一、基础说明
1. 组件说明
- Jumpserver
Jumpserver为管理后台, 管理员可以通过Web页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作
- koko
koko为SSH Server和Web Terminal Server。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
- Luna
Luna为Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件
- Guacamole
Guacamole为RDP协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)
2. 端口说明
- Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
- koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp, 配置文件在 koko/config.yml
- Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
- Nginx 默认端口为 80/tcp
- Mysql 默认端口为 3306/tcp
二、一站式安装
1. 环境
- 系统 CentOS 7
- IP 192.168.10.89
- 目录 /opt
- 数据库 mysql5.6
- 代理 nginx
2. 安装MySQL5.6
2.1 脚本安装
[root@redis-cluser-02 tmp]# wget https://raw.githubusercontent.com/xiangys0134/deploy/master/software_install/mysql/mysql-xunce-5.6.sh && bash mysql-xunce-5.6.sh db
[root@redis-cluser-02 tmp]# systemctl start mysqld
2.2 创建数据库Jumpserver
[root@redis-cluser-02 ~]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
[root@redis-cluser-02 ~]# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
你的数据库密码是 8pFInV4Mbb5x17riZu8B3fEO
[root@redis-cluser-02 ~]# mysql -uroot -p123456
mysql> create database jumpserver default charset 'utf8';
mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '8pFInV4Mbb5x17riZu8B3fEO';
mysql> flush privileges;
3. 安装redis
[root@redis-cluser-02 tmp]# wget https://raw.githubusercontent.com/xiangys0134/deploy/master/software_install/redis/redis_install.sh && bash redis_install.sh redis
[root@localhost tmp]# yum -y install redis
[root@localhost tmp]# systemctl start redis
[root@localhost tmp]# systemctl enable redis
[root@localhost tmp]# redis-cli info //测试
4. 安装nginx
[root@redis-cluser-02 tmp]# wget https://raw.githubusercontent.com/xiangys0134/deploy/master/software_install/nginx/nginx_rpm-1.14.sh && bash nginx_rpm-1.14.sh web
[root@redis-cluser-02 tmp]# systemctl start nginx
5. 安装python3.6
[root@redis-cluser-02 tmp]# yum -y install python36 python36-devel
6.Jumpserver下载
[root@redis-cluser-02 tmp]# cd /opt
[root@redis-cluser-02 opt]# python3.6 -m venv py3 # py3 为虚拟环境名称, 可自定义
[root@redis-cluser-02 opt]# source /opt/py3/bin/activate
(py3) [root@redis-cluser-02 opt]# cd /opt/
(py3) [root@redis-cluser-02 opt]# git clone https://github.com/jumpserver/jumpserver.git
(py3) [root@localhost jumpserver]# git checkout 1.5.2
//安装依赖
(py3) [root@redis-cluser-02 jumpserver]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
7. 安装python依赖
(py3) [root@localhost ~]# yum install gcc krb5-devel
(py3) [root@redis-cluser-02 jumpserver]# pip install --upgrade pip setuptools
(py3) [root@redis-cluser-02 jumpserver]# pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r /opt/jumpserver/requirements/requirements.txt
8. 配置Jumpserver
(py3) [root@redis-cluser-02 opt]# cd /opt/jumpserver/
(py3) [root@redis-cluser-02 jumpserver]# cp config_example.yml config.yml
//生成随机码
(py3) [root@redis-cluser-02 jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@redis-cluser-02 jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@redis-cluser-02 jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@redis-cluser-02 jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
(py3) [root@redis-cluser-02 jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 zdhN3poFjAGuMNlFWfWD9Y5r91diQdAfUD8FF8kVqepRt6NbYO
//检查配置
(py3) [root@redis-cluser-02 jumpserver]# egrep -v "#|^$" config.yml
SECRET_KEY: zdhN3poFjAGuMNlFWfWD9Y5r91diQdAfUD8FF8kVqepRt6NbYO
BOOTSTRAP_TOKEN: AfSWYxI9gK2dm5UT
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 8pFInV4Mbb5x17riZu8B3fEO
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6380
REDIS_PASSWORD: intel.com
9. 安装docker
9.1安装参考文档
https://github.com/xiangys0134/deploy/blob/master/software_install/docker/docker_install.sh
9.2 启动容器
(py3) [root@redis-cluser-02 jumpserver]# Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
(py3) [root@redis-cluser-02 jumpserver]# echo $Server_IP
192.168.10.89
(py3) [root@localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_koko:1.5.2
(py3) [root@localhost jumpserver]# docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.5.2
9.3 安装Web Terminal
(py3) [root@redis-cluser-02 opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
//网络问题可使用以下链接下载
(py3) [root@redis-cluser-02 opt]# wget https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz
(py3) [root@redis-cluser-02 opt]# tar xf luna.tar.gz
(py3) [root@redis-cluser-02 opt]# chown -R root:root luna
10. 配置Nginx
[root@redis-cluser-02 opt]# rm -rf /etc/nginx/conf.d/default.conf
[root@redis-cluser-02 opt]# vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@redis-cluser-02 opt]# systemctl restart nginx
11. 启动进程
[root@redis-cluser-02 opt]# source /opt/py3/bin/activate
(py3) [root@redis-cluser-02 opt]# cd /opt/jumpserver/
(py3) [root@redis-cluser-02 jumpserver]# ./jms start -d
12. 安装ssh server和win server
(py3) [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/coco.git
(py3) [root@localhost opt]# cd /opt/coco/requirements/
(py3) [root@localhost requirements]# pip install -r requirements.txt
(py3) [root@localhost jumpserver]# cd /opt/coco
(py3) [root@localhost coco]# cp config_example.yml config.yml
(py3) [root@localhost jumpserver]# source ~/.bashrc
(py3) [root@localhost coco]# sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
(py3) [root@localhost coco]# sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
(py3) [root@localhost coco]# egrep -v "#|^$" config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: CwTwNcknCEIKq2WP
LOG_LEVEL: ERROR
三、登录测试
1.后台登录
http://192.168.10.48
2. 邮件设置
jumpserver可以通过邮件发送激活或修改密码
系统设置
3. 用户管理
用户管理主要功能为用户登录浏览器用户权限
4.管理用户
系统用户一般和管理用户进行一对一匹配
5. 系统用户
系统用户需要配置好远程的密码
6.资产管理
7.通过xshell连接至堡垒机
[C:\~]$ ssh 192.168.10.48 2222
8. web终端连接
windows认证
留言