DNS (master/slave) + DNAT + LAMP architecture deployment
Network architecture diagram
1. Machine preparation
Machine size: 2 vCPU, 2 GB RAM, 100 GB disk
10.10.10.100     lamp-wordpress.chen.org
10.10.10.110     lamp-shopxo.chen.org
10.10.10.120     lamp-mysql.chen.org
10.10.10.250     lamp-nat.chen.org
192.168.247.250  lamp-nat.chen.org
192.168.247.240  lamp-dns-master.chen.org
192.168.247.230  lamp-dns-slave.chen.org
2. Basic environment configuration
Configure the IP address
cat network-script.sh
#!/bin/bash
# usage: bash network-script.sh <last octet>, e.g. 100 for lamp-wordpress
#read -p "Please enter your IP address: " ip
cat >/etc/sysconfig/network-scripts/ifcfg-eth0<<EOF
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.10.$1
PREFIX=24
GATEWAY=10.10.10.250
DNS1=10.10.10.250
EOF
nmcli c reload
nmcli c down eth0
nmcli c up eth0
Set the hostname (run the matching command on each host)
hostnamectl set-hostname lamp-wordpress.chen.org
hostnamectl set-hostname lamp-shopxo.chen.org
hostnamectl set-hostname lamp-mysql.chen.org
hostnamectl set-hostname lamp-nat.chen.org
hostnamectl set-hostname lamp-dns-master.chen.org
hostnamectl set-hostname lamp-dns-slave.chen.org
Disable SELinux and the firewall
systemctl stop firewalld && systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
3. DNS master/slave deployment and configuration
Master node configuration
yum install bind bind-utils
[root@lamp-dns-master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lamp-dns-master ~]#
[root@lamp-dns-master ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};
[root@lamp-dns-master ~]#
[root@lamp-dns-master named]# cat /var/named/magedu.org.zone
$TTL 1D
@       IN SOA  master admin (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      master
master  A       192.168.247.240
wordpress A     192.168.247.250
shopxo  A       192.168.247.251
[root@lamp-dns-master named]#
Start the DNS service
[root@lamp-dns-master named]# named-checkzone magedu.org.zone /var/named/magedu.org.zone
zone magedu.org.zone/IN: loaded serial 0
OK
[root@lamp-dns-master named]#
[root@lamp-dns-master named]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-master named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-30 19:15:24 CST; 1min 10s ago
 Main PID: 14710 (named)
    Tasks: 5 (limit: 11188)
   Memory: 14.8M
   CGroup: /system.slice/named.service
           └─14710 /usr/sbin/named -u named -c /etc/named.conf

Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: resolver priming query complete
[root@lamp-dns-master named]#
Slave node configuration
yum install bind bind-utils -y
[root@lamp-dns-slave ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };
        allow-transfer  { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lamp-dns-slave ~]#
[root@lamp-dns-slave ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

// The zone name must match the master's "magedu.org" zone exactly; with a
// different name (e.g. "magedu.com") the refresh from the master fails with
// SERVFAIL, as the service log below shows, and no slaves/ file is created.
zone "magedu.org" IN {
        type slave;
        masters { 192.168.247.240; };
        file "slaves/magedu.org.slave";
};
[root@lamp-dns-slave ~]#
Start the DNS service
[root@lamp-dns-slave ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-30 19:27:05 CST; 4s ago
  Process: 14287 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 14282 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (>
 Main PID: 14288 (named)
    Tasks: 5 (limit: 11188)
   Memory: 14.9M
   CGroup: /system.slice/named.service
           └─14288 /usr/sbin/named -u named -c /etc/named.conf

Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org systemd[1]: Started Berkeley Internet Name Domain (DNS).
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: zone magedu.com/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.247.240#53 (source 0.0.0.0#0)
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:27:07 lamp-dns-slave.chen.org named[14288]: resolver priming query complete
[root@lamp-dns-slave ~]#
Test whether master/slave synchronization works
[root@lamp-dns-slave ~]# rndc reload
server reload successful
[root@lamp-dns-slave ~]#
[root@lamp-dns-slave named]# ls slaves/
magedu.org.slave
[root@lamp-dns-slave named]#
Test DNS resolution on the master and slave nodes
Pinging the domain name also resolves it to the corresponding IP
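The sync test above only checks that a file appeared under slaves/. What actually decides whether the slave is current is the SOA serial, and the zone file above still carries serial 0: a slave only transfers a new copy when the master's serial grows. The POSIX shell helpers below are an added example (not from the original post): one reads the serial from a master zone file laid out like magedu.org.zone above, one bumps it in place before an `rndc reload`, and one compares the serials two servers return to `dig +short SOA`. The dig commands in the trailing comment are assumptions (they need bind-utils on the host), and 192.168.247.230 is the slave address from the machine list. One more caveat worth checking while you are here: the master's named.conf above sets no allow-transfer, and on the BIND 9.11 shipped with Rocky 8 that default lets any host pull the whole zone; `allow-transfer { 192.168.247.230; };` in the master's options or zone block limits it to the slave.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes the zone file keeps the serial on a line of its own that ends in
# "; serial", as in the page's magedu.org.zone, and that dig (bind-utils) is
# installed for the live check at the bottom.

# Print the SOA serial of a BIND text zone file.
zone_file_serial() {
    awk '/;[[:space:]]*serial/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+$/) { print $i; exit }
         }' "$1"
}

# Increment the serial in place, keeping the file's spacing. Run this before
# "rndc reload"; otherwise the slave sees no change and keeps its old copy.
bump_zone_serial() {
    tmp=$(mktemp) || return 1
    awk '!done && /;[[:space:]]*serial/ {
             match($0, /[0-9]+/)
             n = substr($0, RSTART, RLENGTH) + 1
             $0 = substr($0, 1, RSTART - 1) n substr($0, RSTART + RLENGTH)
             done = 1
         }
         { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The serial is the third field of a "dig +short SOA" answer
# (mname rname serial refresh retry expire minimum).
soa_answer_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# True only when both serials are present and identical.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check against the page's hosts (assumed commands, requires dig):
#   m=$(soa_answer_serial "$(dig +short SOA magedu.org @192.168.247.240)")
#   s=$(soa_answer_serial "$(dig +short SOA magedu.org @192.168.247.230)")
#   serials_match "$m" "$s" && echo "slave in sync" || echo "slave lagging"
```

Edit the zone, call `bump_zone_serial /var/named/magedu.org.zone`, then `rndc reload` on the master; the slave's serial should match within its refresh interval (1D in the zone above), or immediately after `rndc refresh magedu.org` on the slave.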
4. Configure DNAT forwarding
Enable IP forwarding
[root@lamp-nat ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@lamp-nat ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lamp-nat ~]#
VM settings
Configure the corresponding IP on eth0, eth1 and eth2
Flush the firewall rules and add the DNAT rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -A PREROUTING -d 192.168.247.250 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.100
iptables -t nat -A PREROUTING -d 192.168.247.251 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110
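The rules above wipe both tables and then add the two DNAT entries by hand, which leaves the filter table's FORWARD chain at its ACCEPT policy for everything that crosses the NAT node. As an added example (not part of the original post), the POSIX shell script below derives the same PREROUTING rules from a small mapping table, rejects malformed addresses before anything touches the kernel, and emits matching FORWARD rules so that the FORWARD policy can later be set to DROP with only the published ports still reachable from outside. The mapping values are the page's own addresses; the conntrack matches and the DRY_RUN switch are my additions.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the page's DNAT
# rules from a table and validates it first. DRY_RUN=1 (default) only prints
# the commands; DRY_RUN=0 executes them (as root, on the NAT node).

# Mapping table (constructed from the page's addresses):
# public_ip public_port internal_ip internal_port
MAPPINGS='192.168.247.250 80 10.10.10.100 80
192.168.247.251 80 10.10.10.110 80'

# Accept only dotted-quad IPv4 addresses whose octets are 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# One PREROUTING DNAT rule: public_ip public_port internal_ip internal_port
dnat_rule() {
    valid_ipv4 "$1" && valid_ipv4 "$3" || return 1
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$4"
}

# FORWARD rule admitting only new connections to the published internal port.
# Replies are covered by the ESTABLISHED,RELATED rule emitted once below.
forward_rule() {
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$3" "$4"
}

# Emit the full rule set for a mapping table; fails on the first bad entry.
build_rules() {
    printf '%s\n' 'iptables -t nat -F PREROUTING' 'iptables -F FORWARD' \
        'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$1" | while read -r pub pport int iport; do
        [ -n "$pub" ] || continue
        dnat_rule "$pub" "$pport" "$int" "$iport" \
            || { echo "invalid mapping: $pub:$pport -> $int:$iport" >&2; exit 1; }
        forward_rule "$pub" "$pport" "$int" "$iport"
    done || return 1
}

# Validate the whole table first, then print (DRY_RUN=1) or run (DRY_RUN=0)
# every generated command, so a bad entry never leaves a half-applied set.
apply_rules() {
    rules=$(build_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$cmd"; else sh -c "$cmd" || exit 1; fi
    done
}

apply_rules "$MAPPINGS"
```

Once the generated set is in place, `iptables -P FORWARD DROP` turns the NAT node into a gate for the two published ports only; if the internal hosts also need to reach out through the NAT node (package installs, for instance), add an outbound FORWARD accept and a POSTROUTING MASQUERADE rule for 10.10.10.0/24 before switching the policy, which the page's setup does not show.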
5. Install MySQL
MySQL version: 8.0.26
yum install -y mysql-server
systemctl enable --now mysqld
Create the wordpress database and its account:
create database wordpress;
create user wordpress@'10.10.10.%' identified by 'wordpress';
grant all on wordpress.* to wordpress@'10.10.10.%';
Create the shopxo database and grant its account:
create database shopxo;
create user shopxo@'10.10.10.%' identified by 'shopxo';
grant all on shopxo.* to shopxo@'10.10.10.%';
6. WordPress + PHP installation
WordPress version: wordpress-6.0.1-zh_CN.tar.gz
PHP version: 7.4
MySQL: 8.0.26
Install PHP 7.4 on Rocky 8 (from the Remi repository):
yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum install httpd php74-php.x86_64 php74-php-mysqlnd.x86_64 php74-php-json.x86_64
Start the httpd service:
systemctl enable --now httpd
Unpack WordPress into the web root:
tar -xf wordpress-6.0.1-zh_CN.tar.gz
mv wordpress/* /var/www/html/
chown -R apache.apache /var/www/html/
admin CP4H*4ej(%ccrGLgPF
7. ShopXO + PHP installation
ShopXO version: 2.2.3
PHP version: 7.4
Download the package (the codeload URL returns a zip of the v2.2.3 branch):
wget -O shopxo-v2.2.3.zip https://codeload.github.com/gongfuxiang/shopxo/zip/refs/heads/v2.2.3
Install PHP 7.4 on Rocky 8 (from the Remi repository):
yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum -y install httpd unzip php74-php.x86_64 php74-php-mysqlnd.x86_64 php74-php-json.x86_64 php74-php-gd.x86_64 php74-php-xml.x86_64 php74-php-pecl-zip.x86_64
systemctl enable --now httpd
Unpack into the web root (the branch archive extracts to shopxo-v2.2.3/):
unzip shopxo-v2.2.3.zip
mv shopxo-v2.2.3/* /var/www/html/
chown -R apache.apache /var/www/html/
9. Test on the DNS master and slave whether the sites resolve
Note: the default gateway of the wordpress and shopxo nodes must point to the NAT node, 10.10.10.250, or the replies to DNAT'ed connections never come back through the NAT node
Test resolution of the wordpress.magedu.org site
Resolution of the shopxo.magedu.org site
10. Start a Windows VM and test