
DNS (master/slave) + DNAT + LAMP architecture deployment

Posted: 2022-08-30 20:47:03

Network architecture diagram

1. Machine preparation

VM size: 2 vCPU, 2 GB memory, 100 GB disk
10.10.10.100    lamp-wordpress.chen.org
10.10.10.110    lamp-shopxo.chen.org
10.10.10.120    lamp-mysql.chen.org
10.10.10.250    lamp-nat.chen.org
192.168.247.250 lamp-nat.chen.org
192.168.247.240 lamp-dns-master.chen.org
192.168.247.230 lamp-dns-slave.chen.org

2. Base environment configuration

Configure the IP address

cat network-script.sh
#!/bin/bash
# Usage: ./network-script.sh <last octet>   e.g. ./network-script.sh 100 -> 10.10.10.100
#read -p "Please enter your IP address: " ip
if [ -z "$1" ]; then
    echo "Usage: $0 <last octet of the 10.10.10.0/24 address>" >&2
    exit 1
fi
# Write a static configuration for eth0; gateway and DNS both point at the NAT node
cat >/etc/sysconfig/network-scripts/ifcfg-eth0 <<EOF
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.10.$1
PREFIX=24
GATEWAY=10.10.10.250
DNS1=10.10.10.250
EOF
# Reload the profile and bounce the connection so the new address takes effect
nmcli c reload
nmcli c down eth0
nmcli c up eth0

Set the hostname (run the matching line on each machine)

hostnamectl set-hostname lamp-wordpress.chen.org 
hostnamectl set-hostname lamp-shopxo.chen.org    
hostnamectl set-hostname lamp-mysql.chen.org 
hostnamectl set-hostname lamp-nat.chen.org     
hostnamectl set-hostname lamp-dns-master.chen.org
hostnamectl set-hostname lamp-dns-slave.chen.org 

Disable SELinux and the firewall

systemctl stop firewalld && systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0

3. DNS master/slave deployment

Master node configuration

yum install bind bind-utils

[root@lamp-dns-master ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//    listen-on port 53 { 127.0.0.1; };
//    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file    "/var/named/data/named.secroots";
    recursing-file    "/var/named/data/named.recursing";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@lamp-dns-master ~]# 
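Two things in the master's options block above deserve a second look from a security standpoint: there is no allow-transfer statement, so on BIND 9.11 as shipped with Rocky 8 any host can pull the whole zone with AXFR, and recursion yes combined with allow-query { any; } and no allow-recursion makes the server an open resolver, exactly what the file's own comment warns about. The POSIX sh lint below is an added example, not anything from the post: it checks a named.conf for both patterns. The two sample files it writes are constructed; the hardened one limits transfers to the slave (192.168.247.230) and recursion to the two lab subnets, and the lint only scans the single file it is given (includes are not followed).

```shell
#!/bin/sh
# Added example (not from the original post): lint a named.conf for the two
# exposure patterns a reviewer would flag in the master config above:
#   1. no allow-transfer (BIND 9.11 on Rocky 8 then allows AXFR from any host)
#   2. recursion yes + allow-query { any; } without allow-recursion (open resolver)
# Scans only the file it is given; include statements are not followed.

# Drop // line comments so commented-out directives are ignored.
# Assumption: block comments in the file contain no directive keywords.
strip_comments() {
    sed 's|//.*$||' "$1"
}

# Print one FINDING line per problem; return the number of findings.
audit_named_conf() {
    conf="$1"
    body=$(strip_comments "$conf")
    findings=0

    if ! printf '%s\n' "$body" | grep -q 'allow-transfer'; then
        echo "FINDING: $conf: no allow-transfer statement; zone transfers (AXFR) are allowed from any host"
        findings=$((findings + 1))
    elif printf '%s\n' "$body" | grep -q 'allow-transfer[[:space:]]*{[[:space:]]*any'; then
        echo "FINDING: $conf: allow-transfer { any; } hands the whole zone to anyone who asks"
        findings=$((findings + 1))
    fi

    if printf '%s\n' "$body" | grep -q 'recursion[[:space:]]*yes' &&
       printf '%s\n' "$body" | grep -q 'allow-query[[:space:]]*{[[:space:]]*any' &&
       ! printf '%s\n' "$body" | grep -q 'allow-recursion'; then
        echo "FINDING: $conf: recursion yes with allow-query { any; } and no allow-recursion: open resolver"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed samples: the options as posted, and a hardened variant that only
# lets the slave transfer the zone and only the lab subnets recurse.
write_samples() {
    dir="$1"
    cat >"$dir/weak.conf" <<'EOF'
options {
//    listen-on port 53 { 127.0.0.1; };
    directory     "/var/named";
    allow-query     { any; };
    recursion yes;
};
EOF
    cat >"$dir/hardened.conf" <<'EOF'
options {
    directory     "/var/named";
    allow-query     { any; };
    allow-transfer  { 192.168.247.230; };
    allow-recursion { 10.10.10.0/24; 192.168.247.0/24; };
    recursion yes;
};
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        n=0
        audit_named_conf "$f" || n=$?
        echo "$(basename "$f"): $n finding(s)"
    done
    rm -rf "$d"
}
demo
```

Running it against the real file is `audit_named_conf /etc/named.conf`; the return code is the finding count, so it drops straight into a CI or configuration-management check.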
[root@lamp-dns-master ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add 
// disable-empty-zone "."; into options
// 

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};

[root@lamp-dns-master ~]# 
[root@lamp-dns-master named]# cat /var/named/magedu.org.zone
$TTL 1D
@    IN SOA master admin (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
          NS    master
master    A     192.168.247.240
wordpress A     192.168.247.250
shopxo    A     192.168.247.251
[root@lamp-dns-master named]# 

Start the DNS service

[root@lamp-dns-master named]# named-checkzone magedu.org.zone /var/named/magedu.org.zone
zone magedu.org.zone/IN: loaded serial 0
OK
[root@lamp-dns-master named]# 
[root@lamp-dns-master named]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-master named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-30 19:15:24 CST; 1min 10s ago
 Main PID: 14710 (named)
    Tasks: 5 (limit: 11188)
   Memory: 14.8M
   CGroup: /system.slice/named.service
           └─14710 /usr/sbin/named -u named -c /etc/named.conf

Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: resolver priming query complete
[root@lamp-dns-master named]# 

Slave node configuration

yum install bind bind-utils -y

[root@lamp-dns-slave ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//    listen-on port 53 { 127.0.0.1; };
//    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file    "/var/named/data/named.secroots";
    recursing-file    "/var/named/data/named.recursing";
//    allow-query     { localhost; };
      allow-transfer { none; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@lamp-dns-slave ~]# 
[root@lamp-dns-slave ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add 
// disable-empty-zone "."; into options
// 

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "magedu.org" IN {
    type slave;
    masters { 192.168.247.240; };
    file "slaves/magedu.org.slave";
};
[root@lamp-dns-slave ~]# 

Start the DNS service

[root@lamp-dns-slave ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-30 19:27:05 CST; 4s ago
  Process: 14287 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 14282 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (>
 Main PID: 14288 (named)
    Tasks: 5 (limit: 11188)
   Memory: 14.9M
   CGroup: /system.slice/named.service
           └─14288 /usr/sbin/named -u named -c /etc/named.conf

Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org systemd[1]: Started Berkeley Internet Name Domain (DNS).
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: zone magedu.com/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.247.240#53 (source 0.0.0.0#0)
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:27:07 lamp-dns-slave.chen.org named[14288]: resolver priming query complete
[root@lamp-dns-slave ~]# 

Test master/slave synchronization

The zone declared on the slave must use the same name as the zone the master serves, magedu.org. Declared as magedu.com, a zone the master does not serve, the refresh fails with the SERVFAIL visible in the status output above; once the name matches and named is reloaded, the transferred copy appears under /var/named/slaves/:
[root@lamp-dns-slave ~]# rndc reload
server reload successful
[root@lamp-dns-slave ~]#
[root@lamp-dns-slave named]# ls slaves/
magedu.org.slave
[root@lamp-dns-slave named]#
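The zone file above is published with serial 0, and a slave only pulls a fresh copy when the master's SOA serial is higher than the one it already holds, so every edit on the master has to bump the serial before the reload, and the quickest way to confirm the slave has caught up is to compare the serial both servers answer with. The script below is an added example, not the post's own code, covering both the zone-file edit and this synchronization check. It assumes the zone file keeps the "<serial>   ; serial" layout shown above and that dig from bind-utils is available for the live check; zone name, server addresses and paths are the post's own. It also shows the named-checkzone call with the zone origin (magedu.org) as its first argument, which is what the command expects.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps the SOA serial moving on the
# master and checks whether the slave serves the same serial. Assumptions: the
# zone file marks the serial with a "; serial" comment as in the post, and dig
# (bind-utils) is installed for the live check.

# Next serial in YYYYMMDDnn form; $2 (today as YYYYMMDD) is overridable for tests.
next_serial() {
    cur=${1:-0}
    today=${2:-$(date -u +%Y%m%d)}
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then
        echo "$base"            # first edit today -> YYYYMMDD00
    else
        echo $((cur + 1))       # already dated today -> just increment
    fi
}

# Read the serial from a zone file that marks the field with a "; serial" comment.
zone_serial() {
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# Replace the serial (through a temp file, so it works with any sed) and print it.
bump_serial() {
    zone=$1
    old=$(zone_serial "$zone")
    new=$(next_serial "$old" "$2")
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zone" >"$zone.tmp" &&
        mv "$zone.tmp" "$zone"
    echo "$new"
}

# Serial field of a "dig +short SOA" answer, e.g.
# "master.magedu.org. admin.magedu.org. 2022083001 86400 3600 604800 10800"
soa_serial_of() {
    echo "$1" | awk '{ print $3 }'
}

# Live check: do master and slave serve the same serial?
# Usage: check_sync magedu.org 192.168.247.240 192.168.247.230
check_sync() {
    zone=$1 master=$2 slave=$3
    m=$(soa_serial_of "$(dig +short @"$master" "$zone" SOA)")
    s=$(soa_serial_of "$(dig +short @"$slave" "$zone" SOA)")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "in sync: serial $m"
    else
        echo "NOT in sync: master=$m slave=$s (check the zone name on the slave and allow-transfer on the master)"
        return 1
    fi
}

# Constructed copy of the zone file from the post, for the demo and tests.
write_sample_zone() {
    cat >"$1" <<'EOF'
$TTL 1D
@    IN SOA master admin (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
          NS    master
master    A     192.168.247.240
wordpress A     192.168.247.250
shopxo    A     192.168.247.251
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_zone "$d/magedu.org.zone"
    echo "serial before: $(zone_serial "$d/magedu.org.zone")"
    echo "serial after:  $(bump_serial "$d/magedu.org.zone")"
    # On the master, validate with the zone origin as the first argument, then reload:
    #   named-checkzone magedu.org /var/named/magedu.org.zone && rndc reload magedu.org
    rm -rf "$d"
}
demo
```

After `bump_serial /var/named/magedu.org.zone` and the reload on the master, `check_sync magedu.org 192.168.247.240 192.168.247.230` should report the new serial from both servers; a mismatch is the same symptom the SERVFAIL above produced.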

Test DNS resolution on the master and slave nodes

Pinging the domain names also resolves them to the corresponding IPs

4. Configure DNAT forwarding

Enable IP forwarding

[root@lamp-nat ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@lamp-nat ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lamp-nat ~]#

VM settings

Configure the corresponding IP addresses on eth0, eth1 and eth2

Flush the existing firewall rules, then add the DNAT rules

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -A PREROUTING -d 192.168.247.250 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.100
iptables -t nat -A PREROUTING -d 192.168.247.251 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110
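The two DNAT rules above translate anything addressed to a VIP on port 80, whichever interface it arrives on, and once there are more than a couple of them the only record of what the NAT box does is the rule list itself. The script below is an added example, not the post's own code: it generates the rules from one mapping table, pinned to the external interface, and reads the effective mappings back out of an iptables-save dump. It assumes the 192.168.247.0/24 network is reached through eth1 (the post does not say which of eth0/eth1/eth2 faces it; override EXT_IF if it differs) and that only TCP/80 is published; the sample iptables-save output is constructed from the two rules above.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the DNAT rules from a
# single mapping table and reads the effective mappings back out of an
# iptables-save dump, so the NAT box can be audited at a glance. Assumptions:
# the 192.168.247.0/24 network is reached through eth1 (EXT_IF; the post does
# not say which interface faces it) and only TCP/80 is published.

EXT_IF=${EXT_IF:-eth1}   # assumption: external-facing interface of lamp-nat

# Mapping table, one "<VIP> <port> <backend>" per line (values from the post).
DNAT_MAP='
192.168.247.250 80 10.10.10.100
192.168.247.251 80 10.10.10.110
'

# Emit one PREROUTING rule per mapping. Pinning the rule to the external
# interface means a packet arriving on the 10.10.10.0/24 side addressed to a
# VIP is not translated, and the explicit :port keeps the rule unambiguous.
gen_dnat_rules() {
    echo "$1" | awk 'NF == 3 {
        printf "iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n",
               IF, $1, $2, $3, $2
    }' IF="$EXT_IF"
}

# Read iptables-save output on stdin and print "vip:port -> backend" per DNAT rule.
# On the NAT box itself:  iptables-save -t nat | dnat_map_from_save
dnat_map_from_save() {
    awk '
    /^-A PREROUTING/ && /-j DNAT/ {
        vip = ""; port = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d")               vip  = $(i + 1)
            if ($i == "--dport")          port = $(i + 1)
            if ($i == "--to-destination") dst  = $(i + 1)
        }
        sub(/\/32$/, "", vip)       # iptables-save renders single hosts as /32
        print vip ":" port " -> " dst
    }'
}

# Constructed "iptables-save -t nat" output, as the two rules from the post would appear.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.247.250/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.100
-A PREROUTING -d 192.168.247.251/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.110
COMMIT'

echo "# rules to apply:"
gen_dnat_rules "$DNAT_MAP"
echo "# mappings found in the sample dump:"
echo "$SAMPLE_SAVE" | dnat_map_from_save
```

The generated rules rely, as the post's do, on the FORWARD chain accepting the translated traffic (its policy is ACCEPT after the `iptables -F` above) and on the backends routing their replies back through 10.10.10.250; if you later set the FORWARD policy to DROP, add explicit accepts for these flows and for established connections.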

5. Install MySQL

MySQL version 8.0.26
yum install -y mysql-server 
systemctl enable --now mysqld

Create the wordpress database and its account
create database wordpress;
create user wordpress@'10.10.10.%' identified by 'wordpress';
grant all on wordpress.* to wordpress@'10.10.10.%' ;

Create the shopxo database and grant its account
create database shopxo;
create user shopxo@'10.10.10.%' identified by 'shopxo';
grant all on shopxo.* to shopxo@'10.10.10.%' ;
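The statements above do the right thing in scoping each grant to one schema and to the 10.10.10.% subnet, but both accounts end up with a password equal to their user name. The script below is an added example, not the post's own code: it creates the same two accounts with a generated 24-character password and the same scoped grant. It assumes the mysql client is invoked as an account allowed to CREATE USER and GRANT (root over the local socket, as right after the yum install), and falls back to printing the statements when no client is present, so it doubles as a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Provisions one schema plus one
# application account per app, with a random password instead of one equal to
# the user name. Assumption: "mysql" connects as a user that may CREATE USER
# and GRANT; without the client the statements are only printed.

APP_NET='10.10.10.%'   # the subnet the web nodes connect from, as in the post

# 24 characters (or $1) from [A-Za-z0-9]: no quotes or shell metacharacters,
# so the value is safe to interpolate into the SQL literal below.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Render the statements for one application: $1 = schema, $2 = user, $3 = password.
# The password alphabet above guarantees no single quote can break the literal.
app_user_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'$APP_NET' IDENTIFIED BY '$pass';
GRANT ALL ON \`$db\`.* TO '$user'@'$APP_NET';
EOF
}

# Execute through the mysql client when present, otherwise show what would run.
run_sql() {
    if command -v mysql >/dev/null 2>&1; then
        mysql -e "$1"
    else
        echo "mysql client not found; statements were:" >&2
        echo "$1" >&2
    fi
}

# Create schema and account named $1 and print the password once, for
# wp-config.php or the ShopXO installer.
provision_app() {
    pw=$(gen_password)
    run_sql "$(app_user_sql "$1" "$1" "$pw")"
    echo "$1 password: $pw"
}

# provision_app wordpress
# provision_app shopxo
```

Uncomment the two provision_app calls on the MySQL node; the printed password is the only copy, so record it in the application's configuration immediately.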

6. Install WordPress + PHP

WordPress version: wordpress-6.0.1-zh_CN.tar.gz
PHP version: 7.4
MySQL: 8.0.26
Install PHP 7.4 on Rocky 8 (from the Remi repository):
yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum install -y httpd php74-php.x86_64 php74-php-mysqlnd.x86_64 php74-php-json.x86_64

Start httpd and deploy WordPress
systemctl enable --now httpd
tar -xf wordpress-6.0.1-zh_CN.tar.gz
mv wordpress/* /var/www/html/
chown -R apache:apache /var/www/html/

WordPress admin account: admin / CP4H*4ej(%ccrGLgPF

7. Install ShopXO + PHP

ShopXO version 2.2.3
PHP version: 7.4
Download the package: wget -O shopxo-v2.2.3.zip https://codeload.github.com/gongfuxiang/shopxo/zip/refs/heads/v2.2.3
Install PHP 7.4 on Rocky 8 (from the Remi repository):

yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum -y install httpd unzip php74-php.x86_64 php74-php-mysqlnd.x86_64 php74-php-json.x86_64 php74-php-gd.x86_64 php74-php-xml.x86_64 php74-php-pecl-zip.x86_64
systemctl enable --now httpd
unzip shopxo-v2.2.3.zip
mv shopxo-*/* /var/www/html/
chown -R apache:apache /var/www/html/

8. Test website resolution on the DNS master and slave

Note: the default gateway of the wordpress and shopxo nodes must point to the NAT node, 10.10.10.250

Resolution test for wordpress.magedu.org

Resolution test for shopxo.magedu.org

9. Start a Windows VM and test


From: https://www.cnblogs.com/cyh00001/p/16631225.html
