
实测JumpServer2.1堡垒机单机部署

JumpServer feko 4个月前 (07-21) 232次浏览 已收录 0个评论 扫描二维码

安装JumpServer

基本要求

环境:centos7.7 + python3.6
硬件配置: 2个CPU核心, 4G 内存, 50G 硬盘(最低)
操作系统: Linux 发行版 x86_64
Python = 3.6.x
Mariadb Server ≥ 5.5.56
Redis
Nginx

服务器简单初始化

  ## Base host preparation on CentOS 7: switch yum to a domestic mirror, turn off the host
  ## firewall and SELinux, install build/runtime packages, sync the clock and point pip at a mirror.
  # yum install wget
  # mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
  # wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
  # yum makecache
  ## NOTE(review): the next four commands remove the host firewall and SELinux enforcement
  ## permanently (firewalld disabled; the edit to /etc/selinux/config is not shown but is
  ## presumably SELINUX=disabled or permissive). Every listener set up later on this page
  ## (3306, 6379, 8080, 8070, 2222, 5000, 8081) then answers on whatever interface it binds to,
  ## so add host or network filtering before exposing this machine.
  # systemctl  stop firewalld
  # systemctl  disable firewalld
  # vi /etc/selinux/config 
  # setenforce  0
  # yum install python3 ntpdate lrzsz mariadb-devel  python36-devel gcc openldap-devel
  # ntpdate  ntp1.aliyun.com
  ## NOTE(review): this appends directly to root's crontab file rather than using `crontab -e`,
  ## and the cron line uses the bash-only `&>/dev/null`. cron runs jobs with /bin/sh; on CentOS 7
  ## that is bash so it works, but under a dash-style sh it parses as `... &` (background) plus an
  ## empty `>/dev/null`. The portable form is `>/dev/null 2>&1`.
  # echo '*/1 * * * * /usr/sbin/ntpdate  ntp1.aliyun.com &>/dev/null' >> /var/spool/cron/root
  ## NOTE(review): pip reads its config from /etc/pip.conf, ~/.pip/pip.conf,
  ## ~/.config/pip/pip.conf or $VIRTUAL_ENV/pip.conf, not from ./pip.conf in an arbitrary working
  ## directory, so this heredoc only takes effect if the shell happens to be in one of those
  ## places. The index is plain http with trusted-host set, so package downloads are neither
  ## encrypted nor certificate-checked; prefer an https index URL.
  # cat >pip.conf<< EOF
  [global]
  index-url = http://pypi.douban.com/simple
  [install]
  use-mirrors =true
  mirrors =http://pypi.douban.com/simple/
  trusted-host =pypi.douban.com
  EOF
  # pip3 install --upgrade pip

安装nginx

  ## Install nginx and enable it at boot; it becomes the only public entry point once the
  ## jumpserver.conf site file is written later on this page. The commands are not chained with
  ## &&, so check each one succeeded before moving on.
  yum install nginx
  systemctl start nginx
  systemctl  enable nginx

安装数据库

  ## MariaDB for core. The root password and the application grant are set interactively.
  # yum install mariadb-server
  # systemctl  start mariadb
  ## NOTE(review): the new root password (123456) is passed as a command-line argument, so it is
  ## recorded in shell history and visible in `ps` while the command runs; a prompting tool such
  ## as `mysql_secure_installation` avoids that, and a longer random password should be used.
  ## mariadb is started but never enabled, so it will not come back after a reboot unless
  ## `systemctl enable mariadb` is also run.
  # mysqladmin  -u root -p password 123456
  # mysql  -uroot -p123456
  ## The grant is restricted to 127.0.0.1, which matches DB_HOST in config.yml; DB_PASSWORD there
  ## must equal the password given in the GRANT below.
  > create database jumpserver default charset 'utf8' collate 'utf8_bin';
  > grant all on jumpserver.*  to jumpserver@127.0.0.1 identified by 'jumpserver';
  > flush privileges;
  相关端口 3306

安装redis

  ## Redis from EPEL, used by core and by koko (SHARE_ROOM_TYPE: redis).
  # yum install epel-release
  # yum install redis
  ## Edit /etc/redis.conf and set requirepass. NOTE(review): 123456 is trivially guessable and
  ## is the same string used for the MariaDB root password; use a long random value and keep it
  ## in sync with REDIS_PASSWORD in both the core and koko config.yml files. Since the host
  ## firewall was disabled, also confirm `bind 127.0.0.1` is in effect in this file.
  # vi /etc/redis.conf 
  requirepass 123456
  # systemctl  start redis
  # systemctl  enable redis
  ## related port: 6379

创建 Python 虚拟环境(目录可自选, 例如 /data/soft/py3; 下文统一使用 /opt/py3)

  ## Create the virtualenv for core under /opt/py3; any path works as long as the activate
  ## line below points at the same one.
  python3.6 -m venv /opt/py3

载入 Python 虚拟环境

  ## Activate the venv; every later pip / ./jms command assumes it is active in the current shell.
  source /opt/py3/bin/activate

每次操作 JumpServer 都需要先载入 py3 虚拟环境

获取 JumpServer 代码

  ## Fetch the core v2.1.0 release tarball into /opt and unpack it as /opt/jumpserver.
  ## NOTE(review): the archive is downloaded over https but no checksum or signature is checked
  ## before it is extracted and later run (the `#` prompts on this page suggest a root shell);
  ## compare it against the release's published checksum if one is provided. Only the first two
  ## lines are chained with &&, so a failed download is still followed by tar/mv.
  cd /opt && \
  wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz
  tar xf jumpserver-v2.1.0.tar.gz
  mv jumpserver-v2.1.0 jumpserver

安装编译环境依赖

  ## Install core's Python dependencies into the active venv (run `source /opt/py3/bin/activate`
  ## first; whether `pip` and `pip3` both resolve to the venv depends on that).
  ## NOTE(review): `pip3 install --upgrade pip` repeats the host-setup step, and the explicit
  ## pins pyasn1==0.1.2 and six==1.5.0 are very old; the final `-r requirements.txt` will
  ## replace them if it pins different versions, so their effect here is unclear — consider
  ## relying on requirements.txt alone so the resolved set is reproducible.
  cd /opt/jumpserver/requirements && \
  pip3 install --upgrade pip  && \
  pip install pyasn1==0.1.2  && \
  pip install six==1.5.0 && \
  pip install cffi && \
  pip install pbr && \
  pip install wheel && \
  pip3 install --upgrade  setuptools && \
  pip install -r requirements.txt

修改配置文件

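  cd /opt/jumpserver && \
  cp config_example.yml config.yml && \
  vi config.yml
  ## Values to set in /opt/jumpserver/config.yml for this single-host layout. SECRET_KEY and
  ## BOOTSTRAP_TOKEN below are the article's sample values: generate fresh ones for each
  ## deployment, and give the same BOOTSTRAP_TOKEN to koko and guacamole.
  SECRET_KEY: tgvAPABVkCO2xCwYz1h3gUrhiGtW2yX33Cz2Q9C0M64S2U93V
  BOOTSTRAP_TOKEN: tSQ1yPvs0UPeKSaG
  ## Corrected from the original "fasle", which YAML reads as a plain string rather than the
  ## boolean false.
  DEBUG: false
  LOG_LEVEL: ERROR
  DB_ENGINE: mysql
  DB_HOST: 127.0.0.1
  DB_PORT: 3306
  DB_USER: jumpserver
  DB_PASSWORD: jumpserver   # must match the password in the GRANT issued when the database was created
  DB_NAME: jumpserver
  ## Core is reached only through nginx (proxy_pass to localhost:8080), koko (CORE_HOST
  ## http://127.0.0.1:8080) and guacamole (JUMPSERVER_SERVER http://127.0.0.1:8080), and the host
  ## firewall was disabled during setup, so bind to loopback instead of 0.0.0.0 to keep port 8080
  ## off the network interface. Use 0.0.0.0 only if a component moves to another host.
  HTTP_BIND_HOST: 127.0.0.1
  HTTP_LISTEN_PORT: 8080
  WS_LISTEN_PORT: 8070
  REDIS_HOST: 127.0.0.1
  REDIS_PORT: 6379
  REDIS_PASSWORD: 123456    # must match requirepass in /etc/redis.conf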

启动 JumpServer

  ## Start core in the foreground (add -d to daemonize). The `#` prompt indicates a root shell,
  ## and nothing on this page creates a dedicated service account, so core and its child
  ## processes appear to run as root; a low-privilege user and a systemd unit would be the
  ## usual next step.
  # cd /opt/jumpserver
  # ./jms start        # ./jms start -d runs it in the background
  ## related port: 8080

正常部署 KoKo 组件(go语言写的ssh客户端)

  ## KoKo: the SSH / web-terminal gateway. Fetched from the GitHub release, owned by root and run
  ## from /opt/koko. The same checksum caveat as for the core tarball applies.
  cd /opt && \
  wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz
  tar -xf koko-v2.1.0-linux-amd64.tar.gz && \
  mv koko-v2.1.0-linux-amd64 koko && \
  chown -R root:root koko && \
  cd koko && \
  cp config_example.yml config.yml 
  ## Edit config.yml: BOOTSTRAP_TOKEN must equal the one in /opt/jumpserver/config.yml (it does
  ## here: tSQ1yPvs0UPeKSaG), and REDIS_* must match /etc/redis.conf.
  vi config.yml
  CORE_HOST: http://127.0.0.1:8080
  BOOTSTRAP_TOKEN: tSQ1yPvs0UPeKSaG
  ## BOOTSTRAP_TOKEN must be taken from jumpserver/config.yml and kept identical to it
  LOG_LEVEL: ERROR
  SHARE_ROOM_TYPE: redis
  REDIS_HOST: 127.0.0.1
  REDIS_PORT: 6379
  REDIS_PASSWORD: 123456
  REDIS_DB_ROOM: 6

  ## Start koko as a daemon. NOTE(review): it runs as the user issuing the command (root, per the
  ## earlier prompts), and with firewalld off both its listeners are reachable from the network.
  ## Only 5000 is fronted by nginx (/koko/); 2222 is presumably the user-facing SSH entry point,
  ## so keep that exposure deliberate and make sure its session logs are collected.
  ./koko  -d

  ## related ports: SSHD_PORT 2222, HTTPD_PORT 5000

正常部署 Guacamole 组件(类似远程桌面协议)

开始安装Guacamole 组件

  ## Add the nux-dextop third-party repo for the multimedia -devel packages guacamole-server needs.
  ## NOTE(review): both the GPG key and the release RPM are fetched over plain http from the same
  ## host, so the signature check that importing the key enables cannot defend against tampering
  ## on that path; fetch the key over https or verify its fingerprint out of band before importing.
  rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
  rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
  yum -y install  ffmpeg-devel  freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel  pulseaudio-libs-devel openssl-devel  libvorbis-devel libwebp-devel

  ## Build guacamole-server 1.2.0 from the tarball bundled in jumpserver's docker-guacamole
  ## repository and install the bundled ssh-forward helper.
  ## NOTE(review): `tar -xf ssh-forward.tar.gz -C /bin/` writes whatever the archive contains
  ## into /bin without listing it first (`tar -tf`) or checking its integrity; the same applies to
  ## the guacamole-server source that is then built and `make install`ed as root. The lines that
  ## end without `&& \` (after the wget, the chmod and the cd) mean a failure there does not stop
  ## the following steps.
  cd /opt && \
  wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/v2.1.0.tar.gz
  tar -xf guacamole.tar.gz && \
  mv docker-guacamole-2.1.0 guacamole && \
  cd /opt/guacamole && \
  tar -xf guacamole-server-1.2.0.tar.gz && \
  tar -xf ssh-forward.tar.gz -C /bin/ && \
  chmod +x /bin/ssh-forward
  cd /opt/guacamole/guacamole-server-1.2.0
  ./configure --with-init-dir=/etc/init.d && \
  make && \
  make install

安装java

  ## Java 8 runtime for tomcat and the guacamole web app.
  yum install -y java-1.8.0-openjdk

创建相关目录

  ## GUACAMOLE_HOME layout: extensions/, session recordings and the shared-drive root.
  ## record/ and drive/ are handed to daemon:daemon — presumably the account guacd runs as;
  ## confirm against the installed guacd init script.
  mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && \
  chown daemon:daemon /config/guacamole/record /config/guacamole/drive && \
  cd /config

安装tomcat9

  ## Tomcat 9 under /config/tomcat9, serving the guacamole web app as ROOT on port 8081 (nginx
  ## proxies /guacamole/ to it). The stock webapps (manager, examples, docs) are deleted first,
  ## which is the right hardening step. The war/jar names come from the docker-guacamole 2.1.0
  ## archive unpacked earlier.
  ## NOTE(review): the tomcat archive is fetched over plain http with no checksum check; verify
  ## it against the checksum or signature published with the release before unpacking.
  wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
  tar -xf apache-tomcat-9.0.36.tar.gz && \
  mv apache-tomcat-9.0.36 tomcat9 && \
  rm -rf /config/tomcat9/webapps/* && \
  sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
  echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
  ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war && \
  ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
  ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

设置 Guacamole 环境

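  ## Environment for guacd and the guacamole-auth-jumpserver extension. Each KEY=VALUE is
  ## exported into this shell (tomcat, started from the same shell below, inherits it) and
  ## appended to ~/.bashrc so later interactive root shells carry it too. Listing each value
  ## once avoids the copy/paste drift that a separate export + echo pair per variable invites.
  ##   JUMPSERVER_SERVER       core URL (loopback, the same one koko uses)
  ##   BOOTSTRAP_TOKEN         must equal BOOTSTRAP_TOKEN in /opt/jumpserver/config.yml; the
  ##                           article's original value here (zxffNymGjP79j6BN) did not match the
  ##                           core/koko value the article itself requires, so it is corrected
  ##   JUMPSERVER_KEY_DIR      directory where keys are stored after successful registration
  ##   GUACAMOLE_HOME          directory holding guacamole.properties and extensions/
  ##   GUACAMOLE_LOG_LEVEL     log verbosity
  ##   JUMPSERVER_ENABLE_DRIVE mount the shared drive for RDP sessions
  ## NOTE(review): BOOTSTRAP_TOKEN is a registration secret — ~/.bashrc must stay readable only
  ## by root, and the value should be unique per deployment rather than the article's sample.
  guac_env=(
    JUMPSERVER_SERVER=http://127.0.0.1:8080
    BOOTSTRAP_TOKEN=tSQ1yPvs0UPeKSaG
    JUMPSERVER_KEY_DIR=/config/guacamole/keys
    GUACAMOLE_HOME=/config/guacamole
    GUACAMOLE_LOG_LEVEL=ERROR
    JUMPSERVER_ENABLE_DRIVE=true
  )
  for kv in "${guac_env[@]}"; do
    export "$kv"
    printf 'export %s\n' "$kv" >> ~/.bashrc
  done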

Guacamole环境变量说明

  JUMPSERVER_SERVER 指 core 访问地址
  BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值
  JUMPSERVER_KEY_DIR 认证成功后 key 存放目录
  GUACAMOLE_HOME 为 guacamole.properties 配置文件所在目录
  GUACAMOLE_LOG_LEVEL 为生成日志的等级
  JUMPSERVER_ENABLE_DRIVE 为 rdp 协议挂载共享盘

启动 Guacamole

  ## Start guacd (init script installed by --with-init-dir) and tomcat.
  ## NOTE(review): tomcat is launched straight from this shell, so it inherits the exported
  ## variables above and runs as the invoking user (root here); nothing on this page enables
  ## either service at boot, so both must be restarted by hand after a reboot.
  /etc/init.d/guacd start
  sh /config/tomcat9/bin/startup.sh

下载 Lina 组件

  ## Lina: the web UI, served by nginx as static files from /opt/lina (alias for /ui/).
  ## NOTE(review): nginx only needs read access; making the tree owned by the nginx user lets a
  ## compromised worker rewrite the UI, so root:root with world-readable permissions is the
  ## tighter choice. The commands are not chained with &&, so check each one.
  cd /opt
  wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz
  tar -xf lina-v2.1.0.tar.gz
  mv lina-v2.1.0 lina
  chown -R nginx:nginx lina

下载 luna组件

  ## Luna: the web terminal front end, served by nginx as static files from /opt/luna (/luna/).
  ## Same ownership caveat as for lina: read-only access is all nginx needs.
  cd /opt
  wget https://github.com/jumpserver/luna/releases/download/v2.1.0/luna-v2.1.0.tar.gz
  tar -xf luna-v2.1.0.tar.gz
  mv luna-v2.1.0 luna
  chown -R nginx:nginx luna

配置 Nginx 整合各组件

  ## Prepare nginx: empty the stock default.conf, remove the default server{} block from
  ## /etc/nginx/nginx.conf (the command below uses a relative path, so run it from /etc/nginx or
  ## give the full path), then create the jumpserver site file with the contents that follow.
  echo > /etc/nginx/conf.d/default.conf
  vi   nginx.conf # delete the default server block inside it
  vi /etc/nginx/conf.d/jumpserver.conf

  ## /etc/nginx/conf.d/jumpserver.conf — single entry point for the single-host layout: lina and
  ## luna are served as static files, core's static/ and media/ directories straight from disk,
  ## and API, websocket, koko and guacamole traffic is proxied to their loopback ports.
  ## NOTE(review): only plain HTTP on port 80 is configured; nothing in this file terminates TLS,
  ## so logins and terminal sessions cross the network in the clear until a `listen 443 ssl`
  ## server with certificates is added and port 80 redirects to it.
  server {
      listen 80;

      client_max_body_size 100m;  # size limit for recordings and file uploads

      location /ui/ {
          try_files $uri / /index.html;
          alias /opt/lina/;
      }

      location /luna/ {
          try_files $uri / /index.html;
          alias /opt/luna/;  # luna path; change this if the install directory changes
      }

      # Session recordings are served directly from disk here; nothing in this block
      # authenticates the request, so access to /media/ relies on controls outside nginx —
      # confirm that before exposing the host.
      location /media/ {
          add_header Content-Encoding gzip;
          root /opt/jumpserver/data/;  # recordings location; change this if the install directory changes
      }

      location /static/ {
          root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
      }

      # koko web terminal (HTTPD_PORT 5000); the Upgrade/Connection headers carry websockets.
      # NOTE(review): access_log off removes the proxy-side record of terminal sessions;
      # keep it on (or send it to a separate log) if nginx logs feed monitoring.
      location /koko/ {
          proxy_pass       http://localhost:5000;
          proxy_buffering off;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          access_log off;
      }

      # guacamole web app on tomcat (8081); the trailing slash on proxy_pass replaces the
      # /guacamole/ prefix. Same access_log caveat as /koko/.
      location /guacamole/ {
          proxy_pass       http://localhost:8081/;
          proxy_buffering off;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          access_log off;
      }

      # core websocket endpoint (WS_LISTEN_PORT 8070).
      location /ws/ {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://localhost:8070;
          proxy_http_version 1.1;
          proxy_buffering off;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }

      # core API and web views (HTTP_LISTEN_PORT 8080). Core only sees the client address via
      # X-Real-IP / X-Forwarded-For, so it should trust those headers from this proxy alone.
      location /api/ {
          proxy_pass http://localhost:8080;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }

      location /core/ {
          proxy_pass http://localhost:8080;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }

      # everything else is routed to the lina single-page app
      location / {
          rewrite ^/(.*)$ /ui/$1 last;
      }
  }

  ## Validate the configuration, then reload. Chaining them as `nginx -t && nginx -s reload`
  ## makes the dependency explicit instead of relying on the reader to check the test output.
  nginx -t
  nginx -s reload

登录

http://192.168.4.246
默认用户/密码 admin/admin


笔记阁 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:实测JumpServer2.1堡垒机单机部署