CentOS 7/8 企业级服务集成:DHCP+FTP+DNS+Apache 4合1配置与排错
CentOS 企业级服务全栈部署DHCPFTPDNSApache 深度整合指南在企业网络环境中单一服务的独立部署往往难以满足复杂的业务需求。本文将深入探讨如何在CentOS系统上实现DHCP、FTP、DNS和Apache四大核心服务的无缝整合构建一个高效、稳定且易于管理的企业级网络服务平台。1. 环境规划与服务拓扑设计在开始部署前合理的网络规划是成功的关键。我们采用192.168.100.0/24作为示例网络其中网关地址192.168.100.254服务器IP192.168.100.1/24DHCP地址池192.168.100.50-192.168.100.200域名系统example.com服务依赖关系图[客户端] ├─ DHCP (获取IP/DNS信息) ├─ DNS (解析域名) ├─ Web (访问网站) └─ FTP (文件传输) └─ 依赖DNS解析提示实际部署时请根据企业网络规模调整IP地址范围和子网划分。生产环境中建议将不同服务部署在独立服务器上以提高可用性。2. 基础环境准备2.1 系统初始化配置首先设置静态IP并更新系统# 设置静态IP以ens33为例 nmcli con mod ens33 ipv4.addresses 192.168.100.1/24 nmcli con mod ens33 ipv4.gateway 192.168.100.254 nmcli con mod ens33 ipv4.dns 192.168.100.1, 8.8.8.8 nmcli con mod ens33 ipv4.method manual nmcli con up ens33 # 更新系统 yum update -y yum install -y epel-release2.2 统一防火墙策略创建集成防火墙规则脚本/usr/local/bin/firewall_setup.sh#!/bin/bash # 清空现有规则 systemctl stop firewalld firewall-cmd --permanent --remove-service{dhcp,dns,ftp,http} --remove-port{53/tcp,53/udp,67/udp,69/udp,80/tcp,21/tcp} # 添加服务规则 firewall-cmd --permanent --add-service{dhcp,dns,ftp,http} firewall-cmd --permanent --add-port{53/tcp,53/udp,67/udp,69/udp,80/tcp,21/tcp} # 启用SELinux但调整策略 setsebool -P dhcpd_use_execmem on setsebool -P ftpd_full_access on setsebool -P httpd_can_network_connect on systemctl start firewalld echo 防火墙规则配置完成赋予执行权限chmod x /usr/local/bin/firewall_setup.sh3. DHCP服务深度配置3.1 安装与基础配置yum install -y dhcp编辑/etc/dhcp/dhcpd.conf实现智能地址分配option domain-name example.com; option domain-name-servers 192.168.100.1; default-lease-time 86400; max-lease-time 172800; authoritative; subnet 192.168.100.0 netmask 255.255.255.0 { range 192.168.100.50 192.168.100.200; option routers 192.168.100.254; option broadcast-address 192.168.100.255; # 为网络打印机保留IP host printer1 { hardware ethernet 00:1A:2B:3C:4D:5E; fixed-address 192.168.100.10; } }3.2 高级功能实现租约数据库管理# 查看当前租约 cat /var/lib/dhcpd/dhcpd.leases # 备份租约文件 cp /var/lib/dhcpd/dhcpd.leases /var/lib/dhcpd/dhcpd.leases.bak服务管理systemctl enable --now dhcpd systemctl status dhcpd4. DNS服务(Bind9)企业级部署4.1 安装与区域配置yum install -y bind bind-utils主配置文件/etc/named.conf关键修改options { listen-on port 53 { any; }; allow-query { any; }; recursion yes; forwarders { 8.8.8.8; 8.8.4.4; }; };4.2 正反向解析区域配置创建正向解析文件/var/named/example.com.zone$TTL 86400 IN SOA ns1.example.com. admin.example.com. ( 2023061501 ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ; Minimum TTL ) IN NS ns1.example.com. IN MX 10 mail.example.com. ns1 IN A 192.168.100.1 mail IN A 192.168.100.5 www IN A 192.168.100.1 ftp IN CNAME www反向解析文件/var/named/100.168.192.in-addr.arpa$TTL 86400 IN SOA ns1.example.com. admin.example.com. ( 2023061501 ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ; Minimum TTL ) IN NS ns1.example.com. 1 IN PTR ns1.example.com. 5 IN PTR mail.example.com.4.3 服务验证与测试# 配置检查 named-checkconf named-checkzone example.com /var/named/example.com.zone # 启动服务 systemctl enable --now named # 测试解析 dig 192.168.100.1 www.example.com nslookup 