Lab: Nginx serving an NFS share, with DNS name resolution and security hardening (time synchronization, firewall)
1 Requirements analysis and environment preparation
1.1 Task requirements
Task requirements: when a client visits www.nihao.com, DNS resolves the name and the client reaches the home page that the Nginx service serves from an NFS share; the page content is: Very good, you have successfully set up the system. All hosts keep their clocks synchronized, and every host keeps its firewall enabled to protect the installed services.
Host plan:

| Role | OS | IP | Hostname | Software |
|---|---|---|---|---|
| Web server | redhat9.5 | 192.168.33.8 | web | nginx |
| NFS server | redhat9.5 | 192.168.33.9 | nfs | nfs-utils |
| DNS primary | redhat9.5 | 192.168.33.18 | dns1 | bind |
| DNS secondary | redhat9.5 | 192.168.33.28 | dns2 | bind |
| Client | redhat9.5 | 192.168.33.7 | client | bind-utils |
1.2 Environment preparation
1.2.1 Web server
[root@web ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.33.8/24 ipv4.gateway 192.168.33.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@web ~]# nmcli c up ens160
1.2.2 NFS server
[root@dns-client ~]# hostnamectl hostname nfs
[root@dns-client ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.33.9/24 ipv4.gateway 192.168.33.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@dns-client ~]# nmcli c up ens160
1.2.3 DNS primary server
[root@dns1 ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.33.18/24 ipv4.gateway 192.168.33.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@dns1 ~]# nmcli c up ens160
1.2.4 DNS secondary server
[root@dns2 ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.33.28/24 ipv4.gateway 192.168.33.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@dns2 ~]# nmcli c up ens160
1.2.5 Client
[root@client ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.33.7/24 ipv4.gateway 192.168.33.2 ipv4.dns "192.168.33.18 192.168.33.28" connection.autoconnect yes
[root@client ~]# nmcli c up ens160
2 Installing and configuring the services
2.1 Web service
2.1.1 Install the web service
#web
[root@web ~]# mount /dev/sr0 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@web ~]# dnf install nginx- -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
baseos 1.1 MB/s | 2.7 kB 00:00
appstream 1.7 MB/s | 3.2 kB 00:00
No match for argument: nginx-
Error: Unable to find a match: nginx-
[root@web ~]# dnf install nginx -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
Last metadata expiration check: 0:00:08 ago on Tue 18 Mar 2025 02:51:17 PM CST.
Package nginx-2:1.20.1-20.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2.1.2 Configure the Nginx home page
[root@web ~]# rpm -ql nginx
/usr/bin/nginx-upgrade
/usr/lib/systemd/system/nginx.service
/usr/share/man/man3/nginx.3pm.gz
/usr/share/man/man8/nginx-upgrade.8.gz
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx/html/404.html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/icons
/usr/share/nginx/html/icons/poweredby.png
/usr/share/nginx/html/index.html
/usr/share/nginx/html/nginx-logo.png
/usr/share/nginx/html/poweredby.png
/usr/share/nginx/html/system_noindex_logo.png
/usr/share/vim/vimfiles/ftdetect/nginx.vim
/usr/share/vim/vimfiles/ftplugin/nginx.vim
/usr/share/vim/vimfiles/indent/nginx.vim
/usr/share/vim/vimfiles/syntax/nginx.vim
[root@web ~]# echo "Very good, you have successfully set up the system." > /usr/share/nginx/html/index.html
[root@web ~]# systemctl enable --now nginx
[root@web ~]# firewall-cmd --permanent --add-service=http
Warning: ALREADY_ENABLED: http
success
[root@web ~]# firewall-cmd --reload
success
# Enter the web server's IP address in a browser
2.2 NFS service
2.2.1 Install the NFS service
#web
[root@web ~]# mount /dev/sr0 /mnt
mount: /mnt: /dev/sr0 already mounted on /run/media/redhat/RHEL-9-5-0-BaseOS-x86_64.
[root@web ~]# dnf install nfs-utils -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
Last metadata expiration check: 0:15:10 ago on Tue 18 Mar 2025 02:51:17 PM CST.
Package nfs-utils-1:2.5.4-27.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
#nfs
[root@nfs ~]# mount /dev/sr0 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@nfs ~]# dnf install nfs-utils -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
BaseOS 646 kB/s | 2.7 kB 00:00
AppStream 1.5 MB/s | 3.2 kB 00:00
baseos 2.7 MB/s | 2.7 kB 00:00
appstream 3.1 MB/s | 3.2 kB 00:00
Package nfs-utils-1:2.5.4-27.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2.2.2 Start the NFS service
[root@nfs ~]# systemctl start nfs-server
[root@nfs ~]# systemctl status nfs-server
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; preset: d>
Drop-In: /run/systemd/generator/nfs-server.service.d
└─order-with-mounts.conf
Active: active (exited) since Tue 2025-03-18 14:04:38 CST; 1h 6min ago
Docs: man:rpc.nfsd(8)
man:exportfs(8)
Process: 1225 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
Process: 1252 ExecStart=/usr/sbin/rpc.nfsd (code=exited, status=0/SUCCESS)
Process: 1375 ExecStart=/bin/sh -c if systemctl -q is-active gssproxy; then sys>
Main PID: 1375 (code=exited, status=0/SUCCESS)
CPU: 95ms

Mar 18 14:04:37 dns-client systemd[1]: Starting NFS server and services...
Mar 18 14:04:38 dns-client systemd[1]: Finished NFS server and services.
[root@nfs ~]# systemctl enable nfs-server
[root@web ~]# systemctl start nfs-server
[root@web ~]# systemctl status nfs-server
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; preset: d>
Drop-In: /run/systemd/generator/nfs-server.service.d
└─order-with-mounts.conf
Active: active (exited) since Tue 2025-03-18 14:02:08 CST; 1h 13min ago
Docs: man:rpc.nfsd(8)
man:exportfs(8)
Main PID: 1412 (code=exited, status=0/SUCCESS)
CPU: 99ms

Mar 18 14:02:07 web systemd[1]: Starting NFS server and services...
Mar 18 14:02:08 web systemd[1]: Finished NFS server and services.
[root@web ~]# systemctl enable nfs-server
2.2.3 Allow the service through the firewall
[root@nfs ~]# firewall-cmd --permanent --add-service=nfs
Warning: ALREADY_ENABLED: nfs
success
[root@nfs ~]# firewall-cmd --reload
success
[root@nfs ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client nfs ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@web ~]# systemctl enable nfs-server
[root@web ~]# firewall-cmd --permanent --add-service=nfs
Warning: ALREADY_ENABLED: nfs
success
[root@web ~]# firewall-cmd --reload
success
[root@web ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client http nfs ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
2.2.4 Disable SELinux
# Permanent
[root@web ~]# sed -i
[root@web ~]# getenforce
Permissive
# Temporary
[root@nfs ~]# setenforce 0
2.2.5 Configure the NFS service
[root@nfs ~]# mkdir /nfs/data -p
[root@nfs ~]# systemctl restart nfs-server.service
[root@nfs ~]# showmount -e 192.168.33.9
Export list for 192.168.33.9:
/nfs/data 192.168.33.0/24
2.2.6 Configure the NFS client
[root@web ~]# mkdir /var/nginx -p
[root@web ~]# mount -t nfs 192.168.33.9:/nfs/data /var/nginx
[root@web ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 1.8G 0 1.8G 0% /dev/shm
tmpfs 726M 12M 714M 2% /run
/dev/mapper/rhel-root 46G 4.9G 41G 11% /
/dev/nvme0n1p1 960M 347M 614M 37% /boot
tmpfs 363M 100K 363M 1% /run/user/1000
/dev/sr0 11G 11G 0 100% /mnt
tmpfs 363M 36K 363M 1% /run/user/0
192.168.33.9:/nfs/data 46G 4.9G 41G 11% /var/nginx
# Add permissions (lab only)
[root@web ~]# ll -d /nfs/data/
drwxr-xrwx. 2 root root 84 Mar 14 16:30 /nfs/data/
[root@web ~]# chmod 777 /nfs/data/
[root@web ~]# ll -d /nfs/data
drwxrwxrwx. 2 root root 84 Mar 14 16:30 /nfs/data
[root@nfs ~]# echo Very good, you have successfully set up the system. > /nfs/data/index.html
[root@nfs ~]# cat /nfs/data/index.html
Very good, you have successfully set up the system.
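The lab exports /nfs/data read-write to the whole subnet and makes the directory world-writable "for the lab only". The following added example (not from the original post) shows the tighter export and mount a practitioner would use for the same topology, plus a small audit of an /etc/exports line; the mount options, the `httpd_use_nfs` boolean as the alternative to disabling SELinux, and the single-client export are my choices, not the lab's.

```shell
#!/bin/sh
# Added example (not from the original lab): a tighter NFS export and mount for
# the lab topology: nfs (192.168.33.9) exports /nfs/data, web (192.168.33.8)
# mounts it under /var/nginx for Nginx to serve.

# Audit one /etc/exports line; print each option the web tier does not need
# for serving static files and return 1 if any was found.
check_export_line() {
    line=$1
    client=${line#* }; client=${client%%\(*}          # second field, before "("
    case "$line" in *\(*\)*) opts=${line#*\(}; opts=${opts%%\)*} ;; *) opts="" ;; esac
    rc=0
    case ",$opts," in *,rw,*)             echo "risky: rw (web only reads the share)"; rc=1 ;; esac
    case ",$opts," in *,no_root_squash,*) echo "risky: no_root_squash"; rc=1 ;; esac
    case "$client" in \*|192.168.33.0/24) echo "risky: exported to $client, not only the web host"; rc=1 ;; esac
    return $rc
}

# Hardened export: read-only, root mapped to nobody, a single client instead of
# the whole subnet that showmount reports in the lab.
hardened_export() {
    printf '/nfs/data 192.168.33.8(ro,root_squash,no_subtree_check,sync)\n'
}

# On the NFS server (requires root; not run by the test).
apply_on_nfs_server() {
    hardened_export > /etc/exports
    exportfs -rav
}

# On the web server: read-only mount without setuid/device/exec semantics, and
# the SELinux boolean that lets the httpd_t domain (nginx) read NFS content, so
# SELinux can stay enforcing instead of being switched to permissive.
apply_on_web_server() {
    mkdir -p /var/nginx
    mount -t nfs -o ro,nosuid,nodev,noexec 192.168.33.9:/nfs/data /var/nginx
    setsebool -P httpd_use_nfs on
    systemctl reload nginx
}

# Constructed stand-in for the lab's export (rw to the whole subnet):
check_export_line '/nfs/data 192.168.33.0/24(rw,sync)' || echo "lab export needs tightening"
check_export_line "$(hardened_export)" && echo "hardened export passes"
```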
2.2.7 Configure Nginx to serve the share
[root@web ~]# vim /etc/nginx/conf.d/nfs.conf
[root@web ~]# cat /etc/nginx/conf.d/nfs.conf
server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
server_name 192.168.33.8;
root /var/nginx/;
}
[root@web ~]# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web ~]# systemctl restart nginx
[root@web ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web ~]# firewall-cmd --reload
success
[root@web ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client http nfs ssh
ports: 80/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Open the page in a browser: the shared file is served
2.3 DNS service
2.3.1 Configure the DNS primary
2.3.1.1 Install the DNS service
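The listings above leave the web host with cockpit, dhcpv6-client and nfs open and add 80/tcp on top of the http service. The following added example (not from the original lab) audits a `firewall-cmd --list-all` listing against what a host is meant to expose; the allow-list "http ssh" for the web host and the remediation commands are my assumptions, and the listing is the one printed above.

```shell
#!/bin/sh
# Added example, not from the original lab: audit a `firewall-cmd --list-all`
# listing against what a host is supposed to expose. The allow-lists are my
# assumptions for the lab roles; the listing is the web host's, as printed
# in the lab.

# firewall_audit "<allowed services>" "<allowed ports>"  < listing
# Prints each service/port outside the allow-list; returns 1 if any was found.
firewall_audit() {
    allowed_services=" $1 "; allowed_ports=" $2 "; bad=0
    while IFS= read -r l; do
        l=${l#"${l%%[! ]*}"}                     # trim leading spaces
        case "$l" in
            services:*)
                for s in ${l#services:}; do
                    case "$allowed_services" in *" $s "*) ;;
                        *) echo "unexpected service: $s"; bad=1 ;; esac
                done ;;
            ports:*)
                for p in ${l#ports:}; do
                    case "$allowed_ports" in *" $p "*) ;;
                        *) echo "unexpected port: $p"; bad=1 ;; esac
                done ;;
        esac
    done
    return $bad
}

# Remediation on the web host (requires root; not run by the test): as an NFSv4
# client it needs no inbound nfs; cockpit and dhcpv6-client come from the default
# public zone; 80/tcp is already covered by the http service.
tighten_web_firewall() {
    firewall-cmd --permanent --remove-service=cockpit
    firewall-cmd --permanent --remove-service=dhcpv6-client
    firewall-cmd --permanent --remove-service=nfs
    firewall-cmd --permanent --remove-port=80/tcp
    firewall-cmd --reload && firewall-cmd --list-all
}

# The web host's listing as shown in the lab (trimmed to the relevant lines).
WEB_LISTING='public (active)
  target: default
  services: cockpit dhcpv6-client http nfs ssh
  ports: 80/tcp
  protocols:'

printf '%s\n' "$WEB_LISTING" | firewall_audit "http ssh" "" || echo "web host exposes more than it needs"
```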
[root@dns1 ~]# mount /dev/sr0 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@dns1 ~]# dnf install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
BaseOS 642 kB/s | 2.7 kB 00:00
AppStream 2.6 MB/s | 3.2 kB 00:00
baseos 2.7 MB/s | 2.7 kB 00:00
appstream 3.1 MB/s | 3.2 kB 00:00
Package bind-32:9.16.23-24.el9_5.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2.3.1.2 Edit the main configuration file
[root@dns1 ~]# vim /etc/named.conf
[root@dns1 ~]# cat /etc/named.conf
options {
listen-on port 53 { 192.168.33.18; };
directory "/var/named";
allow-query { any; };
};
zone "nihao.com" IN {
type master;
file "nihao.com";
};
2.3.1.3 Configure the zone data file
[root@dns1 ~]# vim /var/named/nihao.com
[root@dns1 ~]# cat /var/named/nihao.com
$TTL 1D
@ IN SOA @ admin.nihao.com. (0 1D 2H 3W 2D)
        IN NS ns1
        IN NS ns2
ns1 IN A 192.168.33.18
ns2 IN A 192.168.33.28
www IN A 192.168.33.8
2.3.1.4 Test DNS resolution
[root@dns1 ~]# systemctl start named
[root@dns1 ~]# ps -ef | grep named
named 4041 1 1 16:30 ? 00:00:00 /usr/sbin/named -u named -c /etc/named.conf
root 4056 3009 0 16:30 pts/1 00:00:00 grep --color=auto named
[root@dns1 ~]# dig -t A www.nihao.com @192.168.33.18
; <<>> DiG 9.16.23-RH <<>> -t A www.nihao.com @192.168.33.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3624
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 39016b5685dbbc7b0100000067d93027efe733cf8b6e0f7e (good)
;; QUESTION SECTION:
;www.nihao.com. IN A

;; ANSWER SECTION:
www.nihao.com. 86400 IN A 192.168.33.8

;; Query time: 1 msec
;; SERVER: 192.168.33.18#53(192.168.33.18)
;; WHEN: Tue Mar 18 16:34:47 CST 2025
;; MSG SIZE rcvd: 86

[root@dns1 ~]# dig -t NS nihao.com @192.168.33.18
; <<>> DiG 9.16.23-RH <<>> -t NS nihao.com @192.168.33.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b2210255d5453a6c0100000067d9306edadef9a9282025df (good)
;; QUESTION SECTION:
;nihao.com. IN NS

;; ANSWER SECTION:
nihao.com. 86400 IN NS ns2.nihao.com.
nihao.com. 86400 IN NS ns1.nihao.com.

;; ADDITIONAL SECTION:
ns1.nihao.com. 86400 IN A 192.168.33.18
ns2.nihao.com. 86400 IN A 192.168.33.28

;; Query time: 0 msec
;; SERVER: 192.168.33.18#53(192.168.33.18)
;; WHEN: Tue Mar 18 16:35:58 CST 2025
;; MSG SIZE rcvd: 134
2.3.1.5 Allow the DNS service through the firewall
[root@dns1 ~]# firewall-cmd --permanent --add-service=dns
Warning: ALREADY_ENABLED: dns
success
[root@dns1 ~]# firewall-cmd --reload
success
2.3.2 Configure the DNS secondary
2.3.2.1 Install the DNS service
[root@dns2 ~]# mount /dev/sr0 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@dns2 ~]# dnf install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
Last metadata expiration check: 23:18:39 ago on Mon 17 Mar 2025 05:24:35 PM CST.
Package bind-32:9.16.23-24.el9_5.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2.3.2.2 Edit the main configuration file
[root@dns2 ~]# vim /etc/named.conf
[root@dns2 ~]# cat /etc/named.conf
options {
listen-on port 53 { 192.168.33.28; };
directory "/var/named";
allow-query { any; };
};
zone "nihao.com" IN {
type slave;
masters { 192.168.33.18; };
file "slaves/nihao.com";
};
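Both zone stanzas above (2.3.1.2 on dns1 and 2.3.2.2 on dns2) accept queries from anyone, which is right for an authoritative server, but neither limits zone transfers, so any host that can reach port 53 can pull the whole zone. The following added example (not from the original lab) renders the same stanzas with transfers restricted to dns2 and adds a static check that every zone stanza in a named.conf carries an allow-transfer statement; the `notify yes` line and the check itself are my additions.

```shell
#!/bin/sh
# Added example, not part of the original lab: the nihao.com zone stanzas with
# zone transfers restricted, so only dns2 (192.168.33.28) can pull the zone from
# dns1 (192.168.33.18) and dns2 hands it to nobody. Addresses/files are the lab's.

# Replacement zone stanza for /etc/named.conf on dns1 (2.3.1.2).
render_primary_zone() {
    cat <<'EOF'
zone "nihao.com" IN {
    type master;
    file "nihao.com";
    allow-transfer { 192.168.33.28; };
    notify yes;
};
EOF
}

# Replacement zone stanza for /etc/named.conf on dns2 (2.3.2.2).
render_secondary_zone() {
    cat <<'EOF'
zone "nihao.com" IN {
    type slave;
    masters { 192.168.33.18; };
    file "slaves/nihao.com";
    allow-transfer { none; };
};
EOF
}

# Static check over named.conf text on stdin: every zone stanza must carry an
# allow-transfer statement; prints each offending zone and returns 1 if any.
zones_restrict_transfer() {
    bad=0; in_zone=0; seen=0; zone=""
    while IFS= read -r l; do
        case "$l" in
            zone*)            in_zone=1; seen=0; zone=$l ;;
            *allow-transfer*) seen=1 ;;
            "};"*) if [ "$in_zone" = 1 ] && [ "$seen" = 0 ]; then
                       echo "missing allow-transfer: $zone"; bad=1
                   fi; in_zone=0 ;;
        esac
    done
    return $bad
}

# After editing on the host: named-checkconf /etc/named.conf && rndc reload
# The lab's own stanza (no allow-transfer) fails the check; the new ones pass.
printf 'zone "nihao.com" IN {\n    type master;\n    file "nihao.com";\n};\n' | zones_restrict_transfer
render_primary_zone | zones_restrict_transfer && render_secondary_zone | zones_restrict_transfer && echo "transfers restricted"
```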
2.3.2.3 Allow the DNS service through the firewall
[root@dns2 ~]# firewall-cmd --permanent --add-service=dns
Warning: ALREADY_ENABLED: dns
success
[root@dns2 ~]# firewall-cmd --reload
success
2.3.2.4 Test DNS resolution
[root@dns2 ~]# systemctl start named
[root@dns2 ~]# dig -t NS nihao.com @192.168.33.28

; <<>> DiG 9.16.23-RH <<>> -t NS nihao.com @192.168.33.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22549
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f7f9cd098dfd769d0100000067d935a2dd294fd67c31035c (good)
;; QUESTION SECTION:
;nihao.com. IN NS

;; ANSWER SECTION:
nihao.com. 86400 IN NS ns1.nihao.com.
nihao.com. 86400 IN NS ns2.nihao.com.

;; ADDITIONAL SECTION:
ns1.nihao.com. 86400 IN A 192.168.33.18
ns2.nihao.com. 86400 IN A 192.168.33.28

;; Query time: 1 msec
;; SERVER: 192.168.33.28#53(192.168.33.28)
;; WHEN: Tue Mar 18 16:58:10 CST 2025
;; MSG SIZE rcvd: 134

[root@dns2 ~]# dig -t A www.nihao.com @192.168.33.28
; <<>> DiG 9.16.23-RH <<>> -t A www.nihao.com @192.168.33.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48375
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 41ea09fa8ee6c3270100000067d935bbed3f85565a64bc12 (good)
;; QUESTION SECTION:
;www.nihao.com. IN A

;; ANSWER SECTION:
www.nihao.com. 86400 IN A 192.168.33.8

;; Query time: 0 msec
;; SERVER: 192.168.33.28#53(192.168.33.28)
;; WHEN: Tue Mar 18 16:58:35 CST 2025
;; MSG SIZE rcvd: 86
3 Time synchronization
Configure dns1 as the time server (primary):
[root@dns1 ~]# vim /etc/chrony.conf
In the configuration files of the remaining hosts (only dns2 is shown; the steps are the same for the others):
[root@dns2 ~]# vim /etc/chrony.conf
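Section 3 shows the edits only as vim invocations. The following added example (not from the original post) renders the chrony.conf contents that implement it: dns1 serves time to the 192.168.33.0/24 subnet and the other hosts sync from it; the upstream pool name, the stratum value and the restart/firewall steps are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original lab: the chrony.conf contents behind
# the two vim commands in section 3. dns1 (192.168.33.18) serves time to the
# 192.168.33.0/24 subnet; every other host syncs from it. The upstream pool
# name and the restart/firewall steps are my assumptions.

# /etc/chrony.conf for dns1: follow an upstream pool when reachable and keep
# serving the lab subnet from the local clock (stratum 10) when it is not.
render_server_conf() {
    cat <<'EOF'
pool pool.ntp.org iburst
allow 192.168.33.0/24
local stratum 10
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# /etc/chrony.conf for web, nfs, dns2 and client: the lab time server only.
render_client_conf() {
    cat <<'EOF'
server 192.168.33.18 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# Apply on a host (requires root; not run by the test): apply_chrony server|client
apply_chrony() {
    case "$1" in
        server) render_server_conf > /etc/chrony.conf
                firewall-cmd --permanent --add-service=ntp && firewall-cmd --reload ;;
        client) render_client_conf > /etc/chrony.conf ;;
        *)      echo "usage: apply_chrony server|client" >&2; return 2 ;;
    esac
    systemctl restart chronyd
    chronyc sources -v      # the selected source is marked with ^*
}

# List the time sources a rendered config names (server/pool lines only), so a
# client config can be checked to point at dns1 and nothing else.
conf_sources() {
    printf '%s\n' "$1" | while read -r kw host rest; do
        case "$kw" in server|pool) echo "$host" ;; esac
    done
}
```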
4 Test
[root@client ~]# curl www.nihao.com
Very good, you have successfully set up the system.
# Stop the primary DNS server
[root@client ~]# curl www.nihao.com
Very good, you have successfully set up the system.
Lab complete!