RHCE实验环境搭建基于RHEL 8的DHCP与HTTPS服务双配置实战1. 实验环境准备与本地源配置在RHEL 8系统中配置本地yum源是搭建实验环境的第一步。与RHEL 7不同RHEL 8采用了AppStream和BaseOS双仓库设计这要求我们在配置时需要特别注意路径结构。本地源配置步骤挂载ISO镜像文件mkdir -p /mnt/cdrom mount /dev/sr0 /mnt/cdrom创建本地repo配置文件cat /etc/yum.repos.d/local.repo EOF [BaseOS] nameBaseOS baseurlfile:///mnt/cdrom/BaseOS enabled1 gpgcheck0 [AppStream] nameAppStream baseurlfile:///mnt/cdrom/AppStream enabled1 gpgcheck0 EOF验证源配置yum clean all yum makecache yum repolist注意如果系统中有其他网络源配置文件建议暂时禁用或备份这些文件以避免潜在的软件包冲突。常见问题排查挂载点权限问题确保/mnt/cdrom目录有足够权限ISO文件完整性使用file命令检查ISO是否完整路径错误确认BaseOS和AppStream目录确实存在于挂载点2. DHCP服务器配置实战DHCP服务是企业网络中不可或缺的基础服务RHCE考试中常考察多网段DHCP配置能力。下面我们将配置一个支持双网段的DHCP服务器。安装DHCP服务包yum install -y dhcp-server配置DHCP主配置文件cat /etc/dhcp/dhcpd.conf EOF option domain-name example.com; default-lease-time 600; max-lease-time 7200; authoritative; subnet 172.24.8.0 netmask 255.255.255.0 { range 172.24.8.100 172.24.8.200; option routers 172.24.8.1; option domain-name-servers 8.8.8.8; option broadcast-address 172.24.8.255; } subnet 192.168.168.0 netmask 255.255.255.0 { range 192.168.168.100 192.168.168.200; option routers 192.168.168.1; option domain-name-servers 8.8.4.4; option broadcast-address 192.168.168.255; } host fixed-client1 { hardware ethernet 00:0c:29:aa:bb:cc; fixed-address 172.24.8.8; } host fixed-client2 { hardware ethernet 00:0c:29:dd:ee:ff; fixed-address 192.168.168.168; } EOF启动并验证DHCP服务systemctl enable --now dhcpd systemctl status dhcpd客户端测试在另一台测试机上执行dhclient -v eth0 ip addr show eth0关键参数说明参数说明示例值default-lease-time默认租约时间(秒)600max-lease-time最大租约时间(秒)7200rangeIP地址分配范围172.24.8.100-172.24.8.200option routers默认网关172.24.8.1fixed-address固定IP分配172.24.8.83. HTTPS网站配置与访问控制在RHEL 8上配置HTTPS网站需要考虑SELinux上下文和防火墙设置这是RHCE考试的重点考察内容。安装必要软件包yum install -y httpd mod_ssl openssl创建网站目录结构mkdir -p /www/{https,secret} echo zuoye /www/https/index.html echo mimi /www/secret/mimi.html配置SSL证书cd /etc/pki/tls/certs openssl req -newkey rsa:2048 -nodes -keyout www.zuoye.com.key \ -x509 -days 365 -out www.zuoye.com.crt \ -subj /CNwww.zuoye.com chmod 600 www.zuoye.com.*创建虚拟主机配置cat /etc/httpd/conf.d/zuoye.conf EOF VirtualHost *:22222 ServerName www.zuoye.com DocumentRoot /www/https SSLEngine on SSLCertificateFile /etc/pki/tls/certs/www.zuoye.com.crt SSLCertificateKeyFile /etc/pki/tls/certs/www.zuoye.com.key Alias /mimi /www/secret/mimi.html Directory /www/secret AuthType Basic AuthName Restricted Content AuthUserFile /etc/httpd/conf/.htpasswd Require user xiaoming /Directory /VirtualHost EOF创建用户认证文件mkdir -p /etc/httpd/conf htpasswd -c /etc/httpd/conf/.htpasswd xiaoming调整SELinux和防火墙semanage port -a -t http_port_t -p tcp 22222 firewall-cmd --add-port22222/tcp --permanent firewall-cmd --reload启动服务并测试systemctl enable --now httpd curl -k https://www.zuoye.com:22222 curl -k https://www.zuoye.com:22222/mimi -u xiaoming4. 服务整合与连通性测试完成DHCP和HTTPS服务配置后我们需要验证两个服务能否协同工作这是RHCE考试中常被忽视但实际工作中非常重要的环节。DHCP客户端获取IP后访问HTTPS网站在客户端通过DHCP获取IP地址在客户端配置本地hosts解析echo 192.168.168.135 www.zuoye.com /etc/hosts测试HTTPS访问# 测试公开内容 curl -k https://www.zuoye.com:22222 # 测试受保护内容需要认证 curl -k https://www.zuoye.com:22222/mimi -u xiaoming排错检查清单确认DHCP分配的IP与HTTPS服务器IP在同一网段检查防火墙是否放行了22222端口验证SELinux上下文是否正确ls -Z /www/ restorecon -Rv /www/查看服务日志获取详细错误信息journalctl -u dhcpd -f tail -f /var/log/httpd/error_log服务状态监控命令命令用途示例输出关键点ss -tulnp查看端口监听状态确保22222端口被httpd监听dhcpd -t检查DHCP配置语法显示Configuration file checks outapachectl configtest检查Apache配置显示Syntax OKcurl -v详细HTTP请求信息查看SSL握手过程和响应状态码5. 高级配置与优化技巧对于追求更高分数和实际应用场景的读者以下高级技巧可以帮助你更好地掌握RHCE考试要点。DHCP服务优化配置DHCP故障转移需两台DHCP服务器# 在主服务器上 failover peer dhcp-failover { primary; address 192.168.168.135; port 647; peer address 192.168.168.136; max-response-delay 60; max-unacked-updates 10; load balance max seconds 3; } # 在从服务器上 failover peer dhcp-failover { secondary; address 192.168.168.136; port 647; peer address 192.168.168.135; max-response-delay 60; max-unacked-updates 10; load balance max seconds 3; }使用DHCP选项提供更多信息option ntp-servers 192.168.168.135; option time-offset -18000; # 东五区HTTPS安全加固禁用不安全的SSL/TLS协议和加密套件# 在zuoye.conf中添加 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 SSLHonorCipherOrder on启用HTTP严格传输安全(HSTS)Header always set Strict-Transport-Security max-age63072000; includeSubDomains; preload自动化部署脚本示例#!/bin/bash # 自动部署DHCP和HTTPS服务 # 配置本地源 configure_yum_repo() { mount /dev/sr0 /mnt /dev/null cat /etc/yum.repos.d/local.repo EOF [BaseOS] nameBaseOS baseurlfile:///mnt/BaseOS enabled1 gpgcheck0 [AppStream] nameAppStream baseurlfile:///mnt/AppStream enabled1 gpgcheck0 EOF yum clean all yum makecache } # 安装必要软件 install_packages() { yum install -y dhcp-server httpd mod_ssl openssl policycoreutils-python-utils } # 配置DHCP setup_dhcp() { cat /etc/dhcp/dhcpd.conf DHCP_EOF [...DHCP配置内容...] DHCP_EOF systemctl enable --now dhcpd } # 配置HTTPS setup_https() { [...HTTPS配置内容...] systemctl enable --now httpd } main() { configure_yum_repo install_packages setup_dhcp setup_https echo 部署完成 } main