192.168.2.11 是内网中准备安装 DNS（BIND）和 Nginx 服务的机器。
安装 Bind
# Install BIND (the named daemon) together with the client tools (dig, nslookup, host)
yum -y install bind bind-utils
# Start the resolver now and make it start on every boot
systemctl enable named && systemctl start named
# Confirm that it is up; the output below is what a healthy start looks like
systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since 一 2020-03-30 09:47:49 CST; 4s ago
Process: 11893 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 11890 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 11895 (named)
Tasks: 7
Memory: 57.3M
CGroup: /system.slice/named.service
└─11895 /usr/sbin/named -u named -c /etc/named.conf
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:9f::42#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:500:9f::42#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:2d::d#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:500:2d::d#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:dc3::35#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:dc3::35#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:503:c27::2:30#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:a8::e#53
3月 30 09:47:50 node12 named[11895]: resolver priming query complete
3月 30 09:47:50 node12 named[11895]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
配置 Bind
修改 named.conf 配置文件，让内网中的所有主机都可以访问该 DNS 服务。注意：allow-query 与 recursion 同时对 any 开放会使这台服务器成为开放递归解析器；如果它有任何可从外网到达的地址，应只允许内网地址段查询。
# Open the main BIND configuration; the lines to change are marked in the listing below
vim /etc/named.conf
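// Hosts allowed to query this server and use it for recursion. 192.168.2.0/24 is an
// assumption derived from the server address 192.168.2.11 -- adjust it to your real
// internal subnet(s). The built-in "localnets" ACL is an alternative if the server only
// has internal interfaces.
acl "lan" { localhost; 192.168.2.0/24; };

options {
    // Accept queries on every IPv4 address of this host; IPv6 stays loopback-only
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";

    // Restrict queries and recursion to the internal network. With "recursion yes" below,
    // an allow-query of { any; } makes this an open resolver on every network the host is
    // reachable from (see the stock warning further down).
    allow-query { lan; };
    allow-recursion { lan; };
    // This guide configures no secondary servers, so refuse AXFR/IXFR: releases before
    // BIND 9.17 (including the one yum installs here, as far as the output above shows)
    // otherwise hand the full zone to anyone who asks.
    allow-transfer { none; };

    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};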
// Stock debug channel: the relative file path resolves under "directory", i.e.
// /var/named/data/named.run; "severity dynamic" follows the server's current debug level
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints (named.ca) used to prime recursion; the "resolver priming query complete"
// line in the status output above comes from this zone
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
修改 named.rfc1912.zones 配置文件
添加要自定义的域名 这里我添加的是 s.com
# Add the custom zone next to the stock RFC 1912 zones (any file included from named.conf works)
vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
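// --- added: internal zone s.com; the zone file is looked up under "directory" (/var/named) ---
zone "s.com" IN {
    type master;
    file "s.com.zone";
    // Match the stock zones below: no dynamic updates ...
    allow-update { none; };
    // ... and no zone transfers, since this guide sets up no secondary servers. Without
    // this, BIND releases before 9.17 answer AXFR from anyone, exposing every name at once.
    allow-transfer { none; };
};
// --- end of addition ---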
// Stock zones shipped by the package (RFC 1912 section 4.1): forward and reverse entries
// for localhost plus an empty 0.in-addr.arpa, all read-only (allow-update { none; })
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
// IPv6 loopback reverse zone (::1)
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// IPv4 loopback reverse zone (127.0.0.1)
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// Empty zone for 0.0.0.0/8 so such lookups are answered locally
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
添加自定义的域名解析文件
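# Start the s.com zone file from the sample zone. -a preserves owner, group and mode
# (root:named 0640 in the listing below) so named can read it; if you create the file from
# scratch instead, give it the same ownership and mode or named will fail to load it.
cp -a /var/named/named.localhost /var/named/s.com.zone
# "ll" is only an interactive alias on CentOS; ls -l with an explicit path also works
# from scripts and does not depend on the current directory
ls -l /var/named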
drwxrwx--- 2 named named 23 3月 30 09:47 data
drwxrwx--- 2 named named 60 3月 30 09:48 dynamic
-rw-r----- 1 root named 2253 4月 5 2018 named.ca
-rw-r----- 1 root named 152 12月 15 2009 named.empty
-rw-r----- 1 root named 152 6月 21 2007 named.localhost
-rw-r----- 1 root named 168 12月 15 2009 named.loopback
-rw-r----- 1 root named 152 6月 21 2007 s.com.zone
配置 s.com.zone 文件
# Replace the copied sample contents with the s.com records shown below
vim /var/named/s.com.zone
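$TTL 1D
; SOA: first field is the primary name server, second is the admin mailbox with the "@"
; written as "." (hostmaster.s.com. = hostmaster@s.com). Writing "s.com." there, as the
; original did, decodes to the mailbox s@com, which does not exist.
@       IN SOA  dns.s.com. hostmaster.s.com. (
                0  ; serial - increase on every edit; secondaries only transfer when it grows
                1D ; refresh
                1H ; retry
                1W ; expire
                3H ) ; minimum (negative-cache TTL)
; Leading whitespace matters in zone files: a line that starts with whitespace inherits the
; previous owner, a line that starts with a name sets a new owner. Relative names (dns,
; docker, ...) get the zone origin s.com. appended.
        IN NS   dns.s.com.
        IN A    192.168.2.11
dns     IN A    192.168.2.11
docker  IN A    192.168.2.11
jenkins IN A    192.168.2.11
test    IN A    192.168.2.11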
检查 named 配置文件是否有错误
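# Validate named.conf; -z additionally loads every zone it references (the same check the
# unit's ExecStartPre runs), so zone errors surface here rather than at restart time
named-checkconf -z /etc/named.conf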
检查自定义域名配置文件是否有错误
# Check the zone file on its own; expected output is "zone s.com/IN: loaded serial 0" then "OK"
named-checkzone s.com /var/named/s.com.zone
zone s.com/IN: loaded serial 0
OK
重启 named 服务
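# Restart only if the configuration and all zones still validate, so a typo made after the
# checks above cannot take the internal resolver down
named-checkconf -z /etc/named.conf && systemctl restart named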
在客户端的网络设置中把 DNS 服务器指向 192.168.2.11（下面的 ping 输出来自一台 Windows 客户端）
ping 自定义域名 测试内网 dns 服务是否正常
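# Query the resolver directly first (dig ships with bind-utils installed above); this
# isolates DNS from the client's network settings and should print 192.168.2.11
dig @192.168.2.11 docker.s.com +short
# Then resolve through the normal path from a client that uses 192.168.2.11 as its DNS server
ping docker.s.com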
正在 Ping docker.s.com [192.168.2.11] 具有 32 字节的数据:
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
配置 nginx
安装 nginx
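# nginx comes from EPEL, so enable that repository first; without it yum reports that no
# nginx package is available
yum install -y epel-release
yum install -y nginx
# Start now and on every boot
systemctl enable nginx && systemctl start nginx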
配置自定义2级域名
# One server block per hostname; files in conf.d are included by the stock nginx.conf
vim /etc/nginx/conf.d/docker.s.com.conf
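server {
    # Plain HTTP on the internal network. If the proxied UI's credentials should not cross
    # the LAN in the clear, terminate TLS here instead (listen 443 ssl + certificate).
    listen 80;
    server_name docker.s.com;

    location / {
        proxy_read_timeout 90;
        # Pass the original request details so the backend can build correct links
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Needed when nginx terminates HTTPS and proxies to HTTP (e.g. Jenkins'
        # "reverse proxy set up is broken" warning); harmless for plain HTTP
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        # Backend: any reachable IP:port. Here it is the Portainer UI on port 9000.
        # NOTE(review): if the backend uses WebSockets (Portainer's container console
        # does), also add proxy_http_version 1.1 plus the Upgrade/Connection headers.
        proxy_pass http://192.168.2.11:9000;

        # Dropped: "add_header backendIP $upstream_addr;" and "add_header backendCode
        # $upstream_status;". They expose the internal backend address and its status to
        # every client; for debugging, log $upstream_addr / $upstream_status instead.
    }

    error_log /var/log/nginx/docker.s.com/error.log;
    access_log /var/log/nginx/docker.s.com/access.log;
}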
# nginx opens the error_log/access_log files when it loads the configuration, so the
# directory referenced in docker.s.com.conf must exist before `nginx -t` or a reload
mkdir -p -- /var/log/nginx/docker.s.com
检查 nginx 配置文件是否有错误
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
重载 nginx 服务
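# Re-test and reload only on success, so a broken config never reaches the running server;
# reload keeps existing connections open, whereas a restart drops them
nginx -t && nginx -s reload
# or, through systemd (HUPs the master process just like -s reload):
# nginx -t && systemctl reload nginx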
在浏览器中访问 http://docker.s.com 测试：请求应由 nginx 转发到 192.168.2.11:9000 上的 Portainer。