**
CentOS 7 下部署jumpserver 堡垒机
**
之前找了很多文章不是安装好的版本过老就是无法完成安装经过一番研究最终成功安装
以下命令均在一个终端里面执行
第一步设置防火墙参数
$ echo -e "\033[31m 1. 防火墙 Selinux 设置 \033[0m" \
&& if [ "$(systemctl status firewalld | grep running)" != "" ]; then firewall-cmd --zone=public --add-port=80/tcp --permanent; firewall-cmd --zone=public --add-port=2222/tcp --permanent; firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept"; firewall-cmd --reload; fi \
&& if [ "$(getenforce)" != "Disabled" ]; then setsebool -P httpd_can_network_connect 1; fi
# 第二部环境部署
$ echo -e "\033[31m 2. 部署环境 \033[0m" \
&& yum update -y \
&& ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& yum -y install kde-l10n-Chinese \
&& yum -y reinstall glibc-common \
&& localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
&& export LC_ALL=zh_CN.UTF-8 \
&& echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf \
&& yum -y install wget gcc epel-release git \
&& yum install -y yum-utils device-mapper-persistent-data lvm2 \
&& yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
&& yum makecache fast \
&& rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg \
&& echo -e "[nginx-stable]\nname=nginx stable repo\nbaseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://nginx.org/keys/nginx_signing.key" > /etc/yum.repos.d/nginx.repo \
&& rpm --import https://nginx.org/keys/nginx_signing.key \
&& yum -y install redis mariadb mariadb-devel mariadb-server nginx docker-ce \
&& systemctl enable redis mariadb nginx docker \
&& systemctl start redis mariadb \
&& yum -y install python36 python36-devel \
&& python3.6 -m venv /opt/py3
第三部下载组建安装
这里注意了 第三行下载软件包是从GIT下载的很多时候会很慢可以直接在git下载ZIP包然后自行解压修改文件夹名称来操作,我在这里尝试下载了十几次都没能下载完成最后下载ZIP搞定
$ echo -e "\033[31m 3. 下载组件 \033[0m" \
&& cd /opt \
&& if [ ! -d "/opt/jumpserver" ]; then git clone https://github.com/jumpserver/jumpserver.git; fi \
&& if [ ! -f "/opt/luna.tar.gz" ]; then wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz; tar xf luna.tar.gz; chown -R root:root luna; fi \
&& yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt) \
&& source /opt/py3/bin/activate \
&& pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/ \
&& pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/ \
&& curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io \
&& systemctl restart docker \
&& docker pull jumpserver/jms_coco:1.4.8 \
&& docker pull jumpserver/jms_guacamole:1.4.8 \
&& rm -rf /etc/nginx/conf.d/default.conf
第四部nginx配置代理转发
主要是方便从80端口进行访问
$ echo -e "\033[31m 4. 配置nginx \033[0m" \
&& cat << EOF > /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
client_max_body_size 100m; # 录像及文件上传大小限制
location /luna/ {
try_files \$uri / /index.html;
alias /opt/luna/;
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/;
}
location /static/ {
root /opt/jumpserver/data/;
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$http_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
}
EOF
第五步处理配置文件
$ echo -e "\033[31m 5. 处理配置文件 \033[0m" \
&& if [ "$DB_PASSWORD" = "" ]; then DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`; fi \
&& if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; fi \
&& if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; fi \
&& if [ "$Server_IP" = "" ]; then Server_IP=`ip addr | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`; fi \
&& if [ ! -d "/var/lib/mysql/jumpserver" ]; then mysql -uroot -e "create database jumpserver default charset 'utf8';grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';flush privileges;"; fi \
&& if [ ! -f "/opt/jumpserver/config.yml" ]; then cp /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml; sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml; sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml; sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml; sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml; sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml; sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml; fi
第六步启动Jumpserver
首次启动会显示相关数据库信息 记得保存好
$ echo -e "\033[31m 6. 启动 Jumpserver \033[0m" \
&& systemctl start nginx \
&& cd /opt/jumpserver \
&& ./jms start all -d \
&& docker run --name jms_coco -d -p 2222:2222 -p 5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_coco:1.4.8 \
&& docker run --name jms_guacamole -d -p 8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN jumpserver/jms_guacamole:1.4.8 \
&& echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m" \
&& echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m" \
&& echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m" \
&& echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
&& echo -e "\033[31m 请打开浏览器访问 http://$Server_IP 用户名:admin 密码:admin \033[0m"
到此安装完毕
如果使用人数较多需要使用多组件负载附相关配置文件可以根据实际使用情况进行配置调整以提高使用体验
实测下来不采用多组间负载的情况下20人同时使用还是可以正常的 超过30人以上建议增加一个负载节点
coco 服务默认运行在单核心下面, 当负载过高时会导致用户访问变慢, 这时可运行多个 docker 容器缓解
$ docker run --name jms_coco01 -d -p 2223:2222 -p 5001:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_coco:1.4.8
$ docker run --name jms_coco02 -d -p 2224:2222 -p 5002:5000 -e CORE_HOST=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_coco:1.4.8
...
#guacamole 与COCO服务一样根据实际情况进行节点增加
$ docker run --name jms_guacamole01 -d -p 8082:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.4.8
$ docker run --name jms_guacamole02 -d -p 8083:8081 -e JUMPSERVER_SERVER=http://<Jumpserver_url> -e BOOTSTRAP_TOKEN=****** jumpserver/jms_guacamole:1.4.8
...
nginx 代理设置
$ vi /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
# 加入 tcp 代理
stream {
log_format proxy '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/tcp-access.log proxy;
open_log_file_cache off;
upstream cocossh {
server localhost:2222 weight=1;
server localhost:2223 weight=1; # 多节点
server localhost:2224 weight=1; # 多节点
# 这里是 coco ssh 的后端ip
hash $remote_addr;
}
server {
listen 2220; # 不能使用已经使用的端口, 自行修改, 用户ssh登录时的端口
proxy_pass cocossh;
proxy_connect_timeout 10s;
proxy_timeout 24h; #代理超时
}
}
# 到此结束
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
# tcp_nopush on;
keepalive_timeout 65;
# 关闭版本显示
server_tokens off;
include /etc/nginx/conf.d/*.conf;
}
$ firewall-cmd --zone=public --add-port=2220/tcp --permanent
$ firewall-cmd --reload
$ vi /etc/nginx/conf.d/jumpserver.conf
upstream jumpserver {
server localhost:80;
# 这里是 jumpserver 的后端ip
}
upstream cocows {
server localhost:5000 weight=1;
server localhost:5001 weight=1; # 多节点
server localhost:5002 weight=1; # 多节点
# 这里是 coco ws 的后端ip
ip_hash;
}
upstream guacamole {
server localhost:8081 weight=1;
server localhost:8082 weight=1; # 多节点
server localhost:8083 weight=1; # 多节点
# 这里是 guacamole 的后端ip
ip_hash;
}
server {
listen 80;
server_name demo.jumpserver.org; # 自行修改成你的域名
client_max_body_size 100m; # 录像上传大小限制
location / {
proxy_pass http://jumpserver;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/;
}
location /socket.io/ {
proxy_pass http://cocows/socket.io/; # coco
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://cocows/coco/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://guacamole/; # guacamole
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
}
$ nginx -t
$ nginx -s reload