第3章 - 运维中的网络配置
嗨,运维工程师朋友们!
作为运维工程师,你需要配置服务器网络、管理防火墙规则、配置负载均衡、监控网络状态……网络知识是运维工作的核心基础。
这一章,我会带你学习运维工作中最常用的网络配置和管理技能,让你的服务器网络更安全、更稳定、更高效!
🖥️ 服务器网络配置
Linux 网络配置
查看网络配置
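# Interfaces and their addresses (iproute2 — preferred)
ip addr show
# Legacy net-tools equivalent; often not installed on current distros
ifconfig
# Routing table
ip route show
# Legacy net-tools equivalent
route -n
# Resolver configuration. On systemd-resolved hosts this file normally points at
# the 127.0.0.53 stub; `resolvectl status` shows the real upstream servers.
cat /etc/resolv.conf
# Listening sockets and owning processes (-t tcp, -u udp, -n numeric, -l listening, -p pid).
# -p only shows other users' processes when run as root, so use sudo for a full picture.
sudo ss -tunlp
# Legacy net-tools equivalent
sudo netstat -tunlp
# Reachability: an IP first (rules DNS out), then a name (exercises DNS too).
# -c bounds the run; a bare `ping` on Linux never stops on its own.
ping -c 4 8.8.8.8
ping -c 4 baidu.com
# Path to a destination
traceroute 8.8.8.8
# traceroute alternative from iputils that needs no root
tracepath baidu.com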
配置静态IP (Ubuntu/Debian)
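# /etc/netplan/01-netcfg.yaml
# Netplan warns (newer releases refuse) when this file is group/world-readable,
# so create it root-only:  sudo chmod 600 /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      # `gateway4:` is deprecated; declare the default route explicitly
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 114.114.114.114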
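# Dry-run first: `netplan try` activates the config and rolls it back by itself
# unless you confirm within the timeout (120 s by default; --timeout N overrides).
# Do this from a console or out-of-band session so a bad config cannot lock you out.
sudo netplan try
# Once confirmed, apply permanently
sudo netplan apply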
配置静态IP (CentOS/RHEL)
# /etc/sysconfig/network-scripts/ifcfg-eth0
# Static IPv4 configuration for eth0 in the legacy ifcfg (KEY=VALUE) format.
TYPE=Ethernet
# NOTE(review): "static" is accepted for compatibility; RHEL documentation uses BOOTPROTO=none for static addressing.
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
# Bring the interface up at boot
ONBOOT=yes
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8
DNS2=114.114.114.114
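# CentOS/RHEL 7 (network-scripts): restart the legacy network service
sudo systemctl restart network
# CentOS/RHEL 8+ (NetworkManager): re-read the ifcfg file and re-activate just this
# connection. Restarting NetworkManager itself briefly drops every interface.
sudo nmcli connection reload
sudo nmcli connection up eth0
# Service status
sudo systemctl status NetworkManager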
DNS 配置
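# Resolver configuration.
# On systemd-resolved (Ubuntu 18.04+) and NetworkManager hosts /etc/resolv.conf is
# generated and silently overwritten: set nameservers in netplan / ifcfg (see above)
# or in /etc/systemd/resolved.conf instead of editing this file directly.
sudo nano /etc/resolv.conf
# Contents
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 114.114.114.114
# Test resolution (dig additionally shows which server answered)
nslookup baidu.com
dig baidu.com
host baidu.com
# Flush the systemd-resolved cache (Ubuntu). `systemd-resolve` is the deprecated
# name of this tool; `resolvectl` replaces it on current releases.
sudo resolvectl flush-caches
# Cache statistics
sudo resolvectl statistics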
🔥 防火墙配置
iptables 配置
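# Current rules with counters and line numbers (needed for -D by index)
sudo iptables -L -n -v --line-numbers
# Order matters: rules are evaluated top to bottom. Accept loopback and
# already-established traffic FIRST, otherwise the DROP policy set below
# kills the SSH session you are working from.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # "-m state" is the legacy alias
# SSH (22). Scope it to the management network where you can, instead of 0.0.0.0/0:
#   sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP (80) / HTTPS (443)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Default policies: drop unmatched inbound, allow outbound.
# Set DROP only after the accept rules above exist.
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT
# Delete by line number (see --line-numbers); numbers shift after every deletion
sudo iptables -D INPUT 3
# Persist. `sudo iptables-save > file` does NOT work: the redirection is opened by your
# unprivileged shell, not by sudo. Run the whole redirect as root.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# Restore
sudo sh -c 'iptables-restore < /etc/iptables/rules.v4'
# All of the above is IPv4 only. If the host has IPv6 addresses, repeat the rules with
# ip6tables (saved to /etc/iptables/rules.v6) or the host is wide open over IPv6.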
firewalld 配置 (CentOS/RHEL)
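# Daemon state
sudo firewall-cmd --state
# Zones that have interfaces or sources bound to them
sudo firewall-cmd --get-active-zones
# Rules of the default zone (--zone=NAME for another, --list-all-zones for all)
sudo firewall-cmd --list-all
# Allow services by name (definitions in /usr/lib/firewalld/services/).
# --permanent edits the stored config but changes nothing in the running firewall
# until --reload; without --permanent the change is runtime-only and lost on restart.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh
# Single ports and ranges
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --permanent --add-port=8080-8090/tcp
# Bind a source network to the default zone. This opens nothing by itself: traffic
# from 192.168.1.0/24 is then matched against that zone's services/ports. To give an
# internal network its own rules, bind it to a separate zone instead, e.g.
#   sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
sudo firewall-cmd --permanent --add-source=192.168.1.0/24
# Remove a rule
sudo firewall-cmd --permanent --remove-port=3000/tcp
# Activate the stored configuration
sudo firewall-cmd --reload
# Block one address. A reject/drop rich rule takes effect regardless of the zone's
# service and port rules. Use 'drop' instead of 'reject' to discard silently (no ICMP reply).
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='1.2.3.4' reject"
# SSH from the management network only (then remove the blanket ssh service above)
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' service name='ssh' accept"
sudo firewall-cmd --reload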
UFW 配置 (Ubuntu)
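# Defaults first: deny inbound, allow outbound (the factory defaults, stated explicitly)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH BEFORE enabling, or a remote session is cut the moment the firewall comes up.
# `limit` also rate-limits new connections (6 per 30 s per source) against brute force.
sudo ufw limit ssh
# Enable / disable (enable also arms it at boot)
sudo ufw enable
sudo ufw disable
# Status with rule details and default policies
sudo ufw status verbose
# Services by name (from /etc/services) or by port
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 3000/tcp
sudo ufw allow 8080:8090/tcp
# Allow a whole network — this opens EVERY port to 192.168.1.0/24; prefer the port-scoped form
sudo ufw allow from 192.168.1.0/24
# One host to one port (SSH only from 192.168.1.100)
sudo ufw allow from 192.168.1.100 to any port 22
# Block a host. Rules match in order, so put denies ahead of broad allows:
#   sudo ufw insert 1 deny from 1.2.3.4
sudo ufw deny from 1.2.3.4
# Delete by repeating the rule, or by its number
sudo ufw delete allow 3000/tcp
sudo ufw status numbered
sudo ufw delete 3
# Reset removes every rule AND disables ufw — re-add ssh before enabling again
sudo ufw reset
# IPv6 is only covered when IPV6=yes in /etc/default/ufw; confirm that
# `ufw status` lists "(v6)" entries next to the IPv4 ones.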
🔄 Nginx 配置
基础配置
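# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;               # one worker per CPU core
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;         # max simultaneous connections per worker
    use epoll;                       # Linux event method (auto-detected; explicit for clarity)
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Do not advertise the nginx version in the Server header and on error pages
    server_tokens off;
    # Log format. $http_x_forwarded_for is whatever the client put in X-Forwarded-For —
    # untrusted unless this nginx only receives traffic from a proxy you control.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    # Performance
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Gzip. Fine for static assets and public data; avoid compressing dynamic responses
    # that carry secrets (session/CSRF tokens) next to attacker-controlled input (BREACH).
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript
               application/json application/javascript application/xml+rss;
    # Per-site configuration
    include /etc/nginx/conf.d/*.conf;
}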
反向代理配置
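# /etc/nginx/conf.d/api.conf
server {
    listen 80;
    server_name api.example.com;
    # Plain HTTP: every token and credential on this vhost crosses the wire in clear.
    # Terminate TLS here (see the HTTPS section) and keep port 80 for the redirect only.
    # Logs
    access_log /var/log/nginx/api.access.log;
    error_log /var/log/nginx/api.error.log;
    # Bodies above 10 MB are rejected (413) before they reach the backend
    client_max_body_size 10M;
    location / {
        proxy_pass http://localhost:3000;
        # Forwarding headers. X-Real-IP comes from the TCP peer and can be trusted.
        # $proxy_add_x_forwarded_for APPENDS to whatever X-Forwarded-For the client sent,
        # so the backend must use the LAST entry (or X-Real-IP) — never the first — for
        # rate limiting, allow-lists or audit logs.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
    # WebSocket (socket.io)
    location /socket.io/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # An idle WebSocket is closed after proxy_read_timeout (60 s default);
        # raise it unless the application sends periodic frames of its own
        proxy_read_timeout 3600s;
    }
}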
负载均衡配置
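# /etc/nginx/conf.d/loadbalancer.conf
# Backend pool
upstream backend {
    # Balancing method: round-robin by default. Alternatives:
    # least_conn;   # fewest active connections
    # ip_hash;      # client-IP affinity — keys on the first three octets of an IPv4
    #               # address, so it is useless when all traffic arrives via one proxy/NAT
    # max_fails / fail_timeout are built-in PASSIVE health checks (no module needed):
    # after 3 failed attempts within 30 s the server is skipped for 30 s.
    server 192.168.1.101:3000 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.102:3000 weight=2 max_fails=3 fail_timeout=30s;
    server 192.168.1.103:3000 weight=1 backup;   # only used when every other server is down
    # ACTIVE health checks need nginx_upstream_check_module or NGINX Plus:
    # check interval=3000 rise=2 fall=3 timeout=1000;
    # Idle keepalive connections cached per worker
    keepalive 32;
}
server {
    listen 80;
    server_name app.example.com;
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Required for the upstream keepalive pool: HTTP/1.1 and an empty Connection header
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}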
HTTPS 配置
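# /etc/nginx/conf.d/https.conf
server {
    listen 80;
    server_name example.com www.example.com;
    # Redirect HTTP to HTTPS. $host keeps the name the client asked for; $server_name
    # is always the FIRST entry (example.com), so www.example.com would silently lose
    # its www. $host is client-supplied, so also add a default_server that returns 444
    # for Host values you do not serve.
    return 301 https://$host$request_uri;
}
server {
    # nginx >= 1.25.1 prefers `listen 443 ssl;` plus a separate `http2 on;`
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # Certificate chain (leaf + intermediates) and private key. The key must be owned by
    # root with mode 600: the master process reads it as root before dropping to `user`.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # TLS 1.2/1.3 with forward-secret AEAD suites only (Mozilla "intermediate" profile).
    # HIGH:!aNULL:!MD5 still admits static-RSA key exchange and CBC suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    # Session resumption. Tickets are off: nginx never rotates the ticket key, so a
    # compromise of it would expose every resumed session for the key's lifetime.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling — uncomment once a `resolver` directive is configured
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # HSTS. Browsers cache this for a year and it cannot be quickly undone from the
    # server, so add includeSubDomains only when every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
        root /var/www/html;
        index index.html;
    }
}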
静态资源缓存
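server {
    listen 80;
    server_name static.example.com;
    root /var/www/static;
    # Never serve dotfiles (.git, .env, .htaccess) that end up in the document root
    location ~ /\. {
        deny all;
    }
    # Long-lived cache for static assets. `immutable` tells browsers not to revalidate
    # at all, so use it only for fingerprinted files whose name changes with content (app.3f9a.js).
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }
    # HTML is never cached. Note: an add_header inside a location REPLACES every
    # add_header inherited from the server/http level (HSTS, security headers), so
    # repeat those here if this vhost sets any.
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
}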
Nginx 常用命令
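# Validate the configuration — always before a reload (a reload with a broken config
# is refused and the old config keeps running; a restart with one takes the site down).
sudo nginx -t
# Dump the full effective configuration (all includes resolved)
sudo nginx -T
# Reload without dropping connections: the master re-reads the config, old workers finish their requests
sudo nginx -s reload
# Immediate stop
sudo nginx -s stop
# Graceful stop: in-flight requests complete first
sudo nginx -s quit
# Version and build flags (which modules are compiled in)
nginx -v
nginx -V
# On systemd hosts manage the unit so service state stays consistent
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl status nginx
sudo nginx -t && sudo systemctl reload nginx   # validate, then reload
sudo systemctl enable nginx                    # start at boot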
📊 网络监控
实时监控工具
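# Live view of established connections. Do NOT add -l here: -l restricts the output
# to LISTENING sockets, so `netstat -tunlp | grep ESTABLISHED` never prints anything.
watch -n 1 "ss -tunp state established"
# Legacy net-tools form
watch -n 1 "netstat -tunp | grep ESTABLISHED"
# Per-connection bandwidth (needs iftop; root)
sudo iftop -i eth0
# Interface bandwidth (needs nload)
nload eth0
# Interface counters (bytes/packets/errors/drops), refreshed every second
watch -n 1 "ip -s link show eth0"
# Per-interface counter summary (net-tools / iproute2)
netstat -i
ip -s link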
tcpdump 抓包
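# Capture everything on eth0. -n disables reverse-DNS lookups, which are slow,
# generate traffic of their own and tell the DNS server what you are capturing.
sudo tcpdump -ni eth0
# Filter by port / by host
sudo tcpdump -ni eth0 port 80
sudo tcpdump -ni eth0 host 192.168.1.100
# HTTP with payload: -A prints ASCII; the BPF expression drops pure ACKs carrying no data.
# -s 0 (full snaplen) is the default in current tcpdump and is kept for older builds.
sudo tcpdump -ni eth0 -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# Save for Wireshark. A capture of plaintext protocols (HTTP, SMTP, Redis, ...)
# contains credentials and session tokens: check the file's owner/mode after tcpdump
# creates it, restrict it, keep it off shared storage and delete it when done.
# -c bounds the capture so a forgotten tcpdump does not fill the disk.
sudo tcpdump -ni eth0 -c 10000 -w capture.pcap
sudo chmod 600 capture.pcap
# Read a capture back
sudo tcpdump -nr capture.pcap
# Only TCP SYN segments (new connection attempts — handy for spotting scans)
sudo tcpdump -ni eth0 'tcp[tcpflags] & tcp-syn != 0'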
日志分析
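# These one-liners assume the "main"/combined log format defined in nginx.conf:
# $1 = client IP, $6 = method, $7 = request path, $9 = status. Field positions shift
# if the log_format changes. Reading the logs usually needs sudo or the adm group.
# Top 10 client IPs by request count
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Top 10 requested paths
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Status code distribution (a burst of 401/403/404 from one IP is a scan/brute-force signal)
awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn
# Request methods ($6 carries the opening quote of "$request"; strip it)
awk '{print $6}' /var/log/nginx/access.log | tr -d '"' | sort | uniq -c | sort -rn
# Follow the log live
tail -f /var/log/nginx/access.log
# Last 100 lines of the error log
tail -100 /var/log/nginx/error.log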
监控脚本
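#!/usr/bin/env bash
# network-monitor.sh — one-shot network/host status report on stdout.
# Usage: network-monitor.sh [interface]   (default: eth0)
# Socket data comes from `ss` (iproute2); netstat is deprecated and often absent.
# Run as root to see the owning process (-p) of every socket, not only your own.
#
# `set -e`/pipefail are deliberately not used: `grep -v`/`grep -A` return 1 when
# nothing matches and `head` closing a pipe makes `sort` die with SIGPIPE, either of
# which would abort a purely informational report.
set -u
iface="${1:-eth0}"
echo "=== 网络监控报告 ==="
echo "时间: $(date)"
echo ""
# Connection counts by TCP state
echo "--- 网络连接统计 ---"
echo "ESTABLISHED: $(ss -Htn state established | wc -l)"
echo "TIME_WAIT: $(ss -Htn state time-wait | wc -l)"
echo "LISTEN: $(ss -Htln | wc -l)"
echo ""
# Listening sockets (TCP + UDP) with owning process
echo "--- 监听端口 ---"
ss -tunlp
echo ""
# Top 10 peers by established connections. With a state filter ss prints
# "Recv-Q Send-Q Local Peer", so the peer is field 4. The port is stripped with a
# regex so IPv6 peers ([2001:db8::1]:443) are not mangled the way `cut -d:` would.
echo "--- 连接数最多的IP (Top 10) ---"
ss -Htn state established \
  | awk '{ peer = $4; sub(/:[0-9]+$/, "", peer); print peer }' \
  | sort | uniq -c | sort -rn | head -10
echo ""
# Interface counters
echo "--- 网络流量 ---"
ip -s link show "$iface" | grep -A 1 "RX:"
echo ""
# Disk
echo "--- 磁盘使用情况 ---"
df -h | grep -v tmpfs
echo ""
# Memory
echo "--- 内存使用情况 ---"
free -h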
🔧 性能优化
系统参数优化
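# /etc/sysctl.conf  (or a drop-in such as /etc/sysctl.d/90-network.conf)
# sysctl only treats lines STARTING with # or ; as comments. A trailing "# ..." after a
# value becomes part of the value and the kernel rejects the write, so every comment
# here is on its own line.

# --- TCP connection handling ---
# Reuse TIME-WAIT sockets for new OUTGOING connections (safe; relies on TCP timestamps)
net.ipv4.tcp_tw_reuse = 1
# Seconds an orphaned socket stays in FIN-WAIT-2. This is NOT the TIME-WAIT
# duration, which is fixed at 60 s in the kernel.
net.ipv4.tcp_fin_timeout = 30
# Idle seconds before the FIRST keepalive probe (probe spacing is tcp_keepalive_intvl)
net.ipv4.tcp_keepalive_time = 1200
# Half-open (SYN_RECV) queue size
net.ipv4.tcp_max_syn_backlog = 8192
# Keep answering once that queue is full instead of dropping new clients (SYN flood)
net.ipv4.tcp_syncookies = 1

# --- Listen queue ---
# Upper bound for listen() backlog; the application must request it too
# (nginx: listen ... backlog=32768)
net.core.somaxconn = 32768
# net.ipv4.tcp_max_tw_buckets = 5000
# Deliberately left at the kernel default (it scales with RAM): 5000 is far too low
# for a busy server. When the limit is hit the kernel destroys TIME-WAIT sockets
# early and logs "TCP: time wait bucket table overflow".

# --- Socket buffers ---
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# --- Basic hardening (no performance cost) ---
# Drop packets whose source address is not routable back via the ingress interface
net.ipv4.conf.all.rp_filter = 1
# Ignore and never emit ICMP redirects (route hijacking), ignore source-routed packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0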
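# Apply. `sysctl -p` reads only /etc/sysctl.conf; `--system` also loads /etc/sysctl.d/*.conf
# (where distros and packages put their settings) in the same order as at boot.
sudo sysctl --system
# Check a single value afterwards
sysctl net.ipv4.tcp_syncookies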
文件描述符优化
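# Soft limit (what processes actually hit) and hard limit (ceiling a user may raise to)
ulimit -Sn
ulimit -Hn
# Temporary change for this shell and its children; non-root cannot exceed the hard limit
ulimit -n 65535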
# Permanent change: /etc/security/limits.conf
# Applied by pam_limits at login, so this covers interactive, su and cron sessions only.
# Services started by systemd do NOT read this file: set LimitNOFILE=65535 in the unit
# ([Service] section, e.g. via `systemctl edit nginx`) instead.
# The "*" wildcard does not apply to root, hence the explicit root lines.
# The hard limit cannot exceed fs.nr_open (kernel default 1048576).
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
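# Open descriptors of one process: count /proc/PID/fd entries (needs root or the
# process owner). `lsof -p PID | wc -l` overstates — it also counts the header line
# and non-descriptor entries such as cwd, txt and mapped files.
ls /proc/<PID>/fd | wc -l
# System-wide: allocated, unused, maximum
cat /proc/sys/fs/file-nr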
🚨 故障排查
网络不通排查
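# 1. Interface state (UP/DOWN, carrier)
ip link show
# 2. Addresses
ip addr show
# 3. Loopback
ping -c 3 127.0.0.1
# 4. Default gateway (first default route only; `exit` avoids several hosts when
#    more than one default route exists)
ping -c 3 "$(ip route show default | awk '{print $3; exit}')"
# 5. External reachability by IP — no DNS involved ...
ping -c 3 8.8.8.8
#    ... then name resolution on its own. IP works but this fails => the problem is DNS.
nslookup baidu.com
# 6. Routing path
ip route show
traceroute 8.8.8.8
# 7. Host firewall (whichever front end is in use)
sudo iptables -L -n -v
sudo ufw status
sudo firewall-cmd --list-all
# 8. Is anything listening on the port? Use ss's own filter; a bare `grep :80`
#    also matches :8080, :8000 ...
sudo ss -tunlp 'sport = :80'
sudo netstat -tunlp | grep -E ':80\b'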
端口连接测试
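# telnet (often missing on minimal images; an open port prints "Connected to")
telnet 192.168.1.100 80
# netcat: -z connect only, -v verbose, -w timeout so a filtered port does not hang forever
nc -zv -w 3 192.168.1.100 80
# HTTP layer: headers only, with an overall timeout
curl -sI -m 5 http://192.168.1.100:80
# Port range (OpenBSD netcat syntax; other netcat variants differ)
nc -zv -w 3 192.168.1.100 80-90
# No tools at all? bash can open a TCP socket by itself
timeout 3 bash -c 'exec 3<>/dev/tcp/192.168.1.100/80' && echo "port open"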
服务状态检查
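# Unit status (active/failed plus recent log lines)
sudo systemctl status nginx
sudo systemctl status mysql
# Unit logs: last 50 lines, or follow live
sudo journalctl -u nginx -n 50 --no-pager
sudo journalctl -u nginx -f
# Processes. pgrep avoids the classic `ps | grep` self-match on the grep process
pgrep -a nginx
# Who is listening on port 80 (-n/-P: no name lookups)
sudo lsof -nP -i :80
sudo ss -tlnp 'sport = :80'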
💡 最佳实践
1. 安全加固
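# SSH hardening. Keep your current session open until the new config is verified
# from a SECOND session — a mistake here locks you out.
# Prefer a drop-in (OpenSSH 8.2+) over editing sshd_config itself:
sudo nano /etc/ssh/sshd_config.d/10-hardening.conf
# Contents:
# PermitRootLogin no            # log in as a normal user, then sudo
# PasswordAuthentication no     # key-only: deploy your public key to ~/.ssh/authorized_keys FIRST
# Port 2222                     # optional: reduces log noise, not a security control on its own.
#                               # Open 2222 in the firewall before reloading; on RHEL with SELinux also:
#                               #   sudo semanage port -a -t ssh_port_t -p tcp 2222
# Validate, then reload (existing sessions survive a reload)
sudo sshd -t && sudo systemctl reload sshd
# fail2ban bans sources after repeated authentication failures
# (Debian/Ubuntu shown; RHEL: enable EPEL, then `dnf install fail2ban`)
sudo apt install fail2ban
sudo systemctl enable --now fail2ban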
2. 自动化脚本
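#!/usr/bin/env bash
# server-health-check.sh — liveness checks for nginx, root filesystem and memory.
# Exit status is 0 when all checks pass and 1 when any warning/error was raised,
# so cron or a monitor can act on it. Needs root to restart nginx.
set -euo pipefail
rc=0
# nginx: restart if down — but only when the unit is enabled, otherwise a service
# an operator stopped on purpose keeps coming back.
if ! systemctl is-active --quiet nginx; then
  echo "[ERROR] Nginx is not running" >&2
  if systemctl is-enabled --quiet nginx; then
    systemctl start nginx
    echo "[INFO] Nginx started"
  fi
  rc=1
fi
# Root filesystem usage. -P forces one line per filesystem; long device names
# otherwise wrap and shift the awk field positions.
disk_usage=$(df -P / | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
if (( disk_usage > 80 )); then
  echo "[WARNING] Disk usage is ${disk_usage}%" >&2
  rc=1
fi
# Memory: "used" as a percentage of total
mem_usage=$(free | awk '/^Mem:/ { printf "%.0f", $3/$2*100 }')
if (( mem_usage > 90 )); then
  echo "[WARNING] Memory usage is ${mem_usage}%" >&2
  rc=1
fi
if (( rc == 0 )); then
  echo "[OK] Health check completed"
fi
exit "$rc"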
3. 定期备份
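#!/usr/bin/env bash
# backup-config.sh — snapshot of nginx, firewall and network configuration.
# Must run as root: iptables-save and parts of /etc/nginx, /etc/netplan are root-only.
# The copy of /etc/nginx INCLUDES TLS PRIVATE KEYS (e.g. /etc/nginx/ssl/*.key), so the
# backup directory is created root-only (umask 077 + chmod 700) and must not be put on
# shared or world-readable storage without encryption.
set -euo pipefail
if (( EUID != 0 )); then
  echo "backup-config.sh must run as root" >&2
  exit 1
fi
umask 077
backup_dir="/backup/config-$(date +%Y%m%d)"
mkdir -p -- "$backup_dir"
chmod 700 -- "$backup_dir"
# nginx: -a keeps ownership, modes and symlinks (-r follows symlinks and resets modes)
cp -a -- /etc/nginx "$backup_dir/"
# Firewall rules, IPv4 and (when present) IPv6
iptables-save > "$backup_dir/iptables-rules"
if command -v ip6tables-save >/dev/null; then
  ip6tables-save > "$backup_dir/ip6tables-rules"
fi
# Network config: whichever layout this distro uses
for src in /etc/netplan /etc/sysconfig/network-scripts; do
  if [[ -d "$src" ]]; then
    cp -a -- "$src" "$backup_dir/"
  fi
done
echo "Backup completed: $backup_dir"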
📝 小结
这一章我们学习了:
✅ 服务器网络配置:静态IP配置、DNS设置、网络诊断
✅ 防火墙管理:iptables、firewalld、UFW配置
✅ Nginx配置:反向代理、负载均衡、HTTPS、缓存
✅ 网络监控:实时监控工具、抓包分析、日志分析
✅ 性能优化:系统参数调优、文件描述符优化
✅ 故障排查:网络诊断、端口测试、服务检查
🎯 下一步
接下来学习测试工程师如何测试和调试网络功能!
