubuntu1804:~$

Reboot and check whether the same issue recurs.

SSH access to a VirtualBox VM on macOS

Set the IP under File -> Host Network Manager.

The IP set by default can be used as is.

Depending on whether dhcp is used, the dhcp IP range needs to be changed.

  • vboxnet0 settings for reference

  • DHCP settings

  • Click Settings in the Oracle VM VirtualBox Manager.
  • Adapter 2 settings for reference

  • Ubuntu 18.04 network configuration
Check the added NIC device.

test@ubuntu1804:~$ ifconfig 
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.4  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feef:dc10  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ef:dc:10  txqueuelen 1000  (Ethernet)
        RX packets 343  bytes 400022 (400.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 192  bytes 17859 (17.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 08:00:27:49:d1:f7  txqueuelen 1000  (Ethernet)
        RX packets 1014  bytes 93803 (93.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 649  bytes 82497 (82.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 56  bytes 4404 (4.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 56  bytes 4404 (4.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

test@ubuntu1804:~$ 

Configure the added NIC device.
test@ubuntu1804:~$ sudo vi /etc/netplan/50-cloud-init.yaml 
network:
    ethernets:
        enp0s3:
            addresses: []
            dhcp4: true
        enp0s8:
            addresses: []
            dhcp4: true
    version: 2

Apply the changed configuration.
test@ubuntu1804:~$ sudo netplan apply

Check the IP address.
test@ubuntu1804:~$ ifconfig 
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.4  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feef:dc10  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ef:dc:10  txqueuelen 1000  (Ethernet)
        RX packets 346  bytes 401292 (401.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 200  bytes 18979 (18.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::a00:27ff:fe49:d1f7  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:49:d1:f7  txqueuelen 1000  (Ethernet)
        RX packets 1104  bytes 101845 (101.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 714  bytes 91017 (91.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Connect to the IP configured on the host-only adapter.

MacOS@MacOS-MacBook-Pro  ~  ssh test@192.168.100.100
test@192.168.100.100's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec  6 01:16:25 UTC 2018

  System load:  0.0               Processes:             93
  Usage of /:   54.2% of 3.87GB   Users logged in:       1
  Memory usage: 3%                IP address for enp0s3: 10.0.2.4
  Swap usage:   0%                IP address for enp0s8: 192.168.100.100


 * MicroK8s is Kubernetes in a snap. Made by devs for devs.
   One quick install on a workstation, VM, or appliance.

   - http://bit.ly/microk8s


1 package can be updated.
0 updates are security updates.


Last login: Thu Dec  6 01:10:44 2018 from 192.168.100.1
test@ubuntu1804:~$

Notes on using PXE boot with VirtualBox


On Windows I test with vmware, but on a Mac I used Parallels for Windows and for PXE-booting servers to install Linux. In vmware a vm -> vm pxe setup naturally works fine, but in VirtualBox, if you configure pxe-boot with only the base install, it fails with an operation not permitted message and cannot enter pxe-boot normally.

Solution: install the VirtualBox Extension Pack, located about halfway down https://www.virtualbox.org/wiki/Downloads, and PXE-boot works normally.


  • VM network settings


  • VM pxe-boot

CentOS 7 Source LAMP install

OS :  CentOS Linux release 7.4.1708

APACHE : 2.4.37

Mariadb : 10.3.8

PHP : 7.2.12

Installing Apache 2.4.37

Remove the installed apache packages.

[root@CentOS7 ~]# yum remove -y httpd httpd-*

Install the packages needed for the source build.

[root@CentOS7 ~]# yum install -y make gcc g++ gcc-c++ autoconf automake libtool pkgconfig \
findutils openssl openssl-devel openldap-devel pcre-devel libxml2-devel lua-devel \
curl curl-devel libcurl-devel expat-devel flex


Download the packages.

(http://mirror.apache-kr.org/httpd/ , http://mirror.apache-kr.org/apr/ , https://sourceforge.net/projects/pcre/files/pcre/)

[root@CentOS7 ~]# wget http://mirror.apache-kr.org/httpd/httpd-2.4.37.tar.gz
[root@CentOS7 ~]# wget http://mirror.apache-kr.org/apr/apr-1.6.5.tar.gz
[root@CentOS7 ~]# wget http://mirror.apache-kr.org/apr/apr-util-1.6.1.tar.gz
[root@CentOS7 ~]# wget http://downloads.sourceforge.net/project/pcre/pcre/8.42/pcre-8.42.tar.gz

Apache source install

Install apr-1.6.5
[root@CentOS7 apm]# tar xvf apr-1.6.5.tar.gz
[root@CentOS7 apm]# cd apr-1.6.5/
[root@CentOS7 apr-1.6.5]# ./configure --prefix=/usr/local/apr
[root@CentOS7 apr-1.6.5]# make && make install

Install apr-util-1.6.1
[root@CentOS7 apm]# tar xvf apr-util-1.6.1.tar.gz
[root@CentOS7 apm]# cd apr-util-1.6.1/
[root@CentOS7 apr-util-1.6.1]# ./configure --with-apr=/usr/local/apr/
[root@CentOS7 apr-util-1.6.1]# make && make install

Install pcre-8.42
[root@CentOS7 apm]# tar xvf pcre-8.42.tar.gz
[root@CentOS7 apm]# cd pcre-8.42/
[root@CentOS7 pcre-8.42]# ./configure --prefix=/usr/local/pcre
[root@CentOS7 pcre-8.42]# make && make install


Install httpd-2.4.37
[root@CentOS7 apm]# tar xvf httpd-2.4.37.tar.gz
[root@CentOS7 apm]# cd httpd-2.4.37/
[root@CentOS7 httpd-2.4.37]# ./configure --enable-module=so --enable-mods-shared=most --enable-maintainer-mode \
--enable-deflate --enable-headers --enable-rewrite --enable-ssl --enable-proxy --enable-proxy-http \
--enable-proxy-ajp --enable-proxy-balance --with-mpm=worker --with-apr=/usr/local/apr \
--with-pcre=/usr/local/pcre --prefix=/usr/local/apache2
[root@CentOS7 httpd-2.4.37]# make && make isntall

 

Create the Apache user/group and set ownership

Give the apache account only the document root. bin/, conf/, modules/ and logs/ stay owned by root: the parent httpd process runs as root and only the workers drop to User/Group, so a compromised worker must not be able to replace binaries, edit the configuration or tamper with log files.

[root@CentOS7 ~]# groupadd apache
[root@CentOS7 ~]# useradd -g apache -d /usr/local/apache2 -s /sbin/nologin apache
[root@CentOS7 ~]# chown -R apache:apache /usr/local/apache2/htdocs

 

Apache start test

Set ServerName, and also User/Group so that the workers actually run as the account created above (the compiled-in default is daemon); then check the syntax and start.

[root@CentOS7 ~]# vi /usr/local/apache2/conf/httpd.conf
ServerName www.example.com:80
User apache
Group apache
[root@CentOS7 ~]# /usr/local/apache2/bin/apachectl -t
Syntax OK
[root@CentOS7 ~]# /usr/local/apache2/bin/apachectl start

[root@CentOS7 ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1082/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1305/master
tcp        0     64 192.168.0.25:22         192.168.0.1:9938        ESTABLISHED 1417/sshd: root@pts
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::80                   :::*                    LISTEN      54092/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1082/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1305/master
[root@CentOS7 ~]#

 

Create the systemd service file

[root@CentOS7 ~]# vi /etc/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target
 
[Service]
Type=forking
#EnvironmentFile=/usr/local/apache2/bin/envvars
PIDFile=/usr/local/apache2/logs/httpd.pid
ExecStart=/usr/local/apache2/bin/apachectl start
ExecReload=/usr/local/apache2/bin/apachectl graceful
ExecStop=/usr/local/apache2/bin/apachectl stop
KillSignal=SIGCONT
PrivateTmp=true
 
 
[Install]
WantedBy=multi-user.target

[root@CentOS7 ~]# systemctl daemon-reload
[root@CentOS7 ~]# systemctl enable httpd

The instance started with apachectl above is not managed by systemd, so stop it and start the service through systemd; otherwise the start fails because port 80 is already bound.

[root@CentOS7 ~]# /usr/local/apache2/bin/apachectl stop
[root@CentOS7 ~]# systemctl start httpd

 

Firewall rules

[root@CentOS7 ~]# firewall-cmd --permanent --add-port=80/tcp
[root@CentOS7 ~]# firewall-cmd --permanent --add-port=443/tcp
[root@CentOS7 ~]# firewall-cmd --reload
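The build above hands a freshly created account to httpd and relies on httpd.conf to switch the workers to it. The following post-install audit is an added example (it is not code from the original page or from the Apache project) that checks both points: that the configuration really sets the unprivileged User/Group and hides the version, and that nothing under the install prefix except htdocs/ and logs/ is writable by that account. The prefix, the account name and the directive list are assumptions matching the layout built here.

```shell
#!/bin/sh
# Added example, not from the original page: post-install audit for the
# source-built Apache. Two checks the build steps leave to the operator:
#   1. httpd.conf switches workers to the unprivileged account and does not
#      leak version details.
#   2. Nothing under the install prefix other than htdocs/ and logs/ can be
#      modified by that account, so a compromised worker cannot rewrite
#      binaries or configuration.

# audit_httpd_conf CONF_FILE USER GROUP
# Prints one WARN line per missing or weak directive. Always returns 0 so it
# can run under 'set -e'; count the WARN lines to get the result.
audit_httpd_conf() {
    conf=$1; want_user=$2; want_group=$3
    # rule format: directive|expected value|why it matters
    for rule in \
        "User|$want_user|workers otherwise run as the compiled-in default 'daemon'" \
        "Group|$want_group|workers otherwise run with the compiled-in default group" \
        "ServerTokens|Prod|stops version disclosure in the Server header" \
        "ServerSignature|Off|stops version disclosure on error pages"
    do
        directive=${rule%%|*}
        rest=${rule#*|}
        want=${rest%%|*}
        why=${rest#*|}
        # the last uncommented occurrence wins, as it does in httpd itself
        have=$(grep -E "^[[:space:]]*$directive[[:space:]]+" "$conf" | tail -n 1 | awk '{print $2}')
        if [ "$have" != "$want" ]; then
            echo "WARN: $directive is '${have:-unset}', expected '$want' ($why)"
        fi
    done
    return 0
}

# audit_prefix_perms PREFIX USER
# Lists every path under PREFIX, except htdocs/ and logs/, that the worker
# account could modify: owned by USER, or world-writable.
audit_prefix_perms() {
    prefix=$1; user=$2
    find "$prefix" \
        \( -path "$prefix/htdocs" -o -path "$prefix/logs" \) -prune -o \
        \( -user "$user" -o -perm -002 \) -print
    return 0
}

# Usage against the layout built above (run as root on the server):
#   audit_httpd_conf /usr/local/apache2/conf/httpd.conf apache apache
#   audit_prefix_perms /usr/local/apache2 apache
```

An empty result from both functions is the expected state after the ownership step above; any path printed by audit_prefix_perms is something the apache account could use to persist or escalate.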

 

MariaDB installation

 

Create the mysql user

[root@CentOS7 ~]# useradd mysql

 

CMake 3.12 installation

[root@CentOS7 ~]# cd /usr/local/src/
[root@CentOS7 src]# wget https://cmake.org/files/v3.12/cmake-3.12.0.tar.gz
[root@CentOS7 src]# tar xvf cmake-3.12.0.tar.gz
[root@CentOS7 src]# cd cmake-3.12.0/
[root@CentOS7 cmake-3.12.0]# ./configure
[root@CentOS7 cmake-3.12.0]# gmake && make install
[root@CentOS7 cmake-3.12.0]# rm -f CMakeCache.txt

 

ncurses 6.1 installation

[root@CentOS7 ~]# cd /usr/local/src/
[root@CentOS7 src]# wget http://ftp.gnu.org/gnu/ncurses/ncurses-6.1.tar.gz
[root@CentOS7 src]# tar xvf ncurses-6.1.tar.gz
[root@CentOS7 src]# cd ncurses-6.1/
[root@CentOS7 ncurses-6.1]# ./configure --with-shared
[root@CentOS7 ncurses-6.1]# make && make install

 

MariaDB 10.3.8 installation

[root@CentOS7 ~]# cd /usr/local/src
[root@CentOS7 src]# wget --trust-server-names https://downloads.mariadb.org/f/mariadb-10.3.8/source/mariadb-10.3.8.tar.gz/from/http%3A//ftp.kaist.ac.kr/mariadb/?serve
[root@CentOS7 src]# tar xvf mariadb-10.3.8.tar.gz
[root@CentOS7 src]# cd mariadb-10.3.8/


[root@CentOS7 mariadb-10.3.8]# BUILD/autorun.sh
[root@CentOS7 mariadb-10.3.8]# export OPENSSL_ROOT_DIR=/usr/local/ssl

The /usr/local/ssl path assumes an OpenSSL built from source into that prefix; CMake's FindOpenSSL honours OPENSSL_ROOT_DIR from the environment as well as from -D, so either is enough, and the OPENSSL_INCLUDE_DIR / OPENSSL_LIBRARIES variables are outputs of that module, not inputs. If you use the openssl-devel package from yum, drop the export and the -DOPENSSL_ROOT_DIR flag and the system OpenSSL is found. Every CMake cache variable needs the -D prefix.

[root@CentOS7 mariadb-10.3.8]# cmake . \
-DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
-DMYSQL_DATADIR=/usr/local/mysql/data \
-DWITH_SSL=system \
-DOPENSSL_ROOT_DIR=/usr/local/ssl \
-DPLUGIN_TOKUDB=NO \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci


[root@CentOS7 mariadb-10.3.8]# make && make install
[root@CentOS7 mariadb-10.3.8]# chown mysql:mysql -R /usr/local/mysql/


Note: if you need to rerun cmake, delete the cache first
[root@CentOS7 mariadb-10.3.8]# rm -f CMakeCache.txt

 

mysql_install_db (create the system tables)

[root@CentOS7 mariadb-10.3.8]# su - mysql
[mysql@CentOS7 ~]$ cd /usr/local/mysql
[mysql@CentOS7 mysql]$ scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data
[mysql@CentOS7 mysql]$ exit
[root@CentOS7 ~]# usermod -s /sbin/nologin mysql

 

Write the systemd unit

[root@CentOS7 ~]# vi /usr/lib/systemd/system/mariadb.service
# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades.  If you want to customize, the
# best way is to create a file "/etc/systemd/system/mariadb.service",
# containing
#   .include /lib/systemd/system/mariadb.service
#   ...make your changes here...
# or create a file "/etc/systemd/system/mariadb.service.d/foo.conf",
# which doesn't need to include ".include" call and which will be parsed
# after the file mariadb.service itself is parsed.
#
# For more info about custom unit files, see systemd.unit(5) or
# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F

# For example, if you want to increase mariadb's open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/mariadb.service.d/limits.conf" containing:
#   [Service]
#   LimitNOFILE=10000

# Note: /usr/lib/... is recommended in the .include line though /lib/... 
# still works.
# Don't forget to reload systemd daemon after you change unit configuration:
# root> systemctl --system daemon-reload

[Unit]
Description=MariaDB database server
After=syslog.target
After=network.target

[Service]
Type=simple
User=mysql
Group=mysql

ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=/usr/local/mysql/bin/mysqld_safe --basedir=/usr/local/mysql
ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID

# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300

# Place temp files in a secure directory, not /tmp
PrivateTmp=true

[Install]
WantedBy=multi-user.target

 

mariadb-wait-ready

[root@CentOS7 ~]# vi /usr/libexec/mariadb-wait-ready

#!/bin/sh

# This script waits for mysqld to be ready to accept connections
# (which can be many seconds or even minutes after launch, if there's
# a lot of crash-recovery work to do).
# Running this as ExecStartPost is useful so that services declared as
# "After mysqld" won't be started until the database is really ready.

# Service file passes us the daemon's PID (actually, mysqld_safe's PID)
daemon_pid="$1"

# extract value of a MySQL option from config files
# Usage: get_mysql_option SECTION VARNAME DEFAULT
# result is returned in $result
# We use my_print_defaults which prints all options from multiple files,
# with the more specific ones later; hence take the last match.
get_mysql_option(){
    result=`/usr/local/mysql/bin/my_print_defaults "$1" | sed -n "s/^--$2=//p" | tail -n 1`
    if [ -z "$result" ]; then
        # not found, use default
        result="$3"
    fi
}

# Defaults here had better match what mysqld_safe will default to
get_mysql_option mysqld datadir "/usr/local/mysql/data"
datadir="$result"
get_mysql_option mysqld socket "/usr/local/mysql/data/mysql.sock"
socketfile="$result"

# Wait for the server to come up or for the mysqld process to disappear
ret=0
while /bin/true; do
    if ! [ -d "/proc/$daemon_pid" ] ; then
            ret=1
            break
    fi
    RESPONSE=`/usr/local/mysql/bin/mysqladmin --no-defaults --socket="$socketfile" --user=UNKNOWN_MYSQL_USER ping 2>&1`
    mret=$?
    if [ $mret -eq 0 ]; then
        break
    fi
    # exit codes 1, 11 (EXIT_CANNOT_CONNECT_TO_SERVICE) are expected,
    # anything else suggests a configuration error
    if [ $mret -ne 1 -a $mret -ne 11 ]; then
        ret=1
        break
    fi
    # "Access denied" also means the server is alive
    echo "$RESPONSE" | grep -q "Access denied for user" && break

    sleep 1
done

exit $ret

 

mariadb-prepare-db-dir

[root@CentOS7 ~]# vi /usr/libexec/mariadb-prepare-db-dir

#!/bin/sh

# This script creates the mysql data directory during first service start.
# In subsequent starts, it does nothing much.

# extract value of a MySQL option from config files
# Usage: get_mysql_option SECTION VARNAME DEFAULT
# result is returned in $result
# We use my_print_defaults which prints all options from multiple files,
# with the more specific ones later; hence take the last match.
get_mysql_option(){
        result=`/usr/local/mysql/bin/my_print_defaults "$1" | sed -n "s/^--$2=//p" | tail -n 1`
        if [ -z "$result" ]; then
            # not found, use default
            result="$3"
        fi
}

# Defaults here had better match what mysqld_safe will default to
get_mysql_option mysqld datadir "/usr/local/mysql/data"
datadir="$result"
get_mysql_option mysqld_safe log-error "/usr/local/mysql/data/mariadb.log"
errlogfile="$result"
get_mysql_option mysqld socket "$datadir/mysql.sock"
socketfile="$result"

# Absorb configuration settings from the specified systemd service file,
# or the default "mysqld" service if not specified
SERVICE_NAME="$1"
if [ x"$SERVICE_NAME" = x ]
then
    SERVICE_NAME=mysqld.service
fi

myuser=`systemctl show -p User "${SERVICE_NAME}" |
  sed 's/^User=//'`
if [ x"$myuser" = x ]
then
    myuser=mysql
fi

mygroup=`systemctl show -p Group "${SERVICE_NAME}" |
  sed 's/^Group=//'`
if [ x"$mygroup" = x ]
then
    mygroup=mysql
fi

# Set up the errlogfile with appropriate permissions
touch "$errlogfile"
chown "$myuser:$mygroup" "$errlogfile"
chmod 0640 "$errlogfile"
[ -x /sbin/restorecon ] && /sbin/restorecon "$errlogfile"

# We check if there is already a process using the socket file,
# since otherwise this systemd service file could report false
# positive result when starting and mysqld_safe could remove
# a socket file, which actually uses a different daemon.
if fuser "$socketfile" &>/dev/null ; then
    echo "Socket file $socketfile exists." >&2
    echo "Is another MySQL daemon already running with the same unix socket?" >&2
    exit 1
fi

# Make the data directory
if [ ! -d "$datadir/mysql" ] ; then
    # First, make sure $datadir is there with correct permissions
    # (note: if it's not, and we're not root, this'll fail ...)
    if [ ! -e "$datadir" -a ! -h "$datadir" ]
    then
        mkdir -p "$datadir" || exit 1
    fi
    chown "$myuser:$mygroup" "$datadir"
    chmod 0755 "$datadir"
    [ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"

    # Now create the database
    echo "Initializing MySQL database"
    /usr/local/mysql/scripts/mysql_install_db --datadir="$datadir" --user="$myuser"
    ret=$?
    if [ $ret -ne 0 ] ; then
        echo "Initialization of MySQL database failed." >&2
        echo "Perhaps /etc/my.cnf is misconfigured." >&2
        # Clean up any partially-created database files
        if [ ! -e "$datadir/mysql/user.frm" ] ; then
            rm -rf "$datadir"/*
        fi
        exit $ret
    fi
    # In case we're running as root, make sure files are owned properly
    chown -R "$myuser:$mygroup" "$datadir"
fi

exit 0

 

mysql_install_db

[root@CentOS7 ~]# vi /usr/libexec/mysql_install_db

#!/bin/sh
# Copyright (c) 2000, 2013, Oracle and/or its affiliates.
# Copyright (c) 2009, 2013, Monty Program Ab
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

# This scripts creates the MariaDB Server system tables
#
# All unrecognized arguments to this script are passed to mysqld.

basedir="/usr/local/mysql"
builddir=""
ldata="/usr/local/mysql/data"
langdir=""
srcdir=""

args=""
defaults=""
mysqld_opt=""
user=""

force=0
in_rpm=0
ip_only=0
cross_bootstrap=0

usage()
{
  cat <<EOF
Usage: $0 [OPTIONS]
  --basedir=path       The path to the MariaDB installation directory.
  --builddir=path      If using --srcdir with out-of-directory builds, you
                       will need to set this to the location of the build
                       directory where built files reside.
  --cross-bootstrap    For internal use.  Used when building the MariaDB system
                       tables on a different host than the target.
  --datadir=path       The path to the MariaDB data directory.
  --defaults-extra-file=name
                       Read this file after the global files are read.
  --defaults-file=name Only read default options from the given file name.
  --force              Causes mysql_install_db to run even if DNS does not
                       work.  In that case, grant table entries that
                       normally use hostnames will use IP addresses.
  --help               Display this help and exit.                     
  --ldata=path         The path to the MariaDB data directory. Same as
                       --datadir.
  --no-defaults        Don't read default options from any option file.
  --defaults-file=path Read only this configuration file.
  --rpm                For internal use.  This option is used by RPM files
                       during the MariaDB installation process.
  --skip-name-resolve  Use IP addresses rather than hostnames when creating
                       grant table entries.  This option can be useful if
                       your DNS does not work.
  --srcdir=path        The path to the MariaDB source directory.  This option
                       uses the compiled binaries and support files within the
                       source tree, useful for if you don't want to install
                       MariaDB yet and just want to create the system tables.
  --user=user_name     The login username to use for running mysqld.  Files
                       and directories created by mysqld will be owned by this
                       user.  You must be root to use this option.  By default
                       mysqld runs using your current login name and files and
                       directories that it creates will be owned by you.

All other options are passed to the mysqld program

EOF
  exit 1
}

s_echo()
{
  if test "$in_rpm" -eq 0 -a "$cross_bootstrap" -eq 0
  then
    echo "$1"
  fi
}

link_to_help()
{
  echo
  echo "The latest information about mysql_install_db is available at"
  echo "https://mariadb.com/kb/en/installing-system-tables-mysql_install_db"
}

parse_arg()
{
  echo "$1" | sed -e 's/^[^=]*=//'
}

parse_arguments()
{
  # We only need to pass arguments through to the server if we don't
  # handle them here.  So, we collect unrecognized options (passed on
  # the command line) into the args variable.
  pick_args=
  if test "$1" = PICK-ARGS-FROM-ARGV
  then
    pick_args=1
    shift
  fi

  for arg
  do
    case "$arg" in
      --force) force=1 ;;
      --basedir=*) basedir=`parse_arg "$arg"` ;;
      --builddir=*) builddir=`parse_arg "$arg"` ;;
      --srcdir=*)  srcdir=`parse_arg "$arg"` ;;
      --ldata=*|--datadir=*|--data=*) ldata=`parse_arg "$arg"` ;;
      --user=*)
        # Note that the user will be passed to mysqld so that it runs
        # as 'user' (crucial e.g. if log-bin=/some_other_path/
        # where a chown of datadir won't help)
        user=`parse_arg "$arg"` ;;
      --skip-name-resolve) ip_only=1 ;;
      --verbose) verbose=1 ;; # Obsolete
      --rpm) in_rpm=1 ;;
      --help) usage ;;
      --no-defaults|--defaults-file=*|--defaults-extra-file=*)
        defaults="$arg" ;;

      --cross-bootstrap|--windows)
        # Used when building the MariaDB system tables on a different host than
        # the target. The platform-independent files that are created in
        # --datadir on the host can be copied to the target system.
        #
        # The most common use for this feature is in the Windows installer
        # which will take the files from datadir and include them as part of
        # the install package.  See top-level 'dist-hook' make target.
        #
        # --windows is a deprecated alias
        cross_bootstrap=1 ;;

      *)
        if test -n "$pick_args"
        then
          # This sed command makes sure that any special chars are quoted,
          # so the arg gets passed exactly to the server.
          # XXX: This is broken; true fix requires using eval and proper
          # quoting of every single arg ($basedir, $ldata, etc.)
          #args="$args "`echo "$arg" | sed -e 's,\([^a-zA-Z0-9_.-]\),\\\\\1,g'`
          args="$args $arg"
        fi
        ;;
    esac
  done
}

# Try to find a specific file within --basedir which can either be a binary
# release or installed source directory and return the path.
find_in_basedir()
{
  case "$1" in
    --dir)
      return_dir=1; shift
      ;;
  esac

  file=$1; shift

  for dir in "$@"
  do
    if test -f "$basedir/$dir/$file"
    then
      if test -n "$return_dir"
      then
        echo "$basedir/$dir"
      else
        echo "$basedir/$dir/$file"
      fi
      break
    fi
  done
}

cannot_find_file()
{
  echo
  echo "FATAL ERROR: Could not find $1"

  shift
  if test $# -ne 0
  then
    echo
    echo "The following directories were searched:"
    echo
    for dir in "$@"
    do
      echo "    $dir"
    done
  fi

  echo
  echo "If you compiled from source, you need to run 'make install' to"
  echo "copy the software into the correct location ready for operation."
  echo
  echo "If you are using a binary release, you must either be at the top"
  echo "level of the extracted archive, or pass the --basedir option"
  echo "pointing to that location."
  link_to_help
}

# Ok, let's go.  We first need to parse arguments which are required by
# my_print_defaults so that we can execute it first, then later re-parse
# the command line to add any extra bits that we need.
parse_arguments PICK-ARGS-FROM-ARGV "$@"

#
# We can now find my_print_defaults.  This script supports:
#
#   --srcdir=path pointing to compiled source tree
#   --basedir=path pointing to installed binary location
#
# or default to compiled-in locations.
#
if test -n "$srcdir" && test -n "$basedir"
then
  echo "ERROR: Specify either --basedir or --srcdir, not both."
  link_to_help
  exit 1
fi
if test -n "$srcdir"
then
  if test -z "$builddir"
  then
    builddir="$srcdir"
  fi
  print_defaults="$builddir/extra/my_print_defaults"
elif test -n "$basedir"
then
  print_defaults=`find_in_basedir my_print_defaults bin extra`
  if test -z "$print_defaults"
  then
    cannot_find_file my_print_defaults $basedir/bin $basedir/extra
    exit 1
  fi
else
  print_defaults="/usr/local/mysql/bin/my_print_defaults"
fi

if test ! -x "$print_defaults"
then
  cannot_find_file "$print_defaults"
  exit 1
fi

# Now we can get arguments from the groups [mysqld] and [mysql_install_db]
# in the my.cfg file, then re-run to merge with command line arguments.
parse_arguments `"$print_defaults" $defaults --mysqld mysql_install_db`
parse_arguments PICK-ARGS-FROM-ARGV "$@"

# Configure paths to support files
if test -n "$srcdir"
then
  basedir="$builddir"
  bindir="$basedir/client"
  extra_bindir="$basedir/extra"
  mysqld="$basedir/sql/mysqld"
  langdir="$basedir/sql/share/english"
  pkgdatadir="$srcdir/scripts"
  scriptdir="$srcdir/scripts"
elif test -n "$basedir"
then
  bindir="$basedir/bin"
  extra_bindir="$bindir"
  mysqld=`find_in_basedir mysqld libexec sbin bin`
  if test -z "$mysqld"
  then
    cannot_find_file mysqld $basedir/libexec $basedir/sbin $basedir/bin
    exit 1
  fi
  langdir=`find_in_basedir --dir errmsg.sys share/english share/mysql/english`
  if test -z "$langdir"
  then
    cannot_find_file errmsg.sys $basedir/share/english $basedir/share/mysql/english
    exit 1
  fi
  pkgdatadir=`find_in_basedir --dir fill_help_tables.sql share share/mysql`
  if test -z "$pkgdatadir"
  then
    cannot_find_file fill_help_tables.sql $basedir/share $basedir/share/mysql
    exit 1
  fi
  scriptdir="$basedir/scripts"
else
  basedir="/usr"
  bindir="/usr/bin"
  extra_bindir="$bindir"
  mysqld="/usr/libexec/mysqld"
  pkgdatadir="/usr/share/mysql"
  scriptdir="/usr/bin"
fi

# Set up paths to SQL scripts required for bootstrap
fill_help_tables="$pkgdatadir/fill_help_tables.sql"
create_system_tables="$pkgdatadir/mysql_system_tables.sql"
create_system_tables2="$pkgdatadir/mysql_performance_tables.sql"
fill_system_tables="$pkgdatadir/mysql_system_tables_data.sql"

for f in "$fill_help_tables" "$create_system_tables" "$create_system_tables2" "$fill_system_tables"
do
  if test ! -f "$f"
  then
    cannot_find_file "$f"
    exit 1
  fi
done

if test ! -x "$mysqld"
then
  cannot_find_file "$mysqld"
  exit 1
fi

if test -n "$langdir"
then
  if test ! -f "$langdir/errmsg.sys"
  then
    cannot_find_file "$langdir/errmsg.sys"
    exit 1
  fi
  mysqld_opt="--lc-messages-dir=$langdir/.."
else
  mysqld_opt="--lc-messages=en_US"
fi


# Try to determine the hostname
hostname=`hostname`

# Check if hostname is valid
if test "$cross_bootstrap" -eq 0 -a "$in_rpm" -eq 0 -a "$force" -eq 0
then
  resolved=`"$extra_bindir/resolveip" $hostname 2>&1`
  if test $? -ne 0
  then
    resolved=`"$extra_bindir/resolveip" localhost 2>&1`
    if test $? -ne 0
    then
      echo "Neither host '$hostname' nor 'localhost' could be looked up with"
      echo "'$extra_bindir/resolveip'"
      echo "Please configure the 'hostname' command to return a correct"
      echo "hostname."
      echo "If you want to solve this at a later stage, restart this script"
      echo "with the --force option"
      link_to_help
      exit 1
    fi
    echo "WARNING: The host '$hostname' could not be looked up with resolveip."
    echo "This probably means that your libc libraries are not 100 % compatible"
    echo "with this binary MariaDB version. The MariaDB daemon, mysqld, should work"
    echo "normally with the exception that host name resolving will not work."
    echo "This means that you should use IP addresses instead of hostnames"
    echo "when specifying MariaDB privileges !"
  fi
fi

if test "$ip_only" -eq 1
then
  hostname=`echo "$resolved" | awk '/ /{print $6}'`
fi

# Create database directories
for dir in "$ldata" "$ldata/mysql" "$ldata/test"
do
  if test ! -d "$dir"
  then
    if ! `mkdir -p "$dir"`
    then
      echo "Fatal error Can't create database directory '$dir'"
      link_to_help
      exit 1
    fi
    chmod 700 "$dir"
  fi
  if test -n "$user"
  then
    chown $user "$dir"
    if test $? -ne 0
    then
      echo "Cannot change ownership of the database directories to the '$user'"
      echo "user.  Check that you have the necessary permissions and try again."
      exit 1
    fi
  fi
done

if test -n "$user"
then
  args="$args --user=$user"
fi

# When doing a "cross bootstrap" install, no reference to the current
# host should be added to the system tables.  So we filter out any
# lines which contain the current host name.
if test $cross_bootstrap -eq 1
then
  filter_cmd_line="sed -e '/@current_hostname/d'"
else
  filter_cmd_line="cat"
fi

# Configure mysqld command line
mysqld_bootstrap="${MYSQLD_BOOTSTRAP-$mysqld}"
mysqld_install_cmd_line()
{
  "$mysqld_bootstrap" $defaults "$mysqld_opt" --bootstrap \
  "--basedir=$basedir" "--datadir=$ldata" --log-warnings=0 --loose-skip-innodb \
  --loose-skip-ndbcluster $args --max_allowed_packet=8M \
  --default-storage-engine=myisam \
  --net_buffer_length=16K
}


# Create the system and help tables by passing them to "mysqld --bootstrap"
s_echo "Installing MariaDB/MySQL system tables in '$ldata' ..."
if { echo "use mysql;"; cat "$create_system_tables" "$create_system_tables2" "$fill_system_tables"; } | eval "$filter_cmd_line" | mysqld_install_cmd_line > /dev/null
then
  s_echo "OK"
else
  echo
  echo "Installation of system tables failed!  Examine the logs in"
  echo "$ldata for more information."
  echo
  echo "The problem could be conflicting information in an external"
  echo "my.cnf files. You can ignore these by doing:"
  echo
  echo "    shell> $scriptdir/scripts/mysql_install_db --defaults-file=~/.my.cnf"
  echo
  echo "You can also try to start the mysqld daemon with:"
  echo
  echo "    shell> $mysqld --skip-grant --general-log &"
  echo
  echo "and use the command line tool $bindir/mysql"
  echo "to connect to the mysql database and look at the grant tables:"
  echo
  echo "    shell> $bindir/mysql -u root mysql"
  echo "    mysql> show tables;"
  echo
  echo "Try 'mysqld --help' if you have problems with paths.  Using"
  echo "--general-log gives you a log in $ldata that may be helpful."
  link_to_help
  echo "MariaDB is hosted on launchpad; You can find the latest source and"
  echo "email lists at http://launchpad.net/maria"
  echo
  echo "Please check all of the above before submitting a bug report"
  echo "at http://mariadb.org/jira"
  echo
  exit 1
fi

s_echo "Filling help tables..."
if { echo "use mysql;"; cat "$fill_help_tables"; } | mysqld_install_cmd_line > /dev/null
then
  s_echo "OK"
else
  echo
  echo "WARNING: HELP FILES ARE NOT COMPLETELY INSTALLED!"
  echo "The \"HELP\" command might not work properly."
fi

# Don't output verbose information if running inside bootstrap or using
# --srcdir for testing.  In such cases, there's no end user looking at
# the screen.
if test "$cross_bootstrap" -eq 0 && test -z "$srcdir"
then
  s_echo
  s_echo "To start mysqld at boot time you have to copy"
  s_echo "support-files/mysql.server to the right place for your system"

  echo
  echo "PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !"
  echo "To do so, start the server, then issue the following commands:"
  echo
  echo "'$bindir/mysqladmin' -u root password 'new-password'"
  echo "'$bindir/mysqladmin' -u root -h $hostname password 'new-password'"
  echo
  echo "Alternatively you can run:"
  echo "'$bindir/mysql_secure_installation'"
  echo
  echo "which will also give you the option of removing the test"
  echo "databases and anonymous user created by default.  This is"
  echo "strongly recommended for production servers."
  echo
  echo "See the MariaDB Knowledgebase at http://mariadb.com/kb or the"
  echo "MySQL manual for more instructions."

  if test "$in_rpm" -eq 0
  then
    echo
    echo "You can start the MariaDB daemon with:"
    echo "cd '$basedir' ; $bindir/mysqld_safe --datadir='$ldata'"
    echo
    echo "You can test the MariaDB daemon with mysql-test-run.pl"
    echo "cd '$basedir/mysql-test' ; perl mysql-test-run.pl"
  fi

  echo
  echo "Please report any problems at http://mariadb.org/jira"
  echo
  echo "The latest information about MariaDB is available at http://mariadb.org/."
  echo "You can find additional information about the MySQL part at:"
  echo "http://dev.mysql.com"
  echo "Support MariaDB development by buying support/new features from MariaDB"
  echo "Corporation Ab. You can contact us about this at sales@mariadb.com."
  echo "Alternatively consider joining our community based development effort:"
  echo "http://mariadb.com/kb/en/contributing-to-the-mariadb-project/"
  echo
fi

exit 0

 

Make the scripts executable

[root@CentOS7 ~]# chmod +x /usr/libexec/mariadb-wait-ready
[root@CentOS7 ~]# chmod +x /usr/libexec/mariadb-prepare-db-dir
[root@CentOS7 ~]# chmod +x /usr/libexec/mysql_install_db

 

my.cnf configuration

The [client] section lets mysql and mysqladmin find the relocated socket without an environment variable; bind-address keeps the TCP listener on loopback, which is all a PHP application on the same host needs (remove it if remote clients must connect).

[root@CentOS7 ~]# vi /etc/my.cnf

[mysqld]
basedir=/usr/local/mysql
datadir=/usr/local/mysql/data
socket=/var/lib/mysql/mysql.sock
lc_messages_dir=/usr/local/mysql/share
bind-address=127.0.0.1

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/lib/mysql/mariadb.pid

[client]
socket=/var/lib/mysql/mysql.sock

 

Create the log and socket directories

[root@CentOS7 ~]# mkdir -p /var/lib/mysql
[root@CentOS7 ~]# chown mysql:mysql /var/lib/mysql
[root@CentOS7 ~]# mkdir /var/log/mariadb
[root@CentOS7 ~]# chown mysql:mysql /var/log/mariadb
[root@CentOS7 ~]# export MYSQL_UNIX_PORT=/var/lib/mysql/mysql.sock

 

Reload systemd and start MariaDB

[root@CentOS7 ~]# systemctl daemon-reload
[root@CentOS7 ~]# systemctl start mariadb
[root@CentOS7 ~]# systemctl enable mariadb

 

mysql_secure_installation

[root@CentOS7 ~]# vi .bash_profile

PATH=$PATH:$HOME/bin:/usr/local/mysql/bin

export PATH
export MYSQL_UNIX_PORT=/var/lib/mysql/mysql.sock



[root@CentOS7 ~]# source .bash_profile

[root@CentOS7 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@CentOS7 ~]#
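The dialog above reports success, but the state worth verifying is in the grant tables themselves. The script below is an added example (not from the original page or from MariaDB) that reads the batch output of a query over mysql.user and flags exactly the accounts mysql_secure_installation is meant to remove or restrict: anonymous users, root reachable from anything but the local host, and accounts with neither a password hash nor an authentication plugin. The query, the column layout (MariaDB 10.3 as built here) and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or from MariaDB: checks the
# grant tables for the accounts mysql_secure_installation should have
# removed or locked down. Feed it the batch output (no header, tab
# separated) of:
#   mysql -uroot -p -N -B -e "SELECT User, Host, Password, plugin FROM mysql.user"
# Column layout assumed: the mysql.user table of MariaDB 10.3.

# audit_mysql_users < TSV
# Prints one WARN line per finding; always returns 0 so it runs under 'set -e'.
audit_mysql_users() {
    awk -F'\t' '
        { user = $1; host = $2; pw = $3; plugin = $4 }
        # anonymous accounts: anyone can connect as ""@host
        user == "" { print "WARN: anonymous account @" host; next }
        # root should only be reachable over the socket / loopback
        user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1" {
            print "WARN: root login allowed from host " host
        }
        # no password hash and no auth plugin (e.g. unix_socket) = open account
        pw == "" && plugin == "" {
            print "WARN: " user "@" host " has no password and no auth plugin"
        }
    '
    return 0
}

# count_warnings < TSV  -> number of WARN lines (0 when the tables are clean)
count_warnings() {
    audit_mysql_users | grep -c '^WARN' || true
}

# Constructed sample: what a fresh install looks like before hardening
# (root@localhost with no password, root from anywhere, an anonymous user,
# and root@<hostname>). Not real data from the server above.
SAMPLE_BEFORE=$(printf 'root\tlocalhost\t\t\nroot\t%%\t\t\n\tlocalhost\t\t\nroot\tcentos7\t\t\n')

# Usage on the server after the dialog above:
#   mysql -uroot -p -N -B -e "SELECT User, Host, Password, plugin FROM mysql.user" | audit_mysql_users
```

Run it after the dialog and again after any later GRANT; a clean result is no output, and the sample rows in SAMPLE_BEFORE show what a fresh install produces before the dialog has been run.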

Mariadb Status
[root@CentOS7 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.3.8-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> status;
--------------
mysql  Ver 15.1 Distrib 10.3.8-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          17
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.8-MariaDB Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 2 min 0 sec

Threads: 7  Questions: 20  Slow queries: 0  Opens: 18  Flush tables: 1  Open tables: 12  Queries per second avg: 0.166
--------------

MariaDB [(none)]> quit;
Bye
[root@CentOS7 ~]#

 

Check that mariadb is running

[root@CentOS7 ~]# systemctl status mariadb
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-12-01 03:43:37 KST; 8s ago
  Process: 2028 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2002 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 2027 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─2027 /bin/sh /usr/local/mysql/bin/mysqld_safe --basedir=/usr
           └─2125 /usr/local/mysql/bin/mysqld --basedir=/usr --datadir=/usr/local/mysql/data --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/lib/mysql/mariadb.pid --socket=/var/lib/mysql/mysql.sock

Dec 01 03:43:36 CentOS7 systemd[1]: Starting MariaDB database server...
Dec 01 03:43:36 CentOS7 mysqld_safe[2027]: 181201 03:43:36 mysqld_safe Logging to '/var/log/mariadb/mariadb.log'.
Dec 01 03:43:36 CentOS7 mysqld_safe[2027]: 181201 03:43:36 mysqld_safe Starting mysqld daemon with databases from /usr/local/mysql/data
Dec 01 03:43:37 CentOS7 systemd[1]: Started MariaDB database server.
[root@CentOS7 ~]#

 

Settings required for PHP 7.2

[root@CentOS7 ~]# mv /usr/local/mysql/include /usr/local/mysql/include.def
[root@CentOS7 ~]# mkdir -p /usr/local/mysql/include/mysql
[root@CentOS7 ~]# chown -R mysql:mysql /usr/local/mysql/include
[root@CentOS7 ~]# cd /usr/local/src/mariadb-10.3.8/include
[root@CentOS7 include]# cp -rf ./* /usr/local/mysql/include/mysql

 

Install PHP 7.2

 

Download the php-7.2.12.tar file

[root@CentOS7 ~]# cd /usr/local/src/
[root@CentOS7 src]# wget --trust-server-names http://jp2.php.net/get/php-7.2.12.tar.xz/from/this/mirror
[root@CentOS7 src]# tar xvf php-7.2.12.tar.xz
[root@CentOS7 src]# cd php-7.2.12/

 

Install php-7.2

[root@CentOS7 php-7.2.12]# ./configure --prefix=/usr/local/php \
--with-config-file-path=/etc \
--with-apxs2=/usr/local/apache2/bin/apxs \
--with-config-file-scan-dir=/etc/php/php.d --with-zlib-dir --enable-mbstring --with-curl \
--with-zlib --disable-rpath --enable-inline-optimization --enable-sockets \
--with-mysqli --with-openssl --with-fpm-user=nobody --with-fpm-group=nobody \
--with-mysql-sock=/var/lib/mysql/mysql.sock \
--with-pdo-mysql --enable-zip 

[root@CentOS7 php-7.2.12]# make && make install

 

httpd.conf file

[root@CentOS7 ~]# vi /usr/local/apache2/conf/httpd.conf

    AddType application/x-httpd-php .php .phtml
    AddType application/x-httpd-php-source .phps

    DirectoryIndex index.php index.html


[root@CentOS7 ~]# systemctl restart httpd

 

phpinfo

[root@CentOS7 ~]# vi /usr/local/apache2/htdocs/test.php
<?php phpinfo(); ?>

 

 

RHEL 8.0 Beta Version

 

Downloading the RHEL 8.0 Beta version requires an RHN ID with a subscription.

Details are available at the sites below.

rhel 8.0 site : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/

https://cockpit-project.org/

 

Additions: a Web Console has been added, the dnf command is used, the network daemon has been removed(??), and so on.

Also, when I checked yum grouplist, I could not find Desktop.

yum grouplist 

[root@rhel80 ~]# yum grouplist
~ (output omitted)
Available Environment Groups:
   Minimal Install
   Custom Operating System
Installed Environment Groups:
   Server
Installed Groups:
   Development Tools
   Graphical Administration Tools
   Legacy UNIX Compatibility
Available Groups:
   Headless Management
   Network Servers
   Scientific Support
   Security Tools
   System Tools
[root@rhel80 ~]#

 

 

Installation screens

(Explanation omitted.)
ubuntu 16.04 OpenVPN Server / Client

 

Reference site: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

 

Before installing OpenVPN, update all packages on the system.

test@ubuntu-vpn:~$ sudo apt upgrade -y

 

Install OpenVPN

test@ubuntu-vpn:~$ sudo apt install -y openvpn

 

Download and extract EasyRSA.

test@vpn-test:~$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
test@vpn-test:~$ tar xvf EasyRSA-3.0.4.tgz
test@vpn-test:~$ cd EasyRSA-3.0.4/

 

Copy and edit the vars file.

test@ubuntu-vpn:~$ cd EasyRSA-3.0.4/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ cp vars.example vars
test@ubuntu-vpn:~/EasyRSA-3.0.4$ vi vars

~ (omitted)
set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"

 

Create the CA using the edited vars.

Create the pki directory

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/test/EasyRSA-3.0.4/pki

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

With the nopass option, setup proceeds without a password.

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
....................................................................................................+++
writing new private key to '/home/test/EasyRSA-3.0.4/pki/private/ca.key.kMZbbLCFHN'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/test/EasyRSA-3.0.4/pki/ca.crt

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Creating the server certificate

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............+++
.........................................................+++
writing new private key to '/home/test/EasyRSA-3.0.4/pki/private/server.key.smJLxpp4h4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /home/test/EasyRSA-3.0.4/pki/reqs/server.req
key: /home/test/EasyRSA-3.0.4/pki/private/server.key

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Copy the server.key file

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp pki/private/server.key /etc/openvpn/

 

Create the server.crt file; answer yes to complete the signing.

Enter yes when prompted

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Nov  3 08:59:07 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/test/EasyRSA-3.0.4/pki/issued/server.crt

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Copy the crt files.

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp pki/issued/server.crt /etc/openvpn/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp pki/ca.crt /etc/openvpn/

 

Generate the Diffie-Hellman key

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+
~ (omitted)


DH parameters of size 2048 created at /home/test/EasyRSA-3.0.4/pki/dh.pem

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Generate ta.key

test@ubuntu-vpn:~/EasyRSA-3.0.4$ openvpn --genkey --secret ta.key
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp ta.key /etc/openvpn/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp pki/dh.pem /etc/openvpn/

 

Create the openvpn-config directory and set its permissions

test@ubuntu-vpn:~/EasyRSA-3.0.4$ mkdir -p ~/openvpn-config/key
test@ubuntu-vpn:~/EasyRSA-3.0.4$ chmod -R 700 ~/openvpn-config

 

Create the client certificate

test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa gen-req user01 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
..................+++
writing new private key to '/home/test/EasyRSA-3.0.4/pki/private/user01.key.xoi765b604'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [user01]:

Keypair and certificate request completed. Your files are:
req: /home/test/EasyRSA-3.0.4/pki/reqs/user01.req
key: /home/test/EasyRSA-3.0.4/pki/private/user01.key

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Copy user01.key.

test@ubuntu-vpn:~/EasyRSA-3.0.4$ cp pki/private/user01.key ~/openvpn-config/key/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ ./easyrsa sign-req client user01

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = user01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'user01'
Certificate is to be certified until Nov  3 09:06:29 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/test/EasyRSA-3.0.4/pki/issued/user01.crt

test@ubuntu-vpn:~/EasyRSA-3.0.4$

 

Copy the user01 crt file

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp pki/issued/user01.crt ~/openvpn-config/key/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp ta.key ~/openvpn-config/key/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp /etc/openvpn/ca.crt ~/openvpn-config/key/

 

Copy and extract server.conf.gz

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo gzip -d /etc/openvpn/server.conf.gz

 

server.conf settings

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo vi /etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret
key-direction 0

cipher AES-128-CBC   # AES
auth SHA256

;dh dh2048.pem
dh dh.pem

user nobody
group nogroup

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

 

sysctl.conf settings

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo vi /etc/sysctl.conf
net.ipv4.ip_forward=1

test@ubuntu-vpn:~/EasyRSA-3.0.4$ sudo sysctl -p
net.ipv4.ip_forward = 1

 

UFW settings

Check which NIC device is used for the default gateway.

test@ubuntu-vpn:~$ ip route |grep default
default via 192.168.0.2 dev ens33

 

Configure ufw.

test@ubuntu-vpn:~$ sudo vi /etc/ufw/before.rules
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# ens33 MASQUERADE settings
-A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE
COMMIT
# END OPENVPN RULES
#

 

/etc/default/ufw settings

Change DROP => ACCEPT.

test@ubuntu-vpn:~$ sudo vi /etc/default/ufw
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"

 

Add ufw services

test@ubuntu-vpn:~$ sudo ufw allow 1194/udp
Rules updated
Rules updated (v6)
test@ubuntu-vpn:~$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
test@ubuntu-vpn:~$ sudo ufw disable
Firewall stopped and disabled on system startup
test@ubuntu-vpn:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
test@ubuntu-vpn:~$

 

Enable and start the OpenVPN server

test@ubuntu-vpn:~$ sudo systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /lib/systemd/system/openvpn@.service.
test@ubuntu-vpn:~$ sudo systemctl start openvpn@server

 

Running ifconfig now shows the tun0 device.

test@ubuntu-vpn:~$ ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:18:c3:ea
          inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe18:c3ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3098 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:729938 (729.9 KB)  TX bytes:531750 (531.7 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:13296 (13.2 KB)  TX bytes:13296 (13.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

test@ubuntu-vpn:~$

 

base.conf settings

test@ubuntu-vpn:~$ mkdir ~/openvpn-config/files
test@ubuntu-vpn:~$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-config/base.conf
test@ubuntu-vpn:~$ vi ~/openvpn-config/base.conf
remote 192.168.0.12 1194

user nobody
group nogroup


#ca ca.crt
#cert client.crt
#key client.key

cipher AES-256-CBC
auth SHA256
key-direction 1


# At the very bottom

;mute 20


# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

 

Write the make_config.sh script

test@ubuntu-vpn:~$ vi ~/openvpn-config/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-config/key
OUTPUT_DIR=~/openvpn-config/files
BASE_CONFIG=~/openvpn-config/base.conf

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn


test@ubuntu-vpn:~$ chmod 700 ~/openvpn-config/make_config.sh

 

Generate the user01 client profile

test@ubuntu-vpn:~$ cd openvpn-config/
test@ubuntu-vpn:~/openvpn-config$ sudo ./make_config.sh user01
test@ubuntu-vpn:~/openvpn-config$ cd files/
test@ubuntu-vpn:~/openvpn-config/files$ sudo cp ../key/ta.key .
test@ubuntu-vpn:~/openvpn-config/files$ sudo chmod 644 ta.key

 

The files needed to connect are in ~/openvpn-config/files.

test@ubuntu-vpn:~$ ls -al openvpn-config/files/
total 24
drwxrwxr-x 2 test test  4096 Nov  6 18:19 .
drwx------ 4 test test  4096 Nov  6 18:17 ..
-rw-r--r-- 1 root root   636 Nov  6 18:19 ta.key
-rw-r--r-- 1 root root 11545 Nov  6 18:18 user01.ovpn
test@ubuntu-vpn:~$

 

Ubuntu OpenVPN Client

 

Install openvpn

test@ubuntu-client:~$ sudo apt update
test@ubuntu-client:~$ sudo apt install -y openvpn
test@ubuntu-client:~$ sudo snap install easy-openvpn

 

Copy the user01 profile

test@ubuntu-vpn:~/openvpn-config/files$ scp user01.ovpn test@192.168.0.14:/home/test/openvpn/
test@ubuntu-vpn:~/openvpn-config/files$ scp ta.key  test@192.168.0.14:/home/test/openvpn/

 

Connection test

test@ubuntu-client:~/openvpn$ sudo openvpn --config user01.ovpn

~ (omitted)
option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Nov  7 15:56:52 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov  7 15:56:52 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov  7 15:56:52 2018 OPTIONS IMPORT: route options modified
Wed Nov  7 15:56:52 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Nov  7 15:56:52 2018 ROUTE_GATEWAY 192.168.0.2/255.255.255.0 IFACE=ens33 HWADDR=00:0c:29:0f:e7:2a
Wed Nov  7 15:56:52 2018 TUN/TAP device tun0 opened
Wed Nov  7 15:56:52 2018 TUN/TAP TX queue length set to 100
Wed Nov  7 15:56:52 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Nov  7 15:56:52 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed Nov  7 15:56:52 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Wed Nov  7 15:56:52 2018 /sbin/ip route add 192.168.0.12/32 dev ens33
Wed Nov  7 15:56:52 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Wed Nov  7 15:56:52 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Wed Nov  7 15:56:52 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Nov  7 15:56:52 2018 GID set to nogroup
Wed Nov  7 15:56:52 2018 UID set to nobody
Wed Nov  7 15:56:52 2018 Initialization Sequence Completed

 

Once the VPN connects successfully, the tun0 device is visible.

test@ubuntu-client:~$ ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:0f:e7:2a
          inet addr:192.168.0.14  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0f:e72a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:918 errors:0 dropped:0 overruns:0 frame:0
          TX packets:763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:102521 (102.5 KB)  TX bytes:155757 (155.7 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:13296 (13.2 KB)  TX bytes:13296 (13.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

test@ubuntu-client:~$

 

Add to systemd

test@ubuntu-client:~/openvpn$ sudo vi /lib/systemd/system/openvpn-client.service
[Unit]
Description=test.com OpenVPN Kr Service
After=multi-user.target

[Service]
Type=idle
ExecStart=/usr/sbin/openvpn --config /home/test/openvpn/user01.ovpn

[Install]
WantedBy=multi-user.target

test@ubuntu-client:~/openvpn$ sudo chmod 644 /lib/systemd/system/openvpn-client.service

 

Enable and run with systemd

test@ubuntu-client:~/openvpn$ sudo systemctl daemon-reload
test@ubuntu-client:~/openvpn$ sudo systemctl enable openvpn-client
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-client.service to /lib/systemd/system/openvpn-client.service.
test@ubuntu-client:~/openvpn$ sudo systemctl start openvpn-client
test@ubuntu-client:~/openvpn$ sudo systemctl status openvpn-client
● openvpn-client.service - test.com OpenVPN Kr Service
   Loaded: loaded (/lib/systemd/system/openvpn-client.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-11-07 16:02:04 KST; 32s ago
 Main PID: 2034 (openvpn)
    Tasks: 1
   Memory: 828.0K
      CPU: 35ms
   CGroup: /system.slice/openvpn-client.service
           └─2034 /usr/sbin/openvpn --config /home/test/openvpn/user01.ovpn

Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 ERROR: Linux route add command failed: external program exited
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 GID set to nogroup
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 UID set to nobody
Nov 07 16:02:06 ubuntu-client openvpn[2034]: Wed Nov  7 16:02:06 2018 Initialization Sequence Completed

 

Reboot the system and verify operation

test@ubuntu-client:~/openvpn$ sudo init 6
test@ubuntu-client:~$ ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:0f:e7:2a
          inet addr:192.168.0.14  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0f:e72a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:30427 (30.4 KB)  TX bytes:33460 (33.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:13296 (13.2 KB)  TX bytes:13296 (13.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:1216 (1.2 KB)

test@ubuntu-client:~$ systemctl status openvpn-client
● openvpn-client.service - test.com OpenVPN Kr Service
   Loaded: loaded (/lib/systemd/system/openvpn-client.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-11-07 16:04:43 KST; 7min ago
 Main PID: 1312 (openvpn)
    Tasks: 1
   Memory: 1.7M
      CPU: 157ms
   CGroup: /system.slice/openvpn-client.service
           └─1312 /usr/sbin/openvpn --config /home/test/openvpn/user01.ovpn

Nov 07 16:10:59 ubuntu-client openvpn[1312]: Wed Nov  7 16:10:59 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifi
Nov 07 16:10:59 ubuntu-client openvpn[1312]: Wed Nov  7 16:10:59 2018 Preserving previous TUN/TAP instance: tun0
Nov 07 16:10:59 ubuntu-client openvpn[1312]: Wed Nov  7 16:10:59 2018 Initialization Sequence Completed
Nov 07 16:11:09 ubuntu-client openvpn[1312]: Wed Nov  7 16:11:09 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:11:20 ubuntu-client openvpn[1312]: Wed Nov  7 16:11:20 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:11:30 ubuntu-client openvpn[1312]: Wed Nov  7 16:11:30 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:11:40 ubuntu-client openvpn[1312]: Wed Nov  7 16:11:40 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:11:51 ubuntu-client openvpn[1312]: Wed Nov  7 16:11:51 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:12:01 ubuntu-client openvpn[1312]: Wed Nov  7 16:12:01 2018 Authenticate/Decrypt packet error: cipher final failed
Nov 07 16:12:10 ubuntu-client openvpn[1312]: Wed Nov  7 16:12:10 2018 Authenticate/Decrypt packet error: cipher final failed

test@ubuntu-client:~$

 

If the message "Authenticate/Decrypt packet error: cipher final failed" appears, the configuration needs to be checked. In this walkthrough server.conf sets cipher AES-128-CBC while base.conf sets cipher AES-256-CBC; the cipher and auth settings must be identical on both sides, since the TLS handshake can succeed while every data-channel packet then fails to decrypt.
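The following script is an added example, not part of the original post or of OpenVPN itself: it checks that the client profile assembled by make_config.sh has every inline block and that its cipher, auth and key-direction agree with server.conf, which is exactly the mismatch behind the error above. The sample server.conf and user01.ovpn it writes are constructed here with placeholder PEM bodies.

```shell
#!/bin/bash
# Added example (not from the original post). On OpenVPN 2.3 (Ubuntu 16.04) a
# client/server mismatch in the data-channel cipher or auth shows up only after
# the tunnel is up, as "Authenticate/Decrypt packet error: cipher final failed".

# Effective value of a directive: the last uncommented occurrence wins.
vpn_directive() {  # usage: vpn_directive <config-file> <directive>
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Compare server.conf with a client profile. Returns 0 when cipher and auth
# agree and key-direction is 0 on the server and 1 on the client.
check_vpn_match() {  # usage: check_vpn_match <server.conf> <client.ovpn>
    local srv="$1" cli="$2" rc=0 d s c
    for d in cipher auth; do
        s=$(vpn_directive "$srv" "$d"); c=$(vpn_directive "$cli" "$d")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $d: server='$s' client='$c'" >&2; rc=1
        fi
    done
    s=$(vpn_directive "$srv" key-direction); c=$(vpn_directive "$cli" key-direction)
    if [ "$s" != 0 ] || [ "$c" != 1 ]; then
        echo "key-direction must be 0 (server) / 1 (client), got '$s' / '$c'" >&2; rc=1
    fi
    return $rc
}

# Verify the inline blocks make_config.sh concatenates into the .ovpn: each of
# <ca>, <cert>, <key>, <tls-auth> must be opened, closed and contain PEM data
# (a missing or empty file in key/ would otherwise produce an empty block).
check_ovpn_inline() {  # usage: check_ovpn_inline <client.ovpn>
    local f="$1" tag rc=0
    for tag in ca cert key tls-auth; do
        if ! awk -v t="$tag" '
            $0 == ("<" t ">")  { inblk = 1; next }
            $0 == ("</" t ">") { inblk = 0; closed = 1; next }
            inblk && /^-----BEGIN / { pem = 1 }
            END { exit !(closed && pem) }' "$f"; then
            echo "inline <$tag> block missing, unclosed or empty in $f" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs mirroring the walkthrough (placeholder PEM bodies).
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
EOF
cat > "$WORK/user01.ovpn" <<'EOF'
cipher AES-256-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# As in the walkthrough, the profile says AES-256-CBC while the server is set
# to AES-128-CBC, so the first check reports a MISMATCH; the inline blocks pass.
check_vpn_match "$WORK/server.conf" "$WORK/user01.ovpn" || echo "fix the cipher in base.conf before handing out user01.ovpn"
check_ovpn_inline "$WORK/user01.ovpn" && echo "inline blocks OK"
```

Run it against the real /etc/openvpn/server.conf and ~/openvpn-config/files/user01.ovpn before copying the profile to a client.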