192.168.100.15. FTP服务(vsftpd)安全部署5.1 安装与认证配置yum install -y vsftpd编辑/etc/vsftpd/vsftpd.conf实现安全传输anonymous_enableNO local_enableYES write_enableYES local_umask022 dirmessage_enableYES xferlog_enableYES connect_from_port_20YES xferlog_std_formatYES chroot_local_userYES allow_writeable_chrootYES listenYES pam_service_namevsftpd userlist_enableYES userlist_denyNO userlist_file/etc/vsftpd/user_list tcp_wrappersYES # SSL加密配置 rsa_cert_file/etc/vsftpd/vsftpd.pem rsa_private_key_file/etc/vsftpd/vsftpd.pem ssl_enableYES allow_anon_sslNO force_local_data_sslYES force_local_logins_sslYES ssl_tlsv1YES ssl_sslv2NO ssl_sslv3NO生成SSL证书openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem5.2 用户管理与权限控制创建FTP专用用户组和用户groupadd ftpusers useradd -G ftpusers -d /var/ftp/user1 -s /sbin/nologin user1 echo password123 | passwd user1 --stdin chmod 750 /var/ftp/user1配置用户限制文件/etc/vsftpd/user_listuser1 user26. Apache Web服务高级配置6.1 基础安装与虚拟主机yum install -y httpd mod_ssl创建虚拟主机配置/etc/httpd/conf.d/example.com.confVirtualHost *:80 ServerName www.example.com ServerAdmin webmasterexample.com DocumentRoot /var/www/html/example ErrorLog /var/log/httpd/example_error.log CustomLog /var/log/httpd/example_access.log combined Directory /var/www/html/example Options Indexes FollowSymLinks AllowOverride All Require all granted /Directory /VirtualHost6.2 认证与访问控制创建密码保护区域# 创建密码文件 htpasswd -c /etc/httpd/conf/.htpasswd admin # 配置访问控制 echo -e AuthType Basic\nAuthName Restricted Area\nAuthUserFile /etc/httpd/conf/.htpasswd\nRequire valid-user /var/www/html/example/.htaccess7. 服务联调与排错指南7.1 联调验证清单服务组合验证方法预期结果DHCPDNSnslookup www.example.com正确解析服务器IPFTPDNSftp ftp.example.com使用域名成功连接Web认证浏览器访问http://www.example.com弹出认证对话框DHCP固定IP检查打印机网络配置获取预设固定IP7.2 常见问题解决方案问题1DHCP客户端无法获取IP检查服务状态systemctl status dhcpd验证防火墙规则firewall-cmd --list-all | grep dhcp查看日志journalctl -u dhcpd -f问题2DNS解析失败检查区域文件权限ls -l /var/named/测试递归查询dig trace example.com验证SELinux上下文ls -Z /var/named/问题3FTP连接被拒绝检查被动模式端口netstat -tulnp | grep vsftpd验证SELinux布尔值getsebool -a | grep ftp测试本地连接ftp 127.0.0.18. 性能优化与安全加固8.1 服务性能调优Apache优化参数/etc/httpd/conf/httpd.confKeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 5 StartServers 5 MinSpareServers 5 MaxSpareServers 10 ServerLimit 256 MaxRequestWorkers 150 MaxConnectionsPerChild 4000Bind9缓存优化options { max-cache-size 256M; max-cache-ttl 3600; min-cache-ttl 300; };8.2 安全加固措施定期轮换日志# 配置logrotate cat /etc/logrotate.d/server_logs EOF /var/log/httpd/*log /var/log/named.log /var/log/vsftpd.log { daily missingok rotate 30 compress delaycompress notifempty create 640 root adm sharedscripts postrotate systemctl reload httpd named vsftpd /dev/null 21 || true endscript } EOF自动化监控脚本#!/bin/bash # 服务监控脚本 services(httpd named dhcpd vsftpd) for service in ${services[]}; do if ! systemctl is-active --quiet $service; then systemctl restart $service echo $(date) - $service restarted /var/log/service_monitor.log fi done将脚本加入cron定时任务(crontab -l 2/dev/null; echo */5 * * * * /usr/local/bin/service_monitor.sh) | crontab -