Normally the server that runs nginx or Apache and the server that holds storage such as the DB are built as separate machines. Up to CentOS 7 that was relatively easy to set up, but from CentOS 8 the bar has risen a little and building the local network took me a lot of time, so I am writing it down here.
I often use Kagoya for both private and business purposes, so this time I ran it on a Kagoya VPS.
***By the way, the instances used for this write-up have already been deleted.***
```console
[root@v133-18-●●●-●●● ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:a9:21:a9 brd ff:ff:ff:ff:ff:ff
    inet 133.18.202.69/23 brd 133.18.203.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.150.11.1/24 brd 10.150.11.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 2406:8c00:0:3409:133:18:202:69/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fea9:21a9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:31:b3:50 brd ff:ff:ff:ff:ff:ff
```
The NIC information of the newly created WEB server instance is shown above. The additional NIC created with KAGOYA's network function appears as the **eth1** interface.
First, check the connection status with the following command.
```console
[root@v133-18-●●●-●●● ~]# nmcli con
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  05464f3c-c413-358b-8cd1-1b3adabd94d5  ethernet  eth1
System eth0         5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
```
Starting from the state above, change the connection name from Wired connection 1 to **eth1**, the same as its DEVICE.
```console
[root@v133-18-●●●-●●● ~]# nmcli con mod "Wired connection 1" connection.id eth1
[root@v133-18-●●●-●●● ~]# nmcli con
NAME         UUID                                  TYPE      DEVICE
eth1         05464f3c-c413-358b-8cd1-1b3adabd94d5  ethernet  eth1
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
```
The connection name now matches the NIC interface name, **eth1**. Next, run the command that binds the connection itself to the device.
```console
[root@v133-18-●●●-●●● ~]# nmcli con mod "eth1" connection.interface-name eth1
```
After executing the above command, you can set any private IP you like with the following command.
```console
[root@v133-18-●●●-●●● ~]# nmcli con mod eth1 \
ipv4.method manual \
ipv4.address "192.168.1.1/24" \
connection.autoconnect "yes" \
ipv6.method ignore
```
***Do not put spaces after the backslashes.***
This time the private IP segment is set to **192.168.1.0/24**; set it to whatever you like.
After executing the above command, check the settings as follows.
```console
[root@v133-18-●●●-●●● ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:a9:21:a9 brd ff:ff:ff:ff:ff:ff
    inet 133.18.202.69/23 brd 133.18.203.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.150.11.1/24 brd 10.150.11.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 2406:8c00:0:3409:133:18:202:69/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fea9:21a9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:31:b3:50 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe31:b350/64 scope link
       valid_lft forever preferred_lft forever
```
As shown above, the arbitrarily chosen private IP 192.168.1.1 is now set on the **eth1** interface.
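The steps above (rename the connection, pin it to the device, set a static private address, then confirm with `ip addr`) as one script, added here as an example and not part of the original post. It assumes CentOS 8 with NetworkManager's `nmcli` and iproute2's `ip`, run as root; the function names `setup_private_nic` and `verify_private_ip` are mine, and the same script serves the DB instance by passing its own address.

```shell
#!/bin/sh
# Added example, not from the original post: the nmcli steps for the extra
# KAGOYA NIC wrapped in one function plus a check of the result.
# Arguments: current connection name ("Wired connection 1"), device (eth1)
# and the private address with prefix length (192.168.1.1/24).
set -eu

# Rename the connection, pin it to the device and give it a static private
# IPv4 address with no IPv6. `nmcli con mod` only edits the stored profile,
# so the connection is (re)activated afterwards to apply the change.
setup_private_nic() {
    old_name="$1"; dev="$2"; cidr="$3"
    nmcli con mod "$old_name" connection.id "$dev"
    nmcli con mod "$dev" connection.interface-name "$dev"
    nmcli con mod "$dev" \
        ipv4.method manual \
        ipv4.addresses "$cidr" \
        connection.autoconnect yes \
        ipv6.method ignore
    nmcli con up "$dev"
}

# Succeed only when the device carries exactly the requested address.
# `ip -o -4 addr show dev DEV` prints one line per address; the 4th field
# is the address with prefix length, e.g. 192.168.1.1/24.
verify_private_ip() {
    dev="$1"; cidr="$2"
    ip -o -4 addr show dev "$dev" |
        awk -v want="$cidr" '$4 == want { found = 1 } END { exit !found }'
}

# Usage: ./private_nic.sh "Wired connection 1" eth1 192.168.1.1/24
if [ "$#" -eq 3 ]; then
    setup_private_nic "$1" "$2" "$3"
    verify_private_ip "$2" "$3" && echo "$2 now has $3"
fi
```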
***Up to this point, the setup of the WEB server instance is complete. Next, set up the DB server instance in the same way.***
```console
[root@v133-18-●●●-●●● ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:84:9e:a6 brd ff:ff:ff:ff:ff:ff
    inet 133.18.208.237/23 brd 133.18.209.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.150.11.1/24 brd 10.150.11.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 2406:8c00:0:3412:133:18:208:237/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe84:9ea6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:b5:ef:3b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e722:b88f:8d4d:d80d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
Running the same command as on the WEB server side shows that no IP has been assigned to **eth1** yet.
Now repeat exactly the same procedure as before. First, check the connection status with `nmcli con`.
```console
[root@v133-18-●●●-●●● ~]# nmcli con
NAME                UUID                                  TYPE      DEVICE
System eth0         5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
Wired connection 1  06b39142-cc39-38cd-813d-b9bbc39409dd  ethernet  --
```
As before, the connection name is **Wired connection 1**. I don't understand why the DEVICE notation is different.
Anyway, associate the connection name with the **eth1** interface.
```console
[root@v133-18-●●●-●●● ~]# nmcli con mod "Wired connection 1" connection.id eth1
[root@v133-18-●●●-●●● ~]# nmcli con
NAME         UUID                                  TYPE      DEVICE
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
eth1         06b39142-cc39-38cd-813d-b9bbc39409dd  ethernet  --
```
Next, bind the renamed connection to the interface.
```console
[root@v133-18-●●●-●●● ~]# nmcli con mod "eth1" connection.interface-name eth1
[root@v133-18-●●●-●●● ~]# nmcli con
NAME         UUID                                  TYPE      DEVICE
eth1         06b39142-cc39-38cd-813d-b9bbc39409dd  ethernet  eth1
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
```
The connection that was previously Wired connection 1 is now associated with the **eth1 interface**. Finally, set the private IP on the DB server instance.
```console
[root@v133-18-202-69 ~]# nmcli con mod eth1 \
ipv4.method manual \
ipv4.address "192.168.1.2/24" \
connection.autoconnect "yes" \
ipv6.method ignore
```
Since I set **192.168.1.1/24** on the WEB instance earlier, I set **192.168.1.2/24** on the DB instance.
Now check the **eth1** private IP again.
```console
[root@v133-18-●●●-●●● ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:84:9e:a6 brd ff:ff:ff:ff:ff:ff
    inet 133.18.208.237/23 brd 133.18.209.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.150.11.1/24 brd 10.150.11.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 2406:8c00:0:3412:133:18:208:237/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe84:9ea6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:b5:ef:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feb5:ef3b/64 scope link
       valid_lft forever preferred_lft forever
```
The **192.168.1.2** address specified for **eth1** is now set.
Now that the local connection between the WEB server and the DB server is complete, set the security group on KAGOYA so that only SSH connections from the WEB server IP **192.168.1.1** are allowed to reach the DB server.
For now, in the sshd_config file on the DB server side, allow password authentication as the root user.
In the SSH connection settings on the DB side, allow root login and password authentication, and allow connections only from IP **192.168.1.1** on port **22**. Also make sure you can no longer ssh in from your local PC.
Then, from the terminal on the WEB server side:
```console
[root@v133-18-●●●-●●● ~]# ssh root@192.168.1.2
root@192.168.1.2's password:
Last login: Thu Aug 27 15:46:09 2020 from 61.22.158.140
[root@v133-18-●●●-●●● ~]#
```
As shown above, I was able to make an SSH connection to the DB server over its private IP. After that, by configuring PostgreSQL and similar services to accept connections only from hosts in the same segment, the WEB application can reach the DB without exposing the DB server to the outside.
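A check for the DB server that the services meant to stay private (sshd on port 22, PostgreSQL on its default port 5432) are listening only on the private eth1 address and not on 0.0.0.0, [::] or the public eth0 address. This is an added example, not from the original post; it assumes iproute2's `ss` as shipped with CentOS 8, and the function name `audit_listeners` is mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit which address the
# private services on the DB server are bound to, using `ss -ltn` output.
set -eu

PRIVATE_IP=192.168.1.2   # the DB instance's eth1 address chosen in the post

# Read `ss -ltn` output on stdin and print "port address" for every
# listening TCP socket on one of the given ports that is not bound to
# PRIVATE_IP. Returns 0 when nothing is exposed, 1 otherwise.
audit_listeners() {
    ports="$1"   # space-separated, e.g. "22 5432"
    awk -v priv="$PRIVATE_IP" -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 {
            # The 4th column is Local Address:Port, e.g. 0.0.0.0:22,
            # [::]:22 or 192.168.1.2:5432; the port follows the last colon.
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[^:]*$/, "", host)
            if (!(port in want)) next
            if (host != priv) { bad++; print port, host }
        }
        END { exit (bad > 0) }'
}

# Usage on the DB server: ./audit_listeners.sh 22 5432
if [ "$#" -ge 1 ]; then
    ss -ltn | audit_listeners "$*" && echo "only $PRIVATE_IP is listening on: $*"
fi
```

A non-zero exit with lines such as `22 0.0.0.0` means the daemon is still reachable on the public interface and only the security group stands between it and the Internet.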
The reference for this post is: https://i1.fusioncom.jp/doc/ja/help/instance_nic_linux.html