1. Project overview
I recently had to build an internal test web server environment that is reachable by domain name, with DNS resolution and firewall configuration done properly rather than by hand-edited hosts files. The design uses Nginx as the web server and Bind in a master/slave DNS arrangement, so that www.example.com is served reliably on port 9093. The steps below record the whole configuration, including the details that are easy to get wrong.
2. Environment preparation
2.1 System requirements
Two virtual machines running CentOS 8/9 or RHEL 8/9:
- Server A: 192.168.70.128 (web server and master DNS)
- Server B: 192.168.70.129 (slave DNS)
Note: make sure the two servers can reach each other, and that both can reach the internet to download packages.
2.2 Package installation
2.2.1 Installing Nginx
First configure the nginx.org yum repository on server A (gpgcheck=1 is what actually authenticates the packages; the backslashes stop the shell from expanding the repo variables inside the heredoc):
# Create the official Nginx repository definition
cat > /etc/yum.repos.d/nginx.repo <<EOF
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/\$releasever/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
Then install Nginx (yum-utils is optional, dnf manages the repository on its own):
dnf install -y yum-utils
dnf install -y nginx
Verify the installation:
rpm -qa | grep nginx
nginx -v
2.2.2 Installing Bind
Install Bind on both servers:
dnf install -y bind bind-utils
3. Nginx server configuration
3.1 Preparing the site directory
mkdir -p /u01/www
echo "hello www.example.com" > /u01/www/index.html
# The worker processes (user nginx) only need read access. Keeping the content
# owned by root means a compromised worker cannot rewrite the site.
chown -R root:root /u01/www
chmod -R u=rwX,go=rX /u01/www
3.2 Nginx configuration file
Create a dedicated configuration file (the backslashes keep the shell from expanding \$uri inside the heredoc):
cat > /etc/nginx/conf.d/www.example.conf <<EOF
server {
    listen 9093;
    server_name www.example.com;
    root /u01/www;
    index index.html;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
nginx -t
3.3 SELinux configuration
The semanage tool comes from policycoreutils-python-utils, which is not installed by default on RHEL 8/9:
dnf install -y policycoreutils-python-utils
# Label the content directory so the nginx worker may read it
semanage fcontext -a -t httpd_sys_content_t "/u01/www(/.*)?"
restorecon -Rv /u01/www
# Allow Nginx to bind port 9093. If the port is already assigned to another
# type, "-a" fails because the port is already defined; use "semanage port -m" instead.
semanage port -a -t http_port_t -p tcp 9093
semanage port -l | grep -w 9093
3.4 Firewall configuration
firewall-cmd --add-port=9093/tcp --permanent
firewall-cmd --reload
3.5 Starting the service and enabling it at boot
systemctl enable --now nginx
4. DNS server configuration
4.1 Master DNS configuration (server A)
4.1.1 Main configuration file
cat > /etc/named.conf <<EOF
options {
    listen-on port 53 { 192.168.70.128; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; };
    // Authoritative-only: never recurse for clients, so the server cannot be
    // abused as an open resolver or a reflector.
    recursion no;
    // Deny zone transfers by default; each zone below opens them for the slave only.
    allow-transfer { none; };
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.com" IN {
    type master;
    file "named.example.com";
    allow-transfer { 192.168.70.129; };
    // The slave is not listed in the zone's NS records, so NOTIFY would not
    // reach it on its own and it would only learn of changes at refresh time.
    also-notify { 192.168.70.129; };
};
zone "70.168.192.in-addr.arpa" IN {
    type master;
    file "named.192.168.70";
    allow-transfer { 192.168.70.129; };
    also-notify { 192.168.70.129; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
EOF
named-checkconf
4.1.2 Forward zone file
The SOA timers are in seconds unless a unit suffix is given, and the slave drives its whole refresh/retry/expire schedule from them. Single-digit values would make the slave re-query every few seconds and discard the zone moments after the master goes down, which defeats the purpose of having a slave. Use conventional values and a date-based serial that you increase on every edit: a slave only transfers a new copy when the master's serial is higher than its own. Only the master appears as an NS record here; if clients are to discover the slave through delegation rather than via resolv.conf, add it as a second NS (and A) record as well.
cat > /var/named/named.example.com <<EOF
\$TTL 1D
@ IN SOA www.example.com. admin.example.com. (
    2024060101  ; serial: YYYYMMDDnn (example date), increase on every change
    6H          ; refresh: how often the slave checks the serial
    1H          ; retry: interval after a failed refresh
    2W          ; expire: slave stops answering if it cannot reach the master for this long
    3H          ; minimum: negative-caching TTL
)
@ IN NS www.example.com.
www IN A 192.168.70.128
EOF
4.1.3 Reverse zone file
cat > /var/named/named.192.168.70 <<EOF
\$TTL 1D
@ IN SOA www.example.com. admin.example.com. (
    2024060101  ; serial
    6H          ; refresh
    1H          ; retry
    2W          ; expire
    3H          ; minimum
)
@ IN NS www.example.com.
128 IN PTR www.example.com.
EOF
4.1.4 Permissions
Zone files on the master are read-only for named (owner root, group named, mode 640), and both should pass named-checkzone before the service is started:
chown root:named /var/named/named.example.com /var/named/named.192.168.70
chmod 640 /var/named/named.example.com /var/named/named.192.168.70
named-checkzone example.com /var/named/named.example.com
named-checkzone 70.168.192.in-addr.arpa /var/named/named.192.168.70
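Before starting named it is worth checking the SOA values mechanically rather than by eye, because named-checkzone accepts syntactically valid timers of any size. The checker below is an added example and not part of the original write-up: it parses the SOA record of a BIND zone file (parenthesised form, ";" comments and the S/M/H/D/W time suffixes) and reports timers that would make a slave misbehave. The two embedded zone texts are constructed for the self-test, one with single-digit timers and a zero serial, one with conventional values; the script name in the usage comment is mine.

```python
"""Sanity-check the SOA serial and timers of a BIND zone file.

Added example for this article (not code from the original page).
Usage: python3 soa_check.py /var/named/named.example.com [more files]
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Advisory ranges in seconds: refresh and expire from RFC 1912 section 2.2,
# minimum (negative-caching TTL, RFC 2308) kept to 1-3 hours.
GUIDANCE = {
    "refresh": (1200, 43200),
    "expire": (1209600, 2419200),
    "minimum": (3600, 10800),
}

# Constructed zone texts used by the self-test (not captured from a server).
ZONE_WITH_TINY_TIMERS = (
    "$TTL 1D\n"
    "@ IN SOA www.example.com. admin.example.com. (\n0\n5\n3\n10\n15\n)\n"
    "@ IN NS www.example.com.\nwww IN A 192.168.70.128\n"
)
ZONE_WITH_SANE_TIMERS = (
    "$TTL 1D\n"
    "@ IN SOA www.example.com. admin.example.com. (\n"
    "    2024060101 ; serial\n    6H ; refresh\n    1H ; retry\n"
    "    2W ; expire\n    3H ; minimum\n)\n"
    "@ IN NS www.example.com.\nwww IN A 192.168.70.128\n"
)


def parse_ttl(token):
    """'3600' -> 3600, '1D' -> 86400, '1W2D' -> 777600 (BIND time syntax)."""
    if token.isdigit():
        return int(token)
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdwSMHDW])", token):
        total += int(num) * UNITS[unit.lower()]
    if total == 0:
        raise ValueError(f"bad time value: {token!r}")
    return total


def parse_soa(zone_text):
    """Return the SOA fields as a dict; tolerates the multi-line form and comments."""
    text = re.sub(r";[^\n]*", "", zone_text)  # drop ';' comments first
    # flatten "( ... )" so the seven SOA fields sit on one logical line
    text = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", text)
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", text)
    if not m:
        raise ValueError("no SOA record found")
    mname, rname, serial, refresh, retry, expire, minimum = m.groups()
    return {
        "mname": mname, "rname": rname, "serial": int(serial),
        "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
        "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
    }


def check_soa(soa):
    """Return a list of problems; an empty list means the SOA is sane."""
    problems = []
    if soa["serial"] == 0:
        problems.append("serial is 0: increase it on every edit or the slave never refreshes")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry must be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire is shorter than one refresh+retry cycle: the slave would "
                        "drop the zone almost as soon as the master is unreachable")
    for field, (lo, hi) in GUIDANCE.items():
        if not lo <= soa[field] <= hi:
            problems.append(f"{field}={soa[field]}s is outside the recommended {lo}-{hi}s")
    return problems


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as fh:
            problems = check_soa(parse_soa(fh.read()))
        print(path, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

The structural checks (retry shorter than refresh, expire longer than a refresh cycle, non-zero serial) are hard failures; the range checks are the RFC 1912 guidance and can be adjusted for a lab, but anything measured in single seconds should never reach a slave.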
4.1.5 Starting the service
systemctl enable --now named
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
4.2 Slave DNS configuration (server B)
4.2.1 Main configuration file
BIND 9.16 and later also accept "secondary" and "primaries" as synonyms for "slave" and "masters"; the older keywords still work on RHEL 8/9 and are used here.
cat > /etc/named.conf <<EOF
options {
    listen-on port 53 { 192.168.70.129; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; };
    recursion no;
    // The slave serves the zones but must not hand them out: BIND's traditional
    // default allows transfers to any host, so without this anyone could AXFR
    // the whole zone from server B even though the master restricts it.
    allow-transfer { none; };
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.com" IN {
    type slave;
    file "slaves/named.example.com";
    masters { 192.168.70.128; };
};
zone "70.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/named.192.168.70";
    masters { 192.168.70.128; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
EOF
named-checkconf
4.2.2 Starting the service
systemctl enable --now named
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
5. Client verification
5.1 Configuring DNS resolution
On the client machine point the resolver at both servers:
echo "nameserver 192.168.70.128" > /etc/resolv.conf
echo "nameserver 192.168.70.129" >> /etc/resolv.conf
On a host managed by NetworkManager this file is regenerated on the next reconnect; set ipv4.dns on the connection with nmcli (together with ipv4.ignore-auto-dns yes) to make the change stick.
5.2 Testing DNS resolution
nslookup www.example.com
dig www.example.com
dig -x 192.168.70.128
# Query each server directly so that a failure on one is not masked by the other.
# Both answers should show "flags: qr aa" and the same SOA serial.
dig @192.168.70.128 example.com soa
dig @192.168.70.129 example.com soa
5.3 Testing web access
curl -i http://www.example.com:9093
Or from a browser on a Windows client:
http://www.example.com:9093
6. Common problems and solutions
6.1 SELinux
Problem 1: Nginx cannot read the custom directory (403 in the browser, "Permission denied" in /var/log/nginx/error.log)
Solution:
semanage fcontext -a -t httpd_sys_content_t "/u01/www(/.*)?"
restorecon -Rv /u01/www
Problem 2: Nginx cannot listen on a non-standard port (the service fails to start with "bind() to 0.0.0.0:9093 failed (13: Permission denied)")
Solution:
semanage port -a -t http_port_t -p tcp 9093
In either case, confirm that SELinux is really the cause by looking at the denial itself:
ausearch -m AVC -ts recent
6.2 DNS
Problem 1: the slave does not pick up the zone
Check, in this order:
- the master's allow-transfer lists 192.168.70.129 (from server B, dig @192.168.70.128 example.com axfr must succeed)
- the SOA serial was increased after the last edit; a slave only transfers when the master's serial is higher than its own
- port 53 is open on the master for both TCP (transfers) and UDP (queries and NOTIFY); the firewalld dns service covers both
- the slave's log: journalctl -u named | grep "transfer of" shows whether a transfer was attempted and why it failed
- after fixing the cause, force a fresh copy on the slave: rndc retransfer example.com
Problem 2: names do not resolve
Check:
# service state
systemctl status named
# logs
journalctl -u named -f
# configuration and zone syntax
named-checkconf
named-checkzone example.com /var/named/named.example.com
6.3 Nginx
Problem 1: configuration syntax error
Check:
nginx -t
Problem 2: port conflict
Check which process holds the port:
ss -tulnp | grep 9093
7. Performance tuning suggestions
7.1 Nginx
# Add to the http block of /etc/nginx/nginx.conf:
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
keepalive_timeout 65;
client_max_body_size 20m;
Compression is safe for a static site like this one; do not enable it for TLS responses that mix secrets with attacker-controlled input (BREACH).
7.2 DNS
# These three are already in the named.conf from section 4. They are correctness
# and security settings for an authoritative-only server, not tuning knobs:
recursion no;            # never recurse for clients: not an open resolver, not a reflector
allow-query { any; };    # authoritative data is meant to be public
dnssec-validation yes;   # only relevant to recursive service; harmless here
# Options that do help an authoritative server under load or reflection abuse:
minimal-responses yes;   # omit authority/additional records the client did not ask for
rate-limit {             # response rate limiting, counted per client /24 by default
    responses-per-second 10;
    window 5;
};
7.3 System
# /etc/security/limits.conf only applies to PAM login sessions; nginx is started
# by systemd and never sees it. Raise the limit on the unit instead:
mkdir -p /etc/systemd/system/nginx.service.d
cat > /etc/systemd/system/nginx.service.d/limits.conf <<EOF
[Service]
LimitNOFILE=65535
EOF
systemctl daemon-reload
systemctl restart nginx
# and tell the workers they may use it (main context of /etc/nginx/nginx.conf):
worker_rlimit_nofile 65535;
8. Security hardening
8.1 Nginx
The nginx.conf shipped in the nginx.org packages has no commented-out server_tokens line, so a sed toggle finds nothing to change; set the directive explicitly. The method filter has to sit inside the server block: appended after the closing brace of the file it lands in the http context, where "if" is not allowed and nginx -t fails. Rewrite the site's configuration file as a whole:
cat > /etc/nginx/conf.d/www.example.conf <<EOF
server {
    listen 9093;
    server_name www.example.com;
    root /u01/www;
    index index.html;
    # Hide the version from the Server header and error pages
    server_tokens off;
    # Reject everything but GET, HEAD and POST (a static site does not even need POST)
    if (\$request_method !~ ^(GET|HEAD|POST)\$ ) {
        return 405;
    }
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
nginx -t && systemctl reload nginx
curl -i -X DELETE http://www.example.com:9093/   # expect HTTP/1.1 405
8.2 DNS
# The named.conf from section 4 already restricts transfers to the slave
# (allow-transfer { 192.168.70.129; }), so there is nothing left for sed to
# rewrite. Verify the restriction instead: from any host other than
# 192.168.70.129 both commands must end in "; Transfer failed." with status REFUSED.
dig @192.168.70.128 example.com axfr
dig @192.168.70.129 example.com axfr
# DNSSEC: NSEC3RSASHA1 is deprecated (RFC 8624), the bind.config include from
# RHEL 9's crypto policy disables SHA-1 DNSSEC algorithms in named, and a key on
# its own does not sign anything. With BIND 9.16+ (RHEL 9) let named generate
# the keys and keep the zone signed. The signed zone and its journal are written
# next to the zone file, and named cannot write to /var/named itself, so move
# the zone into the named-writable dynamic/ directory first:
mv /var/named/named.example.com /var/named/dynamic/
restorecon -v /var/named/dynamic/named.example.com
# then in /etc/named.conf:
zone "example.com" IN {
    type master;
    file "dynamic/named.example.com";
    dnssec-policy default;
    inline-signing yes;
    allow-transfer { 192.168.70.129; };
    // keep the zone's other existing statements as they were
};
# rndc reconfig, then "rndc dnssec -status example.com" shows the key states.
RHEL 8 ships BIND 9.11, which has no dnssec-policy; there, generate an ECDSAP256SHA256 key pair with dnssec-keygen and use auto-dnssec maintain together with inline-signing yes. Either way, signing an internal zone only helps resolvers that validate it: example.com cannot get a DS record in the public .com zone, so each internal validating resolver would need the zone's KSK configured as a trust anchor, and without that the signatures are served but never checked.
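To confirm both the master/slave replication from section 5.2 and the transfer restriction above without depending on dig's output format, here is an added example (not from the original article) that speaks the DNS wire protocol over TCP with the Python standard library only. It asks master and slave for the zone's SOA and compares the serials, and it attempts an AXFR, which a correctly restricted server must answer with rcode REFUSED. The server addresses and zone name are the ones used throughout this article; build_soa_response constructs answers the way an authoritative server would so the parsing can be exercised offline.

```python
"""Check SOA serial agreement and AXFR refusal using raw DNS over TCP.

Added example for this article (not code from the original page).
Run from a host that is NOT 192.168.70.129, otherwise the master is
allowed to answer the AXFR and the refusal check fails by design.
"""
import socket
import struct

MASTER, SLAVE, ZONE = "192.168.70.128", "192.168.70.129", "example.com"
QTYPE_SOA, QTYPE_AXFR, RCODE_REFUSED = 6, 252, 5


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at buf[off]."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(qname, qtype, txid=0x1234):
    """One-question query with RD=0: we talk to authoritative servers, not resolvers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def parse_response(msg):
    """Return (rcode, answer count, serial of the first SOA in the answer or None)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):  # skip the question section
        off = skip_name(msg, off) + 4
    serial = None
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and serial is None:
            p = skip_name(msg, off)  # MNAME
            p = skip_name(msg, p)    # RNAME
            serial = struct.unpack(">I", msg[p:p + 4])[0]
        off += rdlen
    return rcode, an, serial


def build_soa_response(qname, serial, txid=0x1234, rcode=0):
    """Construct an authoritative answer (QR=1, AA=1); used for offline testing."""
    flags = 0x8400 | rcode
    question = encode_name(qname) + struct.pack(">HH", QTYPE_SOA, 1)
    if rcode:  # a refusal carries the question and no records
        return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = (encode_name("www." + qname) + encode_name("admin." + qname)
             + struct.pack(">IIIII", serial, 86400, 3600, 604800, 10800))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_SOA, 1, 86400, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def query_tcp(server, qname, qtype, timeout=3.0):
    """Send one query with the RFC 1035 two-byte length prefix; return the first message."""
    query = build_query(qname, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", sock.recv(2))
        msg = b""
        while len(msg) < length:
            chunk = sock.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return msg


def replication_ok(master_msg, slave_msg):
    """True when both answers carry an SOA and the serials agree."""
    _, _, m = parse_response(master_msg)
    _, _, s = parse_response(slave_msg)
    return m is not None and m == s


def axfr_refused(msg):
    """A correctly restricted server answers AXFR with REFUSED and no records."""
    rcode, ancount, _ = parse_response(msg)
    return rcode == RCODE_REFUSED and ancount == 0


if __name__ == "__main__":
    m = query_tcp(MASTER, ZONE, QTYPE_SOA)
    s = query_tcp(SLAVE, ZONE, QTYPE_SOA)
    print("serials match:", replication_ok(m, s), parse_response(m)[2], parse_response(s)[2])
    print("AXFR refused by master:", axfr_refused(query_tcp(MASTER, ZONE, QTYPE_AXFR)))
    print("AXFR refused by slave: ", axfr_refused(query_tcp(SLAVE, ZONE, QTYPE_AXFR)))
```

A server that does allow the transfer answers the AXFR with rcode 0 and the SOA as its first record, so axfr_refused returning False is the signal that the allow-transfer list is wider than intended.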
8.3 System
# Keep the system patched (dnf-automatic can apply security updates unattended)
dnf update -y
# Tighten the firewall: drop services the hosts do not need, then review what is left
firewall-cmd --remove-service=dhcpv6-client --permanent
firewall-cmd --reload
firewall-cmd --list-all
9. Monitoring and maintenance
9.1 Service monitoring
# /nginx_status only exists once stub_status is enabled. Add this location to the
# server block on port 9093 and keep it reachable from loopback only:
location = /nginx_status {
    stub_status;
    allow 127.0.0.1;
    deny all;
}
# Nginx status
curl http://127.0.0.1:9093/nginx_status
# DNS statistics: rndc stats appends a snapshot to the statistics-file
rndc stats
cat /var/named/data/named_stats.txt
9.2 Log analysis
# Nginx access log analysis (goaccess comes from EPEL). The report lists every
# visitor IP and URL, so keep it in a directory nginx does not serve.
goaccess /var/log/nginx/access.log -o /var/www/html/report.html --log-format=COMBINED
# DNS queries are not logged until query logging is switched on; it is verbose,
# so switch it off again when done. With the logging block from section 4 the
# entries go to the journal.
rndc querylog on
journalctl -u named | grep 'query:'
rndc querylog off
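Grepping the query log answers one question at a time; what an on-call engineer actually wants is a summary. The script below is an added example, not part of the original article: it parses BIND query-log lines and reports queries per client and per type, plus two things that matter on an authoritative-only server such as this one: clients that ask for recursion (RD flag, logged as a leading "+") and repeated ANY queries, both typical of reflection probing. The sample log lines are constructed to match the BIND 9.11/9.16 query-log format and are not captured from the servers in this article; the threshold is my choice.

```python
"""Summarise a BIND query log: clients, query types, recursion requests, ANY abuse.

Added example for this article (not code from the original page).
Usage: rndc querylog on; journalctl -u named --no-pager | python3 dnslog.py
"""
import re
import sys
from collections import Counter

# BIND 9.11+ query log: client [@0x...] IP#port (qname): query: name class type flags (server)
LINE = re.compile(
    r"client (?:@0x[0-9a-f]+:? )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<class>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+)"
)

# Constructed sample, not captured traffic. 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
07-Jun-2024 10:00:01.123 queries: info: client @0x7f3c1c0a1b80 192.168.70.50#51234 (www.example.com): query: www.example.com IN A -E(0) (192.168.70.128)
07-Jun-2024 10:00:01.456 queries: info: client @0x7f3c1c0a1b80 192.168.70.50#51235 (128.70.168.192.in-addr.arpa): query: 128.70.168.192.in-addr.arpa IN PTR -E(0) (192.168.70.128)
07-Jun-2024 10:00:02.001 queries: info: client @0x7f3c1c0a2c90 203.0.113.9#4444 (example.com): query: example.com IN ANY +E(0)D (192.168.70.128)
07-Jun-2024 10:00:02.002 queries: info: client @0x7f3c1c0a2c90 203.0.113.9#4444 (example.com): query: example.com IN ANY +E(0)D (192.168.70.128)
07-Jun-2024 10:00:02.003 queries: info: client @0x7f3c1c0a2c90 203.0.113.9#4444 (example.com): query: example.com IN ANY +E(0)D (192.168.70.128)
07-Jun-2024 10:00:03.777 queries: info: client @0x7f3c1c0a1b80 192.168.70.51#40001 (www.example.com): query: www.example.com IN AAAA -E(0) (192.168.70.128)
"""


def parse_query_log(text):
    """Yield one dict per query line; lines that are not query entries are skipped."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["rd"] = rec["flags"].startswith("+")  # '+' means the client set RD
            yield rec


def summarise(text, any_threshold=3):
    """Return per-client and per-type counters plus clients repeating ANY queries."""
    clients, qtypes, any_by_client, rd_by_client = Counter(), Counter(), Counter(), Counter()
    for rec in parse_query_log(text):
        clients[rec["ip"]] += 1
        qtypes[rec["qtype"]] += 1
        if rec["qtype"] == "ANY":
            any_by_client[rec["ip"]] += 1
        if rec["rd"]:
            rd_by_client[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in any_by_client.items() if n >= any_threshold)
    return {"clients": clients, "qtypes": qtypes, "rd_clients": rd_by_client, "suspects": suspects}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarise(text)
    print("queries per client:", s["clients"].most_common(5))
    print("query types:       ", s["qtypes"].most_common())
    print("RD set (want recursion):", dict(s["rd_clients"]))
    print("repeated ANY from: ", s["suspects"])
```

On an authoritative-only server every "+" entry is a client that expected recursion and got REFUSED, which is normal for misconfigured hosts but worth a look when it comes from outside the LAN; a burst of ANY queries from one source with the same port is the pattern the rate-limit block from section 7.2 is there to absorb.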
9.3 Backup strategy
# The archives contain configuration and, once DNSSEC is enabled, private keys
mkdir -p /backup && chmod 700 /backup
# Nginx configuration
tar czf /backup/nginx_conf_$(date +%F).tar.gz /etc/nginx/
# DNS configuration and zone files
tar czf /backup/dns_zones_$(date +%F).tar.gz /etc/named.conf /var/named/
10. Extensions
10.1 Adding HTTPS
# Install Certbot (both packages come from EPEL on RHEL/CentOS)
dnf install -y certbot python3-certbot-nginx
# Obtain a certificate
certbot --nginx -d www.example.com
# Test automatic renewal
certbot renew --dry-run
This only works for a name the public internet can resolve and reach: Let's Encrypt validates HTTP-01 by connecting to port 80 at the public address of www.example.com, and example.com itself is a reserved name that no public CA will issue for. For an internal lab like this one, issue the certificate from an internal CA (or use a self-signed one for testing), reference it with ssl_certificate and ssl_certificate_key, and change listen 9093; to listen 9093 ssl; in the server block.
10.2 Load balancing
The front-end server block listening on 9093 must not appear in its own upstream: with server 192.168.70.128:9093 in the list, the proxy would forward requests to itself in a loop. Move the static site to the backend hosts and list only those. Replace the server block in /etc/nginx/conf.d/www.example.conf rather than adding a second one, because two server blocks with the same listen port and server_name conflict and nginx ignores the later one.
upstream backend {
    server 192.168.70.130:9093;
    # add further backends here; never the front end's own 9093 listener
}
server {
    listen 9093;
    server_name www.example.com;
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
10.3 Highly available DNS
# Configuration for a third DNS server, which can pull the zone from either A or B
zone "example.com" IN {
    type slave;
    file "slaves/named.example.com";
    masters { 192.168.70.128; 192.168.70.129; };
};
For this to work, add the third server's address to allow-transfer for the zone on both A and B, and give the third server the same allow-query, recursion and allow-transfer settings as B so that it does not become the one host that hands out the zone to anyone.
In practice I found SELinux the most error-prone part, especially with a non-standard directory and port. After the configuration is in place, use audit2allow (ausearch -m AVC -ts recent | audit2allow) to analyse any remaining SELinux denials. Also keep the clocks on all servers in sync with chrony: zone transfers themselves do not depend on it, but correlating logs between master and slave does, and so do TSIG-signed transfers if you add them later.