JumpServer bastion host (steps)
Environment:
System: CentOS 7, 2 cores / 4G / 50G
IP: 10.0.0.41
Directory: /opt
Database: mariadb
Proxy: nginx
Ports:
JumpServer's default web port is 8080/tcp and its default WS port is 8070/tcp; both are set in the config file jumpserver/config.yml
Nginx default port is 80/tcp
Redis default port is 6379/tcp
MySQL default port is 3306/tcp
1、systemctl start firewalld
2、setenforce 0
3、firewall-cmd --zone=public --add-port=80/tcp --permanent   (nginx port)
4、firewall-cmd --zone=public --add-port=2222/tcp --permanent   (the SSH login port served by koko. --permanent: the rule survives reboots; without it the rule is lost on restart)
5、firewall-cmd --reload   (reload the rules)
6、sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
Note: step 2 puts SELinux into permissive mode for the running system and step 6 disables it for good from the next boot. Only 80/tcp and 2222/tcp are opened, so 8080, 8070, 3306 and 6379 remain reachable from the host itself only.
7、yum -y install wget gcc epel-release git   (install dependencies)
8、yum -y install redis
9、systemctl enable redis
10、systemctl start redis
11、yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared
12、cd /etc/yum.repos.d/
13、ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo epel.repo.rpmnew mariadb.repo
CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo epel.repo epel-testing.repo
14、cat mariadb.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
15、systemctl enable mariadb
16、systemctl start mariadb
17、cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24
ovsPAjGD6UzZvtLwDbQSMhkS
18、DB_PASSWORD=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)
19、echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
Your database password is …
20、… '$DB_PASSWORD'; flush privileges;"   (the start of this statement is cut off; it creates the database and the user that config.yml below refers to as DB_NAME jumpserver and DB_USER jumpserver on DB_HOST 127.0.0.1, with the password from step 18)
21、yum -y install nginx
22、systemctl enable nginx
23、yum -y install python36 python36-devel
24、cd /opt/
25、ls
26、python3.6 -m venv py3
27、source /opt/py3/bin/activate
28、(py3) [root@localhost py3]#   ## the prompt now starts with (py3): the environment has changed
29、(py3) [root@c7-41 ~]# cd /opt/
30、(py3) [root@c7-41 opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
31、(py3) [root@c7-41 opt]# tar -zxf jumpserver.v1.5.8.tar.gz
32、(py3) [root@c7-41 opt]# ls
jumpserver jumpserver.v1.5.8.tar.gz py3
33、(py3) [root@c7-41 opt]# yum -y install …
34、(py3) [root@c7-41 opt]# pip install wh…
…
43、(py3) [root@c7-41 jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
44、(py3) [root@c7-41 jumpserver]# BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
45、(py3) [root@c7-41 jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(The two echo … >> ~/.bashrc lines, this one and the SECRET_KEY one before it, only keep the values at hand for the sed commands that follow; config.yml is where JumpServer reads them. Left in root's ~/.bashrc they are exported into the environment of every later root shell, so remove those two lines once steps 46 to 51 have run.)
46、(py3) [root@c7-41 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
47、(py3) [root@c7-41 jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
48、(py3) [root@c7-41 jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
49、(py3) [root@c7-41 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
50、(py3) [root@c7-41 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
51、(py3) [root@c7-41 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
52、(py3) [root@c7-41 jumpserver]# echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
Your SECRET_KEY is siiyvwOZ5kUAhsvQZgpFl1FvGS8WkRiD5EpTNFYPzgHfZzK2vE
53、(py3) [root@c7-41 jumpserver]# echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
Your BOOTSTRAP_TOKEN is ghQMhgs6ML0oAz1Z
54、Make sure the config file is correct:
(py3) [root@c7-41 jumpserver]# cat /opt/jumpserver/config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and never leak it; it can be generated with
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: Ro0i3kEqjXz6qwGDnXByGPujWwgC3gEY2Cai4l3rHdP4OIXWu6

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the old register-then-accept mechanism is no longer used
BOOTSTRAP_TOKEN: 1sjJ3diFo1VecbTp

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on, errors show much more log detail
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, 24 hours by default; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ...
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: proPRiTlR7cH62Ays25KwaoZ
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port to bind at run time
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379

The values in this listing come from a different run than the ones printed in steps 19, 52 and 53. What has to hold is that DB_PASSWORD here is the password the MySQL jumpserver user was created with in step 20, and that BOOTSTRAP_TOKEN here is the one handed to koko and guacamole when they register. HTTP_BIND_HOST: 0.0.0.0 makes 8080 and 8070 listen on every interface; since nginx runs on the same host and step 3 only opened 80/tcp, the firewall rule is all that keeps them off the network, and binding 127.0.0.1 instead removes that dependence.
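The sed commands in steps 46 to 51 match only the bare key (for instance "SECRET_KEY:"), so running them a second time puts a second value in front of the first, and step 54 relies on reading the file by eye. The script below is an added example, not JumpServer's own code and not part of the original post: it makes the same six edits against the config.yml layout shown above but replaces the whole line, so a rerun is harmless, and then checks the result the way step 54 intends (no empty secret, DEBUG off, LOG_LEVEL not DEBUG). The function names, the cut-down sample config (constructed from the listing above) and the rule that DB_PASSWORD is passed in from step 18 rather than regenerated are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent version of steps 46-51 plus an automated step 54.
# Not part of the JumpServer project or the original post; the function names,
# the sample config below and the DB_PASSWORD hand-off are this example's own
# assumptions. Targets the top-level "KEY: value" layout of config.yml shown
# above, where unset keys appear as "KEY:" or as a "# KEY: value" comment.

# Same generator the post uses (tr -dc A-Za-z0-9); alphanumeric output is also
# what keeps the values safe to splice into sed and YAML without quoting.
gen_secret() {                      # $1 = length in characters
    head -c 4096 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Replace the whole "KEY:" line, whether it is empty, commented out or already
# set. The post's "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/" matches only the bare
# key, so a second run yields "SECRET_KEY: new old"; this does not.
# Values must not contain "|", "&" or "\" (sed delimiter/replacement specials).
# cp -p keeps the original file mode on the rewritten copy.
set_key() {                         # $1 = key, $2 = value, $3 = config file
    cp -p "$3" "$3.tmp" && sed "s|^#* *$1:.*|$1: $2|" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Print the value of an active (uncommented) key; empty if unset or commented.
get_key() {                         # $1 = key, $2 = config file
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# Steps 46-51. DB_PASSWORD must be the password the MySQL user was granted in
# step 20, so it is taken from the environment instead of being regenerated.
harden_config() {                   # $1 = config file
    : "${DB_PASSWORD:?set DB_PASSWORD to the password granted to the MySQL user}"
    set_key SECRET_KEY "$(gen_secret 50)" "$1"
    set_key BOOTSTRAP_TOKEN "$(gen_secret 16)" "$1"
    set_key DB_PASSWORD "$DB_PASSWORD" "$1"
    set_key DEBUG false "$1"
    set_key LOG_LEVEL ERROR "$1"
    set_key SESSION_EXPIRE_AT_BROWSER_CLOSE true "$1"
}

# Step 54, mechanised: returns 0 if every secret is set, DEBUG is off and
# LOG_LEVEL is not DEBUG; otherwise 1, with each problem named on stderr.
check_config() {                    # $1 = config file
    rc=0
    for k in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        if [ -z "$(get_key "$k" "$1")" ]; then
            echo "check_config: $k is empty" >&2; rc=1
        fi
    done
    if [ "$(get_key DEBUG "$1")" != "false" ]; then
        echo "check_config: DEBUG is not false" >&2; rc=1
    fi
    if [ "$(get_key LOG_LEVEL "$1")" = "DEBUG" ]; then
        echo "check_config: LOG_LEVEL is DEBUG" >&2; rc=1
    fi
    return "$rc"
}

# Constructed stand-in for /opt/jumpserver/config.yml as shipped (before step
# 46), cut down to the keys touched above plus a few neighbours.
write_sample_config() {             # $1 = path to write
    cat > "$1" <<'EOF'
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
BOOTSTRAP_TOKEN:

# DEBUG: true
# LOG_LEVEL: DEBUG
# LOG_DIR:
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false

DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
EOF
}

# On the real host, after step 45 and with DB_PASSWORD still set from step 18:
#   harden_config /opt/jumpserver/config.yml && check_config /opt/jumpserver/config.yml
```

check_config is worth keeping around as a pre-start gate for the service unit: it costs nothing and catches the case where a sed step silently matched nothing (a changed template, a key already filled in) and the application would start with an empty SECRET_KEY or in DEBUG mode.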