整体架构搭建
1.服务器规划
| 主机名 | 外网ip | 内网ip | 搭建内容 |
|---|---|---|---|
| m01 | 10.0.0.61 | 172.16.1.61 | |
| lb01 | 10.0.0.5 | 172.16.1.5 | nginx、keepalived |
| lb02 | 10.0.0.6 | 172.16.1.6 | nginx、keepalived |
| web01 | | 172.16.1.7 | nginx |
| web02 | | 172.16.1.8 | nginx |
| web03 | | 172.16.1.9 | php |
| nfs | | 172.16.1.31 | nfs、rsync、inotify |
| backup | | 172.16.1.41 | rsync |
| db01 | | 172.16.1.51 | redis、mariadb |
2.跳板机m01安全配置
#1.启动防火墙
[root@m01 ~]# systemctl start firewalld
[root@m01 ~]# systemctl enable firewalld
#2.配置防火墙
[root@m01 ~]# systemctl stop NetworkManager
[root@m01 ~]# firewall-cmd --remove-interface=eth1
success
[root@m01 ~]# firewall-cmd --permanent --remove-service={ssh,dhcpv6-client}
success
[root@m01 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@m01 ~]# vim /usr/lib/firewalld/services/ssh.xml
<port protocol="tcp" port="2020"/>
#3.修改连接跳板机端口,禁止root登录,禁止使用密码登录
[root@m01 ~]# vim /etc/ssh/sshd_config
17 Port 2020
38 PermitRootLogin no
63 PasswordAuthentication no
[root@m01 ~]# systemctl restart sshd
#4.xshell生成密钥对,并将公钥放于管理机普通用户下
[root@m01 ~]# useradd lhd
[root@m01 ~]# su lhd
[lhd@m01 root]$ cd
[lhd@m01 ~]$ mkdir .ssh
[lhd@m01 ~]$ vim .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAu+PyyjLSnO4K+QFRJ84QHimS/nmp9b+NguU7TA8T7K/InZ9gt9E4zYaud8lqz01FEy4bzpK27968G0DMuArSt4T3111BPSPHnuOiCWlVzOCnSlIjWgrzACHU8scSyvmBF51CjbgE5ANBowQge77RBQu3GIaaI0aiJVqVxt9lcQ8=
[lhd@m01 ~]$ chmod 700 .ssh/
[lhd@m01 ~]$ chmod 600 .ssh/authorized_keys
3.使用跳板机管理所有机器
#1.生成密钥对,将公钥发送给所有服务器
[lhd@m01 ~]$ su -
Password:
Last login: Tue Jan 7 16:42:31 CST 2020 from 10.0.0.1 on pts/0
[root@m01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nm45DrdRcidakKmFVYM6hqygb7waMNdJA0UHIIlMSWg root@m01
The key's randomart image is:
+---[RSA 2048]----+
|B++++.. .oo |
|+E . . o.o . |
|. .o...= |
|. ooo+o . |
|+...o...S = . |
|oo. . B o |
|.o . *. |
| .+ ++o |
|.o.. o+. |
+----[SHA256]-----+
[root@m01 ~]# vim ssh.sh
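#!/bin/bash
# 免交互分发公钥: push root's public key to every internal host listed below so
# m01 can manage them over SSH without a password prompt.
#
# Usage:  SSHPASS=<root password> sh ssh.sh
#
# sshpass reads the password from the SSHPASS environment variable (-e)
# instead of receiving it with -p, so it does not show up in `ps` output or
# in shell history; when the variable is unset it falls back to the value the
# original script used.
: "${SSHPASS:=1}"
export SSHPASS

# StrictHostKeyChecking=no suppresses the host-key prompt (and its check) for
# this first contact with freshly built lab hosts; it is kept here only so the
# loop can run unattended.
for ip in 7 8 9 31 41 51; do
  # Keep going on failure so one unreachable host does not stop the rollout,
  # but report it so the missing key is noticed.
  sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "root@172.16.1.$ip" \
    || printf 'ssh-copy-id failed for 172.16.1.%s\n' "$ip" >&2
done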
[root@m01 ~]# yum install sshpass
[root@m01 ~]# sh ssh.sh
#2.关闭除m01/lb01/lb02以外的所有机器的外网
[root@web01 ~]# ifdown eth0
... ...
#3.使用m01连接所有的机器
[lhd@m01 ~]$ su -
Password:
Last login: Tue Jan 7 17:08:54 CST 2020 on pts/1
[root@m01 ~]# ssh 172.16.1.7
Last login: Tue Jan 7 17:20:41 2020 from 10.0.0.1
[root@web01 ~]#
#4.给所有机器创建用户
[root@m01 ~]# groupadd www -g 666
[root@m01 ~]# useradd www -u 666 -g 666
4.使用防火墙实现内部上网
#1.m01开启IP伪装(masquerade)转发
[root@m01 ~]# firewall-cmd --add-masquerade
[root@m01 ~]# firewall-cmd --add-masquerade --permanent
#2.修改其他没有外网的机器网关和DNS
[root@web01 ~]# vim /etc/resolv.conf
nameserver 223.5.5.5
[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
[root@web01 ~]# systemctl restart network
5.安装nginx(web01、web02、lb01、lb02)
#1.配置官方源
[root@web01 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
#2.yum安装NGINX
[root@web01 ~]# yum install -y nginx
或者
[root@m01 ~]# rz nginx-1.16.1-1.el7.ngx.x86_64.rpm
[root@m01 ~]# scp nginx-1.16.1-1.el7.ngx.x86_64.rpm 172.16.1.7:/tmp
[root@web01 tmp]# yum localinstall -y nginx-1.16.1-1.el7.ngx.x86_64.rpm
#3.配置nginx并启动
[root@web01 ~]# vim /etc/nginx/nginx.conf
user www;
http {
....
client_max_body_size 200M;
....
}
[root@web01 ~]# systemctl start nginx
6.安装php(web03)
#1.上传压缩包
[root@m01 ~]# rz php.tar.gz
[root@m01 ~]# scp php.tar.gz 172.16.1.9:/tmp
#2.解压安装php
[root@web03 ~]# cd /tmp
[root@web03 tmp]# tar xf php.tar.gz
[root@web03 tmp]# yum localinstall -y *.rpm
#3.配置php
[root@web03 ~]# vim /etc/php.ini
post_max_size = 200M
upload_max_filesize = 200M
[root@web03 ~]# vim /etc/php-fpm.d/www.conf
user = www
group = www
listen = 0.0.0.0:9000
listen.allowed_clients = 127.0.0.1,172.16.1.7,172.16.1.8
#4.启动php
[root@web03 ~]# systemctl start php-fpm
7.安装mariadb(db01)
#1.安装mariadb
[root@db01 ~]# yum install -y mariadb-server
#2.启动
[root@db01 ~]# systemctl start mariadb
#3.配置数据库密码
[root@db01 ~]# mysqladmin -u root password '123456'
#4.登录验证
[root@db01 ~]# mysqladmin -u root password '123456'
[root@db01 ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.64-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
8.安装redis(db01)
#1.安装redis
[root@db01 ~]# yum install -y redis
#2.配置redis
[root@db01 ~]# vim /etc/redis.conf
bind 127.0.0.1 172.16.1.51
#3.启动redis
[root@db01 ~]# systemctl start redis
9.安装nfs(nfs)
#1.安装nfs
[root@nfs ~]# yum install -y nfs-utils
#2.配置nfs
[root@nfs ~]# vim /etc/exports
/data/wordpress 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
[root@nfs ~]# mkdir /data/wordpress -p
[root@nfs ~]# chown -R www.www /data/wordpress/
#3.启动nfs
[root@nfs ~]# systemctl start nfs
#4.验证nfs配置
[root@nfs ~]# cat /var/lib/nfs/etab
/data/wordpress 172.16.1.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=666,anongid=666,sec=sys,rw,secure,root_squash,all_squash)
10.安装rsync(backup服务器)
#1.安装rsync
[root@backup ~]# yum install -y rsync
#2.配置rsync
[root@backup ~]# vim /etc/rsyncd.conf
uid = www
gid = www
port = 873
fake super = yes
use chroot = no
max connections = 200
timeout = 600
ignore errors
read only = false
list = false
auth users = rsync_backup
secrets file = /etc/rsync.password
log file = /var/log/rsyncd.log
#####################################
[data]
path = /data
#3.创建密码文件
[root@backup ~]# echo "rsync_backup:123456" > /etc/rsync.password
[root@backup ~]# chmod 600 /etc/rsync.password
#4.创建目录
[root@backup ~]# mkdir /data
[root@backup ~]# chown -R www.www /data/
11.搭建wordpress
#1.上传代码包
[root@m01 ~]# rz wordpress-5.0.3-zh_CN.tar.gz
[root@m01 ~]# scp wordpress-5.0.3-zh_CN.tar.gz 172.16.1.7:/code/
#2.解压部署代码
[root@web01 code]# tar xf wordpress-5.0.3-zh_CN.tar.gz
[root@web01 code]# chown -R www.www /code/
#3.配置nginx
[root@web01 code]# vim /etc/nginx/conf.d/blog.linux.com.conf
server {
listen 80;
server_name blog.linux.com;
location / {
root /code/wordpress;
index index.php;
}
location ~ \.php$ {
root /code/wordpress;
fastcgi_pass 172.16.1.9:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
#4.重启nginx
[root@web01 code]# systemctl restart nginx
#5.推送站点文件到web03
[root@web01 code]# scp -r /code 172.16.1.9:/
web03授权
[root@web03 ~]# chown -R www.www /code/
#6.配置hosts访问测试
#7.将配置与站点都推送至web02
[root@web01 ~]# scp -r /code 172.16.1.8:/
[root@web01 ~]# scp /etc/nginx/conf.d/blog.linux.com.conf 172.16.1.8:/etc/nginx/conf.d/
12.搭建phpmyadmin
#1.上传代码包
[root@m01 ~]# rz phpMyAdmin-4.9.2-all-languages.zip
[root@m01 ~]# scp phpMyAdmin-4.9.2-all-languages.zip 172.16.1.7:/code
#2.解压部署phpmyadmin
[root@web01 code]# unzip phpMyAdmin-4.9.2-all-languages.zip
[root@web01 code]# chown -R www.www /code/
#3.配置nginx
[root@web01 ~]# vim /etc/nginx/conf.d/php.linux.com.conf
server {
listen 80;
server_name php.linux.com;
location / {
root /code/phpMyAdmin-4.9.2-all-languages;
index index.php;
}
location ~ \.php$ {
root /code/phpMyAdmin-4.9.2-all-languages;
fastcgi_pass 172.16.1.9:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
#4.重启nginx
[root@web01 code]# systemctl restart nginx
#5.推送站点文件到web03
[root@web01 code]# scp -r /code/phpMyAdmin-4.9.2-all-languages 172.16.1.9:/code/
#6.web03授权session文件
[root@web03 ~]# chown -R www.www /var/lib/php/session
[root@web03 ~]# chown -R www.www /code/
#7.配置hosts访问测试
#8.将配置与站点都推送至web02
[root@web01 ~]# scp -r /code 172.16.1.8:/
[root@web01 ~]# scp /etc/nginx/conf.d/php.linux.com.conf 172.16.1.8:/etc/nginx/conf.d/
13.完善wordpress
#1.创建数据库
[root@db01 ~]# mysql -uroot -p
Enter password:
MariaDB [(none)]> create database wordpress;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on wordpress.* to root@'172.16.1.%' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
#2.开启web01外网测试访问,根据页面提示完成搭建
14.完善phpmyadmin
#1.配置数据库代码
[root@web01 ~]# cd /code/phpMyAdmin-4.9.2-all-languages/
[root@web01 phpMyAdmin-4.9.2-all-languages]# cp config.sample.inc.php config.inc.php
[root@web01 phpMyAdmin-4.9.2-all-languages]# vim config.inc.php
$cfg['Servers'][$i]['host'] = '172.16.1.51';
#2.推送至web02和web03
[root@web01 ~]# scp /code/phpMyAdmin-4.9.2-all-languages/config.inc.php 172.16.1.8:/code/phpMyAdmin-4.9.2-all-languages/
[root@web01 ~]# scp /code/phpMyAdmin-4.9.2-all-languages/config.inc.php 172.16.1.9:/code/phpMyAdmin-4.9.2-all-languages/
#3.测试登录数据库
15.nfs文件共享(web01、web02、web03)
#1.安装nfs命令
[root@web01 ~]# yum install -y nfs-utils
#2.查看挂载点
[root@web01 ~]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/data/wordpress 172.16.1.0/24
#3.挂载
[root@web01 ~]# cd /code/wordpress/wp-content/
[root@web01 wp-content]# scp -r ./* 172.16.1.31:/data/wordpress/
[root@web01 ~]# mount -t nfs 172.16.1.31:/data/wordpress /code/wordpress/wp-content/
#4.nfs端再授权一次
[root@nfs ~]# chown -R www.www /data/wordpress/
#5.测试wordpress发布文章上传图片
16.nfs文件实时同步至backup
#1.nfs服务器安装rsync和inotify
[root@nfs ~]# yum install -y rsync inotify-tools
#2.上传sersync包
[root@m01 ~]# rz
[root@m01 ~]# scp sersync2.5.4_64bit_binary_stable_final.tar.gz 172.16.1.31:/tmp
#3.解压安装sersync
[root@nfs tmp]# mkdir /service
[root@nfs tmp]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz -C /service/
#4.配置sersync
[root@nfs tmp]# cd /service/
[root@nfs service]# mv GNU-Linux-x86/ sersync
[root@nfs service]# vim sersync/confxml.xml
<inotify>
<delete start="true"/>
<createFolder start="true"/>
<createFile start="true"/>
<closeWrite start="true"/>
<moveFrom start="true"/>
<moveTo start="true"/>
<attrib start="true"/>
<modify start="true"/>
</inotify>
<sersync>
<localpath watch="/data">
<remote ip="172.16.1.41" name="data"/>
<!--<remote ip="192.168.8.39" name="tongbu"/>-->
<!--<remote ip="192.168.8.40" name="tongbu"/>-->
</localpath>
<rsync>
<commonParams params="-az"/>
<auth start="true" users="rsync_backup" passwordfile="/etc/rsync.passwd"/>
<userDefinedPort start="false" port="874"/><!-- port=874 -->
<timeout start="false" time="100"/><!-- timeout=100 -->
<ssh start="false"/>
</rsync>
#5.创建密码文件
[root@nfs service]# echo "123456" > /etc/rsync.passwd
[root@nfs service]# chmod 600 /etc/rsync.passwd
#6.启动sersync
[root@nfs ~]# /service/sersync/sersync2 -dro /service/sersync/confxml.xml
17.配置负载均衡
#1.配置lb01的nginx
[root@lb01 conf.d]# vim php.linux.com.conf
upstream php {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 80;
server_name php.linux.com;
location / {
proxy_pass http://php;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}
#2.推送配置文件至lb02
[root@lb01 conf.d]# scp * 172.16.1.6:/etc/nginx/conf.d/
#3.两台机器都重启nginx
[root@lb01 ~]# systemctl restart nginx
[root@lb02 ~]# systemctl restart nginx
#4.配置hosts访问测试
18.配置HTTPS(lb01、lb02)
#1.准备存放证书的目录
[root@lb01 ~]# cd /etc/nginx/
[root@lb01 nginx]# mkdir ssl_key
#2.生成自签名证书
[root@lb01 ~]# cd /etc/nginx/ssl_key/
[root@lb01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
...................................................................+++
......................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:lhd
Locality Name (eg, city) [Default City]:maliao
Organization Name (eg, company) [Default Company Ltd]:chaojimali
Organizational Unit Name (eg, section) []:chaoji
Common Name (eg, your name or your server's hostname) []:maliao
Email Address []:123!^H@
[root@lb01 ssl_key]#
#3.配置blog的nginx
[root@lb01 nginx]# vim /etc/nginx/conf.d/blog.linux.com.conf
upstream web {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
server_name blog.linux.com;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://web;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}
server {
listen 80;
server_name blog.linux.com;
return 302 https://$server_name$request_uri;
}
#4.配置phpmyadmin的nginx
[root@lb01 nginx]# vim /etc/nginx/conf.d/php.linux.com.conf
upstream php {
server 172.16.1.7;
server 172.16.1.8;
}
server {
listen 443 ssl;
server_name php.linux.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://php;
proxy_set_header host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
}
}
server {
listen 80;
server_name php.linux.com;
return 302 https://$server_name$request_uri;
}
#5.推送配置文件至另一台服务器
[root@lb01 conf.d]# scp * 172.16.1.6:/etc/nginx/conf.d/
#6.将证书推送至另一台服务器
[root@lb01 nginx]# scp -r ssl_key 172.16.1.5:/etc/nginx/
#7.重启nginx
#8.配置后端HTTPS解决博客乱码和phpmyadmin报错
fastcgi_param HTTPS on;
19.配置phpmyadmin的session共享
#1.配置php把session存到redis
[root@web03 ~]# vim /etc/php.ini
session.save_handler = redis
session.save_path = "tcp://172.16.1.51:6379"
[root@web03 ~]# vim /etc/php-fpm.d/www.conf
#最后三行的前两行
;php_value[session.save_handler] = files
;php_value[session.save_path] = /var/lib/php/session
#2.重启php
[root@web03 ~]# systemctl restart php-fpm
#3.redis查看session
[root@db01 ~]# redis-cli
127.0.0.1:6379> keys *
1) "PHPREDIS_SESSION:b1955b61f97e659d7c4a5d5b63675f50"
20.配置keepalived
#1.配置master
[root@lb01 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 150
advert_int 3
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
}
#2.配置backup
[root@lb02 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 100
advert_int 3
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
}
#3.启动keepalived
[root@lb01 ~]# systemctl start keepalived
[root@lb02 ~]# systemctl start keepalived
#4.查看VIP
[root@lb01 ~]# ip addr | grep 10.0.0.3
inet 10.0.0.3/32 scope global eth0