DNS(主从)+DNAT+LAMP架构部署shopxo

1、机器准备
机器大小规格2vcpu 2G 100G

10.10.10.100lamp-wordpress.chen.org
10.10.10.110lamp-shopxo.chen.org
10.10.10.120lamp-mysql.chen.org
10.10.10.250lamp-nat.chen.org
192.168.247.250 lamp-nat.chen.org
192.168.247.240 lamp-dns-master.chen.org
192.168.247.230 lamp-dns-slave.chen.org

2、基础环境配置
配置IP地址

cat network-script.sh
#!/bin/bash
#read -p "Please enter your IP address: " ip
cat >/etc/sysconfig/network-scripts/ifcfg-eth0<<EOF
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.10.$1
PREFIX=24
GATEWAY=10.10.10.250
DNS1=10.10.10.250
EOF
nmcli c reload
nmcli c down eth0
nmcli c up eth0

修改主机名

hostnamectl set-hostname lamp-wordpress.chen.org
hostnamectl set-hostname lamp-shopxo.chen.org
hostnamectl set-hostname lamp-mysql.chen.org
hostnamectl set-hostname lamp-nat.chen.org
hostnamectl set-hostname lamp-nat.chen.org
hostnamectl set-hostname lamp-dns-master.chen.org
hostnamectl set-hostname lamp-dns-slave.chen.org

关闭selinux、防火墙

systemctl stop firewalld && systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0

3、dns主从部署配置
master节点配置

yum install bind bind-utils
[root@lamp-dns-master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file"/var/named/data/named.secroots";
recursing-file"/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lamp-dns-master ~]#
[root@lamp-dns-master ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.org" IN {
type master;
file "magedu.org.zone";
};
[root@lamp-dns-master ~]#
[root@lamp-dns-master named]# cat /var/named/magedu.org.zone
$TTL 1D
@IN SOA master admin (
0; serial
1D; refresh
1H; retry
1W; expire
3H ); minimum
NSmaster
masterA 192.168.247.240
wordpress A 192.168.247.250
shopxoA 192.168.247.251
[root@lamp-dns-master named]#

启动dns服务

[root@lamp-dns-master named]# named-checkzone magedu.org.zone /var/named/magedu.org.zone
zone magedu.org.zone/IN: loaded serial 0
OK
[root@lamp-dns-master named]#
[root@lamp-dns-master named]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-master named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-08-30 19:15:24 CST; 1min 10s ago
Main PID: 14710 (named)
Tasks: 5 (limit: 11188)
Memory: 14.8M
CGroup: /system.slice/named.service
└─14710 /usr/sbin/named -u named -c /etc/named.conf
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:15:24 lamp-dns-master.chen.org named[14710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:15:25 lamp-dns-master.chen.org named[14710]: resolver priming query complete
[root@lamp-dns-master named]#

slave节点配置

yum install bind bind-utils -y
[root@lamp-dns-slave ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file"/var/named/data/named.secroots";
recursing-file"/var/named/data/named.recursing";
//allow-query { localhost; };
allow-transfer { none; }；
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lamp-dns-slave ~]#
[root@lamp-dns-slave ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" {
type slave;
masters { 192.168.247.240;};
file "slaves/magedu.com.slave";
};
[root@lamp-dns-slave ~]#

启动dns服务

[root@lamp-dns-slave ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@lamp-dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-08-30 19:27:05 CST; 4s ago
Process: 14287 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 14282 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (>
Main PID: 14288 (named)
Tasks: 5 (limit: 11188)
Memory: 14.9M
CGroup: /system.slice/named.service
└─14288 /usr/sbin/named -u named -c /etc/named.conf
Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 30 19:27:05 lamp-dns-slave.chen.org systemd[1]: Started Berkeley Internet Name Domain (DNS).
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: zone magedu.com/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.247.240#53 (source 0.0.0.0#0)
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 30 19:27:06 lamp-dns-slave.chen.org named[14288]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 30 19:27:07 lamp-dns-slave.chen.org named[14288]: resolver priming query complete
[root@lamp-dns-slave ~]#

测试能否主从同步

[root@lamp-dns-slave ~]# rndc reload
server reload successful
[root@lamp-dns-slave ~]#
[root@lamp-dns-slave named]# ls slaves/
magedu.org.slave
[root@lamp-dns-slave named]#

在master、salve节点测试能否解析dns
通过ping域名也可以解析对应的ip
4、配置DNAT转发
开启ip转发功能

[root@lamp-nat ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@lamp-nat ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lamp-nat ~]#

虚机设置
在eth0、eth1、eth2配置好相应ip
清空防火墙规则

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -A PREROUTING -d 192.168.247.250 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.100
iptables -t nat -A PREROUTING -d 192.168.247.251 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110

5、安装mysql
mysql版本8.0.26

yum install -y mysql-server
systemctl enable --now mysqld

创建wordpress库以及账号密码

create database wordpress;
create user wordpress@'10.10.10.%' identified by 'wordpress';
grant all on wordpress.* to wordpress@'10.10.10.%' ;

创建shopxo库以及账号授权

create database shopxo;
create user shopxo@'10.10.10.%' identified by 'shopxo';
grant all on shopxo.* to shopxo@'10.10.10.%' ;

6、wordpress+php安装

wordpress版本：wordpress-6.0.1-zh_CN.tar.gz
php版本：7.4
mysql:8.0.26
rocky8版本安装php7.4
yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum install httpd php74-php.x86_64 php74-php-mysqlnd.x86_64php74-php-json.x86_64

启动httpd服务

systemctl enable --now httpd
tar -xf wordpress-6.0.1-zh_CN.tar.gz
mv wordpress/* /var/www/html/
chown -R apache.apache /var/www/html/
adminCP4H*4ej(%ccrGLgPF

7、shopxo+php安装
shopxo版本2.2.3
php版本：7.4
下载安装包
rocky8版本安装php7.4

yum install -y https://mirrors.tuna.tsinghua.edu.cn/remi/enterprise/remi-release-8.rpm
yum -y install httpd unzip php74-php.x86_64 php74-php-mysqlnd.x86_64 php74-php-json.x86_64 php74-php-gd.x86_64 php74-php-xml.x86_64 php74-php-pecl-zip.x86_64
systemctl enable --now httpd
unzip v2.3.0.zip
mv shopxo-v2.3.0/* /var/www/html/
chown -R apache.apache /var/www/html/

9、在dns主备上测试能否解析网站
注意wordpress、shopxo节点 需要指向nat节点10.10.10.250
测试wordpress.ebingou.cn网站解析
shopox.ebingou.cn网站解析
10、 启动windows虚机测试

疯狂暗示打赏按钮

本文标签：

声明：本文由代码号注册/游客用户【千兰】供稿发布，本站不对用户发布的DNS(主从)+DNAT+LAMP架构部署shopxo信息内容原创度和真实性等负责。如内容侵犯您的版权或其他权益，请留言并加以说明。站长审查之后若情况属实会及时为您删除。同时遵循 CC 4.0 BY-SA 版权协议，尊重和保护作者的劳动成果，转载请标明出处链接和本声明内容。本文作者：千兰» https://www.ebingou.cn/dmh/16503.html

很赞哦！ ()