Protocol | Server name | Port |
---|---|---|
TCP | Jumpserver | 8080 |
TCP | koko | 2222, 5000 |
TCP | Guacamole | 8081 |
TCP | Db | 3306 |
TCP | Redis | 6379 |
TCP | Nginx | 80 |
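# Firewall and SELinux setup. Skip this section if firewalld and SELinux are
# already disabled on this host. The ports opened here match the table above.
$ yum update -y
$ systemctl start firewalld
$ firewall-cmd --zone=public --add-port=80/tcp --permanent     # nginx
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent   # user SSH login port (koko)
# --permanent makes a rule survive a reboot; without it the rule is lost on restart.
$ firewall-cmd --reload   # reload the rules
# NOTE: disabling SELinux removes a defence layer for the whole host. These two
# commands are what this guide does; if you are able to keep it enforcing,
# resolve the individual denials instead.
$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

# Install build dependencies
$ yum -y install wget gcc epel-release git

# Install Redis; Jumpserver uses it as its cache and celery broker
$ yum -y install redis
$ systemctl enable redis
$ systemctl start redis

# Install MySQL. Skip the MySQL install and configuration steps if you use
# another backend (sqlite3, mysql and postgres are supported).
$ yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared   # on CentOS 7 the package is mariadb; usage is identical to mysql
$ systemctl enable mariadb
$ systemctl start mariadb

# Create the jumpserver database and grant access to it.
# The password is drawn from /dev/urandom and restricted to letters and digits,
# so it is safe to splice into the sed commands used in the configuration step.
$ DB_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 24)
# Prints the password in red so you can record it. It lands in the terminal
# scrollback (and any session recording); clear or protect those afterwards.
$ echo -e "\033[31m 你的數據庫密碼是 $DB_PASSWORD \033[0m"
# The SQL is fed on stdin instead of `-e "..."` so the password is not visible
# in the process list while mysql runs.
$ mysql -uroot <<EOF
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
flush privileges;
EOF

# Install Nginx, used as the reverse proxy that ties Jumpserver and its components together.
# The repo is fetched over https with signature checking on, so yum verifies every
# package against nginx's signing key (gpgcheck=0 over plain http, as originally
# written, would accept whatever a network intermediary served).
# Create the file with vi, or with the heredoc below.
$ cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
$ yum -y install nginx
$ systemctl enable nginx

# Install Python 3.6
$ yum -y install python36 python36-devel

# Create and activate the Python 3 virtual environment
$ cd /opt
$ python3.6 -m venv py3            # py3 is the venv name; choose your own if you like
$ source /opt/py3/bin/activate     # leave the venv with: deactivate
# The prompt below means activation succeeded. Every later Jumpserver command in
# this guide assumes the venv is active, so re-run the source command in each new shell.
# (py3) [root@localhost py3]#

# Download Jumpserver.
# This clones the tip of the default branch, while the koko, guacamole and luna
# steps below all use version 1.5.2; to pin a matching release use
# `git clone --depth=1 -b <release-tag> ...` with the tag for your version.
$ cd /opt/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# Install RPM dependencies. Word-splitting of the file contents is intentional:
# one package name per word.
# shellcheck disable=SC2046
$ yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)

# Install Python dependencies into the venv
$ pip install --upgrade pip setuptools
$ pip install -r /opt/jumpserver/requirements/requirements.txt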
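# Edit the Jumpserver configuration file.
# DB_PASSWORD must still be set in this shell from the database step above; if
# you opened a new shell since then, set it again before running the sed below,
# otherwise DB_PASSWORD in config.yml is left empty.
$ cd /opt/jumpserver
$ cp config_example.yml config.yml
# Both secrets are letters and digits only, so they can be spliced into sed
# patterns and YAML values without any escaping.
$ SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50)          # random SECRET_KEY
$ BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)     # random BOOTSTRAP_TOKEN
# Persist them for later shells (the docker steps read $BOOTSTRAP_TOKEN).
# This is a plaintext copy of the secrets in root's home; remove these lines
# from ~/.bashrc once config.yml holds the values and the containers are running.
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
# Fill the empty keys in config.yml. Each pattern matches the key as it appears
# in config_example.yml (see the file excerpt below).
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
# config.yml now contains the secret key, bootstrap token and database password;
# keep it readable by the account that runs Jumpserver only (root in this guide —
# adjust the owner if you run the service as another user).
$ chmod 600 /opt/jumpserver/config.yml
# Print the values in red so you can record them (same scrollback caveat as the DB password).
$ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
$ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
$ vi config.yml   # check the result for mistakes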
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. Use a random string in production and never disclose it;
# a purely numeric value is not allowed.
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that koko and guacamole use to register their service
# accounts; the old register-then-accept mechanism is no longer used.
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# With DEBUG on, more detail is logged when an error occurs.
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime: 24 hours by default; can also expire when the browser closes.
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at run time.
# 0.0.0.0 binds on every interface. Under the firewall rules in this guide only
# 80 and 2222 are opened publicly (plus 8080 for the docker subnet), so 8080 is
# reached through nginx; if you open 8080 yourself, the proxy is bypassed.
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
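# Run Jumpserver
$ cd /opt/jumpserver
$ ./jms start -d   # -d runs it in the background
# The run script changed in newer versions: ./jms start|stop|status all; add -d to run in the background.

# Install the systemd unit so Jumpserver starts at boot.
$ wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
# The unit is downloaded over https but no checksum is published on this page;
# read it before enabling it so you know what systemd will execute at boot.
$ cat /usr/lib/systemd/system/jms.service
# Unit files are configuration, not programs: 644 is sufficient, and systemd warns
# when a unit file is marked executable (the original used 755).
$ chmod 644 /usr/lib/systemd/system/jms.service
$ systemctl daemon-reload   # make systemd pick up the new unit
$ systemctl enable jms      # start at boot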
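# Install docker and deploy koko and guacamole
$ yum install -y yum-utils device-mapper-persistent-data lvm2
# Fetch the repo definition over https (the same mirror host serves the key
# import below over https), so the repo file cannot be altered in transit.
$ yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ yum makecache fast
$ rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
$ yum -y install docker-ce
$ systemctl enable docker
# Registry mirror setup. The original piped the remote script straight into sh;
# download it first and read it, since it runs with root privileges.
$ curl -sSLo set_mirror.sh https://get.daocloud.io/daotools/set_mirror.sh
$ less set_mirror.sh
$ sh set_mirror.sh http://f1361db2.m.daocloud.io
$ systemctl restart docker

# Allow container IPs to reach port 8080 on the host (a container's IP can be checked from inside it).
# 172.17.0.0/16 is docker's default address pool; the whole range is allowed here for
# convenience — restrict the rule to individual container IPs if your setup permits.
# The rich rule is single-quoted so the inner double quotes reach firewall-cmd intact.
$ firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
$ firewall-cmd --reload

# Determine this server's IP: the first global IPv4 address not on a docker interface.
# (The original pipeline's `tr -d "addr:"` deleted the single characters a, d, r and
# ':' rather than the word, and had no effect on the result.) Check the printed value
# and set Server_IP by hand if it is not the address the containers can reach.
$ Server_IP=$(ip -4 -o addr show scope global | grep -v docker | awk '{print $4}' | cut -d/ -f1 | head -n 1)
$ echo -e "\033[31m 你的服務器IP是 $Server_IP \033[0m"

# CORE_HOST / JUMPSERVER_SERVER point at the Jumpserver service port, e.g. http://192.168.244.144:8080.
# BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver/config.yml and must still be set
# in this shell (it was generated in the configuration step).
# The token is handed to the container as an environment variable: it is visible to
# anyone who can run `docker inspect` on this host, so keep host access restricted.
$ docker run --name jms_koko -d \
    -p 2222:2222 -p 127.0.0.1:5000:5000 \
    -e CORE_HOST="http://${Server_IP}:8080" \
    -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
    --restart=always jumpserver/jms_koko:1.5.2
$ docker run --name jms_guacamole -d \
    -p 127.0.0.1:8081:8081 \
    -e JUMPSERVER_SERVER="http://${Server_IP}:8080" \
    -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
    --restart=always jumpserver/jms_guacamole:1.5.2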
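# Install the web terminal frontend Luna. Luna is served by Nginx.
# Download the release package for your version from
# https://github.com/jumpserver/luna/releases and unpack it; no build step is needed.
$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
# If network problems stop the GitHub download, use the mirror below instead.
# Run only one of the two wget commands — as originally written, the second would
# silently overwrite the first. No checksum is published on this page; if you use
# the mirror, compare the archive against the GitHub release.
# $ wget https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz
$ tar xf luna.tar.gz
$ chown -R root:root luna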
# Configure Nginx to tie the components together
$ rm -rf /etc/nginx/conf.d/default.conf
$ vi /etc/nginx/conf.d/jumpserver.conf
server {
    # Plain HTTP only: no TLS is configured on this page, so web logins and
    # sessions cross the network unencrypted. Terminate TLS here for production.
    listen 80;
    client_max_body_size 100m;   # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;   # luna path; change it if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # recordings; change it if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static assets; change it if the install directory changes
    }

    # koko web terminal: websocket upgrade to the koko container on 5000
    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # guacamole container on 8081
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Jumpserver core on 8080; requests here are logged (no access_log off),
    # which is the only web access trail in this configuration.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# Run Nginx
$ nginx -t              # make sure the configuration is valid; fix any errors first
$ systemctl start nginx
# Browse to http://192.168.244.144 (note: no :8080 — go through the nginx proxy port).
# Default account: admin, password: admin.
# Change this default password immediately after the first login; until then the
# admin account is usable by anyone who can reach port 80.
# Then go to Session management -> Terminal management and accept the
# registration of koko, Guacamole and the other applications.

# Test the connection
$ ssh -p2222 admin@192.168.244.144
$ sftp -P2222 admin@192.168.244.144
# Password: admin
# On Windows, the Xshell terminal login syntax is:
$ ssh admin@192.168.244.144 2222
$ sftp admin@192.168.244.144 2222
# Password: admin
# If you can log in, the deployment succeeded.
# sftp uploads land in the asset's /tmp directory by default.
# Windows drag-and-drop uploads land in the G directory of the Guacamole RDP session.
多組件負載說明
# When load is high, user access slows down; run the docker containers on several
# servers and balance across them.
# BOOTSTRAP_TOKEN=****** stands for the BOOTSTRAP_TOKEN from config.yml.
# NOTE: -p 5001:5000 / -p 5002:5000 publish the koko websocket port on every host
# interface, whereas the single-node step bound it to 127.0.0.1. The upstreams
# below address these nodes as localhost; if they really run on the same host,
# bind the port to 127.0.0.1 as in the single-node step.
$ docker run --name jms_koko01 -d -p 2223:2222 -p 5001:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_koko:1.5.2
$ docker run --name jms_koko02 -d -p 2224:2222 -p 5002:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_koko:1.5.2
...
# guacamole works the same way
$ docker run --name jms_guacamole01 -d -p 8082:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.5.2
$ docker run --name jms_guacamole02 -d -p 8083:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.5.2
...

# nginx proxy settings
$ vi /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
# Add a TCP (stream) proxy in front of the koko SSH ports
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/tcp-access.log proxy;
    open_log_file_cache off;
    upstream kokossh {
        server localhost:2222 weight=1;
        server localhost:2223 weight=1;   # additional node
        server localhost:2224 weight=1;   # additional node
        # koko ssh backend addresses
        # connections from the same client address go to the same node
        hash $remote_addr;
    }
    server {
        listen 2220;   # must be an unused port; change as needed. This is the port users ssh to (opened in the firewall below)
        proxy_pass kokossh;
        proxy_connect_timeout 10s;
    }
}
# end of the added section
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 65;
    # hide the nginx version in responses and error pages
    server_tokens off;
    include /etc/nginx/conf.d/*.conf;
}
$ firewall-cmd --zone=public --add-port=2220/tcp --permanent
$ firewall-cmd --reload

$ vi /etc/nginx/conf.d/jumpserver.conf
upstream jumpserver {
    server localhost:8080;   # jumpserver backend address
}
upstream kokows {
    server localhost:5000 weight=1;
    server localhost:5001 weight=1;   # additional node
    server localhost:5002 weight=1;   # additional node
    # koko websocket backend addresses
    ip_hash;
}
upstream guacamole {
    server localhost:8081 weight=1;
    server localhost:8082 weight=1;   # additional node
    server localhost:8083 weight=1;   # additional node
    # guacamole backend addresses
    ip_hash;
}
server {
    listen 80;   # plain HTTP; no TLS is configured on this page
    server_name demo.jumpserver.org;   # change to your own domain
    client_max_body_size 100m;   # recording upload size limit

    # Unlike the single-node jumpserver.conf, access_log is off here for the
    # core application too, so no web access trail is kept; keep logging on if
    # you rely on nginx logs for login auditing.
    location / {
        proxy_pass http://jumpserver;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static assets; change it if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # recordings; change it if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://kokows/socket.io/;   # koko
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://kokows/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://guacamole/;   # guacamole
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
$ nginx -t
$ nginx -s reload