本次部署基于官方文档总结,点击查看官方文档
组件说明
-
Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作
-
koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
-
Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件
-
Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)
端口配置
- Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
- koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml
- Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
- Nginx 默认端口为 80/tcp,443/tcp
- Redis 默认端口为 6379/tcp
| Protocol | Server name | IP | Port |
|---|---|---|---|
| TCP | Jumpserver | 172.100.0.1(容器网络对应IP) | 8070(ws), 8080(http) |
| TCP | koko | 172.100.0.2(容器网络对应IP) | 2222, 5000 |
| TCP | Guacamole | 172.100.0.3(容器网络对应IP) | 8081 |
| TCP | sqlite3 | db路径:/data/jumpserver/jumpserver/jumpserver.db | |
| TCP | Redis | 127.0.0.1 | 6379 |
| TCP | Nginx | 0.0.0.0 | 80,443 |
组件安装配置
Redis配置
yum -y install redis
# 修改 redis 配置文件
vim /etc/redis.conf
...
bind 127.0.0.1 # 注释这行, 新增如下内容
requirepass weakPassword # redis 连接密码
maxmemory-policy allkeys-lru # 清理策略, 优先移除最近未使用的key
...
systemctl enable redis
systemctl start redis
systemctl status redis
sqlite3配置
# SQLite 需要 3.8.3 或者最新版本,Centos7 默认版本 3.7.17 需要升级
cd /usr/local/src
wget https://www.sqlite.org/2019/sqlite-autoconf-3300100.tar.gz
tar zxvf sqlite-autoconf-3300100.tar.gz
/usr/local/bin/sqlite3 -V
ln -s /usr/local/bin/sqlite3 /usr/bin/sqlite3
sqlite3 --version
ln -s /usr/local/lib/libsqlite3.so /usr/lib/libsqlite3.so
vim ~/.bashrc
export LD_LIBRARY_PATH="/usr/local/lib"
source ~/.bashrc
#生成jumpserver需要的sqlite文件
cd /data/jumpserver/jumpserver
sqlite3 jumpserver.db
Jumpserver 配置
#安装 Python3.6
$ yum -y install python36 python36-devel
#配置并载入 Python3 虚拟环境
$ cd /data/jumpserver/
$ python3.6 -m venv py3_venv# py3 为虚拟环境名称, 可自定义
$ source py3_venv/bin/activate # 激活python虚拟环境,退出虚拟环境可以使用 deactivate 命令
# 看到下面的提示符代表成功, 以后运行 Jumpserver 都要先运行以上 source 命令, 载入环境后默认以下所有命令均在该虚拟环境中运行
(py3) [root@localhost py3]
# 下载 Jumpserver
$ cd /data/jumpserver/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git
# 安装依赖 RPM 包
$ yum -y install $(cat /data/jumpserver/jumpserver/requirements/rpm_requirements.txt)
# 安装 Python 库依赖
$ pip install wheel
$ pip install --upgrade pip setuptools
#如果有报错,大多是三方依赖库版本问题,手动安装即可
$ pip install -r /data/jumpserver/jumpserver/requirements/requirements.txt
#注意有error的话,手动修正下版本号,再安装
# jumpserver配置文件修改
$ cd /opt/jumpserver
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` # 生成随机SECRET_KEY
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` # 生成随机BOOTSTRAP_TOKEN
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /data/jumpserver/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /data/jumpserver/jumpserver/config.yml/
$ echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
$ echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
#配置存储为sqlite3,注释mysql配置
DB_ENGINE: sqlite3
DB_NAME: /data/jumpserver/jumpserver/jumpserver.db
#HTTP_BIND_HOST修改为127.0.0.1
HTTP_BIND_HOST: 127.0.0.1
$ vi config.yml # 确认内容有没有错误
koko 和 Guacamole 配置
-
直接采用docker部署
#拉取镜像 docker pull docker.io/jumpserver/jms_koko:1.5.6 docker pull docker.io/jumpserver/jms_guacamole:1.5.6 -
docker-compose file
vim /data/jumpserver/docker-jumpserver-compose.yml #写入如下内容docker-jumpserver-compose.yml 内容如下:
version: "3" services: guacamole: image: 'docker.io/jumpserver/jms_guacamole:1.5.6' restart: on-failure:3 environment: JUMPSERVER_SERVER: 'http://172.100.0.1:8080' BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN' ports: - '127.0.0.1:8081:8080' networks: jumpserver: ipv4_address: 172.100.0.2 #volumes: # - '/etc/localtime:/etc/localtime:ro' # - '/etc/timezone:/etc/timezone' koko: image: 'docker.io/jumpserver/jms_koko:1.5.6' restart: on-failure:3 environment: CORE_HOST: 'http://172.100.0.1:8080' BOOTSTRAP_TOKEN: '上面生成的BOOTSTRAP_TOKEN' ports: - '127.0.0.1:5100:5000' - '2222:2222' networks: jumpserver: ipv4_address: 172.100.0.3 networks: jumpserver: driver: bridge ipam: driver: default config: - subnet: 172.100.0.1/24 ##项目启动命令## # docker-compose -f docker-jumpserver-compose.yml -p jumpserver up -d ##项目停止命令## # docker-compose -f docker-jumpserver-compose.yml -p jumpserver down# 启动容器 cd /data/jumpserver/ docker-compose -f docker-jumpserver-compose.yml -p jumpserver up -d
nginx配置
vim /usr/local/nginx/conf/vhost/jms.test.com.conf
#nginx配置内容
...
server
{
listen 80;
server_name jms.test.com;
return 301 https://jms.test.com$request_uri;
access_log off;
}
server
{
listen 443;
server_name jms.test.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/cert/214235695130621.pem;
ssl_certificate_key /usr/local/nginx/conf/cert/214235695130621.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
set $node_port 8100;
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /data/jumpserver/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /data/jumpserver/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /data/jumpserver/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://127.0.0.1:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://127.0.0.1:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.100.0.1:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / {
proxy_pass http://172.100.0.1:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log logs/jms_access.log;
error_log logs/jms_error.log;
}
...