jumpserver堡垒机部署
@环境
#系统:CentOS 7
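# Host preparation (run as root on CentOS 7).
# The original stops and disables firewalld outright and disables SELinux. On a
# bastion host -- the one machine whose whole job is to be the only thing
# reachable -- the host firewall stays on and is opened selectively; the
# backend ports (8080 core, 8081 tomcat, 5000 coco, 3306, 6379) are only ever
# reached by nginx/coco/guacamole over localhost on this page, so they stay
# closed. Add the SSH port coco listens on (see /data/coco/config.yml) if users
# will reach the bastion over SSH, and 443 once TLS is configured on nginx.
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# SELinux: the upstream guide disables it. Permissive mode keeps the policy
# logging denials (audit log / journal) without blocking anything, so the
# exceptions can be reviewed and enforcing restored later instead of SELinux
# being left off permanently.
setenforce 0
sed -i "s/^SELINUX=enforcing/SELINUX=permissive/" /etc/selinux/config

# Package mirror. Fetch the repo definition over HTTPS so the file that tells
# yum where to get packages cannot be altered in transit (confirm the fetched
# file keeps gpgcheck=1 so the packages themselves are still signature-checked).
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache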
@准备Python3和python虚拟环境
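# Python 3.6 and a dedicated virtualenv shared by jumpserver and coco.
yum -y install wget gcc epel-release git
yum -y install python36 python36-devel

# The venv lives at /data/py3. The original created it relative to the current
# directory after a `cd /data` that was written as a `#`-prompt line (a shell
# comment when pasted), so use absolute paths and make sure /data exists.
mkdir -p /data
python3.6 -m venv /data/py3
# shellcheck disable=SC1091
source /data/py3/bin/activate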
@安装jumpserver
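# Fetch JumpServer and install its system and Python dependencies.
# Supply-chain note: `--depth=1` of the default branch deploys whatever the
# branch head holds at clone time. For a production bastion check out a
# released tag instead (`git clone --depth=1 -b <release-tag> ...`) so the
# running code is a known, reviewable version. The same applies to coco below.
cd /data || exit 1
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# RPM dependencies listed by the project (one package name per line).
cd /data/jumpserver/requirements || exit 1
# shellcheck disable=SC2046
yum -y install $(cat rpm_requirements.txt)

# Python dependencies into the venv activated earlier.
pip install --upgrade pip setuptools
pip install -r requirements.txt

# Redis (cache / session backend). Nothing on this page protects port 6379, so
# confirm /etc/redis.conf keeps `bind 127.0.0.1` (the EPEL default) before
# starting it.
yum -y install redis
systemctl enable redis
systemctl start redis

# MariaDB. The stock package listens on every interface and the root account
# has no password. This page only ever connects over 127.0.0.1, so bind it to
# loopback before the first start (CentOS 7's /etc/my.cnf includes
# /etc/my.cnf.d -- confirm). Running `mysql_secure_installation` afterwards to
# set a root password and drop the anonymous/test accounts is recommended; if
# you do, add `-p` to the `mysql -uroot` command in the next step.
yum -y install mariadb mariadb-devel mariadb-server mariadb-shared
cat > /etc/my.cnf.d/bind-local.cnf <<'EOF'
[mysqld]
bind-address=127.0.0.1
EOF
systemctl enable mariadb
systemctl start mariadb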
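# Create the jumpserver database and a least-privilege account for it.
# In the original the password assignment sat on a `#`-prompt line: pasted into
# a script it is a comment, $DB_PASSWORD stays empty, and the GRANT below
# creates the account with an empty password. Assign it unconditionally and
# abort if it is somehow blank.
DB_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
: "${DB_PASSWORD:?failed to generate DB_PASSWORD}"
# This is printed to the terminal; it will sit in scrollback / any session
# recording of this shell. Copy it somewhere safe and clear the screen.
printf '\033[31m 你的数据库密码是 %s \033[0m\n' "$DB_PASSWORD"

# Feed the SQL over stdin rather than `-e "..."` so the password does not show
# up in the process list. Add `-p` if root already has a password.
# The grant is scoped to jumpserver.* and to 127.0.0.1 only; the generated
# password is alphanumeric, so it is safe inside the quoted literal.
mysql -uroot <<SQL
CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8';
GRANT ALL ON jumpserver.* TO 'jumpserver'@'127.0.0.1' IDENTIFIED BY '$DB_PASSWORD';
FLUSH PRIVILEGES;
SQL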
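# JumpServer configuration: generate the secrets, write them into config.yml
# and lock the file down -- it now holds SECRET_KEY, BOOTSTRAP_TOKEN and the
# database password.
cd /data/jumpserver || exit 1
cp config_example.yml config.yml
chmod 600 config.yml

SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)        # random SECRET_KEY
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)   # random BOOTSTRAP_TOKEN
: "${SECRET_KEY:?}" "${BOOTSTRAP_TOKEN:?}" "${DB_PASSWORD:?DB_PASSWORD not set -- run the database step first}"

# The original appended both secrets to ~/.bashrc on every run. SECRET_KEY is
# read from config.yml and is referenced nowhere else on this page, so it does
# not belong in a login file. BOOTSTRAP_TOKEN is needed again by coco and
# guacamole; keep it available, but guard the append so re-running this step
# does not keep adding copies.
grep -q '^BOOTSTRAP_TOKEN=' ~/.bashrc || echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

# The generated values are alphanumeric, so they are safe to splice into sed.
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /data/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /data/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /data/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /data/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /data/jumpserver/config.yml
# nginx (below) proxies to localhost:8080, and coco and guacamole on this host
# reach the core via http://127.0.0.1:8080, so the app has no reason to listen
# on every interface. Keep 0.0.0.0 only if coco/guacamole run on another host.
sed -i "s/^#* *HTTP_BIND_HOST: 0.0.0.0/HTTP_BIND_HOST: 127.0.0.1/" /data/jumpserver/config.yml

# Printed to the terminal: these land in scrollback / session recordings.
printf '\033[31m 你的SECRET_KEY是 %s \033[0m\n' "$SECRET_KEY"
printf '\033[31m 你的BOOTSTRAP_TOKEN是 %s \033[0m\n' "$BOOTSTRAP_TOKEN"
vi config.yml   # review the result; the expected content is shown below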
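# Filled in by the sed step above; keep this file mode 600.
SECRET_KEY:
# Pre-shared token coco and guacamole use to register their service accounts
# (replaces the old register-then-accept flow). Must be the same value given to
# coco's config.yml and exported for guacamole.
BOOTSTRAP_TOKEN:
# DEBUG mode shows more detail on errors; keep it off outside development.
DEBUG: false
# Log level
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Use MySQL/MariaDB as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
# Runtime bind address and port. nginx proxies to localhost:8080 and the coco
# and guacamole components on this host reach the core over 127.0.0.1, so the
# app does not need to listen on all interfaces. Use 0.0.0.0 only if those
# components run on another machine.
HTTP_BIND_HOST: 127.0.0.1
HTTP_LISTEN_PORT: 8080
# Redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379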
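# Start all JumpServer services in the background. The `cd` was a `#`-prompt
# line in the original (a comment when pasted), so make it explicit. Note that
# everything on this page runs as root; no service account is created.
cd /data/jumpserver || exit 1
./jms start all -d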
@安装 SSH Server 和 WebSocket Server: Coco
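# Fetch coco (SSH / WebSocket terminal server) and install its dependencies.
# Same supply-chain note as for jumpserver: clone a release tag rather than the
# branch head for a production deployment.
cd /data || exit 1
# shellcheck disable=SC1091
source /data/py3/bin/activate
git clone --depth=1 https://github.com/jumpserver/coco.git

cd /data/coco/requirements || exit 1
# shellcheck disable=SC2046
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt

# Configure and run. BOOTSTRAP_TOKEN must be the value generated for
# jumpserver; abort rather than silently writing an empty token if this is a
# fresh shell where it is not set.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN not set -- use the value from /data/jumpserver/config.yml}"
cd /data/coco || exit 1
cp config_example.yml config.yml
chmod 600 config.yml   # holds the shared token
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /data/coco/config.yml
vi config.yml   # review; the expected content is shown below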
# Address of the JumpServer core API (same host, loopback).
CORE_HOST: http://127.0.0.1:8080
# Placeholder replaced by the sed step above with the same BOOTSTRAP_TOKEN that
# is in /data/jumpserver/config.yml.
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
LOG_LEVEL: ERROR
# Start coco in the background (run from /data/coco).
./cocod start -d
@安装 Web Terminal 前端: Luna
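# Unpack luna (the web terminal front end) into /data/luna.
# luna.tar.gz is not downloaded anywhere on this page; it is expected to be a
# release artifact already placed in /data. It becomes static content nginx
# serves to every user of the bastion, so verify it against the checksum
# published with the release before unpacking. Fail clearly if it is absent
# instead of letting tar error out mid-run.
cd /data || exit 1
[ -f luna.tar.gz ] || { echo "luna.tar.gz not found in /data" >&2; exit 1; }
tar xf luna.tar.gz
chown -R root:root luna   # nginx only needs read access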
@安装 Windows 支持组件(如果不需要管理 windows 资产, 可以直接跳过这一步)
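# Dependencies for guacamole (RDP/VNC support). Skip this section entirely if
# no Windows assets will be managed.
# Two supply-chain weak points here: the nux.ro signing key is fetched over
# plain HTTP with no fingerprint check, and the rpmfusion release packages are
# installed with --nogpgcheck because their key is not yet on the system. After
# importing, list the keys with
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}\t%{summary}\n'
# and compare the nux key against the fingerprint the repository publishes
# before trusting packages from it.
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
# The original ran these two URLs together into one token; they are two
# separate packages.
yum -y localinstall --nogpgcheck \
  https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm \
  https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
yum install -y java-1.8.0-openjdk libtool
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript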
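# Build and install guacamole-server from the tarball vendored in the
# jumpserver/docker-guacamole repository. The steps are chained with && so a
# failed configure or make never reaches `make install` (the original ran each
# step unconditionally on its own prompt line). 0.9.14 is an old guacamole
# release; check it against upstream security advisories before exposing it,
# since guacd parses RDP/VNC traffic from the managed hosts.
cd /data || exit 1
git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /data/docker-guacamole/ || exit 1
tar -xf guacamole-server-0.9.14.tar.gz \
  && cd guacamole-server-0.9.14 \
  && autoreconf -fi \
  && ./configure --with-init-dir=/etc/init.d \
  && make && make install \
  || { echo "guacamole-server build failed" >&2; exit 1; }
# Make the freerdp plugins installed under /usr/local visible where the
# system freerdp looks for them.
mkdir -p /usr/lib64/freerdp
ln -sf /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/
cd ..
rm -rf guacamole-server-0.9.14
ldconfig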
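# Tomcat 8 hosting the guacamole web client, fronted by nginx on /guacamole/.
mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions   # guacamole dirs
ln -sf /data/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
ln -sf /data/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties   # guacamole config file

cd /config || exit 1
# The original pulled the tarball from a mirror over plain HTTP and unpacked it
# as root with no integrity check. Fetch the .sha512 that Apache publishes
# alongside each release from apache.org itself (not the mirror) and verify
# before extracting. The archive path follows the standard Apache layout --
# adjust if the release has moved.
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz
wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz.sha512
sha512sum -c apache-tomcat-8.5.40.tar.gz.sha512 || { echo "tomcat tarball checksum mismatch" >&2; exit 1; }
tar xf apache-tomcat-8.5.40.tar.gz
rm -f apache-tomcat-8.5.40.tar.gz apache-tomcat-8.5.40.tar.gz.sha512
mv apache-tomcat-8.5.40 tomcat8
rm -rf /config/tomcat8/webapps/*   # drop the stock manager/examples/docs apps
ln -sf /data/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war   # guacamole client
# Move the connector to 8081 and bind it to loopback: nginx proxies to
# localhost:8081, so nothing off-host should be able to reach Tomcat directly.
sed -i 's/Connector port="8080"/Connector port="8081" address="127.0.0.1"/g' /config/tomcat8/conf/server.xml
sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties   # log level WARNING

# ssh-forward. linux-amd64.tar.gz is not fetched anywhere on this page and is
# extracted straight into /bin as root; confirm where it came from and check
# its hash before running this.
cd /config || exit 1
[ -f linux-amd64.tar.gz ] || { echo "linux-amd64.tar.gz not found in /config" >&2; exit 1; }
tar xf linux-amd64.tar.gz -C /bin/
chmod +x /bin/ssh-forward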
@配置环境变量
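# Environment for the guacamole auth extension (inherited by the Tomcat
# process started from this shell, and restored on login via ~/.bashrc).
# The original warned "do not run this twice" because every run appended
# another copy to ~/.bashrc; the append is guarded instead so the step is
# idempotent. BOOTSTRAP_TOKEN still ends up in ~/.bashrc in clear text: /root
# is normally not world-readable on CentOS 7, but a dedicated mode-600 env file
# sourced by the Tomcat start script would be the tidier home for it.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN not set -- take it from /data/jumpserver/config.yml}"

# append_once LINE -- add LINE to ~/.bashrc unless an identical line exists.
append_once() {
  grep -qxF -- "$1" ~/.bashrc || printf '%s\n' "$1" >> ~/.bashrc
}

export JUMPSERVER_SERVER=http://127.0.0.1:8080   # JumpServer core address
append_once "export JUMPSERVER_SERVER=http://127.0.0.1:8080"
export BOOTSTRAP_TOKEN                            # the BOOTSTRAP_TOKEN from jumpserver/config.yml
append_once "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN"
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
append_once "export JUMPSERVER_KEY_DIR=/config/guacamole/keys"
export GUACAMOLE_HOME=/config/guacamole
append_once "export GUACAMOLE_HOME=/config/guacamole"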
@启动 Guacamole
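# Start guacd and Tomcat. Both were `#`-prompt lines in the original (comments
# when pasted). Both run as root here; Tomcat picks up the variables exported
# above from this shell. A dedicated service user for Tomcat would be the
# usual hardening and is not covered on this page.
/etc/init.d/guacd start
sh /config/tomcat8/bin/startup.sh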
@配置 Nginx 整合各组件
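# Install nginx from the nginx.org stable repository.
yum install -y yum-utils
# The original repo stanza set gpgcheck=1 but gave neither a baseurl nor a
# gpgkey, so yum cannot use it as written. The values below are the ones
# documented by nginx.org for CentOS -- confirm them against
# https://nginx.org/en/linux_packages.html before use. Keeping gpgcheck=1 with
# an HTTPS gpgkey means every nginx package is signature-verified.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
yum makecache fast
yum install -y nginx
rm -f /etc/nginx/conf.d/default.conf   # replaced by jumpserver.conf below
systemctl enable nginx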
#准备配置文件 修改 /etc/nginx/conf.d/jumpserver.conf
#vi /etc/nginx/conf.d/jumpserver.conf
# Reverse proxy tying the components together under one origin.
# As written it serves plain HTTP on port 80: every bastion login, API call
# and terminal session would cross the network unencrypted. Before exposing
# this beyond a lab, add a `listen 443 ssl` server block with a certificate,
# redirect 80 to it, and pass `proxy_set_header X-Forwarded-Proto $scheme;`
# to the backends so the application knows it is behind TLS.
server {
listen 80; # proxy port; all access goes through here from now on, not 8080
# server_name demo.jumpserver.org; # set to your domain or leave commented
client_max_body_size 100m; # recording / file upload size limit
location /luna/ {
try_files $uri / /index.html;
alias /data/luna/; # luna path; change if the install dir changes
}
location /media/ {
add_header Content-Encoding gzip;
# Session recordings are served straight from disk by nginx here, so access
# is not gated by JumpServer's login -- anyone who learns a recording's path
# can fetch it. Confirm that is acceptable, or gate this location (e.g.
# auth_request, or `internal` + X-Accel-Redirect from the application).
root /data/jumpserver/data/; # recordings; change if the install dir changes
}
location /static/ {
root /data/jumpserver/data/; # static assets; change if the install dir changes
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # if coco runs on another server, use its ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/; # if coco runs on another server, use its ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # if guacamole runs on another server, use its ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080; # if jumpserver runs on another server, use its ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
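# Validate the configuration and only then start nginx. The original ran
# `nginx -t` on a `#`-prompt line and started regardless; a bad config would
# leave the proxy down. `systemctl enable` was already done during install and
# is harmless to repeat.
nginx -t || { echo "nginx config test failed; fix it before starting" >&2; exit 1; }
systemctl start nginx
systemctl enable nginx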
#开始使用 Jumpserver
#默认账号: admin 密码: admin —— 首次登录后立即修改管理员密码，并在版本支持的情况下为管理员开启 MFA。堡垒机是所有资产凭据的集中点，默认口令一旦留着，前面的网络隔离和密钥保护都会失去意义。