本次部署基于官方文档总结,点击查看官方文档

组件说明

  • Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作

  • koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产

  • Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件

  • Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

端口配置

  • Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
  • koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp, 配置文件在 koko/config.yml
  • Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
  • Nginx 默认端口为 80/tcp,443/tcp
  • Redis 默认端口为 6379/tcp
Protocol Server name IP Port
TCP Jumpserver 172.100.0.1(容器网络对应IP) 8070(ws), 8080(http)
TCP koko 172.100.0.2(容器网络对应IP) 2222, 5000
TCP Guacamole 172.100.0.3(容器网络对应IP) 8081
TCP sqlite3 db路径:/data/jumpserver/jumpserver/jumpserver.db
TCP Redis 127.0.0.1 6379
TCP Nginx 0.0.0.0 80,443

组件安装配置

Redis配置

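  # Install Redis. In this guide only the Jumpserver core (on this same host) talks to Redis;
  # see the port table above (Redis 127.0.0.1 6379).
  yum -y install redis
  # Edit the Redis configuration
  vim /etc/redis.conf
  # ...
  # Keep `bind 127.0.0.1` as shipped. The original step said to comment this line out, but a
  # redis.conf with no bind line listens on every interface, which contradicts the port table.
  # If a container ever needs Redis, add the bridge address (e.g. `bind 127.0.0.1 172.100.0.1`)
  # and restrict 6379 with the host firewall instead of removing the line.
  bind 127.0.0.1
  # Connection password (placeholder — replace with a long random value before starting Redis).
  # Jumpserver's config.yml must carry the same value in REDIS_PASSWORD, otherwise the core
  # cannot connect once requirepass is set.
  requirepass CHANGE_ME_long_random_password
  maxmemory-policy allkeys-lru  # eviction policy: evict least-recently-used keys first
  # ...
  systemctl enable redis
  systemctl start redis
  systemctl status redis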

sqlite3配置

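  # SQLite >= 3.8.3 is required; CentOS 7 ships 3.7.17, so build a newer release from source.
  cd /usr/local/src || exit 1
  wget https://www.sqlite.org/2019/sqlite-autoconf-3300100.tar.gz
  # Check the archive against the hash published on the sqlite.org download page before building,
  # e.g.: sha1sum sqlite-autoconf-3300100.tar.gz   # expected: <hash from sqlite.org download page>
  tar zxvf sqlite-autoconf-3300100.tar.gz
  # Build and install into /usr/local. The original listing jumped straight from tar to
  # /usr/local/bin/sqlite3, which does not exist until this step has run.
  cd sqlite-autoconf-3300100 || exit 1
  ./configure --prefix=/usr/local && make && make install
  /usr/local/bin/sqlite3 -V
  # -f: /usr/bin/sqlite3 already exists (the 3.7.17 binary), so a plain `ln -s` fails with "File exists".
  ln -sf /usr/local/bin/sqlite3 /usr/bin/sqlite3
  sqlite3 --version
  # NOTE(review): on 64-bit CentOS 7 the system library directory is /usr/lib64 — confirm which
  # path the Python sqlite3 module actually loads before relying on this symlink.
  ln -sf /usr/local/lib/libsqlite3.so /usr/lib/libsqlite3.so
  # Make the new library visible to the interpreter. ~/.bashrc only affects interactive shells
  # of this user; if Jumpserver is later run from a service unit, register /usr/local/lib in
  # /etc/ld.so.conf.d/ and run ldconfig instead.
  vim ~/.bashrc
  export LD_LIBRARY_PATH="/usr/local/lib"
  source ~/.bashrc
  # Create the sqlite database file that Jumpserver needs
  cd /data/jumpserver/jumpserver || exit 1
  sqlite3 jumpserver.db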

Jumpserver 配置

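  # Install Python 3.6
  yum -y install python36 python36-devel
  # Create and activate the Python 3 virtual environment
  cd /data/jumpserver/ || exit 1
  # NB: as rendered, the original had no space before "#", so the venv would have been created
  # as "py3_venv#" and the `source py3_venv/bin/activate` below would fail.
  python3.6 -m venv py3_venv  # py3_venv is the venv name; any name works
  source py3_venv/bin/activate  # activate the venv; `deactivate` leaves it
  # The prompt gains the venv prefix, e.g. "(py3_venv) [root@localhost jumpserver]#".
  # Every later Jumpserver command must run inside this venv: re-run the source command first.
  # Download Jumpserver
  cd /data/jumpserver/ || exit 1
  git clone --depth=1 https://github.com/jumpserver/jumpserver.git
  # Install RPM dependencies (word-splitting of the file contents into package names is intentional)
  # shellcheck disable=SC2046
  yum -y install $(cat /data/jumpserver/jumpserver/requirements/rpm_requirements.txt)
  # Install Python dependencies
  pip install wheel
  pip install --upgrade pip setuptools
  # Errors here are usually third-party version conflicts: adjust the pinned version and install again
  pip install -r /data/jumpserver/jumpserver/requirements/requirements.txt
  # Edit the Jumpserver configuration.
  # The original listing did `cd /opt/jumpserver`, but every other path in this guide — and the
  # sed commands below — use /data/jumpserver/jumpserver, so the copied config.yml would have
  # landed in the wrong directory.
  cd /data/jumpserver/jumpserver || exit 1
  cp config_example.yml config.yml
  # Generate random secrets. LC_ALL=C keeps tr byte-oriented on /dev/urandom; the alphabet is
  # restricted to [A-Za-z0-9], which is what makes the unquoted use inside the sed patterns safe.
  SECRET_KEY=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
  BOOTSTRAP_TOKEN=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
  sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /data/jumpserver/jumpserver/config.yml
  sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/jumpserver/jumpserver/config.yml
  sed -i "s/# DEBUG: true/DEBUG: false/g" /data/jumpserver/jumpserver/config.yml
  sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /data/jumpserver/jumpserver/config.yml
  sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /data/jumpserver/jumpserver/config.yml
  # The original DB_PASSWORD sed line is dropped: DB_PASSWORD is never set anywhere in this guide,
  # its target path ended in a stray "/" (sed refuses to edit "config.yml/"), and this deployment
  # uses sqlite3, which needs no database password.
  # The two lines below print the secrets to the terminal; they also sit in this shell's history,
  # so clear it (or run these steps from a script) once config.yml is written.
  echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
  echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
  # Storage is sqlite3: comment out the MySQL settings and set the following in config.yml:
  #   DB_ENGINE: sqlite3
  #   DB_NAME: /data/jumpserver/jumpserver/jumpserver.db
  # Redis: config.yml must carry the password configured with requirepass in the Redis step:
  #   REDIS_PASSWORD: <the requirepass value>
  # HTTP bind address:
  #   HTTP_BIND_HOST: 127.0.0.1
  # NOTE(review): the koko/guacamole containers and the nginx vhost in this guide connect to
  # 172.100.0.1:8080, which is not reachable while the core listens on 127.0.0.1 only — confirm
  # whether 0.0.0.0 (then restrict 8080 with the host firewall) or the bridge address is intended.
  vi config.yml  # double-check the content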

koko 和 Guacamole 配置

  • 直接采用docker部署

    # Pull the koko and Guacamole images at the same tag the compose file below uses.
    # NOTE(review): tags are mutable; pinning `image@sha256:<digest>` would make the pull reproducible.
    for image in jms_koko jms_guacamole; do
      docker pull "docker.io/jumpserver/${image}:1.5.6"
    done
  • docker-compose file

    vim /data/jumpserver/docker-jumpserver-compose.yml
    # Write the compose file content shown below

    docker-jumpserver-compose.yml 内容如下:

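    # docker-jumpserver-compose.yml — re-indented from the flattened listing so it is valid YAML.
    # This file carries the BOOTSTRAP_TOKEN; keep it readable by root only (chmod 600).
    version: "3"
    services:
      guacamole:
        image: 'docker.io/jumpserver/jms_guacamole:1.5.6'
        restart: on-failure:3
        environment:
          # 172.100.0.1 is the host side of the bridge network defined below
          JUMPSERVER_SERVER: 'http://172.100.0.1:8080'
          BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN'
        ports:
          # loopback only; nginx proxies /guacamole/ to 127.0.0.1:8081
          - '127.0.0.1:8081:8080'
        networks:
          jumpserver:
            # NOTE: the port table earlier on this page lists Guacamole as 172.100.0.3 and koko as
            # 172.100.0.2, the reverse of what is assigned here; either works, but keep them in sync.
            ipv4_address: 172.100.0.2
        #volumes:
        #  - '/etc/localtime:/etc/localtime:ro'
        #  - '/etc/timezone:/etc/timezone'
      koko:
        image: 'docker.io/jumpserver/jms_koko:1.5.6'
        restart: on-failure:3
        environment:
          CORE_HOST: 'http://172.100.0.1:8080'
          BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN'
        ports:
          # Web Terminal: published on loopback port 5000 to match the nginx `/koko/` upstream
          # (127.0.0.1:5000) and the port table. The original listing published 5100, which
          # nothing in this guide connects to.
          - '127.0.0.1:5000:5000'
          # SSH entry point for users; this one is intentionally reachable from outside
          - '2222:2222'
        networks:
          jumpserver:
            ipv4_address: 172.100.0.3
    networks:
      jumpserver:
        driver: bridge
        ipam:
          driver: default
          config:
            # Network address; the original gave a host address (172.100.0.1/24).
            # NOTE(review): 172.100.0.0/24 is public address space, not RFC 1918; a private range
            # would avoid shadowing real Internet hosts, but changing it also means updating
            # 172.100.0.1 in the environment entries above and in the nginx vhost.
            - subnet: 172.100.0.0/24
    ## start ##
    # docker-compose -f docker-jumpserver-compose.yml -p jumpserver up -d
    ## stop ##
    # docker-compose -f docker-jumpserver-compose.yml -p jumpserver down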
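    # Start the containers. The cd is checked: without it, a missing directory would make
    # docker-compose look for the compose file in whatever the current directory happens to be.
    cd /data/jumpserver/ || exit 1
    docker-compose -f docker-jumpserver-compose.yml -p jumpserver up -d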

nginx配置

  vim /usr/local/nginx/conf/vhost/jms.test.com.conf
  # nginx vhost content
  3. ...
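  server
  {
      listen 80;
      server_name jms.test.com;
      # plain HTTP only redirects to HTTPS
      return 301 https://jms.test.com$request_uri;
      access_log off;
  }
  server
  {
      # `listen ... ssl` replaces the deprecated `ssl on;` directive used in the original
      listen 443 ssl;
      server_name jms.test.com;
      ssl_certificate /usr/local/nginx/conf/cert/214235695130621.pem;
      ssl_certificate_key /usr/local/nginx/conf/cert/214235695130621.key;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:10m;
      # NOTE(review): this list still admits non-forward-secret (ECDH/AES/HIGH) and CBC suites;
      # narrow it to ECDHE + AEAD suites once the client population is confirmed to support them.
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
      # TLS 1.0/1.1 (enabled in the original) are deprecated by RFC 8996. Add TLSv1.3 only if this
      # nginx/OpenSSL build supports it; an unknown protocol name stops nginx from starting.
      ssl_protocols TLSv1.2;
      ssl_prefer_server_ciphers on;
      # (the original `set $node_port 8100;` was never referenced and has been dropped)
      client_max_body_size 100m; # recording and file upload size limit
      location /luna/ {
          try_files $uri / /index.html;
          alias /data/jumpserver/luna/; # luna path; update if the install directory changes
      }
      location /media/ {
          add_header Content-Encoding gzip;
          root /data/jumpserver/jumpserver/data/; # recordings; update if the install directory changes
      }
      location /static/ {
          root /data/jumpserver/jumpserver/data/; # static assets; update if the install directory changes
      }
      location /koko/ {
          # koko must be published on 127.0.0.1:5000 by the compose file (the port table lists 5000)
          proxy_pass http://127.0.0.1:5000;
          proxy_buffering off;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          access_log off;
      }
      location /guacamole/ {
          proxy_pass http://127.0.0.1:8081/;
          proxy_buffering off;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          access_log off;
      }
      # NOTE(review): /ws/ and / are proxied to 172.100.0.1 (the docker bridge address on this
      # host); the core must be listening on that address, not only on 127.0.0.1 — confirm
      # HTTP_BIND_HOST in config.yml.
      location /ws/ {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://172.100.0.1:8070;
          proxy_http_version 1.1;
          proxy_buffering off;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }
      location / {
          proxy_pass http://172.100.0.1:8080;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
      access_log logs/jms_access.log;
      error_log logs/jms_error.log;
  }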
  76. ...