Installing the JumpServer bastion host on CentOS 7

Jumpserver

JumpServer is a widely used open-source bastion host (jump server) built on Python and Django. It is easy to get started with; the installation requires a working Python 3 environment.

Running Python 2 and Python 3 side by side on CentOS 7

Installing JumpServer

Clone the project

cd /opt

git clone --depth=1 https://github.com/jumpserver/jumpserver.git

Install RPM packages

cd /opt/jumpserver/requirements

yum -y install `cat rpm_requirements.txt`

Install the Python dependencies

Tip: the yum package below is Python 2's pip; the dependencies themselves are installed with pip3 from the Python 3 environment set up in the post linked above.

Install pip

# Install the EPEL repository
yum -y install epel-release

# Install pip
yum -y install python-pip

# Clear the yum cache
yum clean all

Install the dependencies

pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

Install Redis

Redis is used as the cache and as the Celery broker.

yum -y install redis

systemctl enable redis

systemctl start redis

Configure the database

MySQL is used here; installing it is straightforward and not covered. Create the jumpserver database and its user. Bind the account to 127.0.0.1 (the app connects locally, DB_HOST: 127.0.0.1 in the config below) and grant it rights on its own schema only; a global ALL PRIVILEGES ON *.* ... WITH GRANT OPTION for 'jumpserver'@'%' would turn a compromised bastion into a full MySQL administrator:

create database jumpserver character set utf8;

-- the app connects locally (DB_HOST: 127.0.0.1 in config.yml), so bind the
-- account to 127.0.0.1 rather than '%' and grant it its own schema only;
-- replace 'pwd' with a strong password and use the same value for DB_PASSWORD
create user 'jumpserver'@'127.0.0.1' identified by 'pwd';

grant all privileges on jumpserver.* to 'jumpserver'@'127.0.0.1';
flush privileges;

exit;

Edit the JumpServer configuration file

cd /opt/jumpserver

cp config_example.yml config.yml

# Generate a random SECRET_KEY
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`

# persisted in ~/.bashrc so the value survives a new shell; remove it from
# there once config.yml and coco are configured
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc

# Generate a random BOOTSTRAP_TOKEN (coco needs the same value later)
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`

echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

# DB_PASSWORD is not exported by the steps above, so set it first; otherwise
# sed writes an empty value and the app cannot reach MySQL. Use the password
# from the CREATE USER statement (avoid / and & in it, or escape them, since
# sed uses / as its delimiter).
DB_PASSWORD='pwd'

sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml

sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml

sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml

sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml

sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml

sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

View the SECRET_KEY and BOOTSTRAP_TOKEN

cat ~/.bashrc

or

echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"

Check the result by hand with vim /opt/jumpserver/config.yml. The listing below shows the template; after the sed commands SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD must no longer be blank. The file now holds the signing key, the pre-shared token and the database password, so it should be readable only by the account that runs JumpServer.

# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production set it to a random string and never disclose it; it can be generated with
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the old register-then-accept mechanism is no longer used
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: when enabled, errors show much more detail, including stack traces; leave it off in production
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on browser close
# Browser session lifetime, 24 hours by default; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime; nginx below proxies to localhost:8080, so 127.0.0.1 is sufficient when nginx runs on this host
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
#
# Use Radius authorization
# RADIUS authentication settings
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:


# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
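As an added example (not part of the original post or of the JumpServer project), the following POSIX shell check reads a config.yml and fails when any of the secrets the sed commands above were supposed to fill in is still blank, when SECRET_KEY is shorter than the 50 characters generated above, or when DEBUG is not false, and it warns when HTTP_BIND_HOST is 0.0.0.0 even though nginx proxies to localhost. The function names (yaml_get, check_jms_config, write_samples) and the two sample configs are mine and constructed for the demonstration; the key names are the ones from the listing above, and the check reads only top-level `KEY: value` lines, which is all this file uses.

```shell
# Added example: pre-flight check for /opt/jumpserver/config.yml.
# Not part of the original post or of the JumpServer project. It catches
# what the sed commands above can silently leave behind: an empty value
# (DB_PASSWORD, when the shell variable was never set and sed substituted
# ""), a short SECRET_KEY, DEBUG not set to false, and the app bound to
# every interface although nginx proxies to localhost.

# yaml_get FILE KEY: print the value of the first uncommented top-level
# "KEY: value" line in FILE, with surrounding whitespace removed.
yaml_get() {
    sed -n "s/^$2:[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_jms_config FILE: return 0 when the file passes, 1 otherwise,
# with one FAIL/WARN line per finding on stderr.
check_jms_config() {
    file=$1
    status=0
    # SECRET_KEY signs sessions and encrypts stored secrets, BOOTSTRAP_TOKEN
    # lets coco/guacamole register, DB_PASSWORD is the MySQL credential:
    # none of them may be empty.
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        if [ -z "$(yaml_get "$file" "$key")" ]; then
            echo "FAIL: $key is empty in $file" >&2
            status=1
        fi
    done
    # the generator above produces 50 characters; anything shorter was typed by hand
    sk=$(yaml_get "$file" SECRET_KEY)
    if [ -n "$sk" ] && [ "${#sk}" -lt 50 ]; then
        echo "FAIL: SECRET_KEY is only ${#sk} characters long" >&2
        status=1
    fi
    if [ "$(yaml_get "$file" DEBUG)" != "false" ]; then
        echo "FAIL: DEBUG must be set to false on a production bastion" >&2
        status=1
    fi
    if [ "$(yaml_get "$file" HTTP_BIND_HOST)" = "0.0.0.0" ]; then
        echo "WARN: HTTP_BIND_HOST is 0.0.0.0; 127.0.0.1 is enough when nginx runs on this host" >&2
    fi
    return $status
}

# write_samples DIR: write two constructed sample configs (assumed content,
# trimmed to the keys this check reads) into DIR: good.yml as the sed
# commands leave the file when every variable was set, and bad.yml as they
# leave it when DB_PASSWORD was never exported and DEBUG was not touched.
write_samples() {
    cat > "$1/good.yml" <<'EOF'
SECRET_KEY: 8Ew2vQpLz0n4kYtB7cRxJmF1dHgS9aUoTiWqK3bNzV6yXeC5rPlM0G
BOOTSTRAP_TOKEN: a1B2c3D4e5F6g7H8
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PASSWORD: pwd
HTTP_BIND_HOST: 127.0.0.1
EOF
    cat > "$1/bad.yml" <<'EOF'
# SECRET_KEY was filled in, DB_PASSWORD was not, DEBUG is still commented out
SECRET_KEY: 8Ew2vQpLz0n4kYtB7cRxJmF1dHgS9aUoTiWqK3bNzV6yXeC5rPlM0G
BOOTSTRAP_TOKEN: a1B2c3D4e5F6g7H8
# DEBUG: true
DB_PASSWORD:
HTTP_BIND_HOST: 0.0.0.0
EOF
}
```

On the host, run `check_jms_config /opt/jumpserver/config.yml` after the sed step and again after every manual edit; pair it with `chmod 600 /opt/jumpserver/config.yml`, since the file holds the signing key, the pre-shared token and the database password.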

Run JumpServer

cd /opt/jumpserver

# Run in the background
./jms start all -d

# Other commands
./jms start|stop|status all

Install the SSH server and WebSocket server: Coco

Clone the project

cd /opt
git clone --depth=1 https://github.com/jumpserver/coco.git

Install the dependencies

cd /opt/coco/requirements

yum -y install $(cat rpm_requirements.txt)

pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

Edit the configuration

cd /opt/coco/

cp config_example.yml config.yml

# $BOOTSTRAP_TOKEN must hold the same value that was written into
# /opt/jumpserver/config.yml; in a new shell run `source ~/.bashrc` first
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml

sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml

vim /opt/coco/config.yml

Start coco

cd /opt/coco

# Start in the background
./cocod start -d

# More commands
./cocod start|stop|status

Install the web terminal front end: Luna

Download and extract the release directly

cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.10/luna.tar.gz

# If network problems prevent the download, use this mirror instead
wget https://demo.jumpserver.org/download/luna/1.4.10/luna.tar.gz

tar -zxvf luna.tar.gz
chown -R root:root luna

nginx configuration

Install nginx

yum install yum-utils

# Add the nginx yum repository
vim /etc/yum.repos.d/nginx.repo

Contents:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

Install:

yum makecache fast

yum install -y nginx

# Set the stock default site aside (it lives in /etc/nginx/conf.d/)
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_20190520.bak

# Add the JumpServer site
vim /etc/nginx/conf.d/jumpserver.conf

Contents as follows (this serves plain HTTP on port 80; for a real deployment terminate TLS in nginx, because admin logins and terminal sessions travel through this listener):

server {
    listen 80;  # proxy port; from now on the site is reached here, not on 8080
    # server_name demo.jumpserver.org;  # set to your domain or leave commented out

    client_max_body_size 100m;  # size limit for session recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change it if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change it if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # if coco runs on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;  # if coco runs on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # if guacamole runs on another server, use its IP
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver runs on another server, use its IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Start nginx

systemctl enable nginx

systemctl start nginx

Access JumpServer

Once nginx is running, open http://<ip>:<nginx port> in a browser. The default credentials are admin/admin; change the admin password at first login, before the host is reachable from the network it is meant to protect.

Test the connection

If the client is macOS or Linux, log in with:

$ ssh -p2222 admin@192.168.244.144
$ sftp -P2222 admin@192.168.244.144
Password: admin

If the client is Windows, the Xshell terminal syntax is:

$ ssh admin@192.168.244.144 2222
$ sftp admin@192.168.244.144 2222
Password: admin

If you can log in, the deployment succeeded.
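As a final check, here is an added example (not from the post or the JumpServer project): a shell audit of what the finished host listens on. Only nginx (80) and coco's SSH gateway (2222, the port used in the test above) need to face the network; 8080 and 5000 are reached through the proxy_pass rules in the nginx config, and Redis (6379) and MySQL (3306) are configured with 127.0.0.1 in config.yml. The `ss -lntp` listing embedded below is constructed for the demonstration with assumed process names and PIDs, and the function names (audit_listeners, sample_ss_output) are mine; the awk filter follows the column layout ss prints.

```shell
# Added example: audit which services the finished bastion host exposes.
# Not part of the original post or of the JumpServer project. Run it on
# the host as:   ss -lntp | audit_listeners
# Ports that must stay loopback-only: the Django app (8080) and coco's web
# socket (5000) are reached through nginx, and Redis (6379) / MySQL (3306)
# are configured with 127.0.0.1 in config.yml.
INTERNAL_PORTS="8080 5000 6379 3306"

# audit_listeners: read `ss -lntp` output on stdin, print one
# "EXPOSED <addr:port> <process>" line for every internal port bound to a
# non-loopback address, and return 1 if there was at least one.
audit_listeners() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) internal[p[i]] = 1 }
        $1 != "LISTEN" { next }                   # header and non-listening rows
        {
            addr = $4                             # e.g. 0.0.0.0:8080 or [::]:8080
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)
            if (!(port in internal)) next
            if (host == "127.0.0.1" || host == "[::1]") next
            proc = "unknown"                      # with -p, ss prints users:(("name",pid=..,fd=..))
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print "EXPOSED " addr " " proc
            found++
        }
        END { if (found > 0) exit 1 }'
}

# sample_ss_output: constructed `ss -lntp` listing for the host built in this
# post (process names and PIDs are assumed), not captured from a real system.
# 8080 and 5000 are bound to 0.0.0.0, as they are with HTTP_BIND_HOST: 0.0.0.0.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     0.0.0.0:2222        0.0.0.0:*          users:(("cocod",pid=1305,fd=8))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("gunicorn",pid=1100,fd=5))
LISTEN  0       128     0.0.0.0:5000        0.0.0.0:*          users:(("cocod",pid=1305,fd=9))
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*          users:(("redis-server",pid=900,fd=6))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=950,fd=21))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))
EOF
}
```

On the sample listing the audit reports 0.0.0.0:8080 (gunicorn) and 0.0.0.0:5000 (cocod) and exits 1; once HTTP_BIND_HOST is set to 127.0.0.1 and coco is bound the same way, it reports nothing and exits 0. Anything it flags is reachable without passing through nginx, so it bypasses whatever TLS and access logging you put there.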

That's all.

Official documentation

Official installation guide